Menu
Browse

Cyber Incident Victim: Arg

Date:

Dec 2020

Location:

Afghanistan

Summary

SideWinder APT launched a phishing and malware campaign that used convincing email‑credentials lures, emailed backdoors and malicious mobile apps to compromise military and government targets in Nepal and Afghanistan, exploiting recent territorial disputes between China, India, Nepal and Pakistan as bait to gather sensitive information. The operation employed spear‑phishing messages that appeared to originate from trusted regional entities, delivering payloads that established persistent access and exfiltrated documents, communications and credentials.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

On December 9, 2020, researchers reported that the SideWinder APT group had initiated a fresh phishing and malware campaign.
The campaign was described as a wide‑ranging spy operation targeting Nepal and Afghanistan.
SideWinder used recent territorial disputes involving China, India, Nepal, and Pakistan as social‑engineering lures.
The attackers distributed convincing emails designed to harvest credentials from recipients.

Cyber Incident Image

These phishing emails contained malicious attachments or links that delivered emailed backdoors when opened.
In addition to email, SideWinder disseminated mobile applications that appeared legitimate but contained malicious functionality.
The mobile apps were used to establish persistence on compromised devices and exfiltrate data.
Primary victims of the operation were military and government organizations in the targeted countries.

The stated goal of the campaign was to gather sensitive information from those targets.
The activity was observed in late 2020, coinciding with the heightened territorial tensions used as lures.
No specific details about the volume of compromised systems or the exact data stolen were disclosed in the report.
The report highlighted the continued use of credential phishing, backdoors, and mobile malware by the SideWinder group.

Sources
Sources available to members
1 source