Saturday, April 26, 2025

SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool


The Pakistan-linked Advanced Persistent Threat (APT) group known as SideCopy has significantly expanded its targeting scope since late December 2024.

Initially, the group focused on infiltrating India’s government, defense, maritime sectors, and university students.

Recent developments indicate that crucial sectors such as railways, oil and gas, and external affairs ministries have been added to the group's targeting.


Seqrite Labs APT team has been pivotal in uncovering the evolution of SideCopy’s tactics, which now involve impersonating government officials to evade detection.

Strategic Deployment of Malicious Payloads

SideCopy has begun utilizing Microsoft Installer (MSI) packages as a staging mechanism, shifting from their previous use of HTML Application (HTA) files.

This method facilitates evasion techniques such as DLL side-loading and multi-platform intrusions, enhancing their ability to deliver payloads discreetly.

Moreover, the group has repurposed open-source tools, modifying and extending the functionality of Xeno RAT and Spark RAT and aligning them with Async RAT to fit their strategic objectives.

[Figure: NDC phishing email]

Phishing and Credential Theft

The campaign began with phishing emails under the guise of official communications from the National Defence College (NDC), India.

These emails, dated January 13 and 15, 2025, contained malware-laden attachments or links named “NDC65-Updated-Schedule.pdf” and “2024-National-Holidays-RH-PER_N-1.zip,” respectively.

[Figure: Holiday list decoy (Railways)]

Users were deceived into downloading these files, which, upon execution, initiated the download of MSI packages that leveraged legitimate applications to execute malicious code.

To establish persistence, SideCopy uses compromised official domains like “nhp.mowr.gov.in” and fake domains mimicking e-governance services to host and deliver their payloads.

These domains were registered through GoDaddy.com, LLC, and present fake login pages for various systems, from webmail to staff safety management, potentially under the Right to Public Services Act, capturing credentials when a user logs in.

After initial infection, SideCopy employs techniques such as reflective loading and AES/RC4 decryption of code sections to deploy their custom RATs.

For example, CurlBack RAT registers the victim’s machine with the command and control (C2) server using a UUID and supports file transfers using curl.

A modified version of open-source XenoRAT, which was initially used by North Korean-linked groups, has been repurposed by SideCopy for HVNC, live microphone access, keylogging, and other espionage activities.

The malware communicates with the C2 server (79.141.161.58:1256), suggesting a deep level of customization to evade detection.

SideCopy’s operations rely on a complex infrastructure, with staging domains often registered through GoDaddy.com, LLC.

These domains have been active since June 2023 and are designed to cater to multiple Indian City Municipal Corporations through fake login pages for credential phishing.

According to the report, the C2 servers are hosted on IPs associated with Cloudflare and HZ Hosting Limited, the latter known for use in previous SideCopy campaigns.
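As a defender-side illustration of how the indicators reported above (the C2 endpoint 79.141.161.58:1256, the compromised payload host nhp.mowr.gov.in, and the shift to MSI packages fetched after a lure is opened) can be turned into triage logic, the following Python script is an added example, not code from the article or from Seqrite Labs. The newline-delimited JSON event schema, the sample events, the `.msi` filename and the user-download path pattern are all constructed assumptions for this example; only the IP, port and domain come from the article.

```python
"""Triage helper: scan constructed endpoint/network events for the indicators
this article reports for SideCopy and for the MSI-staging behaviour it describes.
The event schema and sample lines are constructed for this example (hypothetical,
not a real product's log format)."""
import ipaddress
import json
import re

# Indicators taken from the article text.
C2_ENDPOINTS = {("79.141.161.58", 1256)}
PAYLOAD_HOSTS = {"nhp.mowr.gov.in"}

# Behavioural rule: msiexec run against a package sitting in a user-writable
# download location (the article describes MSI packages fetched after a lure
# attachment is opened). The path pattern is an assumption for this example.
USER_DOWNLOAD_PATH = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE
)


def check_event(ev: dict) -> list:
    """Return the reasons an event matches; an empty list means no match."""
    hits = []
    kind = ev.get("type")
    if kind == "net_conn":
        try:
            dst = str(ipaddress.ip_address(ev.get("dst_ip", "")))
        except ValueError:
            return hits  # malformed address: nothing to match against
        if (dst, int(ev.get("dst_port", 0))) in C2_ENDPOINTS:
            hits.append(f"connection to reported C2 {dst}:{ev['dst_port']}")
    elif kind == "dns":
        # Normalise the trailing dot and case so "nhp.mowr.gov.in." still matches.
        q = ev.get("query", "").rstrip(".").lower()
        if q in PAYLOAD_HOSTS or any(q.endswith("." + h) for h in PAYLOAD_HOSTS):
            hits.append(f"DNS lookup of reported payload host {q}")
    elif kind == "proc_create":
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "")
        if image.endswith("\\msiexec.exe") and USER_DOWNLOAD_PATH.search(cmdline):
            hits.append("msiexec.exe installing a package from a user download path")
    return hits


def scan(lines):
    """Parse newline-delimited JSON events; return (event_id, reasons) for matches."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        reasons = check_event(ev)
        if reasons:
            findings.append((ev.get("id"), reasons))
    return findings


# Constructed sample events (not captured telemetry). Backslashes are doubled
# twice: once for the Python literal, once for JSON.
SAMPLE_EVENTS = """
{"id": 1, "type": "net_conn", "dst_ip": "79.141.161.58", "dst_port": 1256}
{"id": 2, "type": "net_conn", "dst_ip": "79.141.161.58", "dst_port": 443}
{"id": 3, "type": "dns", "query": "nhp.mowr.gov.in."}
{"id": 4, "type": "dns", "query": "example.org"}
{"id": 5, "type": "proc_create", "image": "C:\\\\Windows\\\\System32\\\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\\\Users\\\\a\\\\Downloads\\\\schedule-update.msi /qn"}
{"id": 6, "type": "proc_create", "image": "C:\\\\Windows\\\\System32\\\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\\\ProgramData\\\\Vendor\\\\update.msi /qn"}
{"id": 7, "type": "net_conn", "dst_ip": "not-an-ip", "dst_port": 1256}
""".strip().splitlines()

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

The port is matched together with the IP because the article names a specific C2 port; a connection to the same address on another port (event 2) is deliberately not flagged, so an analyst would widen `C2_ENDPOINTS` only once the shared-hosting question raised by the Cloudflare and HZ Hosting attribution is settled. The DNS check also matches subdomains of the listed host, which goes slightly beyond the single hostname the article gives.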

The group also engages in honey-trap themed campaigns, observed in January 2025, which coincide with the arrest of a government employee accused of espionage.

Furthermore, SideCopy has reactivated a previously compromised education portal with new URLs targeting university students using themes like “Climate Change” and “Professional Development.”

The evolution of SideCopy’s tactics from using HTA files to adopting MSI packages, alongside their adoption of open-source tools and advanced evasion techniques, highlights their adaptability to increase the effectiveness of their espionage operations.

This sophisticated approach not only increases their potential to compromise critical infrastructure but also underscores the urgent need for enhanced cybersecurity measures across targeted sectors to mitigate these persistent threats.

The continued development in SideCopy’s strategies necessitates a proactive and versatile approach to cybersecurity within government and strategic sectors.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
