G0121: Sidewinder
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]
Analyst context for executives and security teams
Sidewinder is an ATT&CK group entry for a suspected Indian threat actor reported as active since at least 2012 and observed targeting government, military, and business entities in parts of Asia. Its value for defenders is not a single indicator list, but the behavior pattern in the relationships: user-driven execution, scripting, client exploitation, discovery, staging, web-based command and control, tool transfer, and automated collection/exfiltration. For leaders, this makes Sidewinder relevant to resilience planning where phishing, endpoint scripting, and sensitive document exposure could affect government, defense, or regionally connected business operations.
Executive priority
Prioritize this as a validation scenario for targeted intrusion readiness rather than as proof of current exposure. Executives should ask whether the organization can detect and investigate a chain that begins with malicious links or files, uses Windows scripting or trusted utilities, performs broad discovery, stages data locally, and moves data out over common web protocols. This supports control prioritization for endpoint visibility, email/web risk reduction, vulnerability management for client applications, data protection, and incident response evidence collection.
Technical view
ATT&CK does not provide a detection section for Sidewinder, so SOC and IR teams should validate coverage from the related techniques. Key areas include execution through PowerShell, Visual Basic, JavaScript, Mshta, malicious links/files, and exploitation for client execution; discovery of users, processes, network configuration, files, system information, time, installed software, and security tools; local staging and automated collection; ingress tool transfer; web-protocol command and control; and automated exfiltration. Koadic is the associated software relationship and is described as a Windows post-exploitation framework using Windows Script Host, so Windows script execution telemetry is especially important where Windows assets are in scope.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, script hosts, mshta.exe, JavaScript/JScript, and Visual Basic execution
- Parent-child process relationships showing document, browser, email, script host, or trusted utility execution chains
- File creation, modification, and directory traversal events related to local data staging and file discovery
- Discovery command evidence for user, process, network configuration, system information, software, security software, and system time enumeration
- Network proxy, DNS, firewall, and web gateway logs for outbound HTTP/S or other web-protocol command-and-control patterns
Detection direction
- Build detections around sequences, not isolated commands: user interaction or client exploitation followed by scripting, discovery, staging, and outbound web traffic is more meaningful than any single administrative utility.
- Tune for legitimate administration noise because discovery commands, PowerShell, JavaScript, and web protocols are common in enterprise environments.
- Validate whether obfuscated commands and encoded or encrypted files are visible to existing endpoint, EDR, proxy, and logging controls.
- Review mshta.exe and Windows Script Host activity where Windows endpoints are present, especially when launched from user-writable paths, browsers, email clients, or document applications.
- Correlate security software discovery with later evasion, staging, or transfer behaviors; on its own it may overlap with IT inventory activity.
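The sequence-based approach described above, as an added example that is not part of the original page or of ATT&CK: a small correlation routine that scores a host only when user-app-launched script hosts, discovery, temp-folder staging and HTTP to an unlisted destination appear in order within one window. Process names, field names, the 10-minute window and the sample events are all constructed assumptions for this example.

```python
from datetime import datetime, timedelta
# Assumed process/parent names for each stage (example values, not ATT&CK data)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "iexplore.exe"}
DISCOVERY = {"whoami.exe", "tasklist.exe", "ipconfig.exe", "systeminfo.exe"}
ORDER = ["user_execution", "discovery", "staging", "web_c2"]  # expected chain order
WINDOW = timedelta(minutes=10)  # assumed correlation window

def stage_of(ev):
    """Map one telemetry event to a chain stage, or None if it is not of interest."""
    if ev["type"] == "process":
        img, parent = ev["image"].lower(), ev["parent"].lower()
        if img in SCRIPT_HOSTS and parent in USER_APPS:
            return "user_execution"      # T1204 -> T1218.005 / T1059 from a document app
        if img in DISCOVERY:
            return "discovery"           # T1033 / T1057 / T1016 / T1082
    elif ev["type"] == "file" and "\\temp\\" in ev["path"].lower():
        return "staging"                 # T1074.001 writes under a temp folder
    elif ev["type"] == "network" and ev["proto"] == "http" and not ev["known_dest"]:
        return "web_c2"                  # T1071.001 to a destination not on the allow list
    return None

def detect_chains(events, min_stages=3):
    """Return {host: stages} for hosts whose time-sorted events hit at least
    min_stages of ORDER, in order, within WINDOW of the first matching event."""
    per_host = {}
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        state = per_host.setdefault(ev["host"], {"start": ts, "hit": []})
        if ts - state["start"] > WINDOW and len(state["hit"]) < min_stages:
            state["start"], state["hit"] = ts, []          # stale partial chain: restart
        last = ORDER.index(state["hit"][-1]) if state["hit"] else -1
        if ORDER.index(stage) > last:                      # only advance, never go backwards
            state["hit"].append(stage)
    return {h: s["hit"] for h, s in per_host.items() if len(s["hit"]) >= min_stages}

# Constructed sample telemetry for two hosts (not real incident data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "type": "process", "image": "mshta.exe", "parent": "WINWORD.EXE"},
    {"ts": "2024-05-01T09:00:20", "host": "ws01", "type": "process", "image": "whoami.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:01:00", "host": "ws01", "type": "file", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\out\\a.docx"},
    {"ts": "2024-05-01T09:02:00", "host": "ws01", "type": "network", "proto": "http", "known_dest": False},
    {"ts": "2024-05-01T09:05:00", "host": "ws02", "type": "process", "image": "ipconfig.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:06:00", "host": "ws02", "type": "network", "proto": "http", "known_dest": True},
]
```

Running `detect_chains(SAMPLE_EVENTS)` flags only ws01; ws02's lone discovery command followed by HTTP to an allow-listed destination is the kind of administrative noise the tuning point above refers to.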
Mitigation priorities
- Reduce initial execution risk through email and web controls, user-focused safeguards for malicious links/files, and hardening of client applications vulnerable to exploitation.
- Limit and monitor script execution, including PowerShell, Windows Script Host, JavaScript/JScript, Visual Basic, and mshta.exe where operationally feasible.
- Maintain patch and vulnerability management for client applications because exploitation for client execution is part of the related behavior set.
- Improve endpoint visibility for command-line execution, file staging, discovery activity, and suspicious parent-child process chains.
- Constrain outbound network paths and monitor web-protocol traffic for unusual destinations, automation, or data transfer patterns.
Analyst notes and limits
The strongest defensive value comes from using Sidewinder as a threat-informed test case across phishing/user execution, scripting, discovery, collection, C2, and exfiltration. The official group description includes regional targeting and aliases, while the relationship set provides the practical detection and control validation surface. Koadic’s Windows Script Host behavior is notable, but the group object itself lists no platforms, so platform-specific assumptions should be validated locally.
ATT&CK provides no official detection guidance for this group, and the group object does not specify platforms or tactics. The relationships identify associated software and techniques, but they do not prove current activity against any organization or guarantee that all listed behaviors occur in every intrusion. Local telemetry, asset inventory, geography, business ties, and incident evidence are required for prioritization.
Sidewinder
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.[1][3] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Sidewinder has used the Windows service |
| Enterprise | T1218.005 | Mshta Sub-technique | Sidewinder has used |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Sidewinder has sent e-mails with malicious links to credential harvesting websites.[1] |
| Enterprise | T1124 | System Time Discovery | Sidewinder has used tools to obtain the current system time.[1] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Sidewinder has sent e-mails with malicious links often crafted for specific targets.[1][3] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.[1] |
| Enterprise | T1057 | Process Discovery | Sidewinder has used tools to identify running processes on the victim's machine.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Sidewinder has used JavaScript to drop and execute malware loaders.[1] (Citation: Rewterz Sidewinder COVID-19 June 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[1] (Citation: Rewterz Sidewinder APT April 2020)[3] |
| Enterprise | T1020 | Automated Exfiltration | Sidewinder has configured tools to automatically send collected files to attacker controlled servers.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Sidewinder has used LNK files to download remote files to the victim's network.[1][3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Sidewinder has added paths to executables in the Registry to establish persistence. (Citation: Rewterz Sidewinder APT April 2020) (Citation: Rewterz Sidewinder COVID-19 June 2020)[3] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Sidewinder has used HTTP in C2 communications.[1] (Citation: Rewterz Sidewinder APT April 2020) (Citation: Rewterz Sidewinder COVID-19 June 2020) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer. (Citation: Rewterz Sidewinder APT April 2020) (Citation: Rewterz Sidewinder COVID-19 June 2020) |
| Enterprise | T1083 | File and Directory Discovery | Sidewinder has used malware to collect information on files and directories.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Sidewinder has used malware to collect information on network interfaces, including the MAC address.[1] |
| Enterprise | T1598.002 | Spearphishing Attachment Sub-technique | Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[1] (Citation: Rewterz Sidewinder APT April 2020)[3] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Sidewinder has used base64 encoding for scripts.[1] (Citation: Rewterz Sidewinder APT April 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Sidewinder has used PowerShell to drop and execute malware loaders.[1] |
| Enterprise | T1518 | Software Discovery | Sidewinder has used tools to enumerate software installed on an infected host.[1] (Citation: Rewterz Sidewinder APT April 2020) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Sidewinder has used VBScript to drop and execute malware loaders.[1] |
| Enterprise | T1082 | System Information Discovery | Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.[1] (Citation: Rewterz Sidewinder COVID-19 June 2020) |
| Enterprise | T1119 | Automated Collection | Sidewinder has used tools to automatically collect system and network configuration information.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Sidewinder has named malicious files |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[1] (Citation: Rewterz Sidewinder APT April 2020) (Citation: Rewterz Sidewinder COVID-19 June 2020)[3] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[1] (Citation: Rewterz Sidewinder APT April 2020) (Citation: Rewterz Sidewinder COVID-19 June 2020)[3] |
| Enterprise | T1033 | System Owner/User Discovery | Sidewinder has used tools to identify the user of a compromised host.[1] |
| Enterprise | T1574.001 | DLL Sub-technique | Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[1] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | c657657a4341… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ATT Sidewinder January 2021: Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- [2] Securelist APT Trends April 2018: Global Research and Analysis Team. (2018, April 12). APT Trends report Q1 2018. Retrieved January 27, 2021.
- [3] Cyble Sidewinder September 2020: Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- [4] Rattlesnake (associated group name; Citation: Cyble Sidewinder September 2020)
- [5] T-APT-04 (associated group name; Citation: Cyble Sidewinder September 2020)
- [6] mitre-attack G0121 (external ID)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.