Names | SideCopy (Seqrite) | |
Country | Pakistan | |
Motivation | Information theft and espionage | |
First seen | 2019 | |
Description | (Seqrite) Operation SideCopy is active from early 2019, till date. This cyber-operation has been only targeting Indian defence forces and armed forces personnel. Malware modules seen are constantly under development and updated modules are released after a reconnaissance of victim data. Actors are keeping track of malware detections and updating modules when detected by AV. Almost all CnC belongs to Contabo GmbH and server names are similar to machine names found in the Transparent Tribe report. This threat actor is misleading the security community by copying TTPs that point at SideWinder, Rattlesnake APT group. We suspect this threat actor has links with Transparent Tribe, APT 36 APT group. | |
Observed | Countries: India. | |
Tools used | ActionRAT, Allakore RAT, AresRAT, CetaRAT, DetaRAT, EpicenterRAT, Lilith RAT, MargulasRAT, njRAT, ReverseRAT. | |
Operations performed | Jul 2021 | InSideCopy: How this APT continues to evolve its arsenal <https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388> |
Feb 2023 | APT SideCopy Targeting Indian Government Entities <https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/> | |
Mar 2023 | Notorious SideCopy APT group sets sights on India’s DRDO <https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/> | |
Oct 2023 | SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT <https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/> | |
Counter operations | Aug 2021 | Taking Action Against Hackers in Pakistan and Syria <https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/> |
Information | <https://www.seqrite.com/blog/operation-sidecopy/> <https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G1008/> |
Last change to this card: 29 November 2023
Download this actor card in PDF or JSON format
Previous: ShroudedSnooper
Next: SideWinder, Rattlesnake
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |