SideWinder targets the maritime and nuclear sectors with an updated toolset

March 10, 2025, 12:21 p.m.

Description

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructure, logistics companies, and nuclear-sector organizations across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails carrying malicious DOCX files that exploit CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating its tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.

Date

  • Created: March 10, 2025, 10:24 a.m.
  • Published: March 10, 2025, 10:24 a.m.
  • Modified: March 10, 2025, 12:21 p.m.

Indicators

Attack Patterns

  • Module Installer
  • Downloader Module
  • StealerBot
  • SideWinder
  • T1027.004
  • T1574.002
  • T1012
  • T1059.007
  • T1518.001
  • T1204.002
  • T1547
  • T1203
  • T1082
  • T1566.001
  • T1055
  • T1036
  • T1140
  • T1027
  • CVE-2017-11882

Additional Information

  • Energy
  • Defense
  • Transportation
  • Telecommunications
  • Government
  • modpak-info.services
  • Djibouti
  • Maldives
  • Rwanda
  • Mozambique
  • Uganda
  • British Indian Ocean Territory
  • Austria
  • Algeria
  • Egypt
  • Afghanistan
  • Bulgaria
  • Myanmar
  • Sri Lanka
  • Nepal
  • Bangladesh
  • India
  • Saudi Arabia
  • China
  • United Arab Emirates
  • Indonesia
  • Cambodia
  • Philippines
  • Pakistan