
Threat Actor Characterization

Windshift


ID: 82be24fe68596702112898966fa3b3bd51544
Cybercrime State-Sponsored
Threat types: Intrusion, Surveillance, Phishing
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: No aliases registered.
MITRE ATT&CK®

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. Ref: https://attack.mitre.org/groups/G0112/


Technique | Technique name | Tactics | Evidence

T1036.001 | Invalid Code Signature | TA0005
  • Masquerading: Invalid Code Signature - Windshift has used revoked certificates to sign malware.
T1059.005 | Visual Basic | TA0002
  • Command and Scripting Interpreter: Visual Basic - Windshift has used Visual Basic 6 (VB6) payloads.
T1071.001 | Web Protocols | TA0011
  • Application Layer Protocol: Web Protocols - Windshift has used tools that communicate with C2 over HTTP.
T1204.001 | Malicious Link | TA0002
  • User Execution: Malicious Link - Windshift has used links embedded in e-mails to lure victims into executing malicious code.
T1204.002 | Malicious File | TA0002
  • User Execution: Malicious File - Windshift has used e-mail attachments to lure victims into executing malicious code.
T1417.001 | Keylogging | TA0031, TA0035
  • Input Capture: Keylogging - Windshift has included keylogging capabilities as part of Operation ROCK.
T1518.001 | Security Software Discovery | TA0007
  • Software Discovery: Security Software Discovery - Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.
T1521.001 | Symmetric Cryptography | TA0037
  • Encrypted Channel: Symmetric Cryptography - Windshift has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Windshift has created LNK files in the Startup folder to establish persistence.
T1566.001 | Spearphishing Attachment | TA0001
  • Phishing: Spearphishing Attachment - Windshift has sent spearphishing e-mails with attachments to harvest credentials and deliver malware.
T1566.002 | Spearphishing Link | TA0001
  • Phishing: Spearphishing Link - Windshift has sent spearphishing e-mails with links to harvest credentials and deliver malware.
T1566.003 | Spearphishing via Service | TA0001
  • Phishing: Spearphishing via Service - Windshift has used fake personas on social media to engage and target victims.
T1627.001 | Geofencing | TA0030
  • Execution Guardrails: Geofencing - Windshift has region-locked its malicious applications during the Operation BULL campaign.
T1628.003 | Conceal Multimedia Files | TA0030
  • Hide Artifacts: Conceal Multimedia Files - Windshift has hidden multimedia files from the user.
T1632.001 | Code Signing Policy Modification | TA0030
  • Subvert Trust Controls: Code Signing Policy Modification - Windshift has installed malicious MDM profiles on iOS devices as part of Operation ROCK.
T1633.001 | System Checks | TA0030
  • Virtualization/Sandbox Evasion: System Checks - Windshift has deployed anti-analysis capabilities during the Operation BULL campaign.
T1636.003 | Contact List | TA0035
  • Protected User Data: Contact List - Windshift has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.
T1636.004 | SMS Messages | TA0035
  • Protected User Data: SMS Messages - Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.