SideCopy

Threat Actor updated 2 months ago (2024-09-25T14:01:44.019Z)

Download STIX

Preview STIX

SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Trojanized Applications as lures. The group's infection chain involves multiple steps, each carefully designed to ensure successful compromise. In addition to this, it has been observed that SideCopy shares tactical overlaps with other groups such as Transparent Tribe, indicating a possible subordinate relationship. In recent operations, SideCopy has demonstrated its capability to exploit security vulnerabilities to further its objectives. Notably, in November 2023, it leveraged a WinRAR vulnerability to target Indian government entities, deploying various remote access trojans like AllaKore RAT, Ares RAT, and DRat. This attack was part of two new campaigns against Indian government organizations' Windows and Linux systems. Furthermore, the group has been seen expanding its Linux arsenal, sharing Linux stagers with APT36 to deploy an open-source Python RAT called Ares. The impact of SideCopy's activities is significant, with the group successfully stealing several Office documents and databases associated with the Government of Afghanistan. Macro-based Office documents continue to be a common vector for initiating attacks and distributing payloads among APT groups, including SideCopy. As the group continues to evolve and expand its capabilities, particularly through the use of zero-day vulnerabilities, it poses an ongoing threat to defense organizations in India and other targeted regions.

Description last updated: 2024-09-25T13:20:28.910Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT36 is a possible alias for SideCopy. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco T	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Rat

India

Phishing

Decoy

Facebook

Windows

Linux

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Action RAT Malware is associated with SideCopy. Action RAT is a malicious software (malware) used by cyber threat actors to exploit and damage computer systems. This malware, written in Delphi and compiled on October 2, 2021, is part of an arsenal that includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Transparent Tribe Threat Actor is associated with SideCopy. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has	Unspecified	3
The Sidewinder Threat Actor is associated with SideCopy. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u	Unspecified	3

Source Document References

Information about the SideCopy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	2 months ago	10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More - Check Point Research
CERT-EU	a year ago	Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
CERT-EU	a year ago	Asian tech roundup: Chips ahoy
CERT-EU	a year ago	Cambodian government subjected to Chinese APT attacks
CERT-EU	a year ago	Novel undetectable cryptominer developed via Azure exploit
CERT-EU	a year ago	SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities – GIXtools
CERT-EU	a year ago	SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Indian two-factor authentication tool Kavach
CERT-EU	a year ago	How Next-Gen Threats Are Taking a Page From APTs
CERT-EU	a year ago	Why Pakistani Hackers Are Now Targeting IITs, NITs: All Details \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
MITRE	2 years ago	SideCopy APT: Connecting lures to victims, payloads to infrastructure
BankInfoSecurity	2 years ago	SideCopy APT Targets India's Premier Defense Research Agency
CERT-EU	2 years ago	Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU	2 years ago	SideCopy маскируется под презентацию о ракете К-4 - Индийская оборона под угрозой
Fortinet	2 years ago	Are Internet Macros Dead or Alive? \| FortiGuard labs
BankInfoSecurity	2 years ago	APT36 Running Espionage Ops Against India's Education Sector
Flashpoint	2 years ago	No title
CERT-EU	2 years ago	Hacker’s Playbook Threat Coverage Roundup: April 25, 2023 \| #ransomware \| #cybercrime – National Cyber Security Consulting
Fortinet	2 years ago	Clean Rooms, Nuclear Missiles, and SideCopy, Oh My! \| FortiGuard Labs