ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: SideCopy

Names: SideCopy (Seqrite)
Country: Pakistan
Motivation: Information theft and espionage
First seen: 2019

Description (Seqrite): Operation SideCopy has been active from early 2019 till date.
This cyber-operation has been targeting only Indian defence forces and armed forces personnel.
Malware modules seen are constantly under development, and updated modules are released after a reconnaissance of victim data.
Actors are keeping track of malware detections and updating modules when detected by AV.
Almost all CnCs belong to Contabo GmbH, and server names are similar to machine names found in the Transparent Tribe report.
This threat actor is misleading the security community by copying TTPs that point at the SideWinder (Rattlesnake) APT group.
We suspect this threat actor has links with the Transparent Tribe (APT 36) APT group.

Observed: Countries: India.

Tools used: ActionRAT, Allakore RAT, AresRAT, CetaRAT, DetaRAT, EpicenterRAT, Lilith RAT, MargulasRAT, njRAT, ReverseRAT.

Operations performed:
- Jul 2021: InSideCopy: How this APT continues to evolve its arsenal
  <https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388>
- Feb 2023: APT SideCopy Targeting Indian Government Entities
  <https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/>
- Mar 2023: Notorious SideCopy APT group sets sights on India's DRDO
  <https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/>
- Oct 2023: SideCopy's Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
  <https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/>

Counter operations:
- Aug 2021: Taking Action Against Hackers in Pakistan and Syria
  <https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/>

Information:
- <https://www.seqrite.com/blog/operation-sidecopy/>
- <https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/>

MITRE ATT&CK: <https://attack.mitre.org/groups/G1008/>

Last change to this card: 29 November 2023
