SideCopy

Threat Actor updated a month ago (2024-09-25T14:01:44.019Z)

Download STIX

Preview STIX

SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Trojanized Applications as lures. The group's infection chain involves multiple steps, each carefully designed to ensure successful compromise. In addition to this, it has been observed that SideCopy shares tactical overlaps with other groups such as Transparent Tribe, indicating a possible subordinate relationship. In recent operations, SideCopy has demonstrated its capability to exploit security vulnerabilities to further its objectives. Notably, in November 2023, it leveraged a WinRAR vulnerability to target Indian government entities, deploying various remote access trojans like AllaKore RAT, Ares RAT, and DRat. This attack was part of two new campaigns against Indian government organizations' Windows and Linux systems. Furthermore, the group has been seen expanding its Linux arsenal, sharing Linux stagers with APT36 to deploy an open-source Python RAT called Ares. The impact of SideCopy's activities is significant, with the group successfully stealing several Office documents and databases associated with the Government of Afghanistan. Macro-based Office documents continue to be a common vector for initiating attacks and distributing payloads among APT groups, including SideCopy. As the group continues to evolve and expand its capabilities, particularly through the use of zero-day vulnerabilities, it poses an ongoing threat to defense organizations in India and other targeted regions.

Description last updated: 2024-09-25T13:20:28.910Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT36 is a possible alias for SideCopy. APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor group that has historically targeted government agencies and defense firms in India with cyberattacks aimed at compromising Windows systems and Android devices. The group's activities have been tracked by various cybersecu	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Rat

India

Phishing

Decoy

Facebook

Windows

Linux

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Action RAT Malware is associated with SideCopy. Action RAT is a malicious software (malware) used by cyber threat actors to exploit and damage computer systems. This malware, written in Delphi and compiled on October 2, 2021, is part of an arsenal that includes other Remote Access Trojans (RATs) such as AllaKore RAT, Reverse RAT, and Margulas RAT	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Transparent Tribe Threat Actor is associated with SideCopy. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has	Unspecified	3
The Sidewinder Threat Actor is associated with SideCopy. Sidewinder, an advanced persistent threat (APT) group believed to be of South Asian origin, has been identified as the orchestrator behind a series of sophisticated cyber threats targeting maritime facilities across multiple countries. Known for its use of public exploits, remote access Trojans (RAT	Unspecified	3

Source Document References

Information about the SideCopy Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	a month ago	10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More - Check Point Research
CERT-EU	10 months ago	Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
CERT-EU	a year ago	Asian tech roundup: Chips ahoy
CERT-EU	a year ago	Cambodian government subjected to Chinese APT attacks
CERT-EU	a year ago	Novel undetectable cryptominer developed via Azure exploit
CERT-EU	a year ago	SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities – GIXtools
CERT-EU	a year ago	SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Indian two-factor authentication tool Kavach
CERT-EU	a year ago	How Next-Gen Threats Are Taking a Page From APTs
CERT-EU	a year ago	Why Pakistani Hackers Are Now Targeting IITs, NITs: All Details \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
MITRE	2 years ago	SideCopy APT: Connecting lures to victims, payloads to infrastructure
BankInfoSecurity	2 years ago	SideCopy APT Targets India's Premier Defense Research Agency
CERT-EU	2 years ago	Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU	2 years ago	SideCopy маскируется под презентацию о ракете К-4 - Индийская оборона под угрозой
Fortinet	2 years ago	Are Internet Macros Dead or Alive? \| FortiGuard labs
BankInfoSecurity	2 years ago	APT36 Running Espionage Ops Against India's Education Sector
Flashpoint	2 years ago	No title
CERT-EU	a year ago	Hacker’s Playbook Threat Coverage Roundup: April 25, 2023 \| #ransomware \| #cybercrime – National Cyber Security Consulting
Fortinet	a year ago	Clean Rooms, Nuclear Missiles, and SideCopy, Oh My! \| FortiGuard Labs