← All Threat Actors
Threat Actor Profile

WindShift

Bahamut G0112 Windy Phoenix
▲ High Threat
In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.
Origin

Known TTPs

Process Discovery
Drive-by Compromise
Visual Basic
Security Software Discovery
Spearphishing Attachment
Malicious Link
Spearphishing via Service
Registry Run Keys / Startup Folder
Software Discovery
Spearphishing Link
Invalid Code Signature
Obfuscated Files or Information
Web Protocols
Masquerading
Ingress Tool Transfer
Windows Management Instrumentation
System Owner/User Discovery
System Information Discovery
Malicious File

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD