Suspected Indian state-sponsored threat operation SideWinder has been discovered to have an attack infrastructure with 55 phishing domains and IP addresses impersonating organizations in the government, news media, financial, and telecommunications sectors, according to The Hacker News.
China, Pakistan, Afghanistan, Sri Lanka, Bangladesh, Singapore, Myanmar, Qatar, and the Philippines were the most frequent targets of SideWinder, which was observed using domains masquerading as Chinese, Pakistani, and Indian government agencies to deploy next-stage payloads, a joint Group-IB and Bridewell report revealed. SideWinder has also leveraged LNK files that facilitate the deployment of HTML applications impersonating a Nepalese government website and Tsinghua University's email system.
Moreover, a malicious Android APK file masquerading as a Ludo game has been used by the operation to gain device access and act as spyware.
"Like many other APT groups, SideWinder relies on targeted spear-phishing as the initial vector. It is therefore important for organizations to deploy business email protection solutions that detonate malicious content," said researchers.
Impacted by different levels of log disruption were Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform, according to Microsoft.
Attacks involved the display of fraudulent Google Meet popup alerts, which would download the StealC or Rhadamanthys infostealers for Windows users and the AMOS Stealer payload for macOS users, according to a Sekoia analysis.
Malicious spear-phishing messages have been leveraged by RomCom to distribute the MeltingClaw or RustyClaw downloaders for the ShadyHammock and DustyHammock backdoors, respectively, with the latter facilitating the delivery of the SingleCamper trojan.