Sidewinder (G0121): Agile Cyber-Espionage Targeting Critical Sectors
- Suspected Origin
- India (suspected)
- Motivation
- Espionage, Geopolitical Intelligence Gathering, Data Theft
- Aliases
- T-APT-04, Rattlesnake
- Target Sectors
- Government, Military, Diplomatic, Financial, Maritime, Logistics, Nuclear Energy, Critical Infrastructure, Education, Hospitality, Telecommunications
- Associated Malware
- StealerBot, ModuleInstaller, WarHawk, Custom RAT, USBStealer, Backdoor Loader
Overview
SideWinder, tracked as G0121, T-APT-04, and Rattlesnake, is a highly active and persistent advanced persistent threat (APT) group believed to operate out of India. Active since at least 2012, this group is a primary actor in cyber-espionage, consistently targeting entities aligned with regional geopolitical interests. Their long-standing campaigns focus heavily on intelligence gathering, data theft, and politically motivated attacks against government, military, and business organizations. While their historical focus has been South Asia, particularly Pakistan, China, Nepal, and Afghanistan, SideWinder has significantly expanded its operational scope to include targets across Southeast Asia, the Middle East, Africa, and parts of Europe, with a notable recent emphasis on maritime, logistics, and nuclear sectors. This expansion demonstrates their adaptability and a strategic broadening of intelligence collection priorities.
SideWinder’s tradecraft is characterized not by groundbreaking zero-day exploits, but by a pragmatic and consistent approach to exploiting known, often long-disclosed vulnerabilities. They are known for high-volume attack campaigns, leveraging hundreds of domains and servers to maintain their operations and achieve persistent access for long-term, stealthy information exfiltration. Their ability to rapidly adapt and refine their toolset, often generating new malware variants within hours of detection, underscores their sophisticated operational capabilities and commitment to avoiding security defenses.
Tactics & Techniques
SideWinder’s initial access heavily relies on sophisticated social engineering, predominantly through tailored spear-phishing campaigns. These campaigns often use malicious attachments or links crafted to mimic legitimate organizations or exploit current geopolitical events, such as COVID-19 themes or regional conflicts, to entice victims. Historically, they’ve used Microsoft Office documents exploiting known vulnerabilities like CVE-2017-0199 and CVE-2017-11882. More recently, they’ve evolved to incorporate novel PDF and ClickOnce-based infection chains, demonstrating an ongoing effort to circumvent conventional security measures. These lures often direct victims to credential harvesting pages disguised as legitimate login portals for services like Zimbra webmail or central banks.
Once initial access is gained, SideWinder employs multi-stage infection processes. Execution often involves Windows scripting environments such as PowerShell, VBScript, JavaScript, and mshta-based HTA delivery, which drop and execute malware loaders. Persistence is typically achieved through scheduled tasks and autostart scripts, with privilege escalation sometimes leveraging User Account Control (UAC) bypass techniques.
Defense evasion is a hallmark of SideWinder’s operations. They employ extensive obfuscation, masquerading, artifact cleanup, and DLL side-loading, often hijacking legitimate Windows application files to execute malicious payloads. Their delivery infrastructure is designed to evade detection and hinder analysis, frequently using geofencing to serve empty RTFs to non-targeted requests and generating unique hashes for payloads. Command and Control (C2) operations rely on rotating server lists, encrypted channels, and occasional web-service-based exfiltration.
The group is adept at credential theft, targeting RDP, Windows credential stores, and browser data using advanced hooking and token-grabbing tools. For data collection, their malware is programmed to harvest documents, system information (OS version, installed hotfixes, memory, processor details, network interfaces, running processes, installed software), and browser tokens. They have also demonstrated multi-platform targeting, compromising Windows systems, Android devices with spyware and Trojans, and cloud/email services through credential-based account takeover.
Notable Campaigns
SideWinder has maintained a consistent and evolving campaign tempo over the years. Some key activities include:
- Early Operations (2012 onwards): The group began its cyber-espionage activities, primarily focusing on government, military, and business entities in Pakistan, China, Nepal, and Afghanistan.
- Public Naming (2018): Kaspersky first publicly named the SideWinder APT group.
- COVID-19 Themed Operations (2020): The group capitalized on global events, launching campaigns using COVID-19 lures, notably targeting Pakistani government officials.
- Expansive Multi-Country Campaigns (2021-2024): SideWinder conducted systematic and broad campaigns targeting over 60 entities across South and East Asia, including governments, military organizations, central banks, and media in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.
- Broadening Geographic and Sectoral Focus (2024-2025): The group expanded its operations into Africa, Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, the Philippines, Sri Lanka, the UAE, Vietnam, and global diplomatic entities. Concurrently, they shifted their sector focus towards maritime infrastructure, logistics companies, and nuclear power facilities in South Asia, the Middle East, and Africa. Recent campaigns in September 2025 targeted European embassies in New Delhi and organizations in Sri Lanka, Pakistan, and Bangladesh, demonstrating their adaptable TTPs with new PDF and ClickOnce-based infection chains.
Associated Malware & Tools
SideWinder leverages a dedicated arsenal of custom malware and legitimate tools to achieve its objectives:
- StealerBot: This is a sophisticated, modular, and memory-resident backdoor primarily designed for espionage. It operates entirely in memory, with decrypted components injected directly by the loader to avoid disk artifacts, making it difficult to detect and trace. It can launch reverse shells, deliver additional malware, and collect extensive data, including screenshots, keystrokes, passwords, and files.
- ModuleInstaller: Often serves as a downloader for next-stage payloads, including StealerBot.
- WarHawk: A downloader used in the initial stage of an attack, it profiles the victim’s computer and retrieves subsequent malware.
- Custom RAT: SideWinder utilizes its own advanced Remote Access Trojan (RAT) to gain full control over infected machines, enabling file management, program execution, and data theft.
- USBStealer: A tool frequently used to locate and exfiltrate files from USB drives connected to compromised systems.
- Backdoor Loader: Acts as a loader for the StealerBot post-exploitation toolkit.
- Other Tools: The group has also been associated with tools like ADModule, BroStealer, callCam, ChromePasswordRecovery, Chisel, Cobalt Strike, Koadic, Rafel RAT, RemotePotato0, and Telegram for various operational phases.
Current Status
SideWinder remains a highly active and evolving threat. Recent reports from 2024 to 2026 consistently highlight their ongoing campaigns and continuous refinement of tactics, techniques, and procedures. They are actively upgrading their infrastructure, adopting new delivery methods like PDF and ClickOnce-based infection chains, and expanding their geographical and sectoral targeting. The group demonstrates a sophisticated understanding of geopolitical contexts, crafting highly specific lures for diplomatic targets. Their commitment to maintaining operational secrecy, evidenced by geofencing techniques and rapid malware updates, indicates a persistent and long-term espionage objective. Organizations, particularly those in the targeted sectors and regions, must remain vigilant and implement robust security measures to defend against SideWinder’s adaptable and relentless operations.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call