SideWalk, a new modular backdoor, has been discovered in new campaigns launched by an APT group dubbed SparklingGoblin. The APT was first spotted in May 2020, while tracking attacks on Hong Kong universities by another group that used CrossWalk backdoor, in 2019. But no relation could be established then.

SideWalk and CrossWalk affairs

Accordion to a recent report, the new SideWalk backdoor shares several similarities with Winnti’s CrossWalk backdoor.
  • Though disparity in codes, SideWalk and CrossWalk has various architectural similarities such as anti-tampering techniques, threading model, data layout, and the way data is managed during the execution.
  • Going by features, both backdoors are modular in nature as additional plugins could enhance their capabilities. 
  • SideWalk and Crosswalk have been found using Motnug loader, a type of shellcode loader, in their campaigns.
  • Moreover, both can obtain proxy configurations by stealing user token and then use them to communicate with their C&C servers.

With mild to strong confidence, ESET researchers conclude that the SparklingGoblin APT is another subgroup of the Winnti group using the SideWalk backdoor.

SparklingGoblin’s attack history

SparklingGoblin targets a wide range of organizations around the world. It targets several other sectors but primarily focuses on the academic sector.
  • Some of the targets are academic sectors in Macau, Hong Kong, and Taiwan, along with a religious organization and an electronics manufacturer in Taiwan, and government entities in Southeast Asia.
  • It has also targeted e-commerce firms in South Korea; education institutions in Canada; media firms in India, Bahrain, and the U.S.; retail firms in the U.S.; local government in Georgia; and unknown firms in South Korea and Singapore.


SparklingGoblin is notably a very active threat group targeting a wide range of organizations globally. With links established between SideWalk and CrossWalk, the Winnti group could use these backdoors in the near future and security analysts need to watch out. Meanwhile, it is very important for security agencies to keep an eye on this threat to prevent future attacks.

Cyware Publisher