Skip to content

Hide Navigation Hide TOC

RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3)

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.

Cluster A Galaxy A Cluster B Galaxy B Level
SideWinder (Windows) (3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8) Malpedia RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3) Threat Actor 1
响尾蛇 - APT-C-24 (3dada716-34c3-506e-aa3a-1889bd975b4b) 360.net Threat Actors RAZOR TIGER (c4ce1174-9462-47e9-8038-794f40a184b3) Threat Actor 1
响尾蛇 - APT-C-24 (3dada716-34c3-506e-aa3a-1889bd975b4b) 360.net Threat Actors Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 2
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Sidewinder - G0121 (3fc023b2-c5cc-481d-9c3e-70141ae1a87e) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 5
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 5
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5