Evasive SideWinder APT Campaign Detected
Dec. 22, 2025, 10:31 a.m.
Description
A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign uses DLL side-loading techniques with legitimate Microsoft Defender binaries to bypass EDR, and utilizes public cloud storage and URL shorteners to evade reputation-based detections. The threat actors employ geofencing behavior, focusing on systems in South Asian timezones. The attack chain includes phishing emails, fraudulent websites, and malicious payloads delivered through file-sharing services. The final stage involves a resident agent that beacons to a command-and-control server, mimicking Chinese endpoint tool protocols.
Tags
Date
- Created: Dec. 20, 2025, 5:19 p.m.
- Published: Dec. 20, 2025, 5:19 p.m.
- Modified: Dec. 22, 2025, 10:31 a.m.
Indicators
- 950ad7a33457a1a37a0797316cdd2fbaf9850f7165425274351d08b3c01ed2d8
- 13474f4e82b8fa13c6e43009433720e07e0485971293afdc5867849b9fac8f09
- 415be77f99144c27e2612e1021043f61302b28e28fa3262b1792c1e4a9d668d4
- 180.178.56.230
- wwwqqo.icu
Attack Patterns
- mysetup.exe
- MpGear.dll
- Sidewinder
Additional Informations
- Health
- Telecommunications
- Retail (distribution)
- Services
- Government
- oytdwzz.shop
- zhantugaokao.com
- stockjp.top
- googlevip.shop
- googlewery.cyou
- hetyqraftryt.cyou
- googlehkcom.com
- wwsxcpl.shop
- googleaxc.shop
- oopae.icu
- oopv.shop
- gfmqvip.vip
- qqooe.click
- mrysaqw.qpon
- googlevip.icu
- googlewww.qpon
- zibenbang.vip
- gsrydkjz.cyou
- wgooglegoogle.com
- gofjasj.help
- sow4.shop
- India
- British Indian Ocean Territory