SideCopy

Threat Actor updated 4 months ago (2024-05-04T17:39:19.094Z)
SideCopy is a Pakistan-linked threat actor active since at least 2019 that primarily targets South Asian countries, specifically India and Afghanistan. The group initiates attacks with lures such as archive files containing LNK shortcuts, Microsoft Publisher documents or trojanized applications, followed by a multi-stage infection chain. SideCopy is assessed to be a subordinate element of Transparent Tribe (APT36), another Pakistan-linked APT group; tactical overlaps between the two reinforce that link.

In recent operations SideCopy exploited a WinRAR vulnerability (the 2023 zero-day CVE-2023-38831) against Indian government entities to deliver remote access trojans (RATs) including AllaKore RAT, Ares RAT and DRat. The group has also used a new stealer together with a loader that drops an executable (credbiz.exe) which DLL-side-loads the stealer; this chain was used to steal Office documents and databases belonging to the Government of Afghanistan. APT36 has additionally been observed sharing its Linux stagers with SideCopy to deploy Ares, an open-source Python RAT.

SideCopy's consistent targeting of Indian defense organizations with a range of RATs, including through the exploitation of a zero-day, underscores the persistent threat it poses. In the campaigns reported in 2023, all compromised domains used by SideCopy were registered with GoDaddy and hosted on HostGator servers. Despite the security industry's countermeasures against Office macros, groups and malware families such as SideCopy, Kimsuky, Donot and Emotet continue to rely on macro-based Office documents to deliver their payloads.
Description last updated: 2024-05-04T17:06:40.490Z
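The archive-based lures described above (LNK shortcuts posing as documents, and the WinRAR CVE-2023-38831 trick of pairing a decoy file with a same-named directory that carries a trailing space) can be triaged mechanically before anyone opens the archive. The script below is an added example for this profile, not SideCopy tooling and not code from the sources listed here: it builds a constructed sample ZIP in memory (the member names and contents are invented for illustration) and flags the three patterns. The LNK detection relies on the documented Shell Link header (HeaderSize 0x4C followed by the LinkCLSID), so renamed shortcuts are caught as well.

```python
import io
import zipfile

# Shell Link (.LNK) file header: HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Document extensions a lure typically hides behind ("Invitation.pdf.lnk").
DOC_EXTS = {".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pub", ".rtf"}


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical names, not a real SideCopy artifact) that
    mimics two lure patterns: an LNK masquerading as a PDF, and a CVE-2023-38831
    style collision between a decoy file and a directory named like it plus a
    trailing space, whose script runs when the decoy is opened in vulnerable WinRAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Agenda.pdf", b"%PDF-1.4 benign decoy")
        zf.writestr("Agenda.pdf /Agenda.pdf .cmd", b"@echo off\r\nstart loader.exe\r\n")
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


def triage_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (rule, member) findings for the lure patterns above."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()

        # Top-level file names and every directory component seen in any path.
        top_files: set[str] = set()
        dir_names: set[str] = set()
        for name in names:
            parts = name.split("/")
            dir_names.update(parts[:-1])
            if len(parts) == 1 and parts[0]:
                top_files.add(parts[0])

        for name in names:
            if name.endswith("/"):
                continue  # explicit directory entry, no content
            base = name.rsplit("/", 1)[-1].lower()

            # Rule 1: shortcut with a document-like inner extension.
            if base.endswith(".lnk"):
                stem = base[:-4]
                inner = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
                if inner in DOC_EXTS:
                    findings.append(("lnk_posing_as_document", name))

            # Rule 2: Shell Link header regardless of the file extension.
            if zf.read(name)[:len(LNK_MAGIC)] == LNK_MAGIC:
                findings.append(("lnk_content", name))

        # Rule 3: directory "X.pdf " colliding with top-level file "X.pdf".
        for d in dir_names:
            if d != d.rstrip() and d.rstrip() in top_files:
                findings.append(("cve_2023_38831_name_collision", d))
    return findings


if __name__ == "__main__":
    for rule, member in triage_archive(build_sample_archive()):
        print(f"{rule}: {member!r}")
```

Run against a real sample by replacing the constructed archive with the bytes of the file under analysis; RAR archives need a different reader (for example the rarfile module), but the name-collision and header checks are the same.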
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
APT36 (3 votes): APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor group that has historically targeted government agencies and defense firms in India with cyberattacks aimed at compromising Windows systems and Android devices. The group's activities have been tracked by various cybersecu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Malware
RAT
India
Phishing
Decoy
Facebook
Windows
Linux
Associated Malware
ID (type, votes): Profile Description
Action RAT (type unspecified, 2 votes): Action RAT is a remote access trojan written in Delphi and compiled on October 2, 2021. It is part of an arsenal that also includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT
Associated Threat Actors
ID (type, votes): Profile Description
Transparent Tribe (type unspecified, 3 votes): Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
Sidewinder (type unspecified, 3 votes): Sidewinder is a threat actor group that has been active since at least 2012, with possible origins in South Asia. The group has a history of malicious activities and has been linked to a variety of cyber threats, including the use of the Nim backdoor payload. Sidewinder has targeted entities in mult
Source Document References
Information about the SideCopy Threat Actor was read from the documents listed below (display limited to 20 results).
Source (created): Title
CERT-EU (9 months ago): Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
CERT-EU (10 months ago): Asian tech roundup: Chips ahoy
CERT-EU (10 months ago): Cambodian government subjected to Chinese APT attacks
CERT-EU (10 months ago): Novel undetectable cryptominer developed via Azure exploit
CERT-EU (10 months ago): SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities – GIXtools
CERT-EU (10 months ago): SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU (a year ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Indian two-factor authentication tool Kavach
CERT-EU (a year ago): How Next-Gen Threats Are Taking a Page From APTs
CERT-EU (a year ago): Why Pakistani Hackers Are Now Targeting IITs, NITs: All Details | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (a year ago): Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
MITRE (2 years ago): SideCopy APT: Connecting lures to victims, payloads to infrastructure
BankInfoSecurity (a year ago): SideCopy APT Targets India's Premier Defense Research Agency
CERT-EU (a year ago): Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU (a year ago): SideCopy disguises itself as a presentation about the K-4 missile - Indian defense under threat
Fortinet (a year ago): Are Internet Macros Dead or Alive? | FortiGuard labs
BankInfoSecurity (a year ago): APT36 Running Espionage Ops Against India's Education Sector
Flashpoint (a year ago): No title
CERT-EU (a year ago): Hacker’s Playbook Threat Coverage Roundup: April 25, 2023 | #ransomware | #cybercrime – National Cyber Security Consulting
Fortinet (a year ago): Clean Rooms, Nuclear Missiles, and SideCopy, Oh My! | FortiGuard Labs
CERT-EU (a year ago): Meta Cracks Down on South Asian Cyberespionage Groups