SideWinder, also known as Rattlesnake, is an APT group that mainly targets Southeast Asian countries, including Pakistan and China. Recently, the group was found using a server to deliver a malicious LNK file hosting credential phishing pages.

What has been discovered?

SideWinder was observed using credential phishing pages copied from their victims’ webmail login pages and modified for phishing.
  • The group has been targeting government and military units, mostly in Nepal and Afghanistan using phishing. 
  • After collecting credentials, the phishing pages redirect victims to other documents or news pages. These pages, along with documents, have topics related to either COVID-19 or territory disputes between Pakistan, Nepal, India, and China. 
  • In addition, multiple Android APK files have been discovered on their phishing server. 
  • One of the applications is OpinionPoll, which is a survey app for finding opinions concerning the Nepal-India political map dispute.
  • One of the most common infection vectors of SideWinder is the use of malicious documents. These RTF document files contain an exploit of the CVE-2017-11882 vulnerability.

Recent attacks

  • Recently, a pro-India disinformation campaign was discovered using 750 fake media outlets to serve Indian interests.
  • Last month, a hacker-for-hire was found targeting victims in South Asia with a cyberespionage campaign.


The SideWinder APT group is very active and uses current topics as a lure to target SouthAsia. Therefore, experts recommend staying alert while receiving an email from an unknown sender, using a reliable anti-malware solution, and avoiding clicking on links or downloading files that appear suspicious.

Cyware Publisher