Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond its typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.

We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but we noticed a new and significant increase in attacks against maritime infrastructures and logistics companies.

In 2024, we initially observed a significant number of attacks in Djibouti. Subsequently, the attackers shifted their focus to other entities in Asia and showed a strong interest in targets within Egypt.

Moreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia and further expansion of activities into new countries, especially in Africa.