Threat Actor Characterization

SideWinder

ID: 432a7ada458a856deb38ed1eecd9634929552
Tags: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Phishing
Origin: India
Updated: 2026-01-13
Created: 2025-10-21
Operation zone: UNKNOWN
Aliases: APT-C-17, Razor Tiger
MITRE ATT&CK®

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. It has been observed targeting government, military, and business entities throughout Asia, primarily in Pakistan, China, Nepal, and Afghanistan. Ref: https://attack.mitre.org/groups/G0121/


Techniques (technique ID, technique name, tactic IDs, evidence):

T1027.010 Obfuscated Files or Information: Command Obfuscation (TA0005)
  • Sidewinder has used base64 encoding for scripts.
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File (TA0005)
  • Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.
T1036.005 Masquerading: Match Legitimate Resource Name or Location (TA0005)
  • Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.
T1059.001 Command and Scripting Interpreter: PowerShell (TA0002)
  • Sidewinder has used PowerShell to drop and execute malware loaders.
T1059.005 Command and Scripting Interpreter: Visual Basic (TA0002)
  • Sidewinder has used VBScript to drop and execute malware loaders.
T1059.007 Command and Scripting Interpreter: JavaScript (TA0002)
  • Sidewinder has used JavaScript to drop and execute malware loaders.
T1071.001 Application Layer Protocol: Web Protocols (TA0011)
  • Sidewinder has used HTTP in C2 communications.
T1074.001 Data Staged: Local Data Staging (TA0009)
  • Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.
T1204.001 User Execution: Malicious Link (TA0002)
  • Sidewinder has lured targets into clicking malicious links to gain execution in the target environment.
T1204.002 User Execution: Malicious File (TA0002)
  • Sidewinder has lured targets into opening malicious files to gain execution in the target environment.
T1218.005 System Binary Proxy Execution: Mshta (TA0005)
  • Sidewinder has used mshta.exe to execute malicious payloads.
T1518.001 Software Discovery: Security Software Discovery (TA0007)
  • Sidewinder has used the WMI namespace winmgmts:\.\root\SecurityCenter2 to check installed antivirus products.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (TA0003, TA0004)
  • Sidewinder has added paths to executables in the Registry to establish persistence.
T1559.002 Inter-Process Communication: Dynamic Data Exchange (TA0002)
  • Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.
T1566.001 Phishing: Spearphishing Attachment (TA0001)
  • Sidewinder has sent e-mails with malicious attachments, often crafted for specific targets.
T1566.002 Phishing: Spearphishing Link (TA0001)
  • Sidewinder has sent e-mails with malicious links, often crafted for specific targets.
T1574.001 Hijack Execution Flow: DLL (TA0003, TA0004, TA0005)
  • Sidewinder has used DLL side-loading to drop and execute malicious payloads, including hijacking the legitimate Windows application file rekeywiz.exe.
T1598.002 Phishing for Information: Spearphishing Attachment (TA0043)
  • Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.
T1598.003 Phishing for Information: Spearphishing Link (TA0043)
  • Sidewinder has sent e-mails with malicious links to credential harvesting websites.