New Dehli, India|New Dehli, India
New Dehli, India|New Dehli, India

SideCopy cyber-espionage group targets Indian government, military

A cyber-espionage group has been observed targeting Indian targets with government and military-related lures in a broad campaign to infect victims with malware.

Tracked under the name of SideCopy, this cyber-espionage group has been active since 2019, according to Seqrite, Quick Heal's threat intelligence team, which first documented its spear-phishing campaigns last September.

But in a report published today, Cisco Talos, one of the networking giant's cybersecurity divisions, said the group did not retreat or stop its operations after having its attacks and tooling exposed last year.

In summary, Talos has found that:

  • SideCopy has continued to carry out spear-phishing email attacks that used Indian government and defense forces-related themes.
  • The emails came with malicious file attachments—ranging from LNK files to self-extracting RAR EXEs and MSI-based installers—that installed remote access trojans (RATs) on infected systems.
  • The group used both custom RATs (CetaRAT, DetaRAT, ReverseRAT, ActionRAT) but also commercially available RATs (njRAT, Allakore RAT, Lillith RAT, Epicenter RAT).
  • After infecting victims, SideCopy operators often deployed RAT plugins with various functionality, ranging from file enumerators to credential-stealers and keyloggers.
  • Many of SideCopy's operations posed a close resemblance to past campaigns carried out by APT36 (aka Mythic Leopard and Transparent Tribe), a group linked in previous years to Pakistan.

Cisco Talos researchers noted that these new attacks are important because SideCopy operators have shown the ability to develop new malware from scratch, a clear sign that they are gaining experience and becoming more sophisticated in their attacks.

This increased in sophistication was clearly visible in 2020 and 2021, compared to their early 2019 campaigns, researchers said.

The Talos report also confirms a recent spike in activity reported by Chinese security firm Rising.

In a broader political context, the activities of this new group don't bring anything new to the plate, as cyber-espionage efforts between India and Pakistan have been widely documented for more than half a decade, and the Cisco Talos report shows that the two countries are still keeping tabs on each other.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.