
Threat Actor Profile: SideWinder

Overview 

SideWinder is an advanced persistent threat (APT) group that has been active since 2012. The group is assessed to originate from an Indian company, and its operations have historically centered on Pakistani military entities, though its targeting footprint extends well beyond that core focus. 

SideWinder’s tradecraft is less about novel exploitation and more about consistency: the group is known for exploiting known, sometimes long-disclosed vulnerabilities to deploy PowerShell-based payloads rather than burning zero-days. 

This pragmatic approach has sustained over a decade of continuous operations. Its motivations point toward intelligence gathering tied to regional geopolitical interests, and its most recent activity shows a notable pivot toward ports, maritime facilities, and government officials in Turkey. 

A typical SideWinder operation begins with a lure document built around a live geopolitical event, crafted specifically to entice a target into downloading and opening it. That single action is usually enough to trigger the malware chain and open the door to cyber espionage. 

Attribution and Operational Origin 

SideWinder is assessed to originate from India, with a track record of activity dating back to at least 2012. The group’s targeting has historically concentrated on government, military, and business entities throughout Asia, with Pakistan, China, Nepal, and Afghanistan absorbing the bulk of its attention over the years. 

Figure 1: SideWinder tracked aliases across the security community (Source: Cyble Vision)

National-level cybersecurity authorities have independently corroborated this activity. A national CERT has reported a surge in targeted phishing activity directly attributed to SideWinder, tracked under its aliases Rattlesnake, Hardcore Nationalist (HN2), and T-APT-04, describing the group as a persistent and strategic operator whose campaigns are aimed squarely at institutions of critical national value rather than opportunistic targets. 

This same reporting ties SideWinder to concrete infrastructure, including the malicious IP address 151.106.117.19 and a set of domains built to impersonate law enforcement and government organizations. Confirmed victims named in this reporting include the Ministry of Foreign Affairs (MoFA), Ministry of Interior (MoI), Islamabad Capital Territory (ICT) Police, and Special Security Units, institutions whose compromise carries direct national security implications. 

Targeting Profile 

SideWinder’s targeting reflects a focus on sectors with strategic and national security value rather than broad economic espionage. Key industries include: 

  • Aerospace & Defense 
  • Government & Law Enforcement Agencies 
  • Transportation & Logistics 

Geographically, the group has been observed operating against 12 target countries: 

Region focus         | Countries
South Asia           | Pakistan, Bangladesh, Bhutan, Nepal, Sri Lanka, Maldives, Afghanistan
East/Southeast Asia  | China, Myanmar
Middle East          | Egypt, Qatar
Recent expansion     | Turkey

This spread shows a group whose core mission, pressure on Pakistan and its regional neighbors, has remained stable since 2012, even as new geographies like Turkey have entered the picture in more recent campaigns, particularly around port and maritime infrastructure. 

Tooling and Malware Ecosystem 

SideWinder’s malware ecosystem is comparatively compact next to other long-running APTs, with four malware families currently associated with the group: 

Figure 2: Malware families and tools used by Aquatic Panda (Source: Cyble Vision) 

Rather than maintaining a sprawling toolkit, SideWinder leans on a small set of multi-purpose implants; callCam in particular spans reconnaissance, backdoor access, info-stealing, and exfiltration in a single family, reducing the group’s need to deploy and manage multiple discrete tools per intrusion. Koadic’s dual role as both a vulnerability scanner and loader reinforces the group’s preference for known-vulnerability exploitation over custom exploit development. 

The infection chain below traces how these pieces typically fit together, from the initial lure through to the credential-reuse loop that sustains long-term access. 

Figure 3: Stolen credentials feed back into new phishing campaigns, sustaining long-term access 

Initial Access and Execution Techniques 

SideWinder’s initial access relies almost entirely on social engineering rather than exploitation of internet-facing infrastructure. The group’s phishing methodology follows a consistent pattern: 

  • Spearphishing via fabricated communications: Emails and social media messages sent from compromised or fraudulent accounts, frequently impersonating government offices, banks, or official portals. 
  • Urgency-based lures: Fake security alerts, account suspension notices, or password reset warnings designed to push a recipient into acting before scrutinizing the message. 
  • Geopolitically themed documents: Files referencing live regional conflicts or events, increasing the likelihood that a target, often a government or military official, will open them. 

Execution spans multiple platforms simultaneously. Windows systems are compromised through malicious payloads delivered via the phishing chain; Android devices are targeted with spyware and trojans; and cloud and email services tied to government or military networks are compromised through credential-based account takeover. This multi-platform targeting means a single successful phish can yield footholds across a victim’s device, mobile environment, and cloud accounts at once. 

Organizations in highly targeted sectors should continuously monitor phishing infrastructure, look-alike domains, and brand impersonation attempts associated with threat actors such as SideWinder. Cyble Vision provides visibility into these external threats. 
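As an added, defender-side example (not Cyble's code and not taken from the page beyond the one reported indicator), the script below runs the two checks the paragraph recommends over a handful of proxy log lines: a look-alike test against a list of protected government domains, and a match against the known-bad IP. The protected domain list, the confusable-character map, the log format and the log lines themselves are constructed assumptions; the only value taken from the page is the IP 151.106.117.19.

```python
"""Look-alike domain and known-bad IP detection over constructed proxy logs.

Added example, not Cyble's code. Everything below except the IP indicator
151.106.117.19 (reported on the page) is a constructed assumption.
"""
import re
from typing import Dict, List, Optional

# Indicator reported in the CERT advisory cited on the page.
KNOWN_BAD_IPS = {"151.106.117.19"}

# Legitimate zones we want to protect from impersonation (constructed list;
# a real deployment would load the organisation's own brand inventory).
PROTECTED_DOMAINS = ["mofa.gov.pk", "interior.gov.pk", "islamabadpolice.gov.pk"]

# Digit-for-letter substitutions commonly seen in typosquats (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed proxy log lines: timestamp, source IP, requested host, resolved IP.
LOG_LINES = """\
2024-05-01T09:12:03Z 10.0.0.5 mofa.gov.pk 203.0.113.10
2024-05-01T09:13:44Z 10.0.0.7 mofa-gov-pk.com 151.106.117.19
2024-05-01T09:15:10Z 10.0.0.9 m0fa.gov.pk 198.51.100.23
2024-05-01T09:16:02Z 10.0.0.5 update.islamabadpolice.gov.pk 203.0.113.11
2024-05-01T09:17:30Z 10.0.0.8 islamabadpolice.gov.pk.secure-login.net 198.51.100.77
2024-05-01T09:18:01Z 10.0.0.2 example.org 192.0.2.10
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> Optional[str]:
    """Return the protected domain that `host` impersonates, or None.

    Genuine hosts under a protected zone are never flagged. Two heuristics follow:
    the protected name embedded in an unrelated domain (hyphens treated as dots),
    and a near-identical name after confusable characters are normalised.
    """
    d = host.lower().rstrip(".")
    for legit in PROTECTED_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return None
    flattened = d.replace("-", ".")
    normalized = d.translate(CONFUSABLES)
    for legit in PROTECTED_DOMAINS:
        if legit in flattened:
            return legit
        if levenshtein(normalized, legit) <= 1:
            return legit
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines and return one finding per line that trips any check."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        reasons: List[str] = []
        target = is_lookalike(m["host"])
        if target:
            reasons.append(f"lookalike:{target}")
        if m["dst"] in KNOWN_BAD_IPS:
            reasons.append("known_bad_ip")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "host": m["host"],
                             "dst": m["dst"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['ts']} {f['src']} -> {f['host']} ({f['dst']}): {', '.join(f['reasons'])}")
```

The embedded-name check is what catches the impersonation pattern the page describes (a government domain hung off an unrelated registered domain), while the distance check is deliberately strict (one edit after normalisation) to keep false positives down on short brand names; tune the threshold per brand length before running it at scale.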


Conclusion 

More than a decade after its emergence, SideWinder remains a persistent cyber-espionage threat targeting government, military, diplomatic, and critical infrastructure organizations across South Asia and beyond. 

Its success stems not from highly sophisticated malware, but from consistent targeting, rapid exploitation of vulnerabilities, and sustained intelligence-gathering operations. As actors like SideWinder continue to evolve, organizations need continuous visibility into emerging threats and attacker activity.  

See How Cyble Tracks SideWinder and New Cyber Threats 

Figure 4: Cyble Threat Actor Library (Source: Cyble Vision) 

Cyble helps security teams track threat actors, monitor cybercrime ecosystems, and operationalize actionable threat intelligence for faster detection and response. 

MITRE ATT&CK Techniques Associated with SideWinder 

Figure 5: MITRE ATT&CK Techniques (Source: Cyble Vision) 
  • Spearphishing Attachments (T1566.001 | Initial Access): Delivered targeted phishing emails containing malicious attachments to gain initial access to victim systems. 
  • Spearphishing Links (T1566.002 | Initial Access): Used crafted phishing emails with malicious links to lure victims into executing malware or visiting compromised websites. 
  • PowerShell (T1059.001 | Execution): Leveraged PowerShell scripts to download, deploy, and execute malware payloads. 
  • Visual Basic (T1059.005 | Execution): Employed VBScript-based loaders to execute malicious code on compromised systems. 
  • JavaScript (T1059.007 | Execution): Used JavaScript payloads to facilitate malware delivery and execution. 
  • Exploitation for Client Execution (T1203 | Execution): Exploited known vulnerabilities, including CVE-2017-11882 and CVE-2020-0674, to execute malicious code on target systems. 
  • User Execution: Malicious Link (T1204.001 | Execution): Relied on victims interacting with malicious links to trigger malware execution. 
  • User Execution: Malicious File (T1204.002 | Execution): Tricked users into opening weaponized documents or files to initiate infection. 
  • Dynamic Data Exchange (T1559.002 | Execution): Abused ActiveX and OLE objects through Internet Explorer to achieve code execution. 