Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. SideWinder is an APT group that’s been active since at least 2012, believed to be an actor of Indian origin with a relatively high level of sophistication.
Security researchers at Kaspersky attributed close to 1,000 attacks to this group in the past two years. Among its primary targets are organizations in Pakistan, China, Nepal, and Afghanistan.
The adversary relies on a fairly large infrastructure that includes more than 92 IP addresses, used mainly for phishing attacks, and hosts hundreds of domains and subdomains that serve as command and control servers.