SideCopy Threat Actor Profile: Persistent Espionage in South Asia
- Suspected Origin
- Pakistan
- Motivation
- Espionage
- Aliases
- None documented
- Target Sectors
- Government, Defense, Military, Critical Infrastructure, Education
- Associated Malware
- Action RAT, Allakore RAT, Ares RAT, CetaRAT, ReverseRAT, Double Action RAT, XenoRAT, CurlBack RAT, Spark RAT, MargulasRAT, Rust-based malware
Overview
SideCopy (G1008) is a Pakistan-linked advanced persistent threat (APT) group that has been actively conducting cyber espionage campaigns since at least 2019. The group’s name stems from its observed tactic of mimicking the infection chains of Sidewinder, a suspected Indian threat group, a strategic move likely intended to mislead attribution and evade detection. SideCopy’s primary focus has consistently been on South Asian countries, particularly targeting Indian and Afghani government personnel, defense organizations, and military forces. More recently, their targeting scope has expanded to include critical infrastructure sectors such as railways, oil and gas, and foreign ministries, as well as educational institutions.
While SideCopy operates independently, there is strong evidence suggesting it functions as a sub-cluster or shares significant overlaps with the Transparent Tribe APT group (also known as APT36 or Mythic Leopard), another Pakistan-linked entity known for cyber espionage in South Asia. This association is supported by similarities in their tactics, techniques, and procedures (TTPs), shared infrastructure, and sometimes even code. SideCopy’s overarching motivation is cyber espionage, aiming to exfiltrate sensitive information, credentials, and documents from targeted entities for intelligence gathering purposes. The group demonstrates a high degree of adaptability, continuously evolving its malware arsenal and infection chains to maintain effectiveness against detection.
Tactics & Techniques
SideCopy’s operational methodology relies heavily on sophisticated social engineering and meticulously crafted spear-phishing campaigns to gain initial access. These campaigns often involve emails with enticing lures related to defense-related news, government affairs, or even “honey-trap” themes designed to exploit human vulnerabilities.
Their initial access vectors are varied and constantly updated:
- Malicious Attachments: Common attachments include ZIP archives containing malicious LNK files, HTA files, self-extracting RAR executables, or trojanized applications. They have also used Microsoft Office Publisher documents with embedded malicious macros.
- Vulnerability Exploitation: SideCopy has demonstrated the capability to exploit known vulnerabilities, notably the WinRAR security vulnerability (CVE-2023-38831) to deliver payloads. Earlier campaigns also leveraged the Equation Editor vulnerability (CVE-2017-11882).
- Malware Delivery Mechanisms: The infection chain typically involves several stages. Initially, LNK files might trigger a remote HTA file, which then downloads and executes a second-stage HTA, while simultaneously displaying a decoy document. Legitimate executables are often used to side-load malicious DLLs (e.g.,
credwiz.exesideloadingDuser.dll). A significant shift in late 2024 saw SideCopy transition from primarily using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism for malware delivery. PowerShell is frequently employed for remote execution, payload decryption, and evasion. The group also uses fileless payload execution to execute malicious code directly in memory, further complicating detection.
For persistence, SideCopy typically adds its malicious payloads to Windows registry keys or startup options, and on Linux systems, they establish persistence via cron jobs. They also create scheduled tasks to ensure continued access across system reboots.
Defense evasion is a critical aspect of SideCopy’s operations. They routinely obfuscate their malicious payloads and scripts to avoid detection by security tools. Payloads are often masqueraded as legitimate files, such as PDF or DOC documents, to trick victims into executing them. Reflective loading is used to inject malicious code directly into memory, bypassing disk-based detection. The group is known to monitor malware detections and promptly update their modules upon discovery by antivirus software.
Command and Control (C2) infrastructure often involves compromised domains used to host malicious files and communicate with victim machines. Hardcoded IP addresses are embedded within payloads. C2 servers are frequently attributed to providers like Contabo GmbH. SideCopy establishes secure communication channels that mimic legitimate traffic patterns, employing UUID-based registration and utilizing CURL for reliable data transfer over HTTP.
Regarding discovery and collection, once a system is compromised, SideCopy’s malware is designed to enumerate the device, collecting information such as browser data, installed antivirus products, operating system versions, country locations, and IP addresses. The primary objective is data exfiltration, with malware collecting sensitive information like access credentials, keylogs, screenshots, and documents. This stolen data is typically encrypted using algorithms like RC4 before being exfiltrated over the established C2 channel to remote servers controlled by the threat actors, or in some cases, to web-based service engines.
Notable Campaigns
SideCopy has a consistent history of launching targeted campaigns against South Asian entities:
- “Operation SideCopy” (2019-Present): This encompasses the group’s general and ongoing activities, primarily targeting Indian defense forces and armed forces personnel.
- “Operation RusticWeb” (October/December 2023): This campaign specifically targeted Indian government entities, utilizing new Rust-based malware and encrypted PowerShell commands to exfiltrate confidential documents.
- WinRAR Vulnerability Exploitation (Late 2023): SideCopy actively exploited the WinRAR vulnerability CVE-2023-38831 to deploy RATs like AllaKore and DRat against Indian government and defense entities. This campaign also saw the deployment of a Linux variant of Ares RAT.
- Expanded Critical Infrastructure Targeting (Late 2024): In late 2024, SideCopy significantly expanded its targeting beyond traditional government and defense sectors to include critical infrastructure, specifically entities under the railway, oil and gas, and external affairs ministries in India and Afghanistan. This period also marked a notable shift from HTA files to MSI packages for malware delivery.
- “Operation XENOFISCAL” (June 2026): One of their most recent documented campaigns, “Operation XENOFISCAL,” targeted Afghan finance systems. It involved spear-phishing emails deploying XenoRAT malware via a multi-stage infection chain that utilized obfuscated scripts and fileless loaders to evade detection and establish long-term persistence.
Associated Malware & Tools
SideCopy employs a diverse and continuously evolving set of malware and tools, often leveraging both custom-developed remote access trojans (RATs) and modified open-source or commercially available tools.
Key malware and tools include:
- Action RAT: A Delphi-written RAT, active since at least December 2021, used for targeting government personnel in India and Afghanistan.
- AllaKore RAT: A basic Delphi-developed RAT, frequently observed in SideCopy intrusions, capable of keylogging, screenshotting, and remote access.
- Ares RAT: An open-source Python-based RAT with capabilities such as executing shell commands, capturing screenshots, and downloading files. A Linux variant of Ares RAT has been observed, with code similarities to Transparent Tribe.
- CetaRAT: A custom C#-based RAT designed for user data extraction.
- ReverseRAT: A custom RAT, with newer versions featuring enhanced obfuscation and sleep calls to evade detection, used for device enumeration, data collection, and command execution.
- Double Action RAT: Another custom RAT frequently seen in their evolving arsenal.
- XenoRAT: An open-source RAT deployed in recent campaigns, establishing encrypted communications and offering extensive surveillance capabilities like keylogging, file theft, and remote system access.
- CurlBack RAT and Spark RAT: Identified as new customized open-source tools deployed by SideCopy since late 2024.
- MargulasRAT, DetaRAT, Lillith RAT, Epicenter RAT, njRAT: These are other custom or commercially available RATs that SideCopy has been observed using.
- .NET-based RATs and Rust-based Malware: The group continues to develop new malware families, including .NET-based RATs and the Rust-based malware observed in “Operation RusticWeb.”
Beyond RATs, SideCopy utilizes various legitimate system utilities and scripts (like PowerShell, mshta.exe, CreateProcessW) as living-off-the-land binaries (LOLBins) to execute malicious code and evade detection.
Current Status
SideCopy remains a highly active and continuously evolving threat actor group. Recent reporting confirms ongoing operations into 2026, demonstrating their persistent nature and commitment to cyber espionage. “Operation XENOFISCAL,” uncovered in June 2026, highlights their continued targeting of Afghan finance systems with new malware like XenoRAT. Broader activity observed in April 2025 indicated a shift in TTPs, moving from HTA files to MSI packages for malware delivery and introducing new custom RATs such as CurlBack and Spark RAT.
The group’s operational tempo is high, with new attack campaigns observed almost monthly and continuous updates to their malware modules following victim reconnaissance. This rapid development signifies their increased sophistication and ability to adapt their tools and tactics to counter evolving defensive measures. SideCopy’s targeting scope has also expanded, moving beyond traditional government and military entities to include critical infrastructure sectors and even university students, indicating a broader intelligence gathering mandate. Their unwavering focus on South Asian countries, particularly India and Afghanistan, underscores their strategic geopolitical objectives.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call