The advanced persistent threat (APT) group, SideWinder, has been accused of deploying a backdoor in attacks against Pakistan government organizations in a campaign that began in November 2022. BlackBerry Research and Intelligence Team reported the group used a server-based polymorphism technique to deliver the next stage payload. SideWinder is primarily known for targeting Southeast Asian entities in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.
It is believed to be an Indian state-sponsored group and is also known as APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. The group’s attack sequences involve carefully crafted email lures and DLL side-loading techniques to deploy malware capable of granting remote access to the targeted systems.
Furthermore, SideWinder has been linked to a cyber attack on Pakistan Navy War College (PNWC) and an Android malware campaign that leveraged rogue phone cleaner and VPN apps. The latest attack, documented by BlackBerry, mirrors findings from Chinese cybersecurity firm QiAnXin in December 2022, which revealed the use of PNWC lure documents to drop a lightweight .NET-based backdoor capable of retrieving and executing next-stage malware from a remote server.
The campaign stands out for its use of server-based polymorphism to distribute additional payloads, potentially sidestepping traditional signature-based antivirus detection.
In addition to targeting Pakistan, BlackBerry also found that SideWinder has set Turkey as a collection priority. The disclosure comes after Fortinet and Team Cymru revealed a new set of attacks perpetrated by a Pakistan-based threat actor known as SideCopy against Indian defense and military targets.
The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics.
