Two Zscaler ThreatLabz reports reveal WarHawk, a new backdoor used by the SideWinder APT to target Pakistan, delivering Cobalt Strike via a multi-module loader that includes KernelCallBackTable injection and a Pakistan Standard Time check. The campaign leveraged ISO bundles and LNK decoys hosted on NEPRA’s site, with decoy PDFs drawn from Pakistani Cabinet Division advisories, to drop and execute malicious components and loader payloads.
#WarHawk #SideWinder
Key points
- WarHawk is a new backdoor used by the SideWinder APT to target Pakistan
- The backdoor comprises four modules: Download & Execute, Command Execution, File Manager InfoExfil, and UploadFromC2
- The WarHawk loader uses KernelCallbackTable process injection to load Cobalt Strike and includes a Pakistan Standard Time time-zone check
- Infection chains employ ISO files with a LNK file and a decoy PDF to lure victims
- ISO bundles and lure URLs were hosted on NEPRA’s website, and the decoy PDFs reference Pakistan Cabinet Division advisory content
- Stage-2 payloads include the Snitch.exe Cobalt Strike loader and the OneDrive.exe and DDRA.exe Cobalt Strike beacons, using C2 infrastructure tied to fia-gov.org and customs-lk.org
- Attribution is tied to SideWinder APT via reused infrastructure and Pakistan-focused timing checks
MITRE Techniques
- [T1566] Initial Access – Phishing – The .LNK file carries a PDF icon to lure the victim into executing it. Once the .LNK file is executed, it runs the malicious binary “RtlAudioDriver.exe” along with the decoy PDF “32-Advisory-No-32-2022.pdf” to distract the victim.
- [T1190] Exploit Public-Facing Application – The ISO being hosted on the official NEPRA website may indicate a compromise of their web server, which was then used to deliver the malware.
- [T1204] User Execution – The LNK file execution leads to running the malicious binary and decoy PDF.
- [T1059] Command and Scripting Interpreter – The received command is passed as an argument to the CMD.exe process which has been spawned using ShellExecuteA.
- [T1140] Deobfuscate/Decode Files or Information – The WarHawk loader decrypts API/DLL names via a string decryption routine that subtracts a key to reveal function names.
- [T1564] Hide Artifacts – The loader unhooks NTDLL.dll by mapping a fresh copy and replacing its .text section to evade API hooks.
- [T1055] Process Injection – KernelCallbackTable Process Injection is used to inject shellcode into a remote process (e.g., notepad.exe).
- [T1071.001] Application Layer Protocols – Web Protocols – WarHawk communicates with a C2 server via HTTP(S) requests, including beacon and task responses.
- [T1041] Exfiltration – Exfiltration over C2 Channel – System information and command outputs are JSON-encoded and sent to the C2 server.
Indicators of Compromise
- [ISO] 32-Advisory-No-32.iso and 33-Advisory-No-33-2022.pdf.iso – ISO disk images used as lures
- [URL] nepra.org.pk/css/32-Advisory-No-32.iso, cabinet.gov.pk/SiteImage/Misc/files/NTISB%20Advisories/2022/32-Advisory-No-32-2022.pdf – lure URLs hosted on legitimate sites
- [File Hash] WarHawk_v1: 8f9cf5c828cb02c83f8df52ccae03e2a, WarHawk_v1.1: 5cff6896e0505e8d6d98bff35d10c43a
- [Domain] fia-gov.org, customs-lk.org – Cobalt Strike beacons used by SideWinder infrastructure
- [IP] 3.239.29.103; 146.190.235.137 – attack infrastructure hosting C2 and payloads
- [File Name] RtlAudioDriver.exe; MsBuild.exe – malicious binaries used as WarHawk components
- [URL] https://146.190.235.137/wh/glass.php; https://146.190.235.137/Snitch.exe – C2 and stage-2 payload delivery URLs
- [File Hash] Snitch.exe CS Loader: ec33c5e1773b510e323bea8f70dcddb0; OneDrive.exe CS Beacon: d0acccab52778b77c96346194e38b244; DDRA.exe CS Beacon: 40f86b56ab79e94893e4c6f1a0a099a1
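As an added example that is not part of either Zscaler report, the following Python scanner matches the indicators listed above against constructed log lines; the `timestamp key=value ...` log layout, the host names and the file paths are assumptions, and each hit carries the MITRE technique the page assigns to that indicator type. Findings come back as (ts, host, confidence, technique, detail) tuples.

```python
import re
from urllib.parse import urlparse
# Indicator values copied from the IoC list on this page (lower-cased for matching).
C2_HOSTS = {"fia-gov.org", "customs-lk.org", "3.239.29.103", "146.190.235.137"}
C2_PATHS = {"/wh/glass.php", "/snitch.exe"}
LURE_PATHS = {"/css/32-advisory-no-32.iso"}
HASHES = {"8f9cf5c828cb02c83f8df52ccae03e2a": "WarHawk v1",
          "5cff6896e0505e8d6d98bff35d10c43a": "WarHawk v1.1",
          "ec33c5e1773b510e323bea8f70dcddb0": "Snitch.exe CS loader",
          "d0acccab52778b77c96346194e38b244": "OneDrive.exe CS beacon",
          "40f86b56ab79e94893e4c6f1a0a099a1": "DDRA.exe CS beacon"}
# Name-only matches are weak evidence: MsBuild.exe is also a legitimate Microsoft binary.
FILENAMES = {"rtlaudiodriver.exe", "msbuild.exe"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # assumed 'timestamp key=value ...' log layout

def parse_line(line):
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **{k: v.strip('"') for k, v in KV.findall(rest)}}

def match_indicators(ev):
    """Return (confidence, technique, detail) tuples for one parsed event."""
    hits = []
    if "url" in ev:
        u = urlparse(ev["url"])
        host, path = (u.hostname or "").lower(), u.path.lower()
        if host in C2_HOSTS or path in C2_PATHS:
            hits.append(("high", "T1071.001", f"C2/stage-2 URL {ev['url']}"))
        elif path in LURE_PATHS:  # lure ISO served from a legitimate site
            hits.append(("high", "T1566", f"lure ISO download {ev['url']}"))
    if ev.get("qname", "").lower() in C2_HOSTS:
        hits.append(("high", "T1071.001", f"C2 DNS lookup {ev['qname']}"))
    md5 = ev.get("md5", "").lower()
    basename = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if md5 in HASHES:
        hits.append(("high", "T1204", HASHES[md5]))
    elif basename in FILENAMES:
        hits.append(("low", "T1204", f"suspicious file name {ev['image']}"))
    return hits

def scan(lines):
    findings = []  # (ts, host, confidence, technique, detail) per hit, in log order
    for ev in map(parse_line, lines):
        findings += [(ev["ts"], ev.get("host")) + hit for hit in match_indicators(ev)]
    return findings
SAMPLE_LOG = """\
2022-10-11T08:12:03Z host=pc01 event=proxy url=https://146.190.235.137/wh/glass.php
2022-10-11T08:12:05Z host=pc01 event=proc image="C:\\Users\\u\\AppData\\Local\\Temp\\RtlAudioDriver.exe" md5=8f9cf5c828cb02c83f8df52ccae03e2a
2022-10-11T08:13:00Z host=pc02 event=dns qname=fia-gov.org
2022-10-11T08:14:00Z host=pc04 event=proc image="C:\\Program Files\\dotnet\\MSBuild.exe"
2022-10-11T08:15:00Z host=pc05 event=proxy url=https://nepra.org.pk/css/32-Advisory-No-32.iso
""".splitlines()  # constructed sample telemetry, not real log data
```

A file-name match on its own is rated low, so pair it with the hash or an unexpected path before acting on it.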
Read more: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0