{
  "type": "Domain",
  "indicator": "session-out.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/session-out.com",
    "alexa": "http://www.alexa.com/siteinfo/session-out.com",
    "indicator": "session-out.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3928458160,
      "indicator": "session-out.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "67cebdf90f3d662d90cb0701",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
          "modified": "2025-03-10T11:53:33.338000",
          "created": "2025-03-10T10:24:57.506000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "RAZOR TIGER",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386669,
          "modified_text": "448 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66a9093cc37e48ed693820e8",
          "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
          "description": "BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and maritime facilities in the Indian Ocean and Mediterranean Sea regions through espionage and intelligence gathering activities. The attack chain involves exploiting vulnerabilities in Microsoft Office and downloading malicious JavaScript payloads from the group's infrastructure. SideWinder continuously evolves its tactics, making it an ongoing threat.",
          "modified": "2024-08-29T15:01:08.353000",
          "created": "2024-07-30T15:39:40.941000",
          "tags": [
            "javascript",
            "vulnerability",
            "targeted",
            "cve-2017-11882",
            "maritime",
            "phishing",
            "cve-2017-0199",
            "nation-state",
            "espionage",
            "infrastructure"
          ],
          "references": [
            "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
          ],
          "public": 1,
          "adversary": "RAZOR TIGER",
          "targeted_countries": [
            "Pakistan",
            "Egypt",
            "Sri Lanka",
            "Bangladesh",
            "Myanmar",
            "Nepal",
            "Maldives"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 248,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 9,
            "URL": 9,
            "YARA": 1,
            "domain": 4,
            "hostname": 20
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386669,
          "modified_text": "640 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6897447b49f0971e56200788",
          "name": "SideWinder Updated IoC List",
          "description": "",
          "modified": "2025-09-08T12:02:50.283000",
          "created": "2025-08-09T12:52:11.392000",
          "tags": [
            "h31l0"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 122,
            "FileHash-SHA1": 94,
            "FileHash-SHA256": 187,
            "domain": 156,
            "hostname": 141,
            "URL": 38
          },
          "indicator_count": 738,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "266 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68409244750c4c3b0bbb7729",
          "name": "IOCs 2025 JAN-MAY",
          "description": "Latest IOCs emerged in 2025",
          "modified": "2025-07-04T18:05:18.397000",
          "created": "2025-06-04T18:36:51.684000",
          "tags": [],
          "references": [
            "IOC.pdf"
          ],
          "public": 1,
          "adversary": "Multiple Threat Actors",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 117,
            "domain": 128,
            "email": 2,
            "hostname": 12
          },
          "indicator_count": 521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d039d64c7f33a5584793bd",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder\u2019s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.",
          "modified": "2025-03-11T13:25:42.395000",
          "created": "2025-03-11T13:25:42.395000",
          "tags": [
            ".net",
            "apt",
            "defense evasion",
            "hta",
            "javascript",
            "malware",
            "malware descriptions",
            "malware technologies",
            "shellcode",
            "sidewinder",
            "spear phishing",
            "targeted attacks",
            "backdoor",
            "loader",
            "stealerbot",
            "africa",
            "pakistan",
            "sri lanka",
            "china",
            "nepal",
            "southeast asia",
            "cve201711882",
            "downloader",
            "installer",
            "implant",
            "indonesia",
            "philippines"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 3,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "446 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cfd9280c0fe8aea2c9acc7",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "",
          "modified": "2025-03-11T06:33:12.125000",
          "created": "2025-03-11T06:33:12.125000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "67cebdf90f3d662d90cb0701",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "447 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cfa30c419d7b59f521304c",
          "name": "IOC - SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
          "modified": "2025-03-11T02:42:44.657000",
          "created": "2025-03-11T02:42:20.250000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "67cebdf90f3d662d90cb0701",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "447 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cee3cde0f1e08023e0aa46",
          "name": "SideWinder Targets the Maritime and Nuclear Sectors with an Updated Toolset",
          "description": "",
          "modified": "2025-03-10T13:06:21.629000",
          "created": "2025-03-10T13:06:21.629000",
          "tags": [
            "hashes"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 35
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "448 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6788c5dbca349ef48a63c3af",
          "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
          "description": "",
          "modified": "2025-01-16T08:39:55.556000",
          "created": "2025-01-16T08:39:55.556000",
          "tags": [
            "javascript",
            "vulnerability",
            "targeted",
            "cve-2017-11882",
            "maritime",
            "phishing",
            "cve-2017-0199",
            "nation-state",
            "espionage",
            "infrastructure"
          ],
          "references": [
            "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Pakistan",
            "Egypt",
            "Sri Lanka",
            "Bangladesh",
            "Myanmar",
            "Nepal",
            "Maldives"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66ab1a4815443e2d4c0f3322",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 9,
            "URL": 9,
            "YARA": 1,
            "domain": 4,
            "hostname": 20
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "501 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "563 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66aa94b5d10a450efd39788d",
          "name": "New SideWinder Attacks Target Maritime Facilities",
          "description": "Hashes (SHA256) - \u00a31.5m - are subject to security and privacy concerns, according to the Department of Homeland Security (DHS) and the Office of National Statistics (ONS).",
          "modified": "2024-08-30T19:04:11.845000",
          "created": "2024-07-31T19:47:01.362000",
          "tags": [
            "hashes",
            "sha256",
            "urls",
            "classification",
            "confidential"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 9,
            "URL": 9,
            "domain": 4,
            "hostname": 17
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "639 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ab1a4815443e2d4c0f3322",
          "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
          "description": "",
          "modified": "2024-08-29T15:01:08.353000",
          "created": "2024-08-01T05:16:56.476000",
          "tags": [
            "javascript",
            "vulnerability",
            "targeted",
            "cve-2017-11882",
            "maritime",
            "phishing",
            "cve-2017-0199",
            "nation-state",
            "espionage",
            "infrastructure"
          ],
          "references": [
            "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Pakistan",
            "Egypt",
            "Sri Lanka",
            "Bangladesh",
            "Myanmar",
            "Nepal",
            "Maldives"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66a9093cc37e48ed693820e8",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 9,
            "URL": 9,
            "YARA": 1,
            "domain": 4,
            "hostname": 20
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "640 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66a8d6a02d0e18be9d911c0b",
          "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
          "description": "A new campaign by the nation-state threat actor SideWinder is targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean, according to BlackBerry Research and Intelligence.  \u00a31.",
          "modified": "2024-08-29T12:02:08.339000",
          "created": "2024-07-30T12:03:44.193000",
          "tags": [
            "cybersecurity",
            "sidewinder",
            "sri lanka",
            "javascript",
            "pdns",
            "stage",
            "research",
            "appendix",
            "cylanceendpoint",
            "shellcode",
            "october"
          ],
          "references": [
            "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Pakistan",
            "Nepal",
            "Egypt",
            "Sri Lanka",
            "Bangladesh",
            "Myanmar",
            "Maldives",
            "Afghanistan",
            "China"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 9,
            "URL": 9,
            "YARA": 1,
            "domain": 4,
            "hostname": 20
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "641 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66a36b111ef3f39641ec764f",
          "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
          "description": "",
          "modified": "2024-08-25T09:02:03.829000",
          "created": "2024-07-26T09:23:29.013000",
          "tags": [
            "cybersecurity",
            "sidewinder",
            "sri lanka",
            "javascript",
            "pdns",
            "stage",
            "research",
            "appendix",
            "cylanceendpoint",
            "shellcode",
            "october"
          ],
          "references": [
            "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 9,
            "URL": 9,
            "YARA": 1,
            "domain": 4,
            "hostname": 20
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "645 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/",
        "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea",
        "IOC.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "RAZOR TIGER"
          ],
          "malware_families": [
            "Module installer",
            "Downloader module",
            "Stealerbot"
          ],
          "industries": [
            "Energy",
            "Defense",
            "Telecommunications",
            "Transportation",
            "Government"
          ]
        },
        "other": {
          "adversary": [
            "Multiple Threat Actors",
            "SideWinder"
          ],
          "malware_families": [
            "Module installer",
            "Downloader module",
            "Stealerbot"
          ],
          "industries": [
            "Energy",
            "Defense",
            "Telecommunications",
            "Transportation",
            "Government",
            "Military"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "67cebdf90f3d662d90cb0701",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
      "modified": "2025-03-10T11:53:33.338000",
      "created": "2025-03-10T10:24:57.506000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "RAZOR TIGER",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386669,
      "modified_text": "448 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66a9093cc37e48ed693820e8",
      "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
      "description": "BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and maritime facilities in the Indian Ocean and Mediterranean Sea regions through espionage and intelligence gathering activities. The attack chain involves exploiting vulnerabilities in Microsoft Office and downloading malicious JavaScript payloads from the group's infrastructure. SideWinder continuously evolves its tactics, making it an ongoing threat.",
      "modified": "2024-08-29T15:01:08.353000",
      "created": "2024-07-30T15:39:40.941000",
      "tags": [
        "javascript",
        "vulnerability",
        "targeted",
        "cve-2017-11882",
        "maritime",
        "phishing",
        "cve-2017-0199",
        "nation-state",
        "espionage",
        "infrastructure"
      ],
      "references": [
        "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
      ],
      "public": 1,
      "adversary": "RAZOR TIGER",
      "targeted_countries": [
        "Pakistan",
        "Egypt",
        "Sri Lanka",
        "Bangladesh",
        "Myanmar",
        "Nepal",
        "Maldives"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 248,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 9,
        "URL": 9,
        "YARA": 1,
        "domain": 4,
        "hostname": 20
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386669,
      "modified_text": "640 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6897447b49f0971e56200788",
      "name": "SideWinder Updated IoC List",
      "description": "",
      "modified": "2025-09-08T12:02:50.283000",
      "created": "2025-08-09T12:52:11.392000",
      "tags": [
        "h31l0"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 122,
        "FileHash-SHA1": 94,
        "FileHash-SHA256": 187,
        "domain": 156,
        "hostname": 141,
        "URL": 38
      },
      "indicator_count": 738,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "266 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68409244750c4c3b0bbb7729",
      "name": "IOCs 2025 JAN-MAY",
      "description": "Latest IOCs emerged in 2025",
      "modified": "2025-07-04T18:05:18.397000",
      "created": "2025-06-04T18:36:51.684000",
      "tags": [],
      "references": [
        "IOC.pdf"
      ],
      "public": 1,
      "adversary": "Multiple Threat Actors",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 106,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 117,
        "domain": 128,
        "email": 2,
        "hostname": 12
      },
      "indicator_count": 521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d039d64c7f33a5584793bd",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder\u2019s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.",
      "modified": "2025-03-11T13:25:42.395000",
      "created": "2025-03-11T13:25:42.395000",
      "tags": [
        ".net",
        "apt",
        "defense evasion",
        "hta",
        "javascript",
        "malware",
        "malware descriptions",
        "malware technologies",
        "shellcode",
        "sidewinder",
        "spear phishing",
        "targeted attacks",
        "backdoor",
        "loader",
        "stealerbot",
        "africa",
        "pakistan",
        "sri lanka",
        "china",
        "nepal",
        "southeast asia",
        "cve201711882",
        "downloader",
        "installer",
        "implant",
        "indonesia",
        "philippines"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 3,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "446 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cfd9280c0fe8aea2c9acc7",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "",
      "modified": "2025-03-11T06:33:12.125000",
      "created": "2025-03-11T06:33:12.125000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "67cebdf90f3d662d90cb0701",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "447 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cfa30c419d7b59f521304c",
      "name": "IOC - SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
      "modified": "2025-03-11T02:42:44.657000",
      "created": "2025-03-11T02:42:20.250000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "67cebdf90f3d662d90cb0701",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "447 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cee3cde0f1e08023e0aa46",
      "name": "SideWinder Targets the Maritime and Nuclear Sectors with an Updated Toolset",
      "description": "",
      "modified": "2025-03-10T13:06:21.629000",
      "created": "2025-03-10T13:06:21.629000",
      "tags": [
        "hashes"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 35
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "448 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6788c5dbca349ef48a63c3af",
      "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea",
      "description": "",
      "modified": "2025-01-16T08:39:55.556000",
      "created": "2025-01-16T08:39:55.556000",
      "tags": [
        "javascript",
        "vulnerability",
        "targeted",
        "cve-2017-11882",
        "maritime",
        "phishing",
        "cve-2017-0199",
        "nation-state",
        "espionage",
        "infrastructure"
      ],
      "references": [
        "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Pakistan",
        "Egypt",
        "Sri Lanka",
        "Bangladesh",
        "Myanmar",
        "Nepal",
        "Maldives"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66ab1a4815443e2d4c0f3322",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 9,
        "URL": 9,
        "YARA": 1,
        "domain": 4,
        "hostname": 20
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "501 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "554 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "session-out.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "session-out.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780320112.1013024
}