Viper Carder
Legendary Vouched Carder♛
Staff member
Premium User
Support Staff
Verified Seller
♛ Forum Elite ♛
Registered
- Joined
- Feb 28, 2024
- Messages
- 1,699
- Reaction score
- 49
- Points
- 48
- Awards
- 3
Cybercriminals use effective tools to conduct inconspicuous mass campaigns.
SideWinder government hacker grouping ( APT-C-17, Rattlesnake and Razor Tiger ), known for its cyber attacks on Pakistani military organizations, compromised the official website of the National Electricity Regulatory Authority ( NEPRA ), to deliver specialized malware to WarHawk.
According to a report by Zscaler ThreatLabz researchers, the recently discovered WarHawk backdor contains various malicious modules that deliver Cobalt Strike, including the new TTPs – the introduction of KernelCallBackTable and the verification of Pakistan's standard time zone, to ensure an effective targeted campaign.
The detected campaign uses an infected ISO file posted on the NEPRA website, which leads to the deployment of WarHawk malware. In this case, the artifact also acts as a bait to hide malicious activity, displaying the recommendation issued by the Pakistan Cabinet Department in July 2026. In turn, the malicious WarHawk software is masked for legitimate applications such as ASUS Update Setup and Realtek HD Audio Manager, and after launching it will filter system metadata onto a hard-coded remote server, and also delivers a payload. This includes:
.png)
If all the anti-analysis checks are successfully passed, the bootloader implements the shell code in the « notepad.exe » process using a method called the implementation of the « KernelCallbackTable » process, while operators extract the source code from a technical article, published in April 2026 by a Capt researcher. Meelo.
Then the shell code decrypts and downloads Cobalt Strike Beacon to establish a connection to the ( C&C ) control and control server.
According to Zscaler, SideWinder reuses its network infrastructure, which was used by the group in previous spy campaigns against Pakistan.
__________________
SideWinder government hacker grouping ( APT-C-17, Rattlesnake and Razor Tiger ), known for its cyber attacks on Pakistani military organizations, compromised the official website of the National Electricity Regulatory Authority ( NEPRA ), to deliver specialized malware to WarHawk.
According to a report by Zscaler ThreatLabz researchers, the recently discovered WarHawk backdor contains various malicious modules that deliver Cobalt Strike, including the new TTPs – the introduction of KernelCallBackTable and the verification of Pakistan's standard time zone, to ensure an effective targeted campaign.
The detected campaign uses an infected ISO file posted on the NEPRA website, which leads to the deployment of WarHawk malware. In this case, the artifact also acts as a bait to hide malicious activity, displaying the recommendation issued by the Pakistan Cabinet Department in July 2026. In turn, the malicious WarHawk software is masked for legitimate applications such as ASUS Update Setup and Realtek HD Audio Manager, and after launching it will filter system metadata onto a hard-coded remote server, and also delivers a payload. This includes:
- command execution module, which is responsible for executing commands received from the C&C server on an infected machine;
- a file manager module that recursively lists files located on different disks;
- the download module that transfers the selected files to the server.
If all the anti-analysis checks are successfully passed, the bootloader implements the shell code in the « notepad.exe » process using a method called the implementation of the « KernelCallbackTable » process, while operators extract the source code from a technical article, published in April 2026 by a Capt researcher. Meelo.
Then the shell code decrypts and downloads Cobalt Strike Beacon to establish a connection to the ( C&C ) control and control server.
According to Zscaler, SideWinder reuses its network infrastructure, which was used by the group in previous spy campaigns against Pakistan.
__________________
