Cyber Threat Actor: SideCopy APT
| Actor Type | Location | Known Incidents |
Spy
|
Pakistan
|
2 incidents |
|---|
Profile
SideCopy APT, also known simply as SideCopy, is a Pakistani cyberespionage group that has been observed conducting targeted operations against Indian government and military institutions. The group’s activity is characterized by the use of spear‑phishing emails that carry malicious ZIP attachments containing decoy documents designed to lure victims into executing embedded LNK files. Once the LNK file is launched, it triggers a multi‑stage infection chain that begins with an HTML application, proceeds through a series of concatenated HTA scripts, and ultimately drops a variant of the Action Rat malware onto the compromised system. Action Rat provides the attackers with the ability to enumerate drives and files, gather system information, install additional payloads, and exfiltrate collected data to command‑and‑control servers. The group has been noted for mimicking legitimate Windows component names when placing its malware files, a tactic intended to evade detection. SideCopy’s TTPs show clear overlap with those of the Sidewinder APT, indicating that it adopts and adapts techniques from other threat actors while continuously evolving its toolset.
In terms of targeting, SideCopy has focused on defense research organizations, such as India’s Defense Research and Development Organization, as well as the Indian Army, the National Cadet Corps, and the National Council of Educational Research and Training. The group’s strategic objective appears to be espionage, seeking to steal sensitive military secrets and technical data related to advanced weapons systems, exemplified by its use of decoy material on the K‑4 missile in a 2023 campaign. Geographic focus has been primarily on Indian targets, with occasional references to Afghan entities, reflecting a regional interest in South Asian security affairs. While the group is publicly described as a Pakistani cyberespionage actor, the sources do not provide explicit details about state sponsorship or affiliations beyond its national origin.
Representative operations include the March 2023 spear‑phishing attack on DRDO that employed a malicious ZIP containing a LNK file disguised as a K‑4 missile presentation, and earlier campaigns in 2021 that used decoy PDFs titled “Email facility address list of the ERE units” and “Living the values, a value‑narrative to grass‑root leadership” to target Indian Army and NCERT personnel, respectively. These incidents illustrate SideCopy’s reliance on social engineering, document‑based lures, and a staged delivery mechanism to establish footholds within high‑value networks and sustain long‑term data collection efforts.
