Threat Actor Profile
High APT
Description

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

Confidence Score
90%
Known Aliases
Windshift, Bahamut
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (19)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1036 - Masquerading (Defense Evasion)
T1036.001 - Invalid Code Signature (Defense Evasion)
T1033 - System Owner/User Discovery (Discovery)
T1057 - Process Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1518 - Software Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.005 - Visual Basic (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1189 - Drive-by Compromise (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1566.003 - Spearphishing via Service (Initial Access)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
STIX Data
{
  "aliases": ["Windshift", "Bahamut"],
  "created": "2020-06-25T17:16:39.168Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
  "external_references": [
    {
      "external_id": "G0112",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0112"
    },
    {
      "description": "(Citation: SANS Windshift August 2018)",
      "source_name": "Bahamut"
    },
    {
      "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.",
      "source_name": "SANS Windshift August 2018",
      "url": "https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868"
    },
    {
      "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.",
      "source_name": "objective-see windtail1 dec 2018",
      "url": "https://objective-see.com/blog/blog_0x3B.html"
    },
    {
      "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.",
      "source_name": "objective-see windtail2 jan 2019",
      "url": "https://objective-see.com/blog/blog_0x3D.html"
    }
  ],
  "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
  "modified": "2024-11-17T14:15:51.850Z",
  "name": "Windshift",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack", "mobile-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.1"
}