
WindShift

aka: Windy Phoenix

In August 2018, DarkMatter released a report entitled "In the Trails of WINDSHIFT APT", which described a threat actor whose TTPs closely resemble those of Bahamut. Objective-See subsequently published two articles analysing validated WINDSHIFT samples targeting macOS (OSX) systems, the implant tracked as OSX.WindTail. By pivoting on specific file attributes and infrastructure indicators, Unit 42 identified and correlated additional attacker activity and documented a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.


Associated Families
osx.windtail

References (date, venue, author: title [families referenced])
2022-07-18  Palo Alto Networks Unit 42, Unit 42: Windy Phoenix [WindShift]
2019-12-12  Virus Bulletin, Patrick Wardle: Cyber espionage in the Middle East: unravelling OSX.WindTail [WindTail]
2019-04-24  SpecterOps, Richie Cyrus: Introducing Venator: A macOS tool for proactive detection [AppleJeus, WindTail]
2019-04-08  SANS Cyber Security Summit, Taha Karim: Trails of WindShift [WindTail, ZhMimikatz]
2019-02-21  Palo Alto Networks Unit 42, Adrian McCabe: Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern Governments [WindShift]
2019-01-15  Objective-See, Patrick Wardle: Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail (part 2) [WindTail]
2018-12-20  Objective-See, Patrick Wardle: Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail (part 1) [WindTail]
2018-08-30  Forbes, Thomas Brewster: Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage [WindTail]
2018-01-01  DarkMatter, Taha K.: IN THE TRAILS OF WINDSHIFT APT [WindTail, WindShift]

Credits: MISP Project