G0112

WindShift

Also known as: Windy Phoenix · WindShift

Known aliases: 2

Profile

In August 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, Objective-See released two additional articles analysing validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

Aliases (2)

Windy Phoenix · WindShift

MITRE ATT&CK Group crosswalk

G0112

References

  1. https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/
  2. https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
  3. https://unit42.paloaltonetworks.com/atoms/windyphoenix/

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: DriftingCloud
Software: WindTail
Actor: Storm-1084
Actor: Bahamut
Actor: Velvet Tempest
Actor: APT39
Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.