• APT SideWinder, also known as Rattlesnake, Razor Tiger, and T-APT-04, is a nation-state advanced persistent threat (APT) group active since at least 2012 and believed to originate from India.

    Noted for targeting military, government, and strategic business entities, particularly in South Asia, SideWinder’s operational footprint has recently expanded to critical infrastructure in the Middle East and Africa.

    Who is APT SideWinder?

    SideWinder is distinguished by its persistent and adaptive cyber-espionage operations. The group’s primary motives revolve around intelligence gathering targeting national defense, diplomatic, financial, maritime, and nuclear sectors.

    Alias Names | Suspected Country | Years Active | Focus Regions | Typical Victims
    Rattlesnake, T-APT-04, Razor Tiger, APT-C-17 | India | 2012–Present | South Asia, Middle East, Africa, Southeast Asia | Military, Government, Maritime, Nuclear, Logistics, Telecom, Financial Institutions

    Recent campaigns indicate an aggressive shift toward government, logistics, and especially maritime infrastructure in the Indian Ocean and Mediterranean Sea.

    SideWinder—also tracked as APT-C-17, Razor Tiger, Rattlesnake, Baby Elephant, Leafperforator, and T-APT-04—is suspected of operating from India based on persistent focus on Pakistan, China, Nepal, Bangladesh, and other geopolitical rivals, plus linguistic and infrastructure clues.

    SideWinder APT Milestones.
    • Primary motivation: long-term political and military intelligence gathering.
    • Typical victims: defence ministries, foreign affairs departments, armed-forces e-mail systems, and, since 2024, maritime logistics operators and nuclear-power agencies.
    • Infrastructure depth: more than 400 live domains and hundreds of sub-domains supporting download sites, C2 nodes, and phishing portals at any given time.

    Overview of APT SideWinder

    Operational Approach

    SideWinder orchestrates well-planned spear-phishing campaigns, leveraging geo-fenced payloads and regionally tailored lures. Exploitation of legacy Microsoft Office vulnerabilities (notably CVE-2017-11882, CVE-2017-0199) is a hallmark of its campaigns.

    The group uses sophisticated multi-stage loader delivery mechanisms, frequently deploying obfuscated JavaScript, malicious Office documents, and weaponized RTF/LNK files.

    SideWinder Attack Chain

    Infection Chain Diagram

    A detailed diagram mapping SideWinder’s attack orchestration:

    Victimology has expanded markedly since 2022, when Kaspersky logged over 1,000 SideWinder intrusions in 18 months. By 2025, the actor was simultaneously running campaigns against port authorities in Egypt, logistics firms in Djibouti, and nuclear-power regulators in South Asia.

    Analyzing SideWinder’s Tactics, Techniques, and Procedures (TTPs)

    SideWinder’s TTPs map cleanly onto the MITRE ATT&CK framework: fileless, modular payloads, document exploitation, and resilient, frequently rotated C2 infrastructure.

    1. Initial Access

    • Spear-phishing emails: Weaponized Office documents or ZIP files, tailored to individual organizations and regions, often with geofenced delivery.
    • Exploitation: Remote template injection triggers embedded exploit code for CVE-2017-0199 and CVE-2017-11882, resulting in initial payload execution.
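    The two document mechanics above (a remote template or external OLE relationship that Office resolves before the user sees any content, and an embedded Equation Editor object that hosts the CVE-2017-11882 trigger) both leave static marks inside the OOXML package. The scanner below is an added example written for this profile, not SideWinder tooling and not code from the original article; the two sample documents it scans are constructed inline, and the 203.0.113.10 address and template path are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_URI = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that a document received by e-mail should never resolve
# to a remote host: Word fetches them before the user sees any content.
SUSPECT_REL_TYPES = {"attachedTemplate", "oleObject", "frame"}
# Remote targets: http(s) URLs and UNC paths (UNC targets also leak NTLM hashes).
# A local file:/// template, which Word writes for ordinary documents, is not flagged.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)
# Equation Editor OLE objects (the CVE-2017-11882 host) appear in document.xml
# with this ProgID.
EQNEDT_PROGID = re.compile(r'ProgID="Equation\.[23]"')


def scan_ooxml(data: bytes) -> list:
    """Return a list of findings (strings) for one OOXML file; empty means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter("{%s}Relationship" % REL_URI):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    target = rel.get("Target", "")
                    if (rel.get("TargetMode") == "External"
                            and rtype in SUSPECT_REL_TYPES
                            and REMOTE_TARGET.match(target)):
                        findings.append("%s: external %s -> %s" % (name, rtype, target))
            elif name.endswith("/document.xml"):
                if EQNEDT_PROGID.search(zf.read(name).decode("utf-8", "replace")):
                    findings.append("%s: embedded Equation Editor OLE object" % name)
    return findings


def build_docx(settings_rels_body: str, document_xml: str) -> bytes:
    """Constructed, deliberately minimal .docx (just enough parts for the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", '<Relationships xmlns="%s"/>' % REL_URI)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>'
                    % (REL_URI, settings_rels_body))
    return buf.getvalue()


# Constructed samples. The benign file attaches a local template, which is
# normal; the lure pulls its template over HTTP and carries an Equation.3 object.
BENIGN_DOCX = build_docx(
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="file:///C:\\Users\\analyst\\Templates\\Normal.dotm" TargetMode="External"/>'
    % OFFICE_REL,
    "<w:document><w:body/></w:document>")

LURE_DOCX = build_docx(
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="http://203.0.113.10/update/template.dotm" TargetMode="External"/>'
    % OFFICE_REL,
    '<w:document><w:body><o:OLEObject Type="Embed" ProgID="Equation.3" '
    'ShapeID="_x0000_i1025"/></w:body></w:document>')


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("lure", LURE_DOCX)):
        print(label, scan_ooxml(doc) or "clean")
```

    The check deliberately ignores local file:/// templates so that ordinary corporate documents do not alert; an RTF lure needs a separate parser, because RTF carries the same objects as \objdata control words rather than as package relationships.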

    2. Execution, Persistence, and Evasion

    • Multi-Stage Loaders: Obfuscated JavaScript/.NET stages hand off to shellcode-based loaders that fetch modular implants such as StealerBot and the WarHawk backdoor.
    • DLL Side-Loading: A malicious DLL placed beside a legitimate, typically signed, executable so that the trusted process loads it, lending the implant the host binary’s reputation.
    • Fileless Malware: Implants decoded and loaded directly into memory (RAM-resident) rather than written to disk, evading file-based detection.

    3. Command and Control (C2)

    • Infrastructure: 400+ domains, dynamic subdomains, HTTPS-encrypted communications, Telegram for data exfiltration, periodic infrastructure changes for detection evasion.

    4. Post-Exploitation Modules

    • StealerBot: Modular espionage tool providing keystroke logging, screenshot capture, credential harvesting, data exfiltration, persistent access, and secondary malware deployment.
    • WarHawk Backdoor: Advanced loader with kernel-level injection, time zone checks, and dedicated modules for download/execute, command execution, and file exfiltration.

    5. Lateral Movement

    • Credential Harvesting: RDP, browser credentials, and access escalation to adjacent systems.
    • Rapid Adaptation: SideWinder modifies malware within hours post-detection, alters file and infrastructure naming for persistence.
    MITRE ATT&CK Stage | Example Techniques (IDs) | SideWinder Implementation
    Initial Access | Spearphishing Attachment (T1566.001), Exploit Public-Facing Application (T1190) | Targeted spear-phishing, document exploits
    Execution | User Execution: Malicious File (T1204.002), Command and Scripting Interpreter: JavaScript (T1059.007) | Weaponized attachments, script loaders
    Persistence | Hijack Execution Flow: DLL Side-Loading (T1574.002), Process Injection (T1055) | Side-loaded binaries, RAM-resident implants
    Defense Evasion | Obfuscated Files or Information (T1027), Dynamic Resolution (T1568), Ingress Tool Transfer (T1105) | Obfuscated payloads, rapid infrastructure changes
    Credential Access | OS Credential Dumping (T1003), Credentials from Password Stores (T1555) | StealerBot credential harvesting
    Discovery | System Information Discovery (T1082), Network Service Discovery (T1046) | Recon modules post-compromise
    Collection & Exfiltration | Data Staged (T1074), Exfiltration Over C2 Channel (T1041) | Data theft, screenshots, exfil via HTTPS/Telegram
    Command and Control | Application Layer Protocol: Web Protocols (T1071.001), Encrypted Channel (T1573), External Remote Services (T1133) | HTTPS/Tor, Telegram, custom protocols
    Lateral Movement | Remote Services (T1021), Native API (T1106) | Move within the network, maintain persistent espionage

    Notable Attacks and Campaigns

    Real-World Attack Examples

    Year | Target/Region | Attack Vector & Payload | Outcome/Impact
    2013 | Indian Embassy, Kabul | Phishing with malicious DOC/RTF | Data exfiltration, diplomatic intelligence loss
    2015 | Pakistani Air Force | Spear-phishing, exploit chain, custom backdoor implant | Sensitive military files exfiltrated
    2018 | Ukrainian Military Website | Malicious script, credential harvesting via info stealer | Tactical intelligence compromised
    2024 | Sri Lanka CB & Govt Agencies | Geofenced spear-phishing, Office exploit to StealerBot | Persistent access, financial and government espionage
    2024 | Maritime Sector (Djibouti, Egypt) | Phishing, compromised documents, agile infrastructure, StealerBot, WarHawk | Strategic infrastructure mapping, logistics planning theft
    2025 | Pakistan Cabinet Division | ISO bundles, LNK, WarHawk backdoor, kernel injection, timezone checks | Cobalt Strike deployment, access maintained in local time zone

    APT SideWinder exemplifies a modern, adaptive, and regionally effective cyber espionage threat. By continuously improving its toolkit (e.g., StealerBot, WarHawk), leveraging fileless persistence, and targeting geopolitical interests, SideWinder remains a persistent risk for government, defense, maritime, and financial sectors across Eurasia and Africa.

    The post APT SideWinder Actor Profile – Recent Attacks, Tactics, Techniques, and Procedures appeared first on Cyber Security News.

  • Bragg Gaming Group (NASDAQ: BRAG, TSX: BRAG), a prominent content and technology provider in the online gaming industry, has disclosed a cybersecurity incident that compromised its internal computer systems over the weekend. The company discovered the breach on August 16, 2025, and has immediately implemented containment measures while engaging independent cybersecurity experts to assist with […]

    The post Bragg Confirms Cyberattack, Internal IT Systems Breached appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The Department of Justice has announced a significant victory against cybercriminals, seizing over $2.8 million in cryptocurrency and additional assets from a Zeppelin ransomware operation. The coordinated law enforcement action targeted Ianis Aleksandrovich Antropenko, who faces federal charges for his role in deploying ransomware attacks against victims worldwide, including numerous American organizations and businesses. Major […]

    The post DoJ Seizes $2.8M in Crypto from Zeppelin Ransomware Group appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Power doesn’t just disappear in one big breach. It slips away in the small stuff—a patch that’s missed, a setting that’s wrong, a system no one is watching. Security usually doesn’t fail all at once; it breaks slowly, then suddenly. Staying safe isn’t about knowing everything—it’s about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk. Here are this

  • A critical vulnerability in the Linux kernel’s netfilter subsystem has been discovered that allows local attackers to escalate privileges through an out-of-bounds write condition. The flaw, identified as CVE-2024-53141, affects the ipset bitmap functionality and could enable unprivileged users to gain root access on vulnerable systems. CVE ID CVE-2024-53141 Affected Versions Up to commit 041bd1e4 in Torvalds’s Linux […]

    The post Linux Kernel Netfilter Flaw Enables Privilege Escalation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Over 1,000 exposed and unpatched N-able N-central Remote Monitoring and Management (RMM) servers are vulnerable to two newly disclosed zero-day vulnerabilities – CVE-2025-8875 and CVE-2025-8876. 

    As of August 15, 2025, exactly 1,077 unique IPs have been identified as running outdated N-central versions, presenting a significant risk to managed service providers (MSPs) and their clients. 

    These vulnerabilities are now tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, underlining their severity.

    Key Takeaways
    1. 1,077 unpatched N-able N-central RMM servers exposed to CVE-2025-8875 & CVE-2025-8876 zero-days.
    2. RCE vulnerabilities allow attackers to compromise MSP environments.
    3. Immediate upgrade required.

    The Shadowserver Foundation scan data reveals that unpatched servers are concentrated in the United States (440 IPs), Canada (112 IPs), the Netherlands (110 IPs), and the United Kingdom (98 IPs), with additional exposed instances found in Australia and South Africa. 

    Top affected countries

    N-able N-central Vulnerabilities

    Both vulnerabilities affect HTTP-accessible N-central deployments and remain exploitable until administrators apply the newly released version 2025.3.1 security patch.

    CVE-2025-8875 and CVE-2025-8876 are classified as authentication-required RCE (Remote Code Execution) vulnerabilities. 

    While authentication limits initial attack vectors, threat actors who obtain credentials—through phishing or prior compromises—can exploit these flaws to execute arbitrary commands, escalate privileges, and potentially pivot within MSP-managed environments.

    N-able’s recommended upgrade path is critical: “You must upgrade your on-premises N-central to 2025.3.1. Details of the CVEs will be published three weeks after the release as per our security practices.”

    The update introduces vital audit logging improvements for SSH and scheduled tasks (such as “SSH Login”, “Scheduled Task Edited”, “Script Deleted”) and supports Syslog export for enhanced compliance monitoring.

    Administrators can configure the new audit logging using:

    (screenshot of the audit-logging configuration not reproduced)

    Alongside these security upgrades, N-central’s Device Management API has improved automation. MSPs can now onboard endpoints in bulk via POST /api/device and retrieve application details using:

    (screenshot of the Device Management API request not reproduced)

    These enhancements empower defenders to audit user activity and accelerate device onboarding, but require timely remediation. 
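    Because both CVEs require valid credentials, the audit events named above (SSH Login, Scheduled Task Edited, Script Deleted) are the telemetry that distinguishes a stolen-credential session from routine administration: an attacker who lands on the server and then reshapes the automation that N-central pushes to managed endpoints leaves exactly that sequence. The correlation below is an added example for this article, not N-able code and not a documented N-able log format; the syslog layout, the admin-network allow-list and the sample lines are all constructed assumptions to be adjusted to the real export.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout (not N-able's documented format): RFC 3164 header,
# then key="value" pairs. Adjust LINE_RE to the real Syslog export before use.
LINE_RE = re.compile(
    r'^<\d+>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ audit: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
YEAR = 2025                      # RFC 3164 timestamps carry no year; assumed
ADMIN_NETS = ("10.0.0.",)        # assumed allow-list of admin jump-host prefixes
TAMPER_EVENTS = {"Scheduled Task Edited", "Script Deleted"}
WINDOW = timedelta(minutes=15)

# Constructed sample: one login from an unknown address followed by automation
# tampering, one routine admin session from the jump host, and one deletion
# too long after any suspicious login to correlate.
SAMPLE_LOG = """\
<134>Aug 16 02:13:07 ncentral audit: user="svc-backup" event="SSH Login" src="203.0.113.9" result="success"
<134>Aug 16 02:14:22 ncentral audit: user="svc-backup" event="Script Deleted" name="patch-rollout.ps1"
<134>Aug 16 02:15:01 ncentral audit: user="svc-backup" event="Scheduled Task Edited" task="Nightly-Update"
<134>Aug 16 09:30:00 ncentral audit: user="alice" event="SSH Login" src="10.0.0.5" result="success"
<134>Aug 16 09:31:10 ncentral audit: user="alice" event="Scheduled Task Edited" task="Nightly-Update"
<134>Aug 16 18:40:00 ncentral audit: user="svc-backup" event="Script Deleted" name="old-cleanup.ps1"
"""


def parse_line(line):
    """Return a dict of fields plus a datetime under 'ts', or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("kv")))
    stamp = re.sub(r" +", " ", m.group("ts"))          # "Aug  6" -> "Aug 6"
    ev["ts"] = datetime.strptime("%d %s" % (YEAR, stamp), "%Y %b %d %H:%M:%S")
    return ev


def correlate(log_text):
    """Flag automation tampering within WINDOW of an SSH login from outside ADMIN_NETS."""
    alerts = []
    last_external_login = {}   # user -> (timestamp, source address)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, event = ev.get("user"), ev.get("event")
        if event == "SSH Login" and ev.get("result") == "success":
            if not ev.get("src", "").startswith(ADMIN_NETS):
                last_external_login[user] = (ev["ts"], ev.get("src"))
        elif event in TAMPER_EVENTS and user in last_external_login:
            t0, src = last_external_login[user]
            if timedelta(0) <= ev["ts"] - t0 <= WINDOW:
                alerts.append("%s: %s at %s, %s after SSH login from %s"
                              % (user, event, ev["ts"].strftime("%H:%M:%S"),
                                 ev["ts"] - t0, src))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

    On the sample this raises two alerts for svc-backup and none for alice; the jump-host allow-list is what keeps legitimate change windows quiet, so it must be maintained alongside the rule.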

    Any instances receiving Shadowserver alerts should be immediately reviewed for compromise and patched using N-able’s official update.

    The post 1000+ Exposed N-able N-central RMM Servers Unpatched for 0-Day Vulnerabilities appeared first on Cyber Security News.

  • Oracle has announced the release of VirtualBox 7.2, a major update to the popular open-source virtualization platform that introduces significant enhancements for Windows 11/Arm virtualization, comprehensive GUI improvements, and numerous bug fixes. 

    Released on August 14, 2025, this version marks a substantial advancement in cross-platform virtualization capabilities, particularly targeting the growing Arm-based computing ecosystem while maintaining robust support for traditional x86_64 architectures.

    Key Takeaways
    1. VirtualBox 7.2 introduces full virtualization of Windows 11/Arm guests on both Arm and x86‑64 hosts (via Hyper‑V).
    2. Redesigned interface with sidebar tools and tabbed VM panels improves usability.
    3. Hardware-accelerated 3D/video, TPM 2.0 save-state security, and over 50 bug fixes.

    GUI Enhancements and Interface Improvements

    The most immediately noticeable change in VirtualBox 7.2 involves a complete redesign of the user interface architecture. 

    The development team has relocated global and VM tools from traditional hamburger menus to a more accessible global tools taskbar positioned vertically on the left side of the interface, complemented by VM tools tabs displayed horizontally above the right-hand panel. 

    This restructuring addresses long-standing user experience concerns regarding tool accessibility and workflow efficiency.

    Additional interface refinements include improvements to the Preferences and Settings pages with enhanced NLS (Native Language Support) fixing, better handling of keyboard LEDs in the Soft Keyboard feature, and the addition of a checkbox for making Shared Folders global across all virtual machines. 

    The clone VM wizard has also received critical bug fixes that previously prevented users from including snapshots in clone operations, addressing GitHub issue GH-59.

    Windows/Arm Support and Cross-Platform Virtualization

    The headline feature of VirtualBox 7.2 centers on comprehensive Windows/Arm host support, now included in the unified Windows installer package. 

    This implementation enables Arm virtualization of VMs and specifically supports Windows 11/Arm guest systems, complete with dedicated Guest Additions for the new OS type. 

    The Windows/Arm guest environment now includes a WDDM Graphics driver supporting both 2D and 3D rendering modes, alongside full Shared Folder functionality.

    For macOS Arm hosts, VirtualBox 7.2 introduces experimental 3D acceleration support using DXMT technology, replacing the previous non-functional solution that relied on DXVK over MoltenVK. 

    However, this update notably removes 3D acceleration support for macOS hosts using Intel CPUs. 

    The VMM (Virtual Machine Manager) has received substantial improvements for both x86_64 and Arm CPU feature reporting when utilizing Windows Hyper-V as the virtualization engine, including enhanced xsave/xrstor instruction handling and support for x86_64-v3 instruction set extensions featuring AVX and AVX2 capabilities.

    Bug Fixes and Performance Optimizations

    VirtualBox 7.2 addresses numerous critical issues across multiple subsystems. The VMM/HM component (the hardware-assisted virtualization layer) now properly supports nested virtualization on Intel CPUs, while the graphics subsystem avoids assertions when guests attempt to use VMSVGA 3D functions with disabled features. 

    Storage improvements include fixes for VMDK image corruption during resizing operations and the integration of NVMe storage controller emulation into the open-source base package.

    Network functionality has received comprehensive attention, with multiple NAT (Network Address Translation) fixes improving DNS server handling and VM settings preservation. 

    The TPM (Trusted Platform Module) implementation now properly handles save state operations, while ACPI support has been added for Arm VMs.

    Linux compatibility extends to kernel version 6.17, ensuring continued support for cutting-edge distributions.

    The post VirtualBox 7.2 Released With Support for Windows 11/Arm VMs and 50 Bug Fixes appeared first on Cyber Security News.

  • Chinese-speaking cybercriminals are using ghost-tapping techniques to take advantage of Near Field Communication (NFC) relay tactics in a sophisticated evolution of payment card fraud. They are mainly targeting mobile payment services such as Apple Pay and Google Pay. This attack vector involves relaying stolen payment card credentials from compromised devices to mules’ burner phones, enabling […]

    The post New Ghost-Tapping Attacks Target Apple Pay and Google Pay Users’ Linked Cards appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler

  • A critical security vulnerability has been discovered in Rockwell Automation’s ControlLogix Ethernet communication modules, potentially allowing remote attackers to execute arbitrary code on industrial control systems. 

    The vulnerability, tracked as CVE-2025-7353, affects multiple ControlLogix Ethernet modules and carries a maximum CVSS score of 9.8, indicating severe security implications for industrial automation environments. 

    Key Takeaways
    1. Critical flaw in Rockwell ControlLogix Ethernet modules due to the enabled web debugger agent.
    2. Attackers can remotely execute code, dump memory, and control industrial systems.
    3. Update immediately; implement network segmentation if patching is delayed.

    Rockwell Automation published the security advisory on August 14, 2025, after discovering the flaw during internal testing procedures.

    Insecure Default Configuration Flaw (CVE-2025-7353)

    The CVE-2025-7353 vulnerability stems from an insecure default configuration in the web-based debugger (WDB) agent that remains enabled on production devices. 

    This debugging interface, intended for development purposes, creates a significant attack vector when left active in operational environments. 

    The vulnerability allows unauthenticated remote attackers to establish connections using specific IP addresses to access the WDB agent functionality.

    The flaw is classified under CWE-1188: Initialization of a Resource with an Insecure Default, highlighting the fundamental security issue of shipping products with debugging capabilities enabled by default. 

    The CVSS 3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that the vulnerability can be exploited over the network with low complexity, requires no privileges or user interaction, and provides high impact across confidentiality, integrity, and availability.

    The vulnerability impacts several ControlLogix Ethernet communication modules, including 1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, and 1756-EN2TP/A models running firmware version 11.004 or below. 

    These modules serve as critical communication interfaces between ControlLogix programmable automation controllers (PACs) and Ethernet networks in industrial environments.

    Successful exploitation enables attackers to perform memory dumps, modify system memory, and control the execution flow of the affected devices. 

    This level of access could potentially allow attackers to manipulate industrial processes, access sensitive operational data, or disrupt manufacturing operations. 

    The web-based debugger agent provides low-level system access typically reserved for authorized development and maintenance personnel.

    Risk Factors | Details
    Affected Products | Rockwell Automation ControlLogix Ethernet modules: 1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, 1756-EN2TP/A (all running firmware version 11.004 or below)
    Impact | Remote code execution
    Exploit Prerequisites | Network access to the target device; connection to the WDB agent from a specific IP address; no authentication required; no user interaction needed
    CVSS 3.1 Score | 9.8 (Critical)

    Mitigations 

    Rockwell Automation has released firmware version 12.001 to address the vulnerability across all affected ControlLogix Ethernet modules. 

    Organizations should prioritize updating to this corrected version as the primary mitigation strategy. The update disables the insecure default configuration of the WDB agent, eliminating the primary attack vector.

    For environments where immediate firmware updates are not feasible, Rockwell Automation recommends implementing comprehensive security best practices. 

    These include network segmentation to isolate industrial control systems, implementation of proper firewall rules to restrict access to debugging interfaces, and continuous monitoring of network traffic for suspicious activities. 

    Organizations should also conduct thorough security assessments of their industrial automation infrastructure to identify similar vulnerabilities in other systems.

    The post Rockwell ControlLogix Ethernet Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.