Cybersecurity researchers from Group-IB and Bridewell have discovered a previously undocumented attack infrastructure used by the state-sponsored group SideWinder to target entities in Pakistan and China.
The infrastructure consists of a network of 55 domains and IP addresses that mimic various organizations in sectors such as news, government, telecommunications, and finance. SideWinder has been active since at least 2012 and primarily employs spear-phishing techniques to gain access to targeted environments.
The group’s main targets are believed to be associated with Indian espionage interests, with frequent attacks directed at countries including Pakistan, China, Sri Lanka, and Afghanistan.
In recent findings, SideWinder was observed using a technique called server-based polymorphism to evade detection in attacks against Pakistani government organizations. The newly discovered domains imitate government organizations in Pakistan, China, and India, and host government-themed lure documents designed to download an unknown next-stage payload.
Additionally, researchers uncovered malicious files uploaded to VirusTotal, including a Microsoft Word file allegedly from the Pakistan Navy War College and a Windows shortcut file engineered to run an HTML application retrieved from a server spoofing Tsinghua University’s email system.
Further investigation into SideWinder’s infrastructure led to the discovery of a malicious Android APK file masquerading as a “Ludo Game.” This rogue app prompts users to grant access to sensitive information such as contacts, location, phone logs, and SMS messages, effectively functioning as spyware.
The domains associated with SideWinder indicate the group’s targeting of financial, government, law enforcement, e-commerce, and mass media organizations in Pakistan and China.
The researchers emphasized the importance of deploying business email protection solutions to detect and neutralize malicious content, as spear-phishing remains SideWinder’s initial vector of attack.
