{
	"id": "b2d74279-299e-4d1f-a0f0-464f8bfd89be",
	"created_at": "2026-04-06T00:14:35.53772Z",
	"updated_at": "2026-04-10T03:37:20.318239Z",
	"deleted_at": null,
	"sha1_hash": "1c8a5f7b3b82774e02ab27ae72b610e5a935a817",
	"title": "Cyble - Notorious SideCopy APT Group Sets Sights On India's DRDO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1222128,
	"plain_text": "Cyble - Notorious SideCopy APT Group Sets Sights On India's DRDO\r\nPublished: 2023-03-21 · Archived: 2026-04-05 16:39:41 UTC\r\nCRIL analyzes an ongoing campaign by SideCopy APT group targeting the Defense Research and Development Organization (DRDO) of the Indian government.\r\nThreat Actors Use DLL Sideloading to Fly Under the Radar\r\nSideCopy APT is a Threat Actor (TA) from Pakistan that has been active since 2019, focusing on targeting South Asian nations, especially India and Afghanistan. The SideCopy APT gets its name from the infection chain, which imitates that of the SideWinder APT. Some reports suggest that this actor shares characteristics with Transparent Tribe (APT36) and could potentially be a sub-group of that threat actor.\r\nRecently, Cyble Research and Intelligence Labs (CRIL) came across a Twitter post of an ongoing campaign by SideCopy APT against the “Defence Research and Development Organisation” of the Indian government.\r\nDRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces. Its focus includes creating cutting-edge defense systems such as missiles, radars, electronic warfare and communication systems, naval and aerospace systems. 
The agency plays a significant role in India’s defense industry, contributing to the country’s military strength and self-sufficiency in defense technology.\r\nThe initial infection starts with a spam email containing the link to the malicious file hosted on the compromised website. The link allows users to download a ZIP file containing an LNK file named “DRDO – K4 Missile Clean room.pptx.lnk” from the below URL:\r\nhxxps[:]//www[.]cornerstonebeverly[.]org/js/files/DRDO-K4-Missile-Clean-room[.]zip\r\nThe delivery mechanism of the SideCopy APT attack via a spam email is illustrated in the figure below.\r\nhttps://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/\r\nPage 1 of 10\n\nFigure 1 – Infection chain\r\nInitial Infection\r\nThe infection process begins with the user extracting a zip file and then running the .lnk file on their machine. Once the .lnk file is executed, it triggers a command that launches “mshta.exe” to connect to a specific URL, shown in the figure below.\r\nFigure 2 – Target command to launch MSHTA\r\nAfter redirection, the URL eventually establishes a connection with the following URL:\r\nhxxps[:]//www[.]cornerstonebeverly[.]org/js/files/docufentososo/doecumentosoneso/pantomime[.]hta\r\nSubsequently, the HTA file is downloaded and executed in the path mentioned below:\r\nc:\\users\\\u003cAdmin\u003e\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\nxzxrd2m\\pantomime.hta\r\nThe figure below displays a code snippet from the “pantomime.hta” file, including the compressed Microsoft PowerPoint file encoded in Base64 format.\r\nFigure 3 – Code snippet of pantomime.hta file\r\nAfter execution, the HTA file decodes and decompresses the PPT file encoded in 
Base64 format. Consequently, it saves the decompressed Microsoft PowerPoint file in the “%temp%” folder under the name “DRDO – K4 Missile Clean room.pptx” and launches it, as shown in Figure 4. The TAs are enticing users with a DRDO PowerPoint document and covertly engaging in malicious activities in the background through the “pantomime.hta” file.\r\nFigure 4 – DRDO – K4 Missile Clean room MS PowerPoint slides\r\nThe HTA file, aside from dropping the PPT file, carries out a concatenation operation and decodes the Base64-encoded content of the DLL file named “hta.dll”. When the decoding is complete, the DLL file is loaded into memory and triggered using the DynamicInvoke method. This method creates an instance of a class called “WorkInProgress”.\r\nUpon execution, the “hta.dll” file drops another .hta file named “jquery.hta” under the directory “C:\\ProgramData\\HP” and executes it through “mshta.exe”.\r\nWhen executed, the “jquery.hta” file carries out the concatenation operation and decodes the Base64-encoded content of the loader DLL file named “PreBotHta.dll”, as it did before for “hta.dll”. Once decoded, the “PreBotHta.dll” file is loaded into memory and invoked using the DynamicInvoke method. 
This method creates an instance of a class called “DraftingPad.” It also uses a WMI query, specifically “Select * From AntiVirus,” to gather the names of installed antivirus products. The below figure shows the code snippet of the “jquery.hta” file.\r\nFigure 5 – Code snippet of jquery.hta file\r\nFinally, the “jquery.hta” file executes the PinkAgain() function of the loader “PreBotHta.dll” file, passing the AntiVirus names and a Base64-encoded payload called “DUser.dll” as arguments. The below figure shows the code snippet of the loaded “PreBotHta.dll” file.\r\nFigure 6 – Loaded PreBotHta.dll file in memory\r\nDLL SideLoading\r\nThe PinkAgain() function copies the legitimate “credwiz.exe” file, which is part of the Windows operating system, to the following location as “cridviz.exe”. The legitimate file “credwiz.exe” is primarily used to create and restore backups of Windows user account credentials. Typically, it loads a legitimate file named “Duser.dll.” However, in this case, the malware takes the Base64-encoded argument, decodes it, and saves it as “Duser.dll” in the location where “cridviz.exe” was dropped previously. The dropped malicious file “Duser.dll” is a variant of the Action RAT malware family, responsible for performing malicious activities on the victim’s machine. During its execution, the loader drops both files in the below directory.\r\nC:\\Users\\Public\\hp\\cridviz.exe\r\nC:\\Users\\Public\\hp\\DUser.dll\r\nFurthermore, the loader utilizes various directories to drop the files “credwiz.exe” and “DUser.dll” using different names based on the type of AntiVirus software installed on the victim’s machine. 
TAs commonly use this tactic to increase the effectiveness of their attacks and avoid detection by security software. The specific directories and filenames used by the loader are indicated below.\r\nC:\\Users\\Public\\hp\\rekeywiz.exe\r\nC:\\Users\\Public\\hp\\rech.dat\r\nC:\\ProgramData\\Intel\\cridviz.exe\r\nC:\\ProgramData\\Intel\\DUser.dll\r\nFigure 7 – Files dropped by PreBotHta.dll\r\nOnce the necessary files have been dropped onto the victim’s system, the “cridviz.exe” process is initiated, which then proceeds to sideload the malicious payload “Duser.dll”, as shown in the figure below.\r\nFigure 8 – cridviz.exe side loading DUser.dll\r\nAction RAT Payload\r\nTo begin its malicious operation, the RAT first gathers information about the victim’s machine, such as its hostname, username, operating system version, and installed antivirus products. This data is then transmitted to the Command-and-Control (C\u0026C) server via an HTTP request, as below.\r\nhxxp[:]//144[.]91[.]72[.]17:8080/streamcmd?AV=[Redacted]\u0026OS=[Redacted]\u0026Vesrion=[Redacted]\u0026detail=[Redacted]\r\nAfterward, the malicious process enters a loop and remains idle until it receives commands from the server, which it executes. 
The RAT possesses the ability to perform any of the following operations upon receiving commands from the C\u0026C:\r\nExecute: Carry out commands sent from the server\r\nDownload: Retrieve and install additional payloads\r\nDrives: Obtain information about the available drives\r\nGetFiles: Retrieve information about specific files\r\nExecute: Launch a designated payload using CreateProcessW()\r\nUpload: Transmit files to the server\r\nIn addition, the loader DLL was utilized to deploy a recently developed information-stealing malware called AuTo Stealer. This malware can gather PDF documents, Office/text/database files, and images, and transmit the stolen information via HTTP or TCP.\r\nPersistence\r\nThis loader DLL file also drops a batch file named “test.bat” in the %temp% directory, which creates an auto-startup entry for the “cridviz.exe” file using the “reg.exe” utility, as shown in the figure below.\r\nFigure 9 – Run entry for Persistence\r\nConclusion\r\nSideCopy is an APT group that emulates the tactics of the Sidewinder APT to distribute its own malware. Its attack patterns typically involve the use of malicious LNK files to initiate a complex chain of infection using multiple HTAs and loader DLLs, ultimately leading to the deployment of final payloads. This group has been observed to target government and military officials in India and Afghanistan specifically. 
The APT group continuously evolves its techniques while incorporating new tools into its arsenal.\r\nCRIL continues to monitor the most recent APT attacks, phishing attacks, or malware strains in circulation and regularly publishes informative blog posts with practical insights to help protect users from these well-known attacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:\r\nAvoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Spearphishing Attachment\r\nExecution | T1204 | User Execution\r\nExecution | T1047 | Windows Management Instrumentation\r\nExecution | T1170 | Mshta\r\nExecution | T1129 | Shared Modules\r\nDefense Evasion | T1036 | Masquerading\r\nDefense Evasion | T1218 | System Binary Proxy Execution\r\nPersistence | T1547 | Registry Run Keys / Startup Folder\r\nDiscovery | T1016 | System Network Configuration Discovery\r\nDiscovery | T1057 | Process Discovery\r\nCollection | T1185 | Browser Session Hijacking\r\nCommand and Control | T1071 | Application Layer Protocol\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nIndicators Of Compromise\r\nIndicators | Indicator type | Description\r\n0725318b4f5c312eeaf5ec9795a7e919 | MD5 | DRDO-K4-Missile-Clean-room.zip\r\n9902348fc5dffe10a94a3f4be219dc42330ed480 | SHA1 | DRDO-K4-Missile-Clean-room.zip\r\n9aed0c5a047959ef38ec0555ccb647688c67557a6f8f60f691ab0ec096833cce | SHA256 | DRDO-K4-Missile-Clean-room.zip\r\nab11b91f97d7672da1c5b42c9ecc6d2e | MD5 | DRDO – K4 Missile Clean room.pptx\r\nfeeadc91373732d65883c8351a6454a77a063ff5 | SHA1 | DRDO – K4 Missile Clean room.pptx\r\na2e55cbd385971904abf619404be7ee8078ce9e3e46226d4d86d96ff31f6bb9a | SHA256 | DRDO – K4 Missile Clean room.pptx\r\ncbaa7fc86e4f1a30a155f60323fdb72a | MD5 | pantomime.hta (Stage 1)\r\nd7dcea1c35475caa85e9298e44b63d3ce43fb2f0 | SHA1 | pantomime.hta (Stage 1)\r\ne88835e21c431d00a9b465d2e8bed746b6369892e33be10bc7ebbda6e8185819 | SHA256 | pantomime.hta (Stage 1)\r\n036da574b5967c71951f4e14d000398c | MD5 | jquery.hta (Stage 2)\r\ne612dbb34e01b41e46359019db9340e17e0390b8 | SHA1 | jquery.hta (Stage 2)\r\n85faf414ed0ba9c58b9e7d4dc7388ba5597598c93b701d367d8382717fb485ec | SHA256 | jquery.hta (Stage 2)\r\n2e19b7a2bbdc8082024d259e27e86911 | MD5 | DUser.dll (Action RAT)\r\n3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5 | SHA1 | DUser.dll (Action RAT)\r\n865e041b41b9c370a4eed91a9a407bd44a94e16e236e07be05e87de319a4486c | SHA256 | DUser.dll (Action RAT)\r\nhxxps[:]//www[.]cornerstonebeverly[.]org/js/files/DRDO-K4-Missile-Clean-room[.]zip | URL | Malicious ZIP file download\r\nhxxps[:]//www[.]cornerstonebeverly[.]org/js/files/docufentososo/doecumentosoneso | URL | Target command URL in LNK file\r\nhxxps[:]//www[.]cornerstonebeverly[.]org/js/files/docufentososo/doecumentosoneso/pantomime.hta | URL | Redirect URL to download HTA file\r\n144[.]91[.]72[.]17:8080 | IP:Port | C\u0026C\r\nSource: https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/"
	],
	"report_names": [
		"notorious-sidecopy-apt-group-sets-sights-on-indias-drdo"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c8a5f7b3b82774e02ab27ae72b610e5a935a817.pdf",
		"text": "https://archive.orkl.eu/1c8a5f7b3b82774e02ab27ae72b610e5a935a817.txt",
		"img": "https://archive.orkl.eu/1c8a5f7b3b82774e02ab27ae72b610e5a935a817.jpg"
	}
}