{
	"id": "6a567d69-4aac-4502-97f1-568164a06bd9",
	"created_at": "2026-04-06T00:15:19.472978Z",
	"updated_at": "2026-04-10T13:12:33.313336Z",
	"deleted_at": null,
	"sha1_hash": "0eb229d05054aa61c3bcb0f37bf5412b071865ee",
	"title": "SideCopy APT: from Windows to *nix - Telsy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 581940,
	"plain_text": "SideCopy APT: from Windows to *nix - Telsy\r\nBy Claudio Di Giuseppe\r\nPublished: 2022-01-05 · Archived: 2026-04-02 10:38:53 UTC\r\nThe Telsy Threat Intelligence team has observed a spear-phishing campaign conducted by the cyber-espionage group SideCopy against critical government entities in India.\r\nSideCopy APT: from Windows to *nix\r\nAs previously reported by Cisco Talos, in this campaign too SideCopy used, alongside military themes, publications and invitations to submit documents or proposals, and set up phishing portals posing as Indian government webmail to trick victims into divulging their e-mail credentials.\r\nSideCopy's delivery infrastructure relies on compromised websites to serve malicious artefacts to specific victims. In this campaign the portal “hxxp://assessment.mojochamps.com” was compromised, a WebShell (“WSO version 4.2.5”) was uploaded to it, and the infection chain started from there.\r\nThe infection chain for Windows systems has remained relatively consistent, with minor variations, but unlike in previous observations an infection chain for *nix systems has been introduced. SideCopy continued to send spear-phishing e-mails with malicious attachments ranging from web links to LNK files that installed remote access trojans (RATs) on the infected systems.\r\nIn addition, SideCopy used the BackNet agent in some infection chains. BackNet is a Python Remote Access Tool made of two main programs:\r\n– A Command and Control server, which is a web interface used to administer the agents\r\n– An agent program, which runs on the compromised host and maintains communication with the Command and Control server.
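Because BackNet is written in Python, its agent is delivered to a host as a PyInstaller-frozen executable, and PyInstaller leaves the same archive trailer (the CArchive cookie) in a Windows PE and a *nix ELF. The scanner below is added here as an example; it is not code from Telsy or from the BackNet project. It locates that trailer in a file image, parses the cookie and reports the Python version and shared library the agent was frozen with, which is the fastest way to tell a frozen Python agent from a native implant on either platform. The three sample binaries it runs on (a fake ELF build, a fake PE build and a clean ELF) are constructed inside the block and are not real SideCopy samples; the cookie layout parsed is the one PyInstaller has used since version 2.1.

```python
import struct

# PyInstaller terminates the CArchive it embeds in a frozen executable with an
# 8-byte cookie magic: the ASCII 'MEI' followed by 0x0C 0x0B 0x0A 0x0B 0x0E.
# The same trailer appears whether the bootloader is a Windows PE or a *nix ELF.
PYI_MAGIC = b'MEI' + bytes([0x0C, 0x0B, 0x0A, 0x0B, 0x0E])

# Cookie layout used since PyInstaller 2.1 (big-endian): magic, archive length,
# TOC offset (relative to the archive start), TOC length, Python version and the
# name of the Python shared library, NUL-padded to 64 bytes.
COOKIE_FMT = '!8sIIii64s'
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes


def host_format(data):
    # Minimal container check: ELF starts with 0x7F 'ELF', PE with 'MZ'.
    if data[:4] == bytes([0x7F]) + b'ELF':
        return 'ELF'
    if data[:2] == b'MZ':
        return 'PE'
    return 'unknown'


def find_pyinstaller_cookie(data):
    # Search the whole buffer for the last magic occurrence instead of assuming
    # the cookie is the final 88 bytes, so an archive stored inside an ELF
    # section (rather than appended to the file) is still found.
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # PyInstaller 3.x encoded the version as major*10+minor (e.g. 38);
    # 4.x and later use major*100+minor (e.g. 310).
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        'cookie_offset': pos,
        'archive_start': pos + COOKIE_LEN - pkg_len,
        'toc_offset': toc_pos,
        'toc_len': toc_len,
        'python': f'{major}.{minor}',
        'libname': libname.rstrip(bytes(1)).decode('ascii', 'replace'),
    }


def classify(data):
    # Combine both checks: a PyInstaller cookie inside an ELF points at a *nix
    # build of the same Python agent that would ship as a PE on Windows.
    return {'format': host_format(data), 'pyinstaller': find_pyinstaller_cookie(data)}


def make_fake_frozen_binary(header, libname, pyver):
    # Constructed stand-in for a frozen agent (not a real sample): a container
    # header, 64 filler bytes in place of the bootloader, a fake archive body
    # and a correctly formatted cookie describing it.
    body = b'ARCHIVE-BODY' * 4  # 48 bytes in place of the packed TOC and entries
    toc_len = 16
    pkg_len = len(body) + COOKIE_LEN  # the archive length counts the cookie itself
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(body) - toc_len,
                         toc_len, pyver, libname)
    return header + bytes(64) + body + cookie


# Constructed samples: a *nix build, a Windows build and a clean ELF.
SAMPLE_ELF_AGENT = make_fake_frozen_binary(bytes([0x7F]) + b'ELF', b'libpython3.8.so.1.0', 38)
SAMPLE_PE_AGENT = make_fake_frozen_binary(b'MZ', b'python310.dll', 310)
SAMPLE_PLAIN_ELF = bytes([0x7F]) + b'ELF' + bytes(128)

if __name__ == '__main__':
    for name, sample in [('elf-agent', SAMPLE_ELF_AGENT), ('pe-agent', SAMPLE_PE_AGENT),
                         ('plain-elf', SAMPLE_PLAIN_ELF)]:
        print(name, classify(sample))
```

In the field, feed classify() the bytes of a file opened in binary mode; a cookie hit in an ELF that names a libpython library is a strong hint that the sample is a frozen Python agent rather than a native implant, and the archive_start and toc_offset values are what a full extractor such as pyinstxtractor would use to carve the embedded .pyc files.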
\r\nThe agent can be compiled to native executables using PyInstaller and is therefore compatible with both Windows and *nix operating systems.\r\nThe portal “hxxp://assessment.mojochamps.com”, compromised by the threat actor, had misconfigured open directories (directory listing enabled) that exposed the directories and files saved by the cyber-espionage group.\r\nAnalysis of the files on the compromised website made it possible to draw up a timeline of the activities conducted by the SideCopy group. Between the upload of the first WebShell and the last recorded activity, which appears to be the creation of the Indian government webmail phishing page, there were various activities such as the upload of PHP and ELF files along with decoy documents.\r\nThe following storyline omits the decoy document uploads.\r\nhttps://www.telsy.com/sidecopy-apt-from-windows-to-nix/\r\nJudging by context and modus operandi, all the PHP and other files are consistent with each other, which makes it plausible that the compromised site was used by this one threat actor to target only India.\r\nTypically, the purpose of the PHP pages was to record the visitor's source IP and user agent in a text file and then redirect the visitor either to the malicious file or to a decoy file, depending on the purpose of the page.\r\nMap of visitors' IPs\r\nAnalysis of the log files generated by the PHP pages identified around 400 unique IPs, most of them concentrated in India. Some of these IPs were attributed to Indian governmental and civil organisations by analysing the information held in Whois registry databases. For example:\r\n– M.P. Power Management Company Limited\r\n– Power System Operation Corporation Limited\r\n– Inspector General of Police\r\n– Chief of Naval Staff\r\n– National Remote Sensing Agency.\r\nMap of Indian visitor IPs\r\nThis report was produced by Telsy's Cyber Threat Intelligence team with the help of its CTI platform, which makes it possible to analyse, and stay updated on, adversaries and threats that could impact customers' business.\r\nSource: https://www.telsy.com/sidecopy-apt-from-windows-to-nix/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.telsy.com/sidecopy-apt-from-windows-to-nix/"
	],
	"report_names": [
		"sidecopy-apt-from-windows-to-nix"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0eb229d05054aa61c3bcb0f37bf5412b071865ee.pdf",
		"text": "https://archive.orkl.eu/0eb229d05054aa61c3bcb0f37bf5412b071865ee.txt",
		"img": "https://archive.orkl.eu/0eb229d05054aa61c3bcb0f37bf5412b071865ee.jpg"
	}
}