Cybersecurity News & Analysis
© 2026 blacktemple.net

Sidewinder

Also known as: Rattlesnake · T-APT-04 · Razor Tiger · APT-C-17 · Hardcore Nationalist

Type: nation-state
Nation: India
Active Since: 2012
Targets: Military, Government, Diplomatic, Defense, Law Enforcement, Aviation, Maritime
Known Tools: SideWinder RAT, AndroRAT, WarHawk, Revenge RAT, njRAT, Binder, Net Ninja, PEACOCK, ModuleInstaller
MITRE ATT&CK: T1566.001, T1566.002, T1059.001, T1059.005, T1059.006, T1027, T1036, T1547.001, T1071.001, T1105, T1204.002, T1012, T1082, T1016, T1083
References:
  • Kaspersky - SideWinder APT
  • MITRE ATT&CK
  • Group-IB - Sidewinder Report
  • BlackBerry - Sidewinder Analysis

Background

Sidewinder, tracked as Rattlesnake and T-APT-04 by different security vendors, is an advanced persistent threat group attributed to India's state intelligence apparatus. Active since at least 2012, Sidewinder is one of South Asia's most prolific nation-state threat actors, with operations primarily targeting Pakistani military and government entities, Chinese frontier territories, and neighboring South Asian nations including Nepal, Bangladesh, Afghanistan, Sri Lanka, and the Maldives.

The group's targeting pattern is closely aligned with Indian strategic intelligence priorities in the South Asian geopolitical environment. Operations against Pakistan focus on military and intelligence services, particularly those related to disputed territories in Kashmir and Balochistan. Chinese-language targeting increases during periods of heightened India-China border tensions. Operations in Nepal and Bangladesh often target government and diplomatic entities during periods of contested Indian influence.

Sidewinder demonstrates significant operational velocity (Kaspersky researchers documented over 1,000 attacks in a three-year period) and consistent use of spearphishing as the primary initial access vector. While the group's individual tool sophistication may be lower than top-tier APT groups, its scale, persistence, and operational tempo make it a significant regional threat. The group has expanded its targeting in recent years to include maritime organizations, reflecting India's growing focus on Indian Ocean security.

Notable Campaigns

Pakistani Military Targeting (2017-2024): Sidewinder's primary sustained campaign targets Pakistani military officers, intelligence officials, and defense ministry personnel. Operations use military-themed lures including fake promotion notices, Pakistani army documents, and security-related advisories. The group has successfully compromised Pakistani government networks, obtaining sensitive military correspondence and personnel information.

China Border Operations (2020-2021): During the 2020 Galwan Valley standoff between Indian and Chinese forces, Sidewinder significantly escalated targeting of Chinese military and government entities in border regions. The group used Mandarin-language lures themed around the military confrontation to target PLA personnel and frontier province officials.

Nepal Political Targeting (2021-2022): Sidewinder conducted a campaign against Nepali government officials and political figures during a period of Nepal-India diplomatic friction. The group deployed malicious documents disguised as official Nepali government communications and diplomatic correspondence.

Maritime Expansion (2022-2024): Kaspersky documented Sidewinder's expanded targeting of maritime organizations including naval institutions, port authorities, and shipping companies across the Indian Ocean region, specifically in India's immediate neighborhood. The group deployed updated tooling including WarHawk against Pakistani Navy and maritime security organizations.

Tactics, Techniques & Procedures

Spearphishing with Document Exploitation: Sidewinder's primary initial access vector is spearphishing emails with malicious document attachments (T1566.001). The group is notable for the high volume and velocity of its phishing campaigns. Documents exploit RTF and Office vulnerabilities to execute embedded payloads. The group also uses shortcut (.LNK) files containing embedded PowerShell scripts. JavaScript-based payloads are delivered via HTML files masquerading as legitimate documents.

Execution Chain: Sidewinder uses a multi-stage execution chain: malicious document exploitation triggers JavaScript or VBScript (T1059.005) that downloads and executes a .NET loader. The loader decrypts and runs the final payload (SideWinder RAT or similar). This multi-stage approach complicates automated analysis and sandboxing.

Persistence and Registry Abuse: Persistence is achieved primarily through registry run keys (T1547.001). The group also uses scheduled tasks and startup folder placement. Registry queries (T1012) are used during reconnaissance to fingerprint the target environment and determine which persistence mechanism to use.

Android Mobile Targeting: Sidewinder deploys Android malware (AndroRAT, WarHawk) against mobile devices of Pakistani military officers and government officials. Mobile payloads are distributed via fake Pakistani government applications and security advisories, delivered through both phishing links and third-party app stores.

Tools & Malware

  • SideWinder RAT: The group's primary custom .NET-based remote access tool, providing command execution, file management, keylogging, screenshot capture, and system reconnaissance. Regularly updated with new evasion techniques.
  • WarHawk: A sophisticated Android RAT used against Pakistani targets, capable of exfiltrating SMS messages, contacts, call logs, device location, and encrypted messaging application data.
  • AndroRAT: An Android remote access trojan used in mobile surveillance campaigns against high-value targets, providing comprehensive device access.
  • Binder: A tool used to bind malware to legitimate document files, creating weaponized decoy documents that execute payloads while displaying the expected content.
  • ModuleInstaller: A modular payload installer that deploys multiple specialized espionage modules after initial compromise, allowing capability customization per target.
  • Net Ninja: A network reconnaissance and scanning tool used for internal network mapping and service discovery.
  • Revenge RAT: An open-source commodity RAT used alongside custom tools, providing basic remote access with lower attribution risk.
  • njRAT: Another commodity RAT used in operations, particularly against lower-priority targets where custom tooling is not warranted.

Indicators & Detection

Email Lure Analysis: Sidewinder phishing emails frequently impersonate Pakistani military commands, Indian government agencies, and international organizations operating in South Asia. Subject lines often reference military promotions, defense ministry circulars, or diplomatic advisories. Implement email attachment sandboxing and block execution of JavaScript and VBScript in Office documents via Group Policy.

Document Exploit Detection: Monitor for RTF documents that spawn cmd.exe, PowerShell, or wscript.exe child processes. Detect LNK file execution by monitoring for shortcut files in email attachments that launch PowerShell with encoded commands. Alert on Office processes that initiate network connections or spawn unexpected child processes.
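The three detections in the paragraph above (Office process spawning a script host, PowerShell launched with an encoded command, Office process opening a network connection), written out as an added example that is not part of this profile's original content. It runs over constructed Sysmon-style events; the field names, the Office binary paths and the base64 blob are assumptions made for the example.

```python
import re

# Office parents and the script hosts the page says to watch for as children.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the alert names that fire for one Sysmon-style event."""
    alerts = []
    image = basename(event.get("image", ""))
    if event["type"] == "process_create":
        parent = basename(event.get("parent_image", ""))
        if parent in OFFICE_PROCS and image in SCRIPT_HOSTS:
            alerts.append("office_spawns_script_host")
        if image == "powershell.exe" and ENC_FLAG.search(event.get("command_line", "")):
            alerts.append("powershell_encoded_command")
    elif event["type"] == "network_connect" and image in OFFICE_PROCS:
        alerts.append("office_network_connection")
    return alerts


def scan(events: list) -> list:
    """(event id, alert name) for every alert raised across the stream."""
    return [(e["id"], a) for e in events for a in classify(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon
# Event ID 1 (process create) and Event ID 3 (network connection).
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\doc.js"'},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"id": 3, "type": "network_connect", "image": OFFICE_DIR + r"\EXCEL.EXE",
     "dest": "203.0.113.10:443"},
    # Word handing a print job to splwow64.exe is a legitimate child process.
    {"id": 4, "type": "process_create", "parent_image": OFFICE_DIR + r"\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
]
```

The encoded-command check deliberately accepts the abbreviated PowerShell switches as well as the full one, and event 4 shows a benign Office child that the rules must not flag.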

Android Device Management: Organizations whose personnel use mobile devices for sensitive communications should implement mobile device management (MDM) solutions that restrict application installations to approved sources. Monitor for anomalous device activity including excessive SMS access by non-messaging applications or background location reporting.

Network Indicators: Sidewinder C2 infrastructure is typically hosted on legitimate cloud services or compromised websites to blend traffic with normal web usage. Monitor for HTTP connections with encoded parameters matching SideWinder RAT communication patterns. Implement DNS filtering to block known malicious domains associated with Sidewinder infrastructure.
