Windshift
Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]
Associated Group Descriptions
| Name | Description |
|---|---|
| Bahamut |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise |
Windshift has used compromised websites to register custom URL schemes on a remote system.[2] |
|
| Enterprise | T1036 | Masquerading |
Windshift has used icons mimicking MS Office files to mask malicious executables.[2] |
|
| .001 | Invalid Code Signature |
Windshift has used revoked certificates to sign malware.[2][1] |
||
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[1] |
| .001 | Phishing: Spearphishing Attachment |
Windshift has sent spearphishing emails with attachment to harvest credentials and deliver malware.[1] |
||
| .003 | Phishing: Spearphishing via Service |
Windshift has used fake personas on social media to engage and target victims.[1] |
||
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Windshift has used e-mail attachments to lure victims into executing malicious code.[1] |
| .001 | User Execution: Malicious Link |
Windshift has used links embedded in e-mails to lure victims into executing malicious code.[1] |
||