SideCopy’s Cyber Assault: How a Pakistan-Linked APT Group Is Escalating Attacks on India’s Critical Sectors

Listen to this Post

In the ever-evolving landscape of cyber warfare, a Pakistan-affiliated hacking group known as SideCopy is ramping up its operations, shifting tactics, and broadening its range of targets. Once primarily known for focusing on military sectors, SideCopy has now set its sights on India’s railways, petroleum, external affairs, defense, and even educational institutions. This dramatic escalation reveals not just a hunger for intelligence but a strategic effort to compromise the digital skeleton of a nation.

The group, reportedly linked to the notorious APT36, has moved beyond simple malware delivery methods, now employing MSI packages, reflective DLL loading, and PowerShell encryption as part of its attack infrastructure. Notably, its campaigns are now powered by modified open-source remote access tools like XenoRAT and SparkRAT, which are being retrofitted for stealth and persistence across both Windows and Linux environments.

What’s especially disturbing is the group’s use of phishing attacks, fake government platforms, and even the compromise of official Indian government domains, all to embed its spyware and establish long-term control. These developments signal an era where national infrastructure, from water projects to city municipalities, are under sustained cyber siege.

What You Need to Know About SideCopy’s Expanding Campaign (30-line breakdown)

  • Target Expansion: SideCopy is no longer limited to defense; it’s now targeting railways, oil & gas, and academic institutions.
  • Evolved Tactics: Shift from traditional HTA files to MSI packages demonstrates its desire to bypass detection tools.
  • Sophisticated Payloads: Use of CurlBack RAT, a Golang-based malware, allows DLL side-loading and detailed system surveillance.
  • Abuse of Open Source: SideCopy has weaponized XenoRAT and SparkRAT, tailoring them for deep system infiltration and long-term control.
  • Cross-Platform Attacks: Both Linux and Windows systems are vulnerable, showing a strategic, multi-OS infection model.
  • Custom RAT Tools: CurlBack initiates anti-VM checks, extracts data, and establishes C2 (Command and Control) connections.
  • Social Engineering: Deceptive phishing emails impersonate government personnel, masking malicious payloads under operational documents.
  • Credential Harvesting: Fake portals that imitate municipal governance logins steal user credentials and host malware.
  • Infrastructure Hijack: Indian government’s National Hydrology Project domain was repurposed to deliver SideCopy’s malicious code.
  • Persistence Mechanisms: Attackers create scheduled tasks, registry changes, and crontab entries to ensure malware resilience.
  • Fake Domains: 13+ subdomains mimic municipal websites (e.g., gadchiroli.egovservice.in) to spread phishing content.
  • Obfuscation & Encryption: Use of AES-encrypted PowerShell scripts and advanced obfuscation hides malicious behavior.
  • Military & Civilian Targets: Past campaigns focused on defense; current strategy includes civil infrastructure and economic sectors.
  • APT Attribution: Security experts at Seqrite Labs confidently link the tactics and tools to SideCopy’s known methodologies.
  • Linked to APT36: Connections to the larger APT36/Transparent Tribe ecosystem highlight coordinated state-sponsored activities.
  • Timeline of Attacks: A major campaign occurred on January 13, 2025, targeting India’s Ministry of Defense with infected links.
  • Government Impersonation: Phishing attempts used e-governance themes to trick users into installing RATs.
  • C2 Server Communication: RATs use WebSocket protocols for real-time control, data exfiltration, and remote surveillance.
  • Strategic Goal: Long-term infiltration of India’s economic and defense infrastructure for intelligence and sabotage.
  • Research Backing: Attribution backed by phishing templates, infrastructure overlaps, and payload signatures.
  • Threat Evolution: Transition to more refined and covert attack chains indicates growing technical maturity.
  • Threat Severity: The campaign is part of a large-scale coordinated operation, not isolated incidents.
  • Cyber Hygiene Reminder: These events underscore the importance of employee training, endpoint detection, and phishing awareness.
  • Geopolitical Implications: Cyber campaigns like this are modern warfare tools aimed at disrupting national security.
  • Tool Modularity: Open-source tools allow attackers to customize functions for keylogging, file theft, and remote desktop access.
  • Global Threat Echo: The use of SparkRAT and other cross-platform tools mirrors tactics of other international APTs.
  • Digital Infiltration: Infected devices may be used as entry points into wider organizational networks, amplifying risk.
  • National Resilience: India must strengthen its cyber resilience strategy across sectors to mitigate such threats.
  • APT Branding: SideCopy operates with a clearly structured method, marking it as a methodical and persistent adversary.
  • Cybersecurity Collaboration: The importance of public-private cooperation is paramount in defending against these rising threats.

What Undercode Say:

SideCopy’s new wave of attacks is a case study in the dangerous evolution of cyber adversaries. The shift from using relatively basic HTA files to more advanced MSI-based payloads shows a deliberate strategy to outmaneuver modern detection systems. By leveraging tools like XenoRAT and SparkRAT, SideCopy isn’t reinventing the wheel—they’re simply building a more armored version of it. These open-source platforms are not inherently malicious, but their versatility makes them ideal vessels for custom modifications that suit stealth, persistence, and broad control.

The introduction of CurlBack RAT, written in Golang, demonstrates another layer of this strategic sophistication. Not only is Golang cross-platform, but it also complicates reverse engineering, which adds an extra layer of resilience against counter-analysis. This adaptability in using programming languages and exploiting both Linux and Windows ecosystems underscores a high degree of operational maturity within the group.

Phishing continues to serve as the primary attack vector, and SideCopy’s execution is alarmingly polished. The ability to convincingly impersonate government agencies and plant malware in what appears to be legitimate documentation reflects detailed reconnaissance. This isn’t an opportunistic actor casting a wide net—this is targeted espionage, likely with backing from state-level entities.

Compromising the domain of a real government entity like the National Hydrology Project takes the threat from digital to institutional. The psychological impact of seeing a legitimate government domain serve malware is immense—it breeds distrust in public systems and can destabilize confidence in e-governance platforms.

Another particularly noteworthy aspect is the attack on city municipal corporations through fake e-governance portals. This indicates a possible intent to manipulate localized services or test broader exploitability at grassroots administrative levels.

By using scheduled tasks, obfuscated code, reverse-engineered PowerShell commands, and robust persistence methods, SideCopy showcases a toolkit engineered for endurance. These aren’t hit-and-run attacks. These are long-term digital occupations designed to monitor, extract, and potentially manipulate data at scale.

Their infrastructure also echoes other APTs in the region, especially Transparent Tribe, blurring attribution and complicating international cyber diplomacy. The DNS overlaps, phishing themes, and behavioral patterns show shared resources or a coordinated alliance, further muddying the waters between individual hacker groups and their potential nation-state patrons.

For India, these developments represent not just a threat but a wake-up call. Critical infrastructure must be shielded not just with tech, but with policy, awareness training, and inter-departmental cybersecurity integration. The battlefront has shifted. The enemy is invisible, but the damage can be tangible—shutdowns, data theft, sabotage, or worse.

SideCopy’s campaign serves as a sharp reminder: open-source doesn’t always mean open-hearted, and even publicly available tools can become weapons in the wrong hands.

Fact Checker Results

  • Technical Evidence Supports Attribution: Analysis of payloads, phishing tactics, and staging domains solidly connect this campaign to SideCopy.
  • Legitimate Sources Used for Infrastructure Hijack: Compromised government platforms like the NHP’s domain are verified by cybersecurity researchers.
  • Cross-Platform Attacks Confirmed: Use of Golang-based malware and Linux-compatible tools has been validated by multiple security vendors.

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image