Observed activity associated with Sidewinder APT. Lure document: No.9374.docx, 64f2681ad0940e6c2c9c76e6834117bf. Observed C2 infrastructure: update[.]ms-office[.]app
Recent activity has been detected linked to the Sidewinder advanced persistent threat group. The campaign utilizes a malicious document named No.9374.docx with the hash value 64f2681ad0940e6c2c9c76e6834117bf as a lure mechanism. The infrastructure supporting command and control operations includes the domain update[.]ms-office[.]app. This observation indicates ongoing operations by Sidewinder, a threat actor known for targeting specific regions and sectors. The use of weaponized documents and deceptive domains mimicking legitimate Microsoft services demonstrates continued sophisticated social engineering tactics employed by this group.
AI Analysis
Technical Summary
Sidewinder APT has been observed conducting operations using a weaponized document (No.9374.docx) identified by hash 64f2681ad0940e6c2c9c76e6834117bf. The group leverages a deceptive C2 domain update.ms-office.app to manage command and control communications. This campaign demonstrates continued use of social engineering and phishing techniques (T1204.002, T1566.001) alongside network communication tactics (T1071, T1090) and code execution methods (T1059). The activity indicates ongoing targeted operations by Sidewinder, also known as RAZOR TIGER, but no direct exploit or vulnerability details are provided. No known exploits in the wild or patches are documented.
Potential Impact
The campaign enables Sidewinder to potentially execute malicious code on victim systems via a weaponized document and maintain persistent command and control through a deceptive domain. This can lead to unauthorized access, data exfiltration, and further compromise of targeted networks. However, no specific software vulnerabilities or exploits are identified in this report.
Mitigation Recommendations
No official patches or fixes are indicated for this campaign. Defenders should focus on detecting and blocking the identified malicious document hash (64f2681ad0940e6c2c9c76e6834117bf) and the C2 domain update.ms-office.app. Awareness and training to recognize phishing and social engineering attempts are recommended. Monitor for indicators of compromise related to Sidewinder activity. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for any emerging remediation guidance.
Indicators of Compromise
- hash: 64f2681ad0940e6c2c9c76e6834117bf
Technical Details
- Author: AlienVault
- TLP: white
- References: https://x.com/suyog41/status/2069306035496776105
- Adversary: RAZOR TIGER
- Pulse Id: 6a3b4e5dc7cef5136c49c364
- Threat Score: null
Indicators of Compromise
Hash
| Value | Description |
|---|---|
| 64f2681ad0940e6c2c9c76e6834117bf | No.9374.docx (lure document) |
Threat ID: 6a3c12bceed863c81e3015f6
Added to database: 06/24/2026, 17:24:12 UTC
Last enriched: 06/24/2026, 17:39:13 UTC
Last updated: 06/24/2026, 18:25:57 UTC