SideWinder
SideWinder is a highly prolific espionage APT group active since at least 2012. It is also known as RattleSnake, Razor Tiger, and T-APT-04. The group has historically targeted government and military entities, particularly in Pakistan, Sri Lanka, China, and Nepal, and reporting in the provided content also describes targeting of business entities primarily throughout Asia. More recent activity expanded to diplomatic entities, maritime infrastructure, logistics companies, and organizations linked to nuclear energy across South and Southeast Asia, the Middle East, and Africa, with victims and targeting noted in countries including Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, the United Arab Emirates, and diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco. The group primarily uses spear-phishing emails with malicious attachments to gain initial access. Observed lures include DOCX/OOXML documents and ZIP archives containing malicious LNK files, often crafted for specific targets. The documents use remote template injection to retrieve attacker-hosted RTF files that exploit CVE-2017-11882, leading to multistage execution involving mshtml RunHTMLApplication, mshta, obfuscated JavaScript, and PowerShell-based loader execution. SideWinder has also used JavaScript and PowerShell to drop and execute malware loaders. Post-compromise, SideWinder has conducted broad host reconnaissance and collection. Reported behaviors include collecting information on files and directories, staging stolen files in temporary folders for exfiltration, identifying running processes, collecting system and network configuration information, identifying the user of a compromised host, collecting computer name, OS version, installed hotfixes, memory and processor details, and collecting network interface information including MAC addresses. The group has used HTTP in command-and-control communications and has used Base64 encoding and ECDH-P256 encryption for payloads. Persistence and evasion behaviors in the content include adding executable paths to the Registry, naming malicious files rekeywiz.exe to resemble a legitimate Windows executable, anti-analysis checks, AMSI patching, DLL sideloading, and selective execution based on installed security products. The provided reporting describes SideWinder’s malware ecosystem as including a .NET Downloader Module, ModuleInstaller, Backdoor Loader, and the in-memory StealerBot post-exploitation toolkit. StealerBot is described as a modular espionage implant with plugins for keylogging, screenshots, file theft, reverse shell/live console access, browser token theft, RDP credential theft, credential phishing, and UAC bypass. Backdoor Loader variants and a C++ Backdoor Loader were also observed, with some C++ samples assessed as tailored to specific victims and likely manually deployed after initial compromise. The content attributes SideWinder as an India-linked espionage group in one report focused on China-related threats, but the provided material does not state a definitive government attribution beyond that phrasing.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
56 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Associated vulnerabilities
6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.
RTF files were specifically crafted by the attacker to exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office software.
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
An India-linked threat actor operating from machine MALDEV01 under username WarMachine is exploiting CVE-2026-21509 (Microsoft Office security feature bypass, CVSS 7.8) to target Pakistani government entities.
The DOCX file exploits CVE-2017-0199 to fetch a remote template from internal-advisory-azerbaijan-russia-diplomatic-crisis[.]defence-np[.]net.
Sidewinder has exploited vulnerabilities to gain execution including... CVE-2020-0674.
1 more CVE tied to this actor tracked in Mallory.
Observables
398 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
India-linked espionage group conducting political and military intelligence collection, with secondary targeting of China focused on military modernization, defense technology, and government strategic planning.
Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.
Conducting credential-harvesting spearphishing campaigns using a Zimbra-themed phishing kit hosted on Cloudflare Workers, targeting South Asian government, military, telecom, and related accounts. The campaign used stolen diplomatic documents as lures and fake Zimbra login portals to capture credentials.
Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.