APT Hackers Attack Retails Firms in U.S Using SideWalk Backdoor

The security researchers of the antivirus company ESET have recently detected the SideWalk modular backdoor, this backdoor has been used by an APT group named SparklingGoblin. 

After detecting this backdoor the analysts have started their investigation, and they noticed that the Sidewalk backdoor has a lot in common with the CROSSWALK backdoor used by the group.

SideWalk: A New Modular Backdoor

This new SideWalk backdoor is a modular backdoor that can load additional modules that are sent from the C&C server dynamically. 

The threat actors group has also used Google Docs to stimulate the next stage of the attack as well as the Cloudflare Workers program as the C&C server.

The most interesting and notable point of the Sidewalk backdoor is that it handles proxy communication precisely. 

After investigating all the details they found that the SideWalk backdoor is ChaCha20-encrypted shellcode, which implies that it is packed from disk by SparklingGoblin’s InstallUtil-based .NET loaders.

However, this loader generally helps in reading the encrypted shellcode from the disk, and at the same time, it also helps in decrypting it and inserting it into a legal process by using the following method.


This is not the first time that the APT group SparklingGoblin has been conducting attacks, as per the last report, the security authorities have stated that this APT group has been on this track since 2020 and it is still active with its operations.

According to the target list, the analysts have noticed that this group has mostly targeted the broad organization of East and Southeast Asia. 

Since there are many sectors that were attacked by this group, that’s why we have listed them below:-

  • Academic sectors in Macao, Hong Kong, and Taiwan
  • A religious organization in Taiwan
  • A computer and electronics manufacturer in Taiwan
  • Government organizations in Southeast Asia
  • An e-commerce platform in South Korea
  • The education sector in Canada
  • Media companies in India, Bahrain, and the USA
  • A computer retail company based in the USA
  • Local government in the country of Georgia
  • Unidentified organizations in South Korea and Singapore

Data Targeted by SparklingGoblin

The APT threat actor group SparklingGoblin has specifically targeted some data from the organization, and here we have mentioned below all the data that were being targeted by the SparklingGoblin group:-

  • IP configuration
  • OS version
  • Username
  • Computer name
  • Filenames
  • Current process ID
  • Current time

Apart from all this, the security researchers of ESET have labeled this group as APTs that generally practice constant, covert, and complicated hacking methods to obtain access to the organizations and to stay inside a system for long periods of time with probably destructive outcomes.

Follow us on LinkedinTwitterFacebook for daily Cybersecurity News & Updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.