SideWinder APT — also referred to as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, or T-APT-04 — has been operational since at least 2012 and continues to demonstrate a high degree of operational maturity, adaptability, and strategic intent. While historically focused on military and government entities in South Asia, SideWinder has significantly broadened its target profile over the past year. This expansion has seen aggressive campaigns against logistics firms, maritime infrastructure, diplomatic missions, and, more recently, nuclear energy organisations, spanning South and Southeast Asia, the Middle East, and Africa.
These campaigns have employed refined spear-phishing techniques, leveraged well-known but still effective vulnerabilities such as CVE-2017-11882 (the memory-corruption flaw in the Microsoft Office Equation Editor, EQNEDT32.EXE) and CVE-2025-2783, and deployed bespoke implants designed for stealth and persistence within critical environments.
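Because the lure documents in these campaigns rely on an embedded Equation Editor object, a mail-gateway or triage pipeline can flag attachments that carry one before detonation. The following is an added example, not code from the original article or from any vendor report on the group: it scans an RTF or OLE2 compound file for the markers an Equation.3 object leaves behind (the `\objclass Equation.3` control word, the OLE1 class name inside `\objdata`, the `Equation Native` stream name, and the Equation.3 CLSID `{0002CE02-0000-0000-C000-000000000046}`). The sample inputs are constructed inline for a stand-alone run and are not real malware. A hit is a lead, not a verdict: legitimate documents with equations match too.

```python
import re
from binascii import hexlify, unhexlify

# Added triage helper (not part of the original article). Flags documents that
# embed a Microsoft Equation Editor (Equation.3) object, the component in which
# CVE-2017-11882 is exploited. Presence is an indicator, not proof of exploitation.

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header signature
# {0002CE02-0000-0000-C000-000000000046} as stored on disk: first three GUID fields little-endian
EQUATION3_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")  # stream name in the CFB directory
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s+Equation\.\d", re.IGNORECASE)
RTF_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)


def _ole_indicators(blob: bytes) -> list[str]:
    """Indicators found in raw OLE1 (as embedded by RTF) or OLE2 bytes."""
    hits = []
    if b"Equation.3" in blob:
        hits.append("ole1:classname=Equation.3")
    if EQUATION3_CLSID in blob:
        hits.append("cfb:clsid=Equation.3")
    if EQUATION_NATIVE_UTF16 in blob:
        hits.append("cfb:stream=Equation Native")
    return hits


def _rtf_objdata_blobs(data: bytes):
    """Decode every \\objdata hex payload; exploit docs often wrap the hex across lines."""
    for m in RTF_OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:  # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        try:
            yield unhexlify(hexdata)
        except ValueError:
            continue


def equation_object_indicators(data: bytes) -> list[str]:
    """Return a sorted list of Equation Editor indicators found in an RTF or CFB document."""
    hits = []
    if data.lstrip().startswith(b"{\\rt"):
        if RTF_OBJCLASS_RE.search(data):
            hits.append("rtf:objclass=Equation")
        for blob in _rtf_objdata_blobs(data):
            hits.extend(_ole_indicators(blob))
    elif data.startswith(CFB_MAGIC):
        hits.extend(_ole_indicators(data))
    return sorted(set(hits))


def _constructed_samples() -> dict:
    """Constructed inputs for a stand-alone run; not real samples."""
    # OLE1 wrapper as RTF embeds it: version, format id, class-name length, class name,
    # followed by a cut-down CFB fragment carrying the stream name and CLSID.
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
            + b"\x00" * 16 + EQUATION_NATIVE_UTF16 + b"\x00" * 8 + EQUATION3_CLSID)
    hexdata = hexlify(ole1)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n"
           + wrapped + b"}}}")
    cfb = CFB_MAGIC + b"\x00" * 504 + EQUATION_NATIVE_UTF16 + b"\x00" * 18 + EQUATION3_CLSID
    benign = b"{\\rtf1\\ansi Quarterly report}"
    return {"rtf": rtf, "cfb": cfb, "benign": benign}


if __name__ == "__main__":
    for name, sample in _constructed_samples().items():
        print(name, equation_object_indicators(sample) or "no Equation Editor indicators")
```

In a gateway, a non-empty result is a reason to route the attachment to a sandbox or analyst queue; pairing this with a block on EQNEDT32.EXE spawning child processes on endpoints covers the execution side of the same technique.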
The targeting of maritime and nuclear infrastructure—combined with post-compromise activity that includes tailored malware deployment and advanced evasion tactics—suggests an intelligence-driven campaign with strategic geopolitical objectives. The group’s ability to retool within hours of detection, coupled with its use of complex infection chains and memory-resident payloads, reflects a threat actor that is not only technically sophisticated but also operationally agile.