Threat Intelligence Tarot
Vol. II · 120
China-aligned
G1022
risk 3/5
The Side Master
ToddyCat
Earth Berberoka · SideMaster
Asian and European governments · Defense · Telecommunications
Active since ~2020 · Government espionage, Long-term collection
The Side Master prefers entrances no one is watching — the auxiliary mail server, the forgotten IIS host, the test environment that quietly mirrored production. It is a connoisseur of the half-deprecated.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1505.003 Web Shell (Persistence)
  • T1059.001 PowerShell (Execution)
  • T1071.001 Web Protocols (Command and Control)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1083 File and Directory Discovery (Discovery)
Notable Operations
  • ProxyLogon Microsoft Exchange exploitation campaigns
  • Ninja malware framework deployment (Kaspersky disclosure)
  • Samurai backdoor against European and Asian governments
  • Custom passive backdoors for Exchange and IIS
Defenses
  • Continuous external attack surface management
    NIST CSF: ID.AM
  • Decommissioning policies for unused public-facing applications
    CIS Control 1
  • Exchange and IIS hardening with web shell scanning
    Microsoft Exchange Server Security Guide
  • PowerShell logging (script block + module + transcription)
    CIS Control 8
Reversed: Their Weakness
Decommissioning unused public surfaces and inventorying every internet-facing service starves this operator of the niche assets it favors.


Data sourced from MITRE ATT&CK. For educational purposes.