sidewinder
6 min read
FreeSideWinder's Click Once campaign - independent validation with ClusterHawk
We confirm Trellix's reporting on SideWinder's PDF ClickOnce chain and targets. Testing the method, we pivoted on VirusTotal-communicated IPs and separated CDN/search noise (about 85%) from a compact nginx micro-cluster (about 15%), then built ready-to-run SIEM/Sigma and Shodan/Censys hunts.
By Chawkr Reports
02/11/2025
SideWinder's Click Once campaign - independent validation with ClusterHawk
TL;DR: We confirm Trellix's reporting on SideWinder's PDF → ClickOnce chain and targeting. We then intentionally added all "communicated-with" IPs linked to the verified malicious domains/IPs to see whether clustering could separate benign enrichment noise from real infrastructure. The result: about ~85% CDN/search baseline and a compact nginx micro-cluster (~15%) that's worth watching. Below are ready-to-run hunts (SIEM/Sigma + Shodan/Censys) and cluster fingerprints you can reuse as predictive seeds. (trellix.com)
What Trellix reported
- Waves & targets: multi-wave operation in Mar-Sep 2025, including a European embassy (New Delhi) and public-sector entities in Sri Lanka, Pakistan, Bangladesh.
- Tradecraft: a new PDF → ClickOnce infection chain (besides historic CVE-2017-0199/RTF), geofenced/time-locked stages, per-victim URLs & hashes, delivering ModuleInstaller → StealerBot.
- Infra families (examples):
hajjtraining2025.moragovt[.]net,cadetcollege.adobeglobal[.]com,hajjmedicalteam.adobeglobal[.]com,pimec-paknavy.updates-installer[.]store,cabinet-gov-pk.dytt888[.]net,adobe.pdf-downlod[.]com; C2exosel[.]info&ostcone[.]site; sender*.pk-mail[.]org. (trellix.com)
Bottom line: Trellix is our content/TTP authority. We validated (and then enhanced) the infra picture by running their published IOCs through ClusterHawk's automatic pipelines and manually reviewing the results.
Dataset & the deliberate VT-pivot test
We combined Trellix-published SideWinder IOCs with a wide set of VT "communicated-with" IPs on purpose to test whether clustering can separate enrichment noise from real signal.
What ClusterHawk (Intermediate) produced:
- Total clustered assets: 47 (plus 6 NIL excluded, these had no information available).
- Five clusters, all with Good stability.
- Distribution:
- Cluster 0 (Akamai CDN): 20/47 (42.55%)
- Clusters 1, 3, 4 (Google frontends): 10/47 (21.28%), 7/47 (14.89%), 3/47 (6.38%)
- Cluster 2 (nginx micro-cluster): 7/47 (14.89%) → Legit baselines ≈ 85%, suspicious leads ≈ 15%.
Anomaly engine: 3/47 (6.4%) flagged: CRITICAL: 184.28.81.200; HIGH: 192.178.209.138,
184.30.148.76, all on Akamai/Google edges (monitor, don't enforce).
Did VT "communicated-with" IPs overlap real IOCs? Yes. 10/53 VT IPs overlapped the verified set: 5.230.33.233,
75.2.115.196, 84.32.84.32, 84.32.84.33, 89.46.233.190, 89.150.57.220, 91.195.240.19, 91.242.163.218,
198.177.120.54, 199.59.243.228.
Interpretation: great as pivot fuel, but most of the VT list fell into Akamai/Google baselines, exactly the behavior our method is designed to separate: pivot wide → filter with clustering.
Cluster profiles you can actually hunt
Cluster 0: Akamai CDN baseline (42.55%, 20 assets)
- Server/WAF:
AkamaiGHost+ Kona SiteDefender (100%). - TLS/certs: TLS 1.3; JA3S
09eeaa98d62f95fb7de5342ec4f7a55e; JARM27d27d27d29d27d21c42d42d000000996c218236a1fd203fd29824aa76026c; cert DigiCert TLS Hybrid ECC SHA384 2020 CA1; subjecta248.e.akamai.net. - HTTP:
400 Bad Requeston :80 (100%). - Global match: ~158,980 hosts (at time of analysis, ~Oct-Nov 2025) → not an IOC; use as allow-list fingerprint.
Pivotable seeds (copy/paste):
- Elastic/Splunk (baseline allow-list):
product:"AkamaiGHost" AND http.waf:"Kona SiteDefender (Akamai)" AND tls.ja3s:"09eeaa98d62f95fb7de5342ec4f7a55e" AND destination.port:443 - Shodan/Censys (context discovery):
product:AkamaiGHost http.waf:"Kona SiteDefender (Akamai)" org:"Akamai Technologies, Inc." ssl.ja3s:09eeaa98d62f95fb7de5342ec4f7a55e port:443
Clusters 1/3/4: Google frontends baseline (10/7/3 assets)
- Traits: Google web server, HTTP 301 on :80 → :443; TLS 1.3; JA3S
66e33336e3e99f75410126f42d44cc81; JARM29d3fd00029d29d21c42d43d00041df61f6b5fa6973e9fa14c8155669c6633; security.txt (Google VRP). - Global match: ~30,528 hosts (at time of analysis, ~Oct-Nov 2025) → baseline, not IOCs. Use to detect impersonation outside AS15169.
Pivotable seeds:
- Impersonation hunt (Elastic/Splunk):
tls.ja3s:"66e33336e3e99f75410126f42d44cc81" AND NOT dest.asn:"AS15169" AND NOT destination.domain:*.1e100.net - Shodan/Censys (HTTP-only variant with 301 + VRP text):
http.status:301 http.securitytxt:"Contact: https://g.co/vulnz" org:"Google LLC" http.favicon.hash:708578229
Cluster 2: nginx micro-cluster (lead bucket) (14.89%, 7 assets)
- What it looks like:
nginxon port 80 with a strong 403/400 response bias, no TLS on 86% of assets, and no DNS hostnames observed (100%). - When TLS is present: TLS 1.3 + AES-GCM with JA3S
b210411e648f206db393c31561686aeaand JARM3fd3fd00000000000043d43d00043dc3b2afa8a5ec09b510a8559aff7899fb. - Where it lives: mainly on Sedo Domain Parking, IONOS SE, and UAB Nacionalinis Telekomunikacijų Tinklas.
- How we read it: Based on manual review, roughly ~40% looks like potentially malicious infra (throwaway staging/relay/C2) and ~60% looks like parking/misconfig. Treat these as lead candidates, not hard IOCs, and correlate hits with SideWinder-linked domains/paths.
Pivotable seeds (run these now):
-
Elastic KQL / Splunk (tripwire: investigation-only, no shorthand):
destination.ip:* AND not cidrmatch(destination.ip, ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","127.0.0.0/8"]) AND http.response.status_code: (400 OR 403) AND http.response.headers.server: "nginx" AND NOT (http.request.headers.host:* OR tls.server_name:*)Optional strengthening: also require no recent DNS A/AAAA resolution to that
destination.ipin your DNS index (±10-30 min). -
Sigma (portable)
title: Nginx_Anonymous_403_400_NoHost_NoSNI status: experimental logsource: category: network detection: sel_err: http.status|contains: - 400 - 403 sel_server: http.server: nginx sel_nohost: http.host|absent: true sel_nosni: tls.server_name|absent: true sel_public: destination.ip|cidr: - "!10.0.0.0/8" - "!172.16.0.0/12" - "!192.168.0.0/16" - "!127.0.0.0/8" condition: sel_err and sel_server and sel_nohost and sel_nosni and sel_public level: high tags: - attack.t1071.001 - sidewinder.cluster2 - infrastructure.anonymous falsepositives: - enterprise egress proxies stripping SNI/Host - benign scanners (add allowlist) -
Shodan/Censys (internet pivot):
product:nginx (http.status:400 OR http.status:403) -ssl.cert.subject:* -dns:*(Tighten with the JA3S/JARM above when TLS appears.)
What matched Trellix
- Same delivery/C2 families present in the Trellix IOC set and our verified set:
adobe.pdf-downlod[.]com,cadetcollege.adobeglobal[.]com,hajjmedicalteam.adobeglobal[.]com,hajjtraining2025.moragovt[.]net,pimec-paknavy.updates-installer[.]store,cabinet-gov-pk.dytt888[.]net,mos-gov-bd.snagdrive[.]com,mofa-gov-bd.filenest[.]live, plus C2exosel[.]info,ostcone[.]site, and sender*.pk-mail[.]org. Confirmed. - Why IP-only fails: Trellix shows geofenced, per-victim, short-lived URLs/hashes in a PDF→ClickOnce chain, so domain/URL-first enforcement is required; CDN/search IPs ≠ IOCs and should be enrichment only. (trellix.com)
What we added beyond Trellix
Building only on Trellix's published IOCs and campaign details, ClusterHawk contributed:
- Quantified separation: 47 clustered / 6 NIL / 5 clusters, with Akamai+Google ≈ 85% baseline vs nginx 15% leads; 3 anomalies on CDN/search (monitor).
- Provider fingerprints you can paste (Akamai & Google JA3S/JARM + headers/certs) to reduce FPs without trusting every CDN-hosted domain.
- Unique tripwire for the nginx pocket (no Host header + no TLS SNI + 400/403; optionally no recent DNS): zero global matches in our scan space → high-precision lead generator when SideWinder rotates.
Threat actor & infrastructure preferences
- Targets: diplomats/public sector in IN (embassy in New Delhi), LK, PK, BD; Mar-Sep 2025 waves.
- Delivery: PDF → ClickOnce (plus RTF/CVE-2017-0199 fallback); geofenced/time-locked second stages; per-victim URLs & hashes; ModuleInstaller → StealerBot toolset.
- Infra tastes: disposable look-alike domains on commodity hosting/CDNs; sender
*.pk-mail[.]org; plus a tiny anonymous nginx pocket (Cluster 2) that likely serves throwaway staging or abandoned/parked boxes. Infra sophistication: 3/10 (Low-Moderate).
Ready-to-use detections & playbooks
1. Baseline / Allow-list (noise control, not trust)
Akamai allow-list:
AkamaiGHost+ Kona SiteDefender, TLS 1.3, cert subjecta248.e.akamai.net, JA3S09eeaa…, JARM27d27d….
Google allow-list (baseline) + impersonation context:
- Legit baseline:
1e100.net, HTTP 301→443, TLS 1.3, JA3S66e333…, JARM29d3fd…, security.txt present.
2. Hunting queries (investigate hits)
- Impersonation hunt (Elastic/Splunk): same Google JA3S/JARM outside AS15169 and not
*.1e100.net→ triage. - Nginx tripwire: use the KQL/Sigma/Shodan pivots from Cluster 2 above as investigation triggers, not block lists.
3. High-confidence escalation conditions
Escalate the nginx tripwire when:
- It co-occurs with known families
adobeglobal / moragovt / dytt888 / updates-installer / snagdrive / filenestor withexosel.info/ostcone.site, or - It shows per-victim URL entropy and short-lived paths consistent with Trellix's ClickOnce flow.
Trellix IOC box (input to our pipeline)
Delivery/C2: adobe.pdf-downlod.com, cadetcollege.adobeglobal.com, hajjmedicalteam.adobeglobal.com,
hajjtraining2025.moragovt.net, pimec-paknavy.updates-installer.store, cabinet-gov-pk.dytt888.net,
mofa-gov-bd.filenest.live, mos-gov-bd.snagdrive.com, exosel.info, ostcone.site
Sender: mod.gov.bd.pk-mail.org (and related *.pk-mail.org addresses)
Note: Treat Akamai/Google/IONOS/Sedo IPs as context; enforce on domain/URL + behavior. (trellix.com)
Conclusion
- Alignment: Our results confirm Trellix's story: same delivery/C2 families and ClickOnce tradecraft; IP reputation alone won't catch this.
- Methodology proof: The VT pivot produced many edges; clustering baselined ~85% (Akamai/Google) and preserved a unique nginx lead cluster (~15%). That's exactly what ClusterHawk is meant to do.
- What's new & usable: concrete pivot queries, baseline fingerprints, and a rare nginx signature that can catch the next rotation with high precision.
Reference we validated against
- Trellix ARC: "SideWinder's Shifting Sands: Click Once for Espionage" (Oct 22, 2025). (trellix.com)
