SideWinder Targets Pakistani Entities With Phishing Attacks

SideWinder Targets Pakistani Entities With Phishing AttacksThe India-aligned APT SideWinder is using a variety of social engineering techniques to target Pakistani government and military entities, according to researchers at Group-IB. The threat actor is using phishing emails as well as a malicious VPN app placed in the Google Play Store.

“The SideWinder APT is believed to be an Indian nation-state threat actor. In their attacks, SideWinder was seen targeting government, military, and economic sectors in Southeast Asia: in Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China,” the researchers write. “However, since the discovery of the group in 2012, Pakistan has been the primary target of SideWinder. In the last year alone, several SideWinder’s attacks targeting Pakistan have been detected. SideWinder was particularly interested in the Pakistani military targets.”

SideWinder is using a phishing domain, “pakgov[.]net,” in order to impersonate multiple Pakistani government entities. The threat actor also posted links on Facebook leading to a malicious website that purported to offer enrollment for COVID-19 vaccinations.

“Once the victim clicks on the link, an archive with a malicious .LNK file or RTF document is downloaded,” Group-IB says. “In the case of LNK, the files have a Microsoft Word icon, making it appear more legitimate, encouraging people to open. Whether the initial vector was a phishing email or a phishing link posted on social media, the malicious payload is always launched using the DLL side-loading technique, which provides persistence and has RAT functionality.”

The threat actor is using a script that deflects users who don’t have a Pakistani IP address, in order to minimize their footprint.

“[W]hen a client visits this link, which the anti-bot script does not like, the script redirects to a legitimate document located on a legitimate resource:,” the researchers write. “And, the script won't even work if the client's IP address differs from Pakistan's - the client will automatically be redirected to the legitimate resource. These are common techniques that are used to avoid detection by threat researchers.”

New-school security awareness training can enable your employees to thwart social engineering attacks.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews