G0112: Windshift
Analyst context for executives and security teams
Windshift is documented by ATT&CK as a surveillance-focused threat group active since at least 2017, targeting specific individuals in government departments and critical infrastructure across the Middle East. The business significance is not broad commodity compromise; it is targeted collection against people whose roles may expose sensitive policy, operational, or infrastructure information. Leaders should treat this as a reminder that executive, diplomatic, operational, and mobile-user security controls need evidence-based validation, not just perimeter coverage.
Executive priority
Prioritize questions around high-risk individuals and sensitive functions: who would be most damaging to surveil, what devices and accounts do they use, and can the organization prove monitoring coverage for endpoint, mobile, web, and identity-adjacent activity? Because ATT&CK links Windshift to surveillance tooling and discovery, user-execution, web command-and-control, and mobile collection behaviors, this object is useful for executive protection planning, incident-response readiness, compliance evidence around monitoring, and cyber-physical risk discussions for critical infrastructure personnel.
Technical view
ATT&CK does not provide a group-level detection section or group platforms, so defenders should validate coverage through the listed relationships. Windshift is linked to WindTail, a macOS surveillance implant, and to techniques covering drive-by compromise, malicious links/files, Visual Basic, WMI, discovery of users/processes/system/software/security tools, masquerading and invalid code signatures, web-protocol command and control, ingress tool transfer, and mobile surveillance behaviors such as runtime code download, keylogging, file/device discovery, audio capture, location tracking, and video capture. SOC and IR teams should test whether telemetry can connect initial user interaction, suspicious execution, discovery, network callbacks, payload transfer, and mobile permission abuse into a single investigation timeline.
Likely telemetry
- Endpoint process execution and command-line/activity logs for discovery behaviors such as user, process, system, software, and security-tool enumeration.
- macOS endpoint telemetry, including application execution, file creation/modification, code-signing validation results, and suspicious masquerading indicators relevant to WindTail context.
- Web proxy, DNS, firewall, and EDR network telemetry for unusual HTTP/S or web-protocol command-and-control patterns and external file transfers.
- Email, browser, and web gateway evidence for malicious links, malicious files, and drive-by compromise investigation paths.
- Windows telemetry for WMI activity where Windows systems are in scope of the related technique set.
Detection direction
- Do not rely on a single indicator or malware name; validate behavior chains across user interaction, execution, discovery, masquerading, C2 over web protocols, and tool transfer.
- For macOS coverage, confirm that invalid or suspicious code-signing states, misleading application names/locations, and surveillance-implant-like behaviors are visible to the SOC.
- Tune discovery detections to account for legitimate administration and inventory tools; prioritize unusual parent processes, rare execution paths, sensitive-user devices, and sequences that combine discovery with outbound web traffic.
- For mobile, validate whether the organization can detect or investigate excessive permissions, runtime code download, audio/video/location access, keylogging-like behavior, and suspicious file/device discovery; many environments have weaker mobile telemetry than endpoint telemetry.
- Use relationship-driven context to build threat-informed hunts, but avoid assuming every listed technique will appear in every incident.
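The detection bullets above describe a chain rather than a single indicator: discovery on a host, followed within minutes by outbound web traffic, weighted by unusual parent processes and sensitive users, and tuned so sanctioned inventory tools do not fire. The following Python is an added example written for this page, not code from ATT&CK, Glexia, or any Windshift report. The process and network events, the sensitive-user list, the parent-process allowlists, the internal network ranges and the command-to-technique map are all constructed for the demo; the scoring weights are arbitrary choices a SOC would tune locally.

```python
"""Behavior-chain hunt: discovery activity followed by outbound web traffic.

Added example (not from ATT&CK or Glexia). Correlates endpoint process events
with web egress from the same host, the sequence the Windshift relationships
point to: T1033/T1082/T1057/T1518/T1047 discovery, then T1071.001 web C2.
Every list and event below is constructed for the demo.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import os

# Executable basename -> ATT&CK discovery technique (illustrative mapping).
DISCOVERY_COMMANDS = {
    "whoami": "T1033", "id": "T1033",                       # System Owner/User Discovery
    "hostname": "T1082", "uname": "T1082", "sw_vers": "T1082", "systeminfo": "T1082",
    "ps": "T1057", "tasklist": "T1057",                     # Process Discovery
    "system_profiler": "T1518",                             # Software Discovery
    "wmic": "T1047",                                        # WMI-based collection
}

# Constructed tuning lists for this (hypothetical) environment.
SENSITIVE_USERS = {"policy.lead", "ops.director"}
INVENTORY_PARENTS = {"osqueryd", "osqueryd.exe", "jamf"}          # sanctioned inventory: drop
SHELL_PARENTS = {"Terminal", "zsh", "bash", "cmd.exe", "powershell.exe"}  # expected parents
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample telemetry. 203.0.113.0/24 is a documentation range, not a real C2.
PROCESS_EVENTS = [
    {"host": "mac-policy-01", "ts": "2024-05-01T09:00:02Z", "user": "policy.lead", "parent": "Quarterly_Report.app", "cmd": "/usr/bin/whoami"},
    {"host": "mac-policy-01", "ts": "2024-05-01T09:00:03Z", "user": "policy.lead", "parent": "Quarterly_Report.app", "cmd": "hostname"},
    {"host": "mac-policy-01", "ts": "2024-05-01T09:00:05Z", "user": "policy.lead", "parent": "Quarterly_Report.app", "cmd": "ps -ax"},
    {"host": "mac-policy-01", "ts": "2024-05-01T09:00:09Z", "user": "policy.lead", "parent": "Quarterly_Report.app", "cmd": "system_profiler SPApplicationsDataType"},
    {"host": "win-admin-02", "ts": "2024-05-01T09:15:00Z", "user": "it.admin", "parent": "osqueryd.exe", "cmd": "whoami"},
    {"host": "win-admin-02", "ts": "2024-05-01T09:15:01Z", "user": "it.admin", "parent": "osqueryd.exe", "cmd": "wmic os get caption"},
    {"host": "mac-dev-03", "ts": "2024-05-01T10:00:00Z", "user": "dev.b", "parent": "Terminal", "cmd": "hostname"},
    {"host": "mac-dev-03", "ts": "2024-05-01T10:00:01Z", "user": "dev.b", "parent": "Terminal", "cmd": "ls -la /Applications"},
]
NETWORK_EVENTS = [
    {"host": "mac-policy-01", "ts": "2024-05-01T09:00:40Z", "user": "policy.lead", "dst": "203.0.113.10", "proto": "https", "bytes_out": 4096},
    {"host": "win-admin-02", "ts": "2024-05-01T09:15:30Z", "user": "it.admin", "dst": "10.20.30.40", "proto": "https", "bytes_out": 2048},
    {"host": "mac-dev-03", "ts": "2024-05-01T10:04:00Z", "user": "dev.b", "dst": "203.0.113.22", "proto": "https", "bytes_out": 512},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_discovery(event):
    """Return the discovery technique ID for a process event, or None."""
    exe = os.path.basename(event["cmd"].split()[0])
    return DISCOVERY_COMMANDS.get(exe)


def is_external_web(event):
    """True for HTTP/S traffic whose destination is outside the internal ranges."""
    if event["proto"] not in ("http", "https"):
        return False
    addr = ip_address(event["dst"])
    return not any(addr in net for net in INTERNAL_NETWORKS)


def hunt(process_events, network_events, window_minutes=10, min_techniques=2):
    """For each external web flow, look back `window_minutes` on the same host
    for discovery commands; report when at least `min_techniques` distinct
    discovery techniques precede the flow. Events spawned by sanctioned
    inventory tools are ignored; unusual parents and sensitive users raise the score."""
    findings = []
    for net in network_events:
        if not is_external_web(net):
            continue
        end = parse_ts(net["ts"])
        start = end - timedelta(minutes=window_minutes)
        techniques, parents = set(), set()
        for proc in process_events:
            if proc["host"] != net["host"] or proc["parent"] in INVENTORY_PARENTS:
                continue
            if not (start <= parse_ts(proc["ts"]) <= end):
                continue
            tech = classify_discovery(proc)
            if tech:
                techniques.add(tech)
                parents.add(proc["parent"])
        if len(techniques) < min_techniques:
            continue
        unusual = sorted(p for p in parents if p not in SHELL_PARENTS)
        score = len(techniques)
        score += 2 if net["user"] in SENSITIVE_USERS else 0   # sensitive-user device
        score += 2 if unusual else 0                           # non-shell parent process
        findings.append({
            "host": net["host"], "user": net["user"], "ts": net["ts"], "dst": net["dst"],
            "techniques": sorted(techniques), "unusual_parents": unusual, "score": score,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(finding)
```

Run as-is, only the policy user's macOS host is reported: four discovery techniques from an application parent, followed by an external HTTPS flow, score 8. The admin host is suppressed because its discovery came from an allowlisted inventory agent and its flow was internal, and the developer host falls below the two-technique threshold (lower `min_techniques` to 1 to see it appear with a low score). In production the same logic would read from the EDR and proxy data sources listed under Likely telemetry rather than inline lists.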
Mitigation priorities
- Identify high-risk individuals in government, critical infrastructure, executive, legal, policy, or operational roles and apply enhanced endpoint, mobile, and account monitoring where appropriate.
- Harden user-execution paths with secure email/web controls, attachment and link handling, browser protections, and user reporting workflows.
- Strengthen macOS security baselines, including application control, code-signing validation, endpoint visibility, and rapid triage of suspicious applications or files.
- Maintain endpoint and mobile patching, application inventory, and security-tool health monitoring so discovery and evasion attempts are more visible.
- Control and monitor web egress and external file transfer paths, especially from sensitive-user devices.
Analyst notes and limits
The most decision-useful aspect of this object is the surveillance and individual-targeting context. Windshift is also linked to WindTail, a macOS surveillance implant, which makes Apple endpoint visibility especially relevant where such devices are used by sensitive personnel. The listed mobile techniques broaden the defensive conversation to phones and tablets, where audio, video, location, keyboard, and runtime-code behaviors may be material but are often under-instrumented.
ATT&CK provides no official detection text, no group-level tactics, and no group-level platforms for this intrusion set. Platform and behavior guidance above is derived from the supplied relationships and related technique/software descriptions, not from a complete Windshift procedure list. Local asset mix, telemetry availability, legal constraints for mobile monitoring, and regional threat exposure must determine final prioritization.
Windshift
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | Windshift has used malware to enumerate active processes. (Citation: BlackBerry Bahamut) |
| Enterprise | T1189 | Drive-by Compromise | Windshift has used compromised websites to register custom URL schemes on a remote system. (Citation: objective-see windtail1 dec 2018) |
| Enterprise | T1059.005 | Visual Basic | Windshift has used Visual Basic 6 (VB6) payloads. (Citation: BlackBerry Bahamut) |
| Enterprise | T1518.001 | Security Software Discovery | Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools. (Citation: BlackBerry Bahamut) |
| Enterprise | T1566.001 | Spearphishing Attachment | Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware. (Citation: SANS Windshift August 2018) |
| Enterprise | T1204.001 | Malicious Link | Windshift has used links embedded in e-mails to lure victims into executing malicious code. (Citation: SANS Windshift August 2018) |
| Enterprise | T1566.003 | Spearphishing via Service | Windshift has used fake personas on social media to engage and target victims. (Citation: SANS Windshift August 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Windshift has created LNK files in the Startup folder to establish persistence. (Citation: BlackBerry Bahamut) |
| Enterprise | T1518 | Software Discovery | Windshift has used malware to identify installed software. (Citation: BlackBerry Bahamut) |
| Enterprise | T1566.002 | Spearphishing Link | Windshift has sent spearphishing emails with links to harvest credentials and deliver malware. (Citation: SANS Windshift August 2018) |
| Enterprise | T1036.001 | Invalid Code Signature | Windshift has used revoked certificates to sign malware. (Citation: objective-see windtail1 dec 2018) (Citation: SANS Windshift August 2018) |
| Enterprise | T1027 | Obfuscated Files or Information | Windshift has used string encoding with floating point calculations. (Citation: BlackBerry Bahamut) |
| Enterprise | T1071.001 | Web Protocols | Windshift has used tools that communicate with C2 over HTTP. (Citation: BlackBerry Bahamut) |
| Enterprise | T1036 | Masquerading | |
| Enterprise | T1105 | Ingress Tool Transfer | Windshift has used tools to deploy additional payloads to compromised hosts. (Citation: BlackBerry Bahamut) |
| Enterprise | T1047 | Windows Management Instrumentation | Windshift has used WMI to collect information about target machines. (Citation: BlackBerry Bahamut) |
| Enterprise | T1033 | System Owner/User Discovery | Windshift has used malware to identify the username on a compromised host. (Citation: BlackBerry Bahamut) |
| Enterprise | T1082 | System Information Discovery | Windshift has used malware to identify the computer name of a compromised host. (Citation: BlackBerry Bahamut) |
| Enterprise | T1204.002 | Malicious File | Windshift has used e-mail attachments to lure victims into executing malicious code. (Citation: SANS Windshift August 2018) |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | dc022417c5a1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SANS Windshift August 2018: Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.
- [2] objective-see windtail1 dec 2018: Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
- [3] objective-see windtail2 jan 2019: Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- [4] Bahamut (Citation: SANS Windshift August 2018)
- [5] mitre-attack G0112
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.