• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

United Natural Foods Expects $400M revenue impact from June cyber attack

 | 

Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity

 | 

UNC6148 deploys Overstep malware on SonicWall devices, possibly for ransomware operations

 | 

Operation Eastwood disrupted operations of pro-Russian hacker group NoName057(16)

 | 

Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network

 | 

Former US Army member confesses to Telecom hack and extortion conspiracy

 | 

CVE-2025-6554 marks the fifth actively exploited Chrome Zero-Day patched by Google in 2025

 | 

DDoS peaks hit new highs: Cloudflare mitigated massive 7.3 Tbps assault

 | 

U.S. CISA adds Wing FTP Server flaw to its Known Exploited Vulnerabilities catalog

 | 

Android Malware Konfety evolves with ZIP manipulation and dynamic loading

 | 

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Intelligence
  • SideWinder APT targets maritime and nuclear sectors with enhanced toolset

SideWinder APT targets maritime and nuclear sectors with enhanced toolset

Pierluigi Paganini March 11, 2025

The APT group SideWinder targets maritime and logistics companies across South and Southeast Asia, the Middle East, and Africa.

Kaspersky researchers warn that the APT group SideWinder (also known as Razor Tiger, Rattlesnake, and T-APT-04) is targeting maritime, logistics, nuclear, telecom, and IT sectors across South Asia, Southeast Asia, the Middle East, and Africa.

SideWinder (also known as Razor Tiger, Rattlesnake, and T-APT-04) has been active since at least 2012, the group mainly targeted Police, Military, Maritime, and the Naval forces of Central Asian countries. In the 2022 attacks, the threat actors also targeted departments of Foreign Affairs, Scientific and Defence organisations, Aviation, IT industry, and Legal firms.

The threat actor maintains a large C2 infrastructure composed of more than 400 domains and subdomains that were used to host malicious payloads and control them.

Kaspersky observed SideWinder expanding its attacks in 2024, with growing activity in Egypt, Asia, and Africa.

Some of the attacks observed by the Russian cybersecurity firm show a focus on nuclear power plants and nuclear energy in South Asia and further expansion of activities into new African countries.

SideWinder APT

SideWinder rapidly adapts to security detections, modifying malware within hours, altering tactics, techniques, and procedures. The group was spotted changing file names to maintain persistence and evade defense.

“Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files.” reads the report published by Kaspersky. “Thus, monitoring and detection of the group’s activities reminds us of a ping-pong game.”

The infection pattern observed in the second part of 2024 is consistent with the one described in the previous article.

The infection flow is the same as past attacks, threat actors send spear-phishing emails with a DOCX file attached. The document loads an RTF template file stored on a remote server controlled by the attacker. The file exploits a Microsoft Office Memory Corruption flaw, tracked as CVE-2017-11882, to run a malicious shellcode and initiate a multi-level infection process. The final stage of the attack chain is a malware dubbed “Backdoor Loader” which loads a custom post-exploitation toolkit named “StealerBot”.

“During the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic is the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks anti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were configured to load the second stage from a specific file path embedded in the code, which also included the user’s name.” continues the report. “It indicates that these variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim.”

Most detected bait documents focused on government and diplomatic matters, though some covered generic topics like car rentals, real estate, and freelance job offers.

“SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches.” concludes the report. “Despite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


facebook linkedin twitter

Hacking hacking news information security news Intelligence IT Information Security Pierluigi Paganini Security Affairs SideWinder APT

you might also like

Pierluigi Paganini July 17, 2025
United Natural Foods Expects $400M revenue impact from June cyber attack
Read more
Pierluigi Paganini July 17, 2025
Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    United Natural Foods Expects $400M revenue impact from June cyber attack

    Security / July 17, 2025

    Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity

    Security / July 17, 2025

    UNC6148 deploys Overstep malware on SonicWall devices, possibly for ransomware operations

    Hacking / July 17, 2025

    Operation Eastwood disrupted operations of pro-Russian hacker group NoName057(16)

    Cyber Crime / July 16, 2025

    Salt Typhoon breach: Chinese APT compromises U.S. Army National Guard network

    Intelligence / July 16, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT