ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: WindShift

Names: WindShift (DarkMatter)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2018
Description: (Palo Alto) In August of 2018, DarkMatter released a report entitled "In the Trails of WindShift APT", which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WindShift samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WindShift attack as it unfolded at a Middle Eastern government agency.
Observed:
  Sectors: Government.
  Countries: Middle East.
Tools used: WindTail.
Information:
  <https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/>
  <https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=windshift>

Last change to this card: 15 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
