The adversary relies on a fairly large infrastructure that includes more than 92 IP addresses, used mainly for phishing attacks, and hosts hundreds of domains and subdomains that serve as command and control servers. A recent phishing campaign attributed to SideWinder (a.k.a. RattleSnake, Razor Tiger, T-APT-04, APT-C-17, Hardcore Nationalist) targeted organizations in Pakistan in both the public and private sector.
The recent phishing campaign also used this method against its targets: the actor set up multiple websites that mimicked legitimate domains of the Pakistani government:
A phoney VPN app for Android smartphones was uploaded to the Google Play Store, coupled with a bespoke tool that selects users for more precise targeting, in phishing attacks attributed to an advanced threat actor known as SideWinder. SideWinder is an APT group that has been operating since at least 2012 and is thought to be an Indian actor with a high level of expertise. According to Kaspersky security analysts, over 1,000 attacks have been attributed to this group in the last two years. Organizations in Pakistan, China, Nepal, and Afghanistan are among its key targets.
Earlier this year, researchers at the cybersecurity company Group-IB detected a phishing document that lured victims by proposing "a formal discussion of the impact of US withdrawal from Afghanistan on maritime security." In a report shared with BleepingComputer, Group-IB says that SideWinder has also been observed in the past cloning government websites (e.g. a government portal in Sri Lanka) to steal user credentials.
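The mimicked government domains and cloned portals described above are something a defender can screen for in DNS logs, certificate transparency feeds or proxy logs. The following script is an added example, not code from the article or from any of the vendors it cites: it checks observed hostnames against a constructed allow-list of placeholder domains (the `gov.pk` names below are invented stand-ins, not the real sites the actor imitated), folds common homoglyph substitutions, and flags exact clones, lookalikes and cases where a legitimate name is buried as a subdomain of an unrelated parent domain.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed reference set: placeholders standing in for the government
# domains a defender would load from their own allow-list.
LEGITIMATE_DOMAINS = [
    "ministry-example.gov.pk",
    "portal-example.gov.pk",
]

# Character substitutions that commonly make a lookalike read like the original.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(value: str) -> str:
    """Reduce a URL or domain to a lower-case, Unicode-folded host name."""
    host = unicodedata.normalize("NFKC", value.strip()).lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    return host.split(":", 1)[0]


def fold_homoglyphs(host: str) -> str:
    """Collapse look-alike characters so 'examp1e' compares equal to 'example'."""
    for src, dst in HOMOGLYPHS.items():
        host = host.replace(src, dst)
    return host


def classify(candidate: str, legit=LEGITIMATE_DOMAINS, threshold: float = 0.85):
    """Return (verdict, closest_legitimate_domain, score).

    'legitimate'         the domain itself or a real subdomain of it
    'brand-in-subdomain' a legitimate name embedded under a foreign parent domain
    'lookalike'          homoglyph or edit-distance imitation of a legitimate name
    'unrelated'          nothing on the allow-list resembles it
    """
    raw = hostname(candidate)
    norm = fold_homoglyphs(raw)
    best_good, best_score = None, 0.0
    for good in legit:
        g = hostname(good)
        # Exact match or genuine subdomain is compared on the unfolded name,
        # so a homoglyph clone cannot be mistaken for the real thing.
        if raw == g or raw.endswith("." + g):
            return ("legitimate", good, 1.0)
        gn = fold_homoglyphs(g)
        # e.g. portal-example.gov.pk.attacker-example.test
        if norm.startswith(gn + ".") or ("." + gn + ".") in norm:
            return ("brand-in-subdomain", good, 1.0)
        score = SequenceMatcher(None, norm, gn).ratio()
        if score > best_score:
            best_good, best_score = good, score
    verdict = "lookalike" if best_score >= threshold else "unrelated"
    return (verdict, best_good, round(best_score, 3))


if __name__ == "__main__":
    # Constructed observations, as they might appear in DNS or proxy logs.
    observed = [
        "https://ministry-example.gov.pk/login",
        "mail.portal-example.gov.pk",
        "ministry-examp1e.gov.pk",
        "portal-example.gov.pk.attacker-example.test",
        "unrelated-site.test",
    ]
    for name in observed:
        print(f"{name:50} -> {classify(name)}")
```

Only the `legitimate` verdict is safe to suppress; `lookalike` and `brand-in-subdomain` hits are the candidates to hand to the SOC for blocking and to check against certificate transparency logs for newly issued certificates.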