
Exploring the DNS Flipside of SideWinder

The SideWinder advanced persistent threat (APT) group, active since 2012 and known for targeting government, military, and business entities throughout Asia, primarily Pakistan, China, Nepal, and Afghanistan, has struck once again.

This time around, the threat actors updated their toolset and created new infrastructure to spread malware and control compromised systems. They also significantly increased attacks against maritime and logistics companies, notably in Djibouti and Egypt, and nuclear power plants in South Asia and Africa.

Securelist identified 35 domains as indicators of compromise (IoCs) in connection with the latest SideWinder attack. WhoisXML API jumped off their list of IoCs in a bid to find more connected artifacts through an expansion analysis and uncovered:

  • 35 email-connected domains
  • Two IP addresses, one of which turned out to be malicious
  • 10 IP-connected domains
  • 532 string-connected domains, 16 of which have already figured in cyber attacks

A sample of the additional artifacts obtained from our analysis is available for download on our website.

On the Flipside of the SideWinder IoCs

We started our analysis of the most recent SideWinder attack by looking more closely at IoCs.

A Bulk WHOIS API query for the 35 domains identified as IoCs revealed that only 34 of them had current WHOIS records. The results also showed that:

  • The 34 domains were all created in 2024.
  • They were administered by six registrars led by Hostinger Operations and PDR, which accounted for nine domains each. Namecheap took the second spot with eight domains. NameSilo placed third with six domains. Finally, Hosting Concepts and InterNetX administered one domain each.
  • They were registered in 12 countries topped by the U.S., which accounted for 17 domains. Four were registered in Iceland while two each were registered in Estonia, the Netherlands, and the U.K. Finally, one domain each was registered in Australia, Greenland, Mauritania, New Zealand, Norway, Saint Barthélemy, and Switzerland.

We then queried the 35 domains tagged as IoCs on DNS Chronicle API and found that only 32 of them had historical domain-to-IP address resolutions. In fact, they had 146 resolutions in all. The domain documentviewer[.]info posted the oldest resolution date—3 April 2020. Given that documentviewer[.]info was created on 8 August 2024 according to its current WHOIS record, it could have been reregistered specifically for the SideWinder attack.

Take a look at details for five other domains identified as IoCs below.

Domain IoC          Number of IP resolutions   First IP resolution date
aliyum[.]email      6                          5 August 2024
depo-govpk[.]com    2                          18 October 2024
dowmloade[.]org     1                          21 August 2024
ms-office[.]app     6                          29 March 2023
veorey[.]live       8                          27 November 2024

SideWinder Attack IoC List Expansion Findings

We kicked off our analysis by querying the 35 domains identified as IoCs on WHOIS History API, which showed that six of them had 10 email addresses in their current WHOIS records after filtering out duplicates. Two of the 10 email addresses were public.

Next, we queried the two public email addresses on Reverse WHOIS API and found that while they did not appear in the current WHOIS records of any domain, they did so in the historical records of 35 email-connected domains after duplicates and those already identified as IoCs were filtered out.

We then queried the 35 domains identified as IoCs on DNS Lookup API. Only two of them had active domain-to-IP address resolutions, pointing to two unique IP addresses in total.

A Threat Intelligence API query for the two IP addresses revealed that one of them—91[.]195[.]240[.]12—has already been weaponized in connection with generic threats, phishing, command and control (C&C) attacks, malware distribution, and suspicious activity.
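As an added illustration of the two checks this post relies on, the reregistration test (oldest passive-DNS resolution predating the current WHOIS creation date) and the public-email reverse-WHOIS pivot with IoCs and duplicates filtered out, here is a small offline script. It is not WhoisXML API's code: the API responses are replaced by constructed inline records, and only documentviewer[.]info's dates and the first-resolution dates of aliyum[.]email and depo-govpk[.]com come from the post.

```python
from datetime import date

# Constructed stand-ins for API responses (not real WHOIS/DNS data beyond the
# few dates taken from the post). Domains are defanged with [.] as in the post.
IOCS = ["documentviewer[.]info", "aliyum[.]email", "depo-govpk[.]com"]

# domain -> (creation date, registrant email, email is public rather than redacted)
WHOIS = {
    "documentviewer.info": (date(2024, 8, 8), "registrant@example.com", True),
    "aliyum.email": (date(2024, 7, 30), "redacted@privacy.example", False),
    "depo-govpk.com": (date(2024, 10, 1), "registrant@example.com", True),
}
# domain -> oldest historical domain-to-IP resolution (constructed passive DNS)
FIRST_RESOLUTION = {
    "documentviewer.info": date(2020, 4, 3),
    "aliyum.email": date(2024, 8, 5),
    "depo-govpk.com": date(2024, 10, 18),
}
# email -> domains in whose historical WHOIS records it appears (constructed)
REVERSE_WHOIS = {
    "registrant@example.com": {"documentviewer.info", "depo-govpk.com",
                               "other-a.example", "other-b.example"},
}

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

def defang(domain: str) -> str:
    return domain.replace(".", "[.]")

def likely_reregistered(domain: str) -> bool:
    """True when passive DNS saw the domain before its current registration began."""
    created, _, _ = WHOIS[domain]
    first = FIRST_RESOLUTION.get(domain)
    return first is not None and first < created

def email_connected_domains(iocs: list[str]) -> list[str]:
    """Pivot public registrant emails through reverse WHOIS; drop known IoCs."""
    known = {refang(d) for d in iocs}
    public_emails = set()
    for d in known:
        if d in WHOIS:
            _, email, is_public = WHOIS[d]
            if is_public:          # redacted/privacy emails cannot be pivoted on
                public_emails.add(email)
    connected = set()
    for email in sorted(public_emails):
        connected |= REVERSE_WHOIS.get(email, set())
    return sorted(defang(d) for d in connected - known)
```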

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
