Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeThreat LibraryThreat Actors
Razor Tiger
Threat Actor Profile

Razor Tiger

Razor Tiger, also known as SideWinder, APT-C-17, and Rattlesnake, is a nation-state-sponsored threat actor active since at least 2012. Believed to operate from India, the group specializes in cyber-espionage targeting military, government, and maritime sectors. Razor Tiger employs spear-phishing, fileless malware, and advanced infrastructure to achieve its objectives.


Threat Actor Profile

Razor Tiger

Country of Origin

Razor Tiger is strongly suspected to originate from India, based on linguistic, operational, and geopolitical indicators. However, definitive attribution remains challenging.

Members

The exact size and composition of Razor Tiger are unclear. The group is believed to operate as a tightly-knit unit with access to significant resources, suggesting state sponsorship.

Leadership

The leadership of Razor Tiger remains unknown.

Razor Tiger TTPs

Tactics

The group focuses on intelligence gathering, targeting national defense, diplomatic, and critical infrastructure sectors.

Techniques

Razor Tiger leverages spear-phishing emails, malicious Office documents, and fileless malware to infiltrate targets. Exploited vulnerabilities include CVE-2017-11882 and CVE-2017-0199.

Procedures

The group uses multi-stage loaders, obfuscated JavaScript, and modular implants like StealerBot and WarHawk. Command-and-control (C2) infrastructure includes over 400 domains and dynamic subdomains.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Indicators of Compromise (IoCs)

  • IPs: 2.58.15[.]61, 89.150.40[.]43

  • Domains: hyat[.]tech, fia-gov[.]net

  • Hashes: 9345d52abd5bab4320c1273eb2c90161

Key Victims

Razor Tiger has targeted:

  • Military and government entities in Pakistan and China

  • Maritime facilities in Egypt and Sri Lanka

  • Nuclear and logistics sectors in South Asia

Notable Cyberattacks

  • 2013: Phishing attack on the Indian Embassy in Kabul, leading to data exfiltration.

  • 2024: Targeted maritime facilities in the Mediterranean using geofenced payloads.

  • 2025: Breach of Pakistan's Cabinet Division with kernel-level malware.

Law Enforcement & Arrests

No arrests or direct law enforcement actions against Razor Tiger have been reported.

Glitch effectGlitch effect

How to Defend Against Razor Tiger

1

Monitor IOCs: Regularly update threat intelligence feeds.

2

Patch Systems: Address vulnerabilities like CVE-2017-11882.

3

Use Multi-Factor Authentication to Strengthen Access Controls.



References

Glitch effectGlitch effect

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free