SideCopy  (Back to overview)

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.

---

Associated Families

---

References

2023-02-16 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team, seyitsec @online{team:20230216:sidecopy:86a53bb, author = {ThreatMon Malware Research Team and seyitsec}, title = {{APT SideCopy Targeting Indian Government Entities - Analysis of the new version of ReverseRAT}}, date = {2023-02-16}, organization = {ThreatMon}, url = {https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/}, language = {English}, urldate = {2023-02-17} } APT SideCopy Targeting Indian Government Entities - Analysis of the new version of ReverseRAT Unidentified 005 (Sidecopy) ReverseRAT

2022-01-18 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20220118:sidecopy:862ebbd, author = {Red Raindrop Team}, title = {{SideCopy Arsenal Update: Golang-based Linux stealth tools surface}}, date = {2022-01-18}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/}, language = {Chinese}, urldate = {2022-01-25} } SideCopy Arsenal Update: Golang-based Linux stealth tools surface Unidentified 005 (Sidecopy)

2022-01-05 ⋅ Telsy ⋅ Claudio Di Giuseppe @online{giuseppe:20220105:sidecopy:546a0eb, author = {Claudio Di Giuseppe}, title = {{SIDECOPY APT: From Windows to *nix}}, date = {2022-01-05}, organization = {Telsy}, url = {https://www.telsy.com/sidecopy-apt-from-windows-to-nix/}, language = {English}, urldate = {2022-01-10} } SIDECOPY APT: From Windows to *nix SideCopy

2021-12-02 ⋅ Malwarebytes ⋅ Hossein Jazi, Threat Intelligence Team @online{jazi:20211202:sidecopy:9e7363c, author = {Hossein Jazi and Threat Intelligence Team}, title = {{SideCopy APT: Connecting lures to victims, payloads to infrastructure}}, date = {2021-12-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/}, language = {English}, urldate = {2021-12-06} } SideCopy APT: Connecting lures to victims, payloads to infrastructure SideCopy

2021-11-16 ⋅ META ⋅ Mike Dvilyanski, David Agranovich @online{dvilyanski:20211116:taking:7d056cc, author = {Mike Dvilyanski and David Agranovich}, title = {{Taking Action Against Hackers in Pakistan and Syria}}, date = {2021-11-16}, organization = {META}, url = {https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/}, language = {English}, urldate = {2021-11-17} } Taking Action Against Hackers in Pakistan and Syria SideCopy

2021-07-07 ⋅ Talos Intelligence ⋅ Asheer Malhotra, Justin Thattil @online{malhotra:20210707:insidecopy:eca169d, author = {Asheer Malhotra and Justin Thattil}, title = {{InSideCopy: How this APT continues to evolve its arsenal}}, date = {2021-07-07}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2021/07/sidecopy.html}, language = {English}, urldate = {2021-07-08} } InSideCopy: How this APT continues to evolve its arsenal AllaKore NjRAT SideCopy

2020-09-23 ⋅ Seqrite ⋅ Kalpesh Mantri @online{mantri:20200923:operation:7e7788f, author = {Kalpesh Mantri}, title = {{Operation SideCopy!}}, date = {2020-09-23}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-sidecopy/}, language = {English}, urldate = {2022-01-10} } Operation SideCopy! SideCopy

---

Credits: MISP Project