Category | Details |
---|---|
Threat Actors | SideWinder APT (aka Rattlesnake, T-APT4), suspected Indian group active since 2012. |
Campaign Overview | Targeting Pakistan with the WarHawk backdoor, distributing via compromised legitimate servers, and deploying Cobalt Strike payloads. |
Target Regions | Pakistan (Government and military sectors). |
Methodology | ISO files containing LNK files, decoy PDFs, and malicious binaries hosted on legitimate compromised websites. |
Product Targeted | Windows systems. |
Malware Reference | WarHawk backdoor (newly documented); sample file names RtlAudioDriver.exe (older variant) and MsBuild.exe (newer variant, named after the legitimate .NET build tool). |
Tools Used | WarHawk Backdoor modules, Cobalt Strike, custom Cobalt Strike loader using KernelCallBackTable Injection. |
Vulnerabilities Exploited | No software vulnerability or CVE is described; initial access relies on social engineering. Payloads were hosted on a compromised legitimate Pakistani website (nepra.org.pk). |
TTPs | – KernelCallBackTable injection (custom Cobalt Strike loader) – Time zone check: the backdoor only runs if the host is set to Pakistan Standard Time, limiting execution to in-country targets and sandboxes configured to match – Decoy PDFs opened alongside the payload to distract victims – Modular backdoor functionality: Download & Execute, Command Execution, File Management, and Exfiltration modules. |
Attribution | Network infrastructure reuse linked to SideWinder APT. |
Recommendations | – Monitor for suspicious ISO and LNK files – Implement threat intelligence to detect SideWinder APT activity – Secure web servers to prevent compromise – Strengthen endpoint detection for KernelCallBackTable Injection and Cobalt Strike. |
Source | Zscaler |
Read full article: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group
The above summary has been generated by an AI language model
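The delivery chain in the TTPs and Recommendations rows (ISO mounted by the user, LNK launched from Explorer, a binary carrying a legitimate name such as MsBuild.exe running from the mounted volume) can be turned into a simple hunting rule. The block below is an added example, not code from the Zscaler article or from the SideWinder tooling. It runs over constructed, simplified Sysmon-style process-creation records (real Sysmon output is XML/EVTX; the flat `key=value` form, the drive-letter heuristic, and the list of legitimate msbuild.exe locations are assumptions made for this example).

```python
"""Toy detection pass over constructed Sysmon-style process-creation events.

Flags the delivery chain described in the Zscaler write-up: a binary launched
from a mounted ISO (a non-system drive letter) via Explorer, and a binary that
borrows a legitimate name (MsBuild.exe) but runs outside its expected location.
Every log line in SAMPLE_LOG is constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sysmon Event ID 1 (process create) fields rendered as "key=value" pairs
# separated by "|". This flat layout is an assumption for the example.
FIELD_RE = re.compile(r"(\w+)=([^|]*)")

# Assumed legitimate install locations for msbuild.exe (typical .NET / VS paths).
MSBUILD_OK_PREFIXES = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\dotnet",
)

# File names the article associates with WarHawk samples.
WARHAWK_NAMES = {"rtlaudiodriver.exe", "msbuild.exe"}


@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str

    @staticmethod
    def parse(line: str) -> Optional["Event"]:
        """Return an Event for process-creation records, None for anything else."""
        fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
        if fields.get("EventID") != "1":
            return None
        return Event(fields.get("Image", ""),
                     fields.get("ParentImage", ""),
                     fields.get("CommandLine", ""))


def on_mounted_volume(path: str) -> bool:
    """Heuristic (assumption): any drive letter other than C: is treated as a
    mounted ISO or removable media. Tune this for hosts with real data drives."""
    return bool(re.match(r"^[d-zD-Z]:\\", path))


def alerts_for(ev: Event) -> List[str]:
    """Apply the three heuristics to one event and return human-readable hits."""
    hits = []
    image = ev.image.lower()
    name = image.rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    # 1. Explorer launching an executable straight from a mounted volume is the
    #    classic "double-clicked the LNK inside the ISO" pattern.
    if parent == "explorer.exe" and on_mounted_volume(ev.image):
        hits.append(f"executable launched by Explorer from mounted volume: {ev.image}")
    # 2. msbuild.exe is a signed Microsoft tool; the real one lives under known paths.
    if name == "msbuild.exe" and not image.startswith(MSBUILD_OK_PREFIXES):
        hits.append(f"msbuild.exe outside expected install path: {ev.image}")
    # 3. Plain file-name IOC match, only when it also runs from a mounted volume.
    if name in WARHAWK_NAMES and on_mounted_volume(ev.image):
        hits.append(f"WarHawk-associated file name on mounted volume: {name}")
    return hits


def scan(lines: List[str]) -> List[str]:
    """Run the heuristics over a list of log lines and collect all hits."""
    findings: List[str] = []
    for line in lines:
        ev = Event.parse(line)
        if ev is not None:
            findings.extend(alerts_for(ev))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    # Benign: user opens an editor from Program Files.
    r"EventID=1|Image=C:\Program Files\Notepad++\notepad++.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad++.exe",
    # Benign: Visual Studio invoking the real MSBuild.
    r"EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|ParentImage=C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe|CommandLine=MSBuild.exe proj.csproj",
    # Suspicious: MsBuild.exe launched by Explorer from the root of a mounted ISO.
    r"EventID=1|Image=E:\MsBuild.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=E:\MsBuild.exe",
    # Suspicious: older WarHawk file name from a mounted volume.
    r"EventID=1|Image=D:\RtlAudioDriver.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=D:\RtlAudioDriver.exe",
    # Not a process-creation event; ignored by the parser.
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\u\Downloads\Advisory.iso",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```

The mounted-ISO rule will fire on legitimate secondary data drives, so in production it should be joined with a volume-mount event (for example, the drive letter appearing only seconds before the process start) rather than used on its own; the path check for msbuild.exe is the lower-noise signal of the two.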