SideWinder APT Launches Cyberattacks on Indian Entities Posing as the Income Tax Department

Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities through fraudulent “Income Tax Department” portals, representing a significant evolution in the SideWinder APT’s operational tradecraft.

The threat actor, also known as Rattlesnake or APT-C-17, has refined its arsenal to bypass enterprise detection systems by leveraging DLL side-loading techniques with legitimate Microsoft binaries and mimicking Chinese enterprise software protocols.

The campaign demonstrates surgical precision in targeting. Zscaler researchers observed distinct geofencing behavior where the malware queries the victim’s timezone via timeapi.io and worldtimeapi.org, proceeding only when systems report South Asian timezones (UTC+5:30), confirming a hyper-targeted focus on India.

Compressed Inspection[.]zip Contents.

Enterprise victims span critical sectors, including Services, Retail, Telecommunications, and Healthcare, across Asia Pacific, making this a strategic intelligence-collection operation rather than opportunistic cybercrime.

Deceptive Distribution Chain

The attack lifecycle begins with phishing emails containing a call-to-action that redirects victims through the surl.li URL shortener to a fraudulent portal (gfmqvip.vip) impersonating India’s Income Tax Department.

Victims are prompted to download “Inspection.zip,” containing a trojanized package: a legitimate Microsoft Defender executable (SenseCE.exe), a malicious MpGear.dll library, and decoy certificates to maintain the deception.

This distribution model exploits trusted infrastructure, public cloud storage via GoFile and legitimate URL shorteners, to evade reputation-based detection systems that typically whitelist these services.

The technical sophistication centers on Windows DLL hijacking. When victims execute the innocent-appearing “Inspection Document Review.exe,” it automatically loads the malicious MpGear.dll from the same directory.

Zscaler’s Zero Trust Exchange, inspecting 500 billion daily transactions, correlates these disparate signals across SSL/TLS traffic, cloud activity, and web browsing to reconstruct complete attack chains invisible to siloed endpoint tools.

Income Tax Department of India Phishing Page.

Because SenseCE.exe is a legitimate, signed Microsoft binary, security products and endpoint detection and response (EDR) systems trust the parent process implicitly.
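As an added example (not part of the Zscaler report or this article), the following hunt logic runs over Sysmon-style image-load events to surface the side-loading pattern described above: a Defender platform DLL name (MpGear.dll) being mapped from outside its expected install directories, and most suspiciously from the same folder as the executable that loaded it. The trusted-directory list and the sample events are constructed assumptions, not telemetry from the campaign.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Where Defender platform DLLs such as MpGear.dll legitimately reside
# (assumption; tune to the paths observed in your own environment).
TRUSTED_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\program files\windows defender",
    r"c:\program files\windows defender advanced threat protection",
)
HIJACK_TARGETS = {"mpgear.dll"}  # DLL name the report shows being side-loaded


@dataclass
class ImageLoad:
    image: str   # process that performed the load (Sysmon Event ID 7 "Image")
    loaded: str  # module that was mapped ("ImageLoaded")


def _in_trusted_dir(path: PureWindowsPath) -> bool:
    parent = str(path.parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding label for a suspicious load of a Defender DLL, else None."""
    loaded = PureWindowsPath(ev.loaded)
    if loaded.name.lower() not in HIJACK_TARGETS or _in_trusted_dir(loaded):
        return None
    image = PureWindowsPath(ev.image)
    # Strongest signal: the DLL sits beside the executable, which is exactly
    # what the Windows loader search order lets the lure package exploit.
    if str(image.parent).lower() == str(loaded.parent).lower():
        return f"defender-dll-sideload: {image.name} loaded {loaded.name} from {loaded.parent}"
    return f"defender-dll-outside-trusted-path: {loaded}"


def hunt(events: List[ImageLoad]) -> List[str]:
    return [finding for ev in events if (finding := classify(ev))]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data from the campaign
    ImageLoad(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpGear.dll"),
    ImageLoad(r"C:\Users\victim\Downloads\Inspection\Inspection Document Review.exe",
              r"C:\Users\victim\Downloads\Inspection\MpGear.dll"),
    ImageLoad(r"C:\Windows\System32\rundll32.exe",
              r"C:\Users\victim\AppData\Local\Temp\MpGear.dll"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Because the check keys on the loaded module's name and location rather than the parent executable's name, it still fires when the signed binary has been renamed to the lure's display name.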

Command-and-Control Architecture

Following environment checks and sandbox evasion via 3.5-minute sleep timers, the malware connects to 8.217.152.225 to retrieve a shellcode loader (/1bin).

The final resident agent (mysetup.exe) is deployed to C:\install, configured via YTSysConfig.ini with beacon instructions to 180.178.56.230.

Notably, this C2 protocol mimics the proprietary communication scheme of Anqi Shen, a legitimate Chinese endpoint management tool, further obscuring malicious traffic as routine corporate software communications.

1bin Shellcode Loader Download Activity.

The actual malicious code executes entirely in memory without touching disk, rendering traditional file-scanning engines ineffective.

SideWinder’s tradecraft exploits a critical visibility gap in traditional endpoint security. While EDR tools focus on process execution and file activity, they miss the crucial context: initial browser redirection to phishing portals, archive downloads, and subsequent beaconing patterns.

This “living off the land” approach forces organizations into an impossible choice: blacklist critical Windows components or accept the risk.

This campaign underscores how state-sponsored threat actors continue evolving their methodologies to evade defenses by weaponizing legitimate infrastructure and trusted binaries, a sobering reminder that advanced persistent threats operate in the gaps between security tools.
