SideCopy

Threat Actor updated a month ago (2024-11-29T13:56:14.934Z)
Download STIX
Preview STIX
SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Trojanized Applications as lures. The group's infection chain involves multiple steps, each carefully designed to ensure successful compromise. In addition to this, it has been observed that SideCopy shares tactical overlaps with other groups such as Transparent Tribe, indicating a possible subordinate relationship. In recent operations, SideCopy has demonstrated its capability to exploit security vulnerabilities to further its objectives. Notably, in November 2023, it leveraged a WinRAR vulnerability to target Indian government entities, deploying various remote access trojans like AllaKore RAT, Ares RAT, and DRat. This attack was part of two new campaigns against Indian government organizations' Windows and Linux systems. Furthermore, the group has been seen expanding its Linux arsenal, sharing Linux stagers with APT36 to deploy an open-source Python RAT called Ares. The impact of SideCopy's activities is significant, with the group successfully stealing several Office documents and databases associated with the Government of Afghanistan. Macro-based Office documents continue to be a common vector for initiating attacks and distributing payloads among APT groups, including SideCopy. As the group continues to evolve and expand its capabilities, particularly through the use of zero-day vulnerabilities, it poses an ongoing threat to defense organizations in India and other targeted regions.
Description last updated: 2024-09-25T13:20:28.910Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT36 is a possible alias for SideCopy. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco T
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Rat
India
Phishing
Decoy
Facebook
Windows
Linux
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Action RAT Malware is associated with SideCopy. Action RAT is a malicious software (malware) used by cyber threat actors to exploit and damage computer systems. This malware, written in Delphi and compiled on October 2, 2021, is part of an arsenal that includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RATUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Transparent Tribe Threat Actor is associated with SideCopy. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has Unspecified
3
The Sidewinder Threat Actor is associated with SideCopy. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its uUnspecified
3
Source Document References
Information about the SideCopy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
3 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
MITRE
2 years ago
BankInfoSecurity
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Fortinet
2 years ago
BankInfoSecurity
2 years ago
Flashpoint
2 years ago
CERT-EU
2 years ago
Fortinet
2 years ago