Threat Actor Profile
High APT
Description

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)

Confidence Score
90%
Known Aliases
Sidewinder, T-APT-04, Rattlesnake
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (30)
T1074.001 - Local Data Staging
Collection
T1119 - Automated Collection
Collection
T1071.001 - Web Protocols
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1027.010 - Command Obfuscation
Defense Evasion
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1016 - System Network Configuration Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1124 - System Time Discovery
Discovery
T1518 - Software Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1059.001 - PowerShell
Execution
T1059.005 - Visual Basic
Execution
T1059.007 - JavaScript
Execution
T1203 - Exploitation for Client Execution
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1559.002 - Dynamic Data Exchange
Execution
T1020 - Automated Exfiltration
Exfiltration
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1574.001 - DLL
Persistence
T1598.002 - Spearphishing Attachment
Reconnaissance
T1598.003 - Spearphishing Link
Reconnaissance
STIX Data
{'aliases': ['Sidewinder', 'T-APT-04', 'Rattlesnake'],
 'created': '2021-01-27T15:57:11.183Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Sidewinder](https://attack.mitre.org/groups/G0121) is a '
                'suspected Indian threat actor group that has been active '
                'since at least 2012. They have been observed targeting '
                'government, military, and business entities throughout Asia, '
                'primarily focusing on Pakistan, China, Nepal, and '
                'Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: '
                'Securelist APT Trends April 2018)(Citation: Cyble Sidewinder '
                'September 2020)',
 'external_references': [{'external_id': 'G0121',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0121'},
                         {'description': '(Citation: Cyble Sidewinder '
                                         'September 2020)',
                          'source_name': 'T-APT-04'},
                         {'description': '(Citation: Cyble Sidewinder '
                                         'September 2020)',
                          'source_name': 'Rattlesnake'},
                         {'description': 'Cyble. (2020, September 26). '
                                         'SideWinder APT Targets with '
                                         'futuristic Tactics and Techniques. '
                                         'Retrieved January 29, 2021.',
                          'source_name': 'Cyble Sidewinder September 2020',
                          'url': 'https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/'},
                         {'description': 'Global Research and Analysis Team . '
                                         '(2018, April 12). APT Trends report '
                                         'Q1 2018. Retrieved January 27, 2021.',
                          'source_name': 'Securelist APT Trends April 2018',
                          'url': 'https://securelist.com/apt-trends-report-q1-2018/85280/'},
                         {'description': 'Hegel, T. (2021, January 13). A '
                                         'Global Perspective of the SideWinder '
                                         'APT. Retrieved January 27, 2021.',
                          'source_name': 'ATT Sidewinder January 2021',
                          'url': 'https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf'}],
 'id': 'intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e',
 'modified': '2024-04-11T00:07:05.918Z',
 'name': 'Sidewinder',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Lacework Labs', 'Daniyal Naeem, BT Security'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}