{
  "type": "Domain",
  "indicator": "ziptec.info",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ziptec.info",
    "alexa": "http://www.alexa.com/siteinfo/ziptec.info",
    "indicator": "ziptec.info",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4045047558,
      "indicator": "ziptec.info",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "67cebdf90f3d662d90cb0701",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
          "modified": "2025-03-10T11:53:33.338000",
          "created": "2025-03-10T10:24:57.506000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "RAZOR TIGER",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386606,
          "modified_text": "447 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6897447b49f0971e56200788",
          "name": "SideWinder Updated IoC List",
          "description": "",
          "modified": "2025-09-08T12:02:50.283000",
          "created": "2025-08-09T12:52:11.392000",
          "tags": [
            "h31l0"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 122,
            "FileHash-SHA1": 94,
            "FileHash-SHA256": 187,
            "domain": 156,
            "hostname": 141,
            "URL": 38
          },
          "indicator_count": 738,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "265 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68409244750c4c3b0bbb7729",
          "name": "IOCs 2025 JAN-MAY",
          "description": "Latest IOCs that emerged in 2025",
          "modified": "2025-07-04T18:05:18.397000",
          "created": "2025-06-04T18:36:51.684000",
          "tags": [],
          "references": [
            "IOC.pdf"
          ],
          "public": 1,
          "adversary": "Multiple Threat Actors",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 117,
            "domain": 128,
            "email": 2,
            "hostname": 12
          },
          "indicator_count": 521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d039d64c7f33a5584793bd",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder\u2019s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.",
          "modified": "2025-03-11T13:25:42.395000",
          "created": "2025-03-11T13:25:42.395000",
          "tags": [
            ".net",
            "apt",
            "defense evasion",
            "hta",
            "javascript",
            "malware",
            "malware descriptions",
            "malware technologies",
            "shellcode",
            "sidewinder",
            "spear phishing",
            "targeted attacks",
            "backdoor",
            "loader",
            "stealerbot",
            "africa",
            "pakistan",
            "sri lanka",
            "china",
            "nepal",
            "southeast asia",
            "cve201711882",
            "downloader",
            "installer",
            "implant",
            "indonesia",
            "philippines"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 3,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "446 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cfd9280c0fe8aea2c9acc7",
          "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "",
          "modified": "2025-03-11T06:33:12.125000",
          "created": "2025-03-11T06:33:12.125000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "67cebdf90f3d662d90cb0701",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "446 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cfa30c419d7b59f521304c",
          "name": "IOC - SideWinder targets the maritime and nuclear sectors with an updated toolset",
          "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
          "modified": "2025-03-11T02:42:44.657000",
          "created": "2025-03-11T02:42:20.250000",
          "tags": [
            "downloader module",
            "cve-2017-11882",
            "south asia",
            "rtf exploit",
            "nuclear",
            "africa",
            "stealerbot",
            "javascript",
            "backdoor loader",
            "apt",
            "module installer",
            "maritime",
            "spear-phishing"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Afghanistan",
            "Algeria",
            "Austria",
            "Bangladesh",
            "British Indian Ocean Territory",
            "Bulgaria",
            "Cambodia",
            "China",
            "Djibouti",
            "Egypt",
            "India",
            "Indonesia",
            "Maldives",
            "Mozambique",
            "Myanmar",
            "Nepal",
            "Pakistan",
            "Philippines",
            "Rwanda",
            "Saudi Arabia",
            "Sri Lanka",
            "Uganda",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "StealerBot",
              "display_name": "StealerBot",
              "target": null
            },
            {
              "id": "Downloader Module",
              "display_name": "Downloader Module",
              "target": null
            },
            {
              "id": "Module Installer",
              "display_name": "Module Installer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027.004",
              "name": "Compile After Delivery",
              "display_name": "T1027.004 - Compile After Delivery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Transportation",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "67cebdf90f3d662d90cb0701",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 34,
            "hostname": 1
          },
          "indicator_count": 53,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "447 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cee3cde0f1e08023e0aa46",
          "name": "SideWinder Targets the Maritime and Nuclear Sectors with an Updated Toolset",
          "description": "",
          "modified": "2025-03-10T13:06:21.629000",
          "created": "2025-03-10T13:06:21.629000",
          "tags": [
            "hashes"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 35
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "447 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/",
        "IOC.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "RAZOR TIGER"
          ],
          "malware_families": [
            "Stealerbot",
            "Module installer",
            "Downloader module"
          ],
          "industries": [
            "Energy",
            "Transportation",
            "Telecommunications",
            "Defense",
            "Government"
          ]
        },
        "other": {
          "adversary": [
            "Multiple Threat Actors",
            "SideWinder"
          ],
          "malware_families": [
            "Stealerbot",
            "Module installer",
            "Downloader module"
          ],
          "industries": [
            "Energy",
            "Transportation",
            "Telecommunications",
            "Defense",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "67cebdf90f3d662d90cb0701",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
      "modified": "2025-03-10T11:53:33.338000",
      "created": "2025-03-10T10:24:57.506000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "RAZOR TIGER",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386606,
      "modified_text": "447 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6897447b49f0971e56200788",
      "name": "SideWinder Updated IoC List",
      "description": "",
      "modified": "2025-09-08T12:02:50.283000",
      "created": "2025-08-09T12:52:11.392000",
      "tags": [
        "h31l0"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 122,
        "FileHash-SHA1": 94,
        "FileHash-SHA256": 187,
        "domain": 156,
        "hostname": 141,
        "URL": 38
      },
      "indicator_count": 738,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "265 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68409244750c4c3b0bbb7729",
      "name": "IOCs 2025 JAN-MAY",
      "description": "Latest IOCs that emerged in 2025",
      "modified": "2025-07-04T18:05:18.397000",
      "created": "2025-06-04T18:36:51.684000",
      "tags": [],
      "references": [
        "IOC.pdf"
      ],
      "public": 1,
      "adversary": "Multiple Threat Actors",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 106,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 117,
        "domain": 128,
        "email": 2,
        "hostname": 12
      },
      "indicator_count": 521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d039d64c7f33a5584793bd",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond its typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder\u2019s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.",
      "modified": "2025-03-11T13:25:42.395000",
      "created": "2025-03-11T13:25:42.395000",
      "tags": [
        ".net",
        "apt",
        "defense evasion",
        "hta",
        "javascript",
        "malware",
        "malware descriptions",
        "malware technologies",
        "shellcode",
        "sidewinder",
        "spear phishing",
        "targeted attacks",
        "backdoor",
        "loader",
        "stealerbot",
        "africa",
        "pakistan",
        "sri lanka",
        "china",
        "nepal",
        "southeast asia",
        "cve201711882",
        "downloader",
        "installer",
        "implant",
        "indonesia",
        "philippines"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 3,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "446 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cfd9280c0fe8aea2c9acc7",
      "name": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "",
      "modified": "2025-03-11T06:33:12.125000",
      "created": "2025-03-11T06:33:12.125000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "67cebdf90f3d662d90cb0701",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "446 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cfa30c419d7b59f521304c",
      "name": "IOC - SideWinder targets the maritime and nuclear sectors with an updated toolset",
      "description": "The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.",
      "modified": "2025-03-11T02:42:44.657000",
      "created": "2025-03-11T02:42:20.250000",
      "tags": [
        "downloader module",
        "cve-2017-11882",
        "south asia",
        "rtf exploit",
        "nuclear",
        "africa",
        "stealerbot",
        "javascript",
        "backdoor loader",
        "apt",
        "module installer",
        "maritime",
        "spear-phishing"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Afghanistan",
        "Algeria",
        "Austria",
        "Bangladesh",
        "British Indian Ocean Territory",
        "Bulgaria",
        "Cambodia",
        "China",
        "Djibouti",
        "Egypt",
        "India",
        "Indonesia",
        "Maldives",
        "Mozambique",
        "Myanmar",
        "Nepal",
        "Pakistan",
        "Philippines",
        "Rwanda",
        "Saudi Arabia",
        "Sri Lanka",
        "Uganda",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "StealerBot",
          "display_name": "StealerBot",
          "target": null
        },
        {
          "id": "Downloader Module",
          "display_name": "Downloader Module",
          "target": null
        },
        {
          "id": "Module Installer",
          "display_name": "Module Installer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027.004",
          "name": "Compile After Delivery",
          "display_name": "T1027.004 - Compile After Delivery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Transportation",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "67cebdf90f3d662d90cb0701",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 34,
        "hostname": 1
      },
      "indicator_count": 53,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "447 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cee3cde0f1e08023e0aa46",
      "name": "SideWinder Targets the Maritime and Nuclear Sectors with an Updated Toolset",
      "description": "",
      "modified": "2025-03-10T13:06:21.629000",
      "created": "2025-03-10T13:06:21.629000",
      "tags": [
        "hashes"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 35
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "447 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ziptec.info",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ziptec.info",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780284853.1812336
}