Clankerusecase
Threat-actor profile

Sidewinder

Sidewinder is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 30 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0121

Use cases: 14
Articles: 0
Techniques: 30
IOCs: 0

About this actor (MITRE)

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)

Known aliases

Sidewinder, T-APT-04, Rattlesnake

Top techniques

All other tracked techniques

Detection use cases (14)

- Sidewinder (Rattlesnake/T-APT-04) CVE-2017-11882 Equation Editor exploitation chain from RTF lure (AI · profile SΣ)
- Sidewinder mshta.exe staged HTA download chain from Office or scripting parent (AI · profile SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)