{ "type": "Domain", "indicator": "cloud-apt.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloud-apt.net", "alexa": "http://www.alexa.com/siteinfo/cloud-apt.net", "indicator": "cloud-apt.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2236716026, "indicator": "cloud-apt.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "62987c8eafd38f2088986035", "name": "Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T09:02:05.981000", "tags": [ "sidewinder", "pakistan", "apt" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" } ], "industries": [ "Military", "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 475, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 2, "hostname": 88 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 386557, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5f21d5b84d529ed134127a66", "name": "A Global Perspective of the SideWinder APT", "description": "AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017, however the group has been reportedly operating since at least 2012. Alien Labs along with other security researchers have assessed with low to medium confidence that the group is operates in support of India political interests based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known India interest APTs, in addition to past cyber threat intelligence reporting and our private telemetry.", "modified": "2021-09-21T18:18:13.593000", "created": "2020-07-29T20:02:00.852000", "tags": [ "implant", "trojan", "T-APT-04", "SideWinder", "Rattlesnake", "phishing", "India", "Royal Road", "APT" ], "references": [ "https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-the-sidewinder-apt" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Qatar", "China", "Nepal", "Myanmar", "Afghanistan", "Bangladesh", "Pakistan", "Sri Lanka" ], "malware_families": [], "attack_ids": [], "industries": [ "Military", "Defense", "National Security", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 196, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 93, "FileHash-SHA256": 317, "hostname": 31, "FileHash-MD5": 130, "FileHash-SHA1": 125, "YARA": 3 }, "indicator_count": 700, "is_author": false, "is_subscribing": null, "subscriber_count": 386563, "modified_text": "1712 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62985f3690ace88f8dca0c6d", "name": "SideWinder AntiBot Script | Group-IB", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T06:56:54.767000", "tags": [ "sidewinder", "strong", "mimicry", "pakistan", "groupib", "screenshot", "groupib threat", "pakistani", "image", "intelligence", "team", "kill", "powershell", "canvas", "date" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 490, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 8, "email": 1, "hostname": 103 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-the-sidewinder-apt", "https://blog.group-ib.com/sidewinder-antibot" ], "related": { "alienvault": { "adversary": [ "SideWinder" ], "malware_families": [], "industries": [ "Defense", "Finance", "National security", "Military", "Government" ] }, "other": { "adversary": [ "SideWinder" ], "malware_families": [], "industries": [ "Military", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "62987c8eafd38f2088986035", "name": "Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T09:02:05.981000", "tags": [ "sidewinder", "pakistan", "apt" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" } ], "industries": [ "Military", "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 475, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 2, "hostname": 88 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 386557, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5f21d5b84d529ed134127a66", "name": "A Global Perspective of the SideWinder APT", "description": "AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017, however the group has been reportedly operating since at least 2012. Alien Labs along with other security researchers have assessed with low to medium confidence that the group is operates in support of India political interests based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known India interest APTs, in addition to past cyber threat intelligence reporting and our private telemetry.", "modified": "2021-09-21T18:18:13.593000", "created": "2020-07-29T20:02:00.852000", "tags": [ "implant", "trojan", "T-APT-04", "SideWinder", "Rattlesnake", "phishing", "India", "Royal Road", "APT" ], "references": [ "https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-the-sidewinder-apt" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Qatar", "China", "Nepal", "Myanmar", "Afghanistan", "Bangladesh", "Pakistan", "Sri Lanka" ], "malware_families": [], "attack_ids": [], "industries": [ "Military", "Defense", "National Security", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 196, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 93, "FileHash-SHA256": 317, "hostname": 31, "FileHash-MD5": 130, "FileHash-SHA1": 125, "YARA": 3 }, "indicator_count": 700, "is_author": false, "is_subscribing": null, "subscriber_count": 386563, "modified_text": "1712 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62985f3690ace88f8dca0c6d", "name": "SideWinder AntiBot Script | Group-IB", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T06:56:54.767000", "tags": [ "sidewinder", "strong", "mimicry", "pakistan", "groupib", "screenshot", "groupib threat", "pakistani", "image", "intelligence", "team", "kill", "powershell", "canvas", "date" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 490, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 8, "email": 1, "hostname": 103 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloud-apt.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloud-apt.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780249296.6770282 }