SideCopy

Threat Actor Profile (updated 3 months ago)
SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with LNK shortcuts, Microsoft Publisher documents or trojanized applications to initiate attacks. The group's infection chain involves multiple steps, each meticulously executed to ensure successful compromise. SideCopy has also been identified as a suspected subordinate element within Transparent Tribe, another Pakistan-linked APT group; tactical overlaps found between SideCopy and Transparent Tribe further strengthen the connection.

In recent operations, SideCopy has exploited a WinRAR vulnerability to target Indian government entities, aiming to deliver various remote access trojans (RATs) such as AllaKore RAT, Ares RAT, and DRat. The group has also used a new stealer and a loader that drops and loads an executable (credbiz.exe), which in turn side-loads the stealer. This strategy was notably effective in stealing several Office documents and databases associated with the Government of Afghanistan. Additionally, APT36, another threat actor, has been observed sharing its Linux stagers with SideCopy to deploy an open-source Python RAT called Ares. SideCopy's consistent targeting of Indian defense organizations with various RATs, including through the exploitation of zero-day vulnerabilities, underscores its persistent threat. All compromised domains used by SideCopy this year were registered with GoDaddy and hosted on HostGator servers. Despite efforts from the cybersecurity industry, groups like SideCopy, Kimsuky, Donot, and Emotet continue to rely on macro-based Office documents to launch attacks and distribute their payloads, demonstrating the ongoing challenge posed by these sophisticated threat actors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
APT36 | 3 | APT36, also known as Transparent Tribe and Earth Karkaddan, is a notorious threat actor believed to be based in Pakistan. The group has been involved in cyberespionage activities primarily targeting India, with a focus on government, military, defense, aerospace, and education sectors. Their campaig
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Apt
Malware
Rat
India
Windows
Phishing
Decoy
Linux
Facebook
Vulnerability
Backdoor
Esentire
Malwarebytes
WinRAR
Loader
Government
Exploit
Associated Malware
ID | Type | Votes | Profile Description
Action RAT | Unspecified | 2 | Action RAT is a malicious software (malware) used by cyber threat actors to exploit and damage computer systems. This malware, written in Delphi and compiled on October 2, 2021, is part of an arsenal that includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT
Backnet | Unspecified | 1 | None
More_eggs | Unspecified | 1 | More_eggs, also known as Golden Chickens, is a malware suite utilized by financially motivated cybercrime actors such as Cobalt Group and FIN6. This malware-as-a-service (MaaS) offering has been identified as the "cyber weapon of choice" by Russia-based cyber gangs. It was first seen in email campai
AuTo Stealer | Unspecified | 1 | AuTo Stealer is a malicious software (malware) developed in C++ and has been utilized by the Pakistani threat actor SideCopy since December 2021. The primary targets of this malware are government agencies and personnel located in India and Afghanistan. The deployment strategy involves the use of ro
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Raindrop | Unspecified | 1 | Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra
Allakore Rat | Unspecified | 1 | The AllaKore Remote Access Trojan (RAT) is a dangerous form of malware known for its ability to steal system information, record keystrokes, take screenshots, upload and download files, and remotely access the victim's machine. This RAT has been used in multiple campaigns by threat actors, including
Associated Threat Actors
ID | Type | Votes | Profile Description
Transparent Tribe | Unspecified | 3 | Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
Sidewinder | Unspecified | 3 | The Sidewinder threat actor group, also known as Rattlesnake, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a significant cybersecurity concern with a history of malicious activities dating back to 2012. This report investigates a recent campaign by Sidewind
Bahamut | Unspecified | 1 | Bahamut is a threat actor group known for its sophisticated cyber-espionage operations, targeting primarily South Asia. Meta's Adversarial Threat Report from the first quarter of 2023 identified Bahamut as one of three major groups involved in cyber espionage operations in the region, alongside Patc
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the SideCopy threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 7 months ago | Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
CERT-EU | 8 months ago | Asian tech roundup: Chips ahoy
CERT-EU | 8 months ago | Cambodian government subjected to Chinese APT attacks
CERT-EU | 8 months ago | Novel undetectable cryptominer developed via Azure exploit
CERT-EU | 9 months ago | SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities – GIXtools
CERT-EU | 9 months ago | SideCopy's Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU | 10 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Indian two-factor authentication tool Kavach
CERT-EU | 10 months ago | How Next-Gen Threats Are Taking a Page From APTs
CERT-EU | a year ago | Why Pakistani Hackers Are Now Targeting IITs, NITs: All Details | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | a year ago | Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
MITRE | a year ago | SideCopy APT: Connecting lures to victims, payloads to infrastructure
BankInfoSecurity | a year ago | SideCopy APT Targets India's Premier Defense Research Agency
CERT-EU | a year ago | Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU | a year ago | SideCopy disguises itself as a presentation about the K-4 missile - Indian defense under threat
Fortinet | a year ago | Are Internet Macros Dead or Alive? | FortiGuard Labs
BankInfoSecurity | a year ago | APT36 Running Espionage Ops Against India's Education Sector
Flashpoint | a year ago | No title
CERT-EU | a year ago | Hacker's Playbook Threat Coverage Roundup: April 25, 2023 | #ransomware | #cybercrime – National Cyber Security Consulting
Fortinet | a year ago | Clean Rooms, Nuclear Missiles, and SideCopy, Oh My! | FortiGuard Labs
CERT-EU | a year ago | Meta Cracks Down on South Asian Cyberespionage Groups