Introduction

Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle, from a deceptive “Inspection” lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17). Recently, Zscaler Threat Hunting has observed an evolution in the threat actor’s toolkit: an attempt to evade detection by mimicking Chinese enterprise software. This discovery underscores Zscaler’s ability to detect subtle, state-sponsored tradecraft within cloud-scale telemetry before it causes critical damage.

Key Takeaways

- This campaign is hyper-targeted at regions across Asia Pacific, reaching enterprises typically in the Services, Retail, Telecommunication and Health Care sectors via fake “Income Tax Department” portals.
- The threat actor uses a DLL side-loading technique with legitimate Microsoft Defender binaries (SenseCE[.]exe) to bypass EDR.
- Public cloud storage (such as GoFile) and legitimate URL shorteners (surl[.]li) are used to evade reputation-based detections.

Why We Started This Hunt

This investigation was triggered by a hunt across Zscaler Internet Access (ZIA) telemetry showing a localized spike in traffic to the URL shortener surl[.]li originating from high-value Indian networks, immediately followed by connections to a commonly abused file hosting service (gofile[.]io).
The correlation of bureaucratic lures (“Inspection”, “Tax”) with unusual DLL file movements bears a strong resemblance to activity previously attributed to APT operations, prompting Zscaler Threat Hunting to operationalize tailored hunts laser-focused on SideWinder TTPs.

Threat Overview

Who uses the technique?

APTs like SideWinder frequently leverage trusted system binaries to “live off the land.” By abusing signed Microsoft executables (SenseCE[.]exe), they force legitimate applications to load malicious libraries (MpGear[.]dll), blinding traditional security products that trust the parent process. SideWinder frequently distributes malicious payloads through URL shorteners and commonly abused cloud storage services during the initial access phase.

Why is this technique hard to catch?

Organizations face a significant challenge in detecting Living Off Trusted Sites (LOTS) because blacklisting these often business-critical, trusted websites is not a viable option. Security products often whitelist signed Microsoft binaries. When SenseCE[.]exe runs, it looks like a routine Windows Defender operation. The actual malicious code resides in a hijacked DLL, which executes entirely in memory without triggering file-scanning engines. For a SOC, this looks like normal system maintenance traffic.

What makes it relevant in Zscaler’s context?

With the Zscaler Zero Trust Exchange™ inspecting SSL/TLS traffic, Zscaler Threat Hunting can see the context missed by endpoint tools: the initial redirect from a fake income tax website, the download of the .zip file, and the subsequent beaconing.
This visibility allows Zscaler Threat Hunting to connect the dots between a user’s browser activity and a system-level incident.

How Zscaler Threat Hunting Approaches the Investigation

Hypothesis

Zscaler Threat Hunting hypothesized that a sudden increase in “Inspection” and “Tax” related file downloads from non-government domains (gofile[.]io), redirected through commonly abused URL shortener services like surl[.]li, indicated a targeted phishing campaign bypassing email gateways.

Methodology

Using the TRACER methodology, analysts:

- Triaged suspicious URL shortener redirects.
- Reconstructed the victim’s browsing session to identify the lure page (gfmqvip[.]vip).
- Analyzed the downloaded artifacts (Inspection[.]zip) to map the infection chain.
- Correlated the C2 traffic with known SideWinder infrastructure.
- Escalated the in-depth technical findings to the relevant customers.
- Revised hunting playbooks to detect the newly identified patterns, protecting more customers targeted by this campaign.

Notable Patterns

Zscaler Threat Hunting observed a distinct geofencing behavior: the malware checked the victim’s timezone via timeapi[.]io and worldtimeapi[.]org, and only systems in South Asian timezones (UTC+5:30) proceeded to the next stage, corroborating a highly targeted regional focus on India.

Zscaler Threat Hunting found SideWinder’s new implant because of the global visibility of Zscaler’s Zero Trust Exchange and expert 24/7 threat hunting operations that specialize in finding weak signals inside a sea of telemetry.

Zscaler Threat Hunting Coverage

Zscaler Threat Hunting stands at the forefront of proactive threat detection by combining global-scale telemetry, advanced analytics, and the expertise of seasoned threat hunters. At the heart of this capability is Zscaler’s Zero Trust Exchange, which brokers every user connection to apps and data, providing unmatched visibility into real-time web traffic, SSL flows, and cloud activity.
With over 500 billion transactions analyzed daily, Zscaler Threat Hunting harnesses this cloud-scale data to spot subtle behaviors and anomalies that would otherwise go undetected in siloed environments.

Detection does not start with an alert; it starts with a hypothesis. Zscaler Threat Hunting analysts actively hunt for emerging tactics, techniques, and procedures (TTPs) of adversaries like SideWinder, guided by threat intelligence, observed tradecraft, and enriched anomaly detection. Analysts look for clues such as downloads with masqueraded file extensions, network connections to uncategorized or newly registered domains, and the use of trusted binaries for proxy execution.

Zscaler Threat Hunting and Zscaler ThreatLabz work in close partnership to turn threat hunting findings into scalable protection. When the hunting team uncovers a new threat campaign, ThreatLabz provides continuous analysis to operationalize that intelligence into durable, platform-wide security controls where applicable. The indicators discussed in this blog are now part of the platform’s detection logic to safeguard customers.

Key Findings / Indicators of Compromise (IOCs)

Initial Vector

- Method: Phishing email with a Call To Action (CTA).
- MITRE ATT&CK: T1566.002, T1204.001
- URL: surl[.]li/wuvdwi (Redirector).
- Lure: The user is redirected to gfmqvip[.]vip, a fraudulent site impersonating the Income Tax Department of India.

Delivery / Staging

- Payload: Inspection[.]zip.
- MITRE ATT&CK: T1027.013, T1102.002, T1036.005
- Hostname: store10[.]gofile[.]io (Public file sharing).
- Contents: The .zip contains a legitimate-looking executable, Inspection Document Review[.]exe (a renamed SenseCE[.]exe), a malicious MpGear[.]dll, and decoy certificates (DMRootCA[.]crt).

Execution Mechanism

- Technique: DLL Side-Loading.
- MITRE ATT&CK: T1574.002, T1497.003, T1622, T1055
- Process: The user runs Inspection Document Review[.]exe. This legitimate Microsoft binary automatically loads the malicious MpGear[.]dll from the same folder.
- Evasion: The malware performs environment checks (timezone via timeapi[.]io, process enumeration) and sleeps for ~3.5 minutes to evade sandbox analysis.

Command-and-Control & Payload

- Stage 2: Connects to 8[.]217[.]152[.]225 to download a shellcode loader (/1bin).
- MITRE ATT&CK: T1071.001, T1132.001, T1614.001
- Final Payload: A resident agent (mysetup[.]exe) is dropped to C:\install.
- Config: A file YTSysConfig[.]ini (or YTSTATUS[.]ini) is created, containing C2 instructions.
- C2: The agent beacons to 180[.]178[.]56[.]230 (mimicking the protocol of the Chinese “Anqi Shen” endpoint tool).

Recommended Defensive Actions

Detection Opportunities

- Network: Block traffic to known C2 IPs potentially associated with SideWinder APT. Monitor for unusual outbound connections to timeapi[.]io or worldtimeapi[.]org from non-browser processes in a beaconing manner.
- Endpoint: Alert on the execution of SenseCE[.]exe (or any process named “Inspection…”) running from user profile directories (Downloads or Desktop) rather than Program Files.
- File System: Hunt for the creation of C:\install\mysetup[.]exe or YTSysConfig[.]ini.

Zscaler Prevention

- ZIA: Ensure “Advanced Threat Protection” policies are enabled to block known C2 domains.
- Cloud Sandbox: Configure strict quarantine for archive files (.zip) originating from uncategorized or file-sharing domains (gofile[.]io).
- SSL Inspection: Enable full SSL inspection to allow detection of the C2 traffic hidden within HTTPS tunnels.

Conclusion

This campaign highlights SideWinder’s evolving sophistication, blending targeted government lures with “living off the land” techniques to bypass traditional defenses. By mimicking legitimate administrative tools and leveraging public cloud infrastructure, they continue to threaten critical sectors in India and beyond.

Organizations interested in adding expert-led threat hunting to their defense program can reach out for a technical briefing. If you’d like an updated list of TTPs for this campaign, reach out to your account executive.

Uncovering threats like SideWinder requires more than alerts—it requires active hunting. The Zscaler Threat Hunting team works 24/7 to find hidden attackers in your environment before they can cause damage. Schedule a complimentary threat briefing with our experts to discuss how our methodology can be applied to your organization’s unique threat landscape.
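The Detection Opportunities listed above (a Defender binary running from a user profile directory, MpGear[.]dll loaded from that same folder, time-API lookups from a non-browser process, and the C:\install drop) turned into endpoint-log checks and run over constructed Sysmon-style events. This is an added example, not Zscaler's code or detection logic; the event field names, the browser allow-list and the sample telemetry are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Assumed field names follow a Sysmon-style export; adjust to your SIEM schema.
USER_PROFILE_DIRS = re.compile(r"^c:\\users\\[^\\]+\\(downloads|desktop)\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
TIME_APIS = {"timeapi.io", "worldtimeapi.org"}       # geofencing lookups named in the blog
DROPPED_NAMES = {"mysetup.exe", "ytsysconfig.ini", "ytstatus.ini"}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection names a single event triggers (empty list if benign)."""
    hits: List[str] = []
    image = ev.get("image", "")
    proc = ntpath.basename(image).lower()
    if ev["type"] == "process_create":
        # A renamed SenseCE.exe keeps its PE OriginalFileName; "Inspection..." is the lure name.
        original = ev.get("original_file_name", "").lower()
        lure = proc == "sensece.exe" or original == "sensece.exe" or proc.startswith("inspection")
        if lure and USER_PROFILE_DIRS.match(image):
            hits.append("defender_binary_in_user_profile")
    elif ev["type"] == "image_load":
        # MpGear.dll pulled from Downloads/Desktop instead of the Defender install directory.
        loaded = ev.get("image_loaded", "")
        if ntpath.basename(loaded).lower() == "mpgear.dll" and USER_PROFILE_DIRS.match(loaded):
            hits.append("mpgear_dll_sideload")
    elif ev["type"] == "network_connect":
        # Time-zone API lookups are normal from a browser, suspicious from anything else.
        if ev.get("dest_host", "").lower() in TIME_APIS and proc not in BROWSERS:
            hits.append("timezone_api_from_non_browser")
    elif ev["type"] == "file_create":
        if ntpath.basename(ev.get("target", "")).lower() in DROPPED_NAMES:
            hits.append("resident_agent_artifact")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through check_event and return (event index, detection) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


LURE = r"C:\Users\alice\Downloads\Inspection\Inspection Document Review.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not data from the campaign
    {"type": "process_create", "image": LURE, "original_file_name": "SenseCE.exe"},
    {"type": "process_create", "original_file_name": "SenseCE.exe",
     "image": r"C:\Program Files\Windows Defender Advanced Threat Protection\SenseCE.exe"},
    {"type": "image_load", "image": LURE, "image_loaded": r"C:\Users\alice\Downloads\Inspection\MpGear.dll"},
    {"type": "network_connect", "image": LURE, "dest_host": "timeapi.io"},
    {"type": "network_connect", "dest_host": "worldtimeapi.org",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_create", "image": LURE, "target": r"C:\install\mysetup.exe"},
    {"type": "file_create", "image": LURE, "target": r"C:\install\YTSysConfig.ini"},
]

if __name__ == "__main__":
    for index, detection in triage(SAMPLE_EVENTS):
        print(f"event {index}: {detection}")
```

The two legitimate events (SenseCE.exe from its install path, a browser querying worldtimeapi.org) produce no hit, which is the false-positive check a hunter would want before promoting these rules.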