SideCopy

Description

(Seqrite) Operation SideCopy is active from early 2019, till date. This cyber-operation has been only targeting Indian defence forces and armed forces personnel. Malware modules seen are constantly under development and updated modules are released after a reconnaissance of victim data. Actors are keeping track of malware detections and updating modules when detected by AV. Almost all CnC belongs to Contabo GmbH and server names are similar to machine names found in the Transparent Tribe report. This threat actor is misleading the security community by copying TTPs that point at SideWinder, Rattlesnake APT group. We suspect this threat actor has links with Transparent Tribe, APT 36 APT group.

Names

Name	Name-Giver
SideCopy	Seqrite
UNC2269	Mandiant
White Dev 55	PWC
Mocking Draco	Palo Alto

Country

• Pakistan

Motivation

• Information theft and espionage

First Seen

2019

Observed Countries

• India

Tools

• ActionRAT
• Allakore RAT
• AresRAT
• CetaRAT
• DetaRAT
• EpicenterRAT
• Lilith RAT
• MargulasRAT
• njRAT
• ReverseRAT

Operations

• 2021-07: InSideCopy: How this APT continues to evolve its arsenal https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388
• 2023-02: APT SideCopy Targeting Indian Government Entities https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
• 2023-03: Notorious SideCopy APT group sets sights on India’s DRDO https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/
• 2023-10: SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/
• 2024-12: Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/

Counter Operations

• 2021-08: Taking Action Against Hackers in Pakistan and Syria https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/

Information

• https://www.seqrite.com/blog/operation-sidecopy/
• https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/

Mitre Attack

• https://attack.mitre.org/groups/G1008/

Other Information

Uuid

9fd705e5-6b3c-4e0b-b21c-ebb9dc854fc3

Last Card Change

2025-06-27