Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
In its latest campaign, the Advanced Persistent Threat (APT) group has expanded its targets to include the Indian Ministry of Railways, Oil & Gas, External Affairs, Defense establishments, and academic institutions.
Seqrite Labs APT researchers report that SideCopy has transitioned from utilizing HTML Application (HTA) files to Microsoft Installer (MSI) packages as its primary staging mechanism.
This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading, AES encryption via PowerShell, and extensive misuse of open-source tools like XenoRAT.
Open-Source Tools Weaponized: From XenoRAT to SparkRAT
SideCopy’s adoption of open-source tools underscores its ongoing strategic innovation. The group customizes tools like XenoRAT and SparkRAT to enhance penetration and exploit capabilities.
For instance, XenoRAT, originally an open-source variant offering remote access functionalities such as HVNC and keylogging, is being deployed in customized versions.
These variants exhibit added obfuscation techniques, further aiding stealth operations.
Additionally, SideCopy has employed a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks and register compromised systems with its command-and-control (C2) servers.
By repurposing the multi-platform SparkRAT for Linux systems, the campaign showcases SideCopy’s cross-platform capabilities.
The RAT utilizes WebSocket protocols for communication and implements features including process monitoring, file management, network activity tracking, and remote desktop control.
These open-source tools allow for not only exfiltration but potential system manipulation in high-value targets.
SideCopy’s recent campaigns demonstrate an increasingly elaborate use of phishing emails masquerading as government officials to deliver malicious payloads.
For example, the campaign targeting the Indian Ministry of Defense involved phishing emails sent on January 13, 2025, with subjects like “Update schedule for NDC 65” containing malicious links.

The malicious archive files, camouflaged as operational and training documents, automatically downloaded decoy content to distract users while the malware executed.
Additionally, a fake domain impersonating an e-governance platform has been identified, hosting payloads and credential phishing pages.
This infrastructure spans 13 subdomains and mimics login portals for City Municipal Corporations in Maharashtra.
Subdomains like “gadchiroli.egovservice[.]in” and “pen.egovservice[.]in” host phishing pages affiliated with services such as payroll management, safety systems, and municipal governance.
A significant compromise of the official domain of the National Hydrology Project (NHP) under the Ministry of Water Resources has also been reported.
This domain, exploited for payload delivery, demonstrates SideCopy’s broader infrastructure manipulation capabilities.
Sophisticated Payload Delivery Mechanisms
The transition from HTA files to MSI packages reflects SideCopy’s intent to evade detection while maintaining sophisticated infection chains.
The MSI files distribute multiple payloads, including the custom CurlBack RAT, achieving persistence through methods such as scheduled task creation and registry manipulation.
CurlBack RAT begins by running anti-virtual machine (VM) checks and then collects system and USB device information.
The malware uses reversed strings to obscure its C2 communication and supports commands such as data extraction, privilege escalation, and file transfer.
For Linux environments, the infection chain begins with malicious archive files, delivering SparkRAT through crontab persistence mechanisms.
The attacker’s deployment of Golang binaries highlights the systematic cross-platform approach in targeting both Windows and Linux environments.
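A defender-side illustration of the staging and persistence behaviours described above (MSI staging into PowerShell, scheduled-task and Run-key persistence on Windows, crontab persistence on Linux), written as added example code that is not from the Seqrite report or from the malware itself; the event fields, host names, paths and commands are constructed for the example.

```python
import re

# Constructed process-creation events (Sysmon-style fields); hosts, paths and
# commands are made up for this example and are not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "msiexec.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"host": "ws01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\up.exe"},
    {"host": "ws01", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /d C:\\Users\\Public\\up.exe"},
    {"host": "srv02", "parent": "bash", "image": "crontab",
     "cmdline": "crontab /tmp/.x"},
    {"host": "srv02", "parent": "bash", "image": "crontab",
     "cmdline": "crontab -l"},   # listing only, should not fire
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}

# Each rule maps one technique named in the report to a predicate over an event.
RULES = [
    ("msi_spawns_script_host",
     lambda e: e["parent"] == "msiexec.exe" and e["image"] in SCRIPT_HOSTS),
    ("scheduled_task_persistence",
     lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()),
    ("run_key_persistence",
     lambda e: e["image"] == "reg.exe" and re.search(r"\\currentversion\\run", e["cmdline"], re.I) is not None),
    ("crontab_persistence",
     lambda e: e["image"] == "crontab" and "-l" not in e["cmdline"].split()),
]

def evaluate(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e["host"], name, e["cmdline"]))
    return hits

def hosts_with_multiple_techniques(hits, threshold=2):
    """Hosts showing at least `threshold` distinct techniques: the strongest signal of a staged chain."""
    seen = {}
    for host, name, _ in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= threshold)
```

Feeding real endpoint telemetry through `evaluate` and then correlating per host with `hosts_with_multiple_techniques` separates a full staging chain from a single benign scheduled-task creation.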
SideCopy’s recent campaigns align with the group’s historical targeting of Indian defense and maritime sectors.
However, the inclusion of strategic economic sectors like railways and petroleum emphasizes its expansion into critical infrastructure.

Seqrite researchers attribute these campaigns to SideCopy with high confidence based on technical indicators like phishing themes, staging domains, and DNS infrastructure linked to previous operations.
The use of fake identities and domains, compromised government sites, and open directories points to a coordinated, large-scale threat.
The analysis also highlights connections to SideCopy’s parent group, APT36, and infrastructure overlaps with other threat groups such as Transparent Tribe.
SideCopy continues its evolution as one of the most concerning APT groups targeting India’s critical sectors.
By leveraging open-source tools such as XenoRAT and SparkRAT, along with deploying newly identified payloads like CurlBack RAT, the group has intensified its efforts to evade detection and establish persistence.
This campaign underscores the importance of enhanced cyber vigilance and proactive measures against sophisticated adversaries targeting national security and economic infrastructure.