SideCopy is a Pakistani advanced persistent threat (APT) group active since at least 2019, primarily targeting South Asian countries—most notably India and Afghanistan. Its operations are closely linked to Transparent Tribe (APT36), with many sources describing SideCopy as a sub-cluster or subdivision of APT36.

The name “SideCopy” comes from its infection chain, which mimics that of the India-linked SideWinder APT, possibly as a deception tactic. The group shares infrastructure and techniques with Transparent Tribe (APT36) and is widely assessed as operating under or alongside it.

Target Sectors and Geography

• Primary Targets: Indian government, defense, and armed forces personnel.
• Expansion: Recently, the group has broadened its focus to include critical infrastructure sectors such as railways, oil and gas, and foreign ministries in India and Afghanistan.
• Attack Geography: Most attacks are concentrated in India, with some activity in Afghanistan and Bangladesh.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

• Spear-phishing emails with malicious ZIP attachments or links to spoofed domains impersonating trusted entities.
• Use of LNK files disguised as documents, which execute malicious HTA (HTML Application) files.

Malware Delivery

• Shifted from HTA files to MSI installers for payload delivery.
• Uses DLL side-loading via living-off-the-land binaries (LOLBins).

Malware Arsenal

• Employs a wide range of commodity and custom Remote Access Trojans (RATs), including Allakore, njRAT, CetaRAT, MargulasRAT, DetaRAT, ReverseRAT, ActionRAT, and others.
• Deploys plugins for file enumeration, keylogging, credential stealing, and audio capture.

Persistence

• Achieved through registry modifications and scheduled tasks.
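A defender-side illustration of the delivery and persistence chain in the sections above, added here as example code (not from the original profile or from any vendor tooling): heuristic rules over Sysmon-style process-creation events flag the LNK-launched HTA, the MSI run from a user-writable path, and the Run-key and scheduled-task persistence. Field names follow Sysmon Event ID 1; the sample events, user paths and regexes are constructed assumptions.

```python
"""Triage Sysmon-style process-creation events for the SideCopy chain
profiled above: LNK-launched HTA via mshta.exe, MSI from user-writable
paths, Run-key and scheduled-task persistence. Events are constructed."""
import re

# Paths where a phishing ZIP or LNK payload typically lands (constructed heuristic)
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)|Windows\\Temp)\\", re.I)

def _image_is(event, exe):
    return event["Image"].lower().endswith("\\" + exe)

# Rule name -> predicate over one event. Each rule maps to one TTP in the profile.
RULES = [
    ("lnk_hta_launch", lambda e: _image_is(e, "mshta.exe")
        and ".hta" in e["CommandLine"].lower()
        and e["ParentImage"].lower().endswith("\\explorer.exe")),  # LNK double-clicked
    ("msi_from_user_path", lambda e: _image_is(e, "msiexec.exe")
        and USER_WRITABLE.search(e["CommandLine"]) is not None),
    ("run_key_persistence", lambda e: _image_is(e, "reg.exe")
        and re.search(r"currentversion\\run\b", e["CommandLine"], re.I) is not None),
    ("schtask_persistence", lambda e: _image_is(e, "schtasks.exe")
        and re.search(r"\s/create\b", e["CommandLine"], re.I) is not None),
]

def triage(events):
    """Return (ProcessId, rule_name) for every event that matches a rule."""
    return [(e["ProcessId"], name) for e in events for name, pred in RULES if pred(e)]

# Constructed sample events, not real telemetry: four chain stages, then two benign.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\ravi\AppData\Local\Temp\Circular.hta"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\ravi\AppData\Local\Temp\update.msi /qn"},
    {"ProcessId": 4210, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\ravi\AppData\Roaming\svchost.exe"},
    {"ProcessId": 4222, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\ravi\AppData\Roaming\svchost.exe"},
    {"ProcessId": 5001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"WINWORD.EXE C:\Users\ravi\Documents\report.docx"},
    {"ProcessId": 5002, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": r"msiexec.exe /V"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one hit per malicious stage and none for the two benign events; in production the same predicates would sit on a SIEM query rather than a Python list.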

Evasion

• Uses AES encryption to obscure payloads and scripts.
• Reflective loading to inject malicious code into memory, avoiding disk-based detection.

Command and Control (C2)

• Infrastructure often attributed to Contabo GmbH, similar to Transparent Tribe.
• Compromised domains used for C2 and malware staging.

Evolution and Sophistication

• SideCopy rapidly updates its malware modules in response to detection, demonstrating agility and adaptability in its campaigns.
• Infection chains have become more complex, using multiple stages and adapting to the victim’s security environment (e.g., deploying different files based on detected antivirus software).
• The group leverages decoy documents and phishing portals mimicking Indian government webmail to increase the success of its campaigns.

Aspect               Details
Country of Origin    Pakistan
Primary Targets      Indian government, defense, critical infrastructure
First Observed       2019
Techniques           Spear-phishing, LNK/HTA/MSI chains, DLL side-loading, RAT deployment
RATs Used            Allakore, njRAT, CetaRAT, MargulasRAT, DetaRAT, ReverseRAT, ActionRAT
Persistence          Registry run keys, scheduled tasks
Evasion              AES encryption, reflective loading, LOLBins
C2 Infrastructure    Overlaps with Transparent Tribe, uses Contabo GmbH hosting
Notable Feature      Mimics SideWinder APT infection chain