Skip to content

Hide Navigation Hide TOC

RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3)

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.

Cluster A Galaxy A Cluster B Galaxy B Level
响尾蛇 - APT-C-24 (3dada716-34c3-506e-aa3a-1889bd975b4b) 360.net Threat Actors RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3) Threat Actor 1
RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3) Threat Actor SideWinder (Windows) (3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8) Malpedia 1
响尾蛇 - APT-C-24 (3dada716-34c3-506e-aa3a-1889bd975b4b) 360.net Threat Actors Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 4
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 4
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 5
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 5
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5