The Pakistan-linked Advanced Persistent Threat (APT) group known as SideCopy has significantly expanded its targeting scope since late December 2024.
Initially, the group focused on infiltrating India’s government, defense, maritime sectors, and university students.
Recent developments indicate an inclusion of crucial sectors like railways, oil & gas, and external affairs ministries into their cyber activities.
.png
)
Seqrite Labs APT team has been pivotal in uncovering the evolution of SideCopy’s tactics, which now involve impersonating government officials to evade detection.
Strategic Deployment of Malicious Payloads
SideCopy has begun utilizing Microsoft Installer (MSI) packages as a staging mechanism, shifting from their previous use of HTML Application (HTA) files.
This method facilitates evasion techniques such as DLL side-loading and multi-platform intrusions, enhancing their ability to deliver payloads discreetly.
Moreover, the group has repurposed open-source tools, modifying and enhancing functionalities of tools like Xeno RAT and Spark RAT, aligning them with Async RAT to fit their strategic objectives.
Phishing and Credential Theft
The campaign began with phishing emails under the guise of official communications from the National Defence College (NDC), India.
These emails, dated January 13 and 15, 2025, contained malware-laden attachments or links named “NDC65-Updated-Schedule.pdf” and “2024-National-Holidays-RH-PER_N-1.zip,” respectively.
Users were deceived into downloading these files, which, upon execution, initiated the download of MSI packages that leveraged legitimate applications to execute malicious code.
To establish persistence, SideCopy uses compromised official domains like “nhp.mowr.gov.in” and fake domains mimicking e-governance services to host and deliver their payloads.
These domains were created with GoDaddy.com, LLC, and target various systems when a user logs in, from webmail to staff safety management, potentially under the Right to Public Services Act.
After initial infection, SideCopy employs techniques such as reflective loading and AES/RC4 decryption of code sections to deploy their custom RATs.
For example, CurlBack RAT registers the victim’s machine with the command and control (C2) server using a UUID and supports file transfers using curl.
A modified version of open-source XenoRAT, which was initially used by North Korean-linked groups, has been repurposed by SideCopy for HVNC, live microphone access, keylogging, and other espionage activities.
The malware communicates with the C2 server (79.141.161.58:1256), suggesting a deep level of customization to evade detection.
SideCopy’s operations rely on a complex infrastructure, with staging domains often registered through GoDaddy.com, LLC.
These domains have been active since June 2023 and are designed to cater to multiple Indian City Municipal Corporations through fake login pages for credential phishing.
According to the Report, C2 servers are hosted on IPs associated with Cloudflare and HZ Hosting Limited, known for its use in previous SideCopy campaigns.
The group also engages in honey-trap themed campaigns, observed in January 2025, which coincide with the arrest of a government employee accused of espionage.
Furthermore, SideCopy has reactivated a previously compromised education portal with new URLs targeting university students using themes like “Climate Change” and “Professional Development.”
The evolution of SideCopy’s tactics from using HTA files to adopting MSI packages, alongside their adoption of open-source tools and advanced evasion techniques, highlights their adaptability to increase the effectiveness of their espionage operations.
This sophisticated approach not only increases their potential to compromise critical infrastructure but also underscores the urgent need for enhanced cybersecurity measures across targeted sectors to mitigate these persistent threats.
The continued development in SideCopy’s strategies necessitates a proactive and versatile approach to cybersecurity within government and strategic sectors.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
 group known as SideCopy has significantly expanded its targeting scope.){kind=link}