
WindShift

aka: Windy Phoenix

In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.


Associated Families
osx.windtail

References

2022-07-18, Palo Alto Networks Unit 42 (Unit 42): "Windy Phoenix". https://unit42.paloaltonetworks.com/atoms/windyphoenix/ (accessed 2022-07-29). Associated families: WindShift
2019-12-12, Virus Bulletin (Patrick Wardle): "Cyber espionage in the Middle East: unravelling OSX.WindTail". https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/ (accessed 2020-04-08). Associated families: WindTail
2019-04-24, SpecterOps (Richie Cyrus): "Introducing Venator: A macOS tool for proactive detection". https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56 (accessed 2020-01-07). Associated families: AppleJeus, WindTail
2019-04-08, SANS Cyber Security Summit (Taha Karim): "Trails of WindShift" (technical report, PDF). https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf (accessed 2020-01-20). Associated families: WindTail, ZhMimikatz
2019-02-21, Palo Alto Networks Unit 42 (Adran McCabe): "Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern Governments". https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/ (accessed 2020-01-10). Associated families: WindShift
2019-01-15, Objective-See (Patrick Wardle): "Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail (part 2)". https://objective-see.com/blog/blog_0x3D.html (accessed 2019-12-18). Associated families: WindTail
2018-12-20, Objective-See (Patrick Wardle): "Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail (part 1)". https://objective-see.com/blog/blog_0x3B.html (accessed 2020-01-07). Associated families: WindTail
2018-08-30, Forbes (Thomas Brewster): "Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage". https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/ (accessed 2019-11-26). Associated families: WindTail
2018, DarkMatter (Taha K.): "In the Trails of WINDSHIFT APT" (technical report, PDF). https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf (accessed 2020-01-08). Associated families: WindTail, WindShift

Credits: MISP Project