SideWinder APT, also known as Rattlesnake, is a long-running espionage group believed to be based in India, targeting government, military, and financial institutions in South Asia and the Middle East. The group uses social engineering, spear-phishing, and zero-day exploits to infiltrate networks and deploy custom malware and backdoors for persistence and data theft in pursuit of geopolitical intelligence. #SideWinder #Rattlesnake #Kabul2013 #PakistaniAirForce2015 #UkrainianMilitary2018
Keypoints
- Active since at least 2012, with an alleged base in India and operations targeting South Asia and the Middle East.
- Primary objectives include espionage, data theft, and geopolitical intelligence gathering.
- Tactics include social engineering and spear-phishing, complemented by zero-day exploits to gain initial access.
- After infiltration, attackers deploy custom malware and backdoors to maintain persistence and exfiltrate data.
- Notable campaign instances cited: Indian embassy in Kabul (2013), Pakistani Air Force (2015), Ukrainian military website (2018).
- Provided indicators of compromise cover a domain and multiple hashes (MD5, SHA-256, SHA-1) for detection.
- Remediation emphasizes multi-layer defense, patching, endpoint protection, MFA, monitoring, and threat intelligence.
MITRE Techniques
- [T1566] Phishing – Uses social engineering and spear-phishing to infiltrate target networks. Quote: “These include social engineering, spear-phishing, and zero-day exploits to infiltrate target networks.”
- [T1203] Exploitation for Client Execution – Zero-day exploits to infiltrate target networks. Quote: “zero-day exploits to infiltrate target networks.”
- [T1041] Exfiltration – Exfiltration of data / theft of sensitive information. Quote: “to gain persistent access and steal sensitive data.”
Indicators of Compromise
- [Domain] Domain name – mailarmylk.mods.email
- [MD5] Hashes – 872c2ddf6467b1220ee83dca0e118214, 1e06ee76b8ec0069945391736f22c472
- [SHA-256] Hashes – 57d761453bbc6ba9ace467f4491d7a19b9c7e097f81d9772efbcd2f43ada4dce, d000f860042cf9311b4e68c09ff41880d36d049371317d912974f6a50507dabc
- [SHA-1] Hashes – dbc5756895b6585527bd6ebc4411ea6a4a6e2886, 8843eafeef0b5d2ae3f62ee6b6904de9748a469d
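The indicators above are only useful once they are matched against telemetry, so the following is an added example (not Rewterz's own tooling) of a small IoC sweep: it loads the advisory's domain and hash values and scans log lines for exact domain hits, subdomain hits, and case-insensitive MD5/SHA-1/SHA-256 matches. The DNS-resolver and EDR log lines it runs on are constructed samples in an assumed key=value format, not real captures.

```python
import re

# Indicator values copied from the advisory above (domain, MD5, SHA-256, SHA-1).
IOC_DOMAINS = {"mailarmylk.mods.email"}
IOC_HASHES = {
    "872c2ddf6467b1220ee83dca0e118214",  # MD5
    "1e06ee76b8ec0069945391736f22c472",  # MD5
    "57d761453bbc6ba9ace467f4491d7a19b9c7e097f81d9772efbcd2f43ada4dce",  # SHA-256
    "d000f860042cf9311b4e68c09ff41880d36d049371317d912974f6a50507dabc",  # SHA-256
    "dbc5756895b6585527bd6ebc4411ea6a4a6e2886",  # SHA-1
    "8843eafeef0b5d2ae3f62ee6b6904de9748a469d",  # SHA-1
}
HASH_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA-1, SHA-256

# Hex runs long enough to be a digest; the length is checked afterwards so a
# 64-char SHA-256 is never also reported as a 32- or 40-char prefix.
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
# Dotted host-like tokens (IPs also match, but never equal an IoC domain).
HOST_TOKEN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def domain_matches(host, ioc_domains=IOC_DOMAINS):
    """Return the IoC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(lines, ioc_domains=IOC_DOMAINS, ioc_hashes=IOC_HASHES):
    """Scan log lines; return one (line_no, kind, indicator, observed) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in HOST_TOKEN.findall(line):
            d = domain_matches(tok, ioc_domains)
            if d:
                hits.append((n, "domain", d, tok))
        for h in HEX_RUN.findall(line):
            if len(h) in HASH_LENGTHS and h.lower() in ioc_hashes:
                hits.append((n, "hash", h.lower(), h))
    return hits


# Constructed sample log lines (not from the advisory): DNS resolver and EDR events.
SAMPLE_LOG = [
    "2024-03-04T10:12:01Z dns client=10.1.2.33 qtype=A name=mailarmylk.mods.email rcode=NOERROR",
    "2024-03-04T10:12:05Z dns client=10.1.2.33 qtype=A name=smtp.MAILARMYLK.MODS.EMAIL rcode=NXDOMAIN",
    "2024-03-04T10:13:40Z edr host=WS-0417 event=file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\update.bin "
    "sha256=57D761453BBC6BA9ACE467F4491D7A19B9C7E097F81D9772EFBCD2F43ADA4DCE",
    "2024-03-04T10:13:41Z edr host=WS-0417 event=process_start image=update.bin md5=872c2ddf6467b1220ee83dca0e118214",
    "2024-03-04T10:14:00Z dns client=10.1.2.40 qtype=A name=www.example.com rcode=NOERROR",
    "2024-03-04T10:14:02Z edr host=WS-0418 event=file_create path=C:\\tmp\\a.txt sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for line_no, kind, ioc, seen in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {kind} match on {ioc} (observed {seen})")
```

Subdomain matching is deliberate: actor infrastructure often resolves hosts under a listed domain, and a sweep that only compares whole strings would miss them. Matching on suffix with a leading dot also avoids the opposite error of flagging an unrelated domain that merely ends in the same characters.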
Read more: https://www.rewterz.com/threat-advisory/sidewinder-apt-group-aka-rattlesnake-active-iocs-5