The India-aligned APT SideWinder is using a variety of social engineering techniques to target Pakistani government and military entities, according to researchers at Group-IB. The threat actor is using phishing emails as well as a malicious VPN app placed in the Google Play Store.

“The SideWinder APT is believed to be an Indian nation-state threat actor. In their attacks, SideWinder was seen targeting government, military, and economic sectors in Southeast Asia: in Afghanistan, Nepal, Sri Lanka, Bhutan, Myanmar, the Philippines, Bangladesh, Singapore, and China,” the researchers write. “However, since the discovery of the group in 2012, Pakistan has been the primary target of SideWinder. In the last year alone, several of SideWinder’s attacks targeting Pakistan have been detected. SideWinder was particularly interested in the Pakistani military targets.”

SideWinder is using a phishing domain, “pakgov[.]net,” in order to impersonate multiple Pakistani government entities. The threat actor also posted links on Facebook leading to a malicious website that purported to offer enrollment for COVID-19 vaccinations.

“Once the victim clicks on the link, an archive with a malicious .LNK file or RTF document is downloaded,” Group-IB says. “In the case of LNK, the files have a Microsoft Word icon, making it appear more legitimate, encouraging people to open them. Whether the initial vector was a phishing email or a phishing link posted on social media, the malicious payload is always launched using the DLL side-loading technique, which provides persistence and has RAT functionality.”

The threat actor also uses an anti-bot script that redirects visitors without a Pakistani IP address away from the malicious page, in order to keep the campaign’s footprint small and out of researchers’ view.

“[W]hen a client visits this link, which the anti-bot script does not like, the script redirects to a legitimate document located on a legitimate resource: finance.gov.pk,” the researchers write. “And, the script won’t even work if the client’s IP address differs from Pakistan’s – the client will automatically be redirected to the legitimate resource. These are common techniques that are used to avoid detection by threat researchers.”
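As an added detection example (not Group-IB’s or the article’s own code), the following Python scans web-proxy log lines for the two signals described above: a lookalike domain such as pakgov.net that is not under the genuine gov.pk suffix, and an HTTP redirect from such a host to a real gov.pk resource like finance.gov.pk. The key=value log format and the sample entries are constructed for this example.

```python
"""Flag proxy-log entries matching the lookalike-domain and redirect-to-legitimate-
resource behaviour described in the article (added example, not Group-IB tooling)."""
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines in an assumed key=value format.
SAMPLE_LOG = """\
2023-03-01T09:14:02Z client=10.20.0.15 method=GET host=pakgov.net path=/vaccine/enroll status=302 location=https://finance.gov.pk/sites/default/files/notice.pdf
2023-03-01T09:14:03Z client=10.20.0.15 method=GET host=finance.gov.pk path=/sites/default/files/notice.pdf status=200 location=-
2023-03-01T09:20:11Z client=10.20.0.22 method=GET host=www.finance.gov.pk path=/ status=200 location=-
2023-03-01T09:25:40Z client=10.20.0.31 method=GET host=example.com path=/news status=301 location=https://www.example.com/news
"""

LEGIT_SUFFIX = ".gov.pk"
# Defanged indicator quoted in the article; refanged before matching.
KNOWN_PHISHING_DOMAINS = {"pakgov[.]net"}
LINE_RE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) location=(?P<location>\S+)"
)

def refang(domain):
    """Turn a defanged indicator such as 'pakgov[.]net' back into a hostname."""
    return domain.replace("[.]", ".").lower()

def is_gov_pk(host):
    """True only for the genuine gov.pk namespace (exact or subdomain)."""
    h = host.lower().rstrip(".")
    return h == LEGIT_SUFFIX.lstrip(".") or h.endswith(LEGIT_SUFFIX)

def looks_like_gov_impersonation(host):
    """Heuristic: host mentions 'gov' plus a Pakistan marker but is not under gov.pk."""
    h = host.lower()
    return (not is_gov_pk(h)) and "gov" in h and ("pak" in h or "pk" in h)

def analyze(log_text):
    """Return (rule, host, client) alerts for every matching log line."""
    known = {refang(d) for d in KNOWN_PHISHING_DOMAINS}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, client, status, loc = m["host"].lower(), m["client"], int(m["status"]), m["location"]
        if host in known:
            alerts.append(("known-phishing-domain", host, client))
        if looks_like_gov_impersonation(host):
            alerts.append(("lookalike-gov-domain", host, client))
        # Non-gov.pk host bouncing the client to a real gov.pk document: the deflection pattern.
        if 300 <= status < 400 and loc != "-" and is_gov_pk(urlparse(loc).hostname or "") and not is_gov_pk(host):
            alerts.append(("redirect-to-legit-gov-resource", host, client))
    return alerts
```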