{
	"id": "94589184-59d5-498f-8982-79300b1af997",
	"created_at": "2026-04-06T01:30:09.826774Z",
	"updated_at": "2026-04-10T03:37:20.34646Z",
	"deleted_at": null,
	"sha1_hash": "61badf982230a7be17883d02811f2bbca5462972",
	"title": "AllaKore(d) the SideCopy Train",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 939407,
	"plain_text": "AllaKore(d) the SideCopy Train\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-06 00:16:50 UTC\r\nIdentifying Connected Infrastructure and Management Activities\r\nIntroduction\r\nThis blog post seeks to build on recent public reporting on campaigns attributed to SideCopy, a Pakistani-linked\r\nthreat group. SideCopy has been active since 2019, primarily targeting South Asian countries, with a focus on\r\nIndia and Afghanistan. The group's name comes from its use of an infection chain that mimics that of SideWinder\r\nAPT, an Indian-linked threat group.\r\nThe distinction between SideWinder and SideCopy was first made by security researcher @Sebdraven and is\r\ndocumented here.\r\nhttps://www.team-cymru.com/post/allakore-d-the-sidecopy-train\r\nPage 1 of 8\n\nSome reports suggest that SideCopy may be a subdivision of Transparent Tribe (APT36), with similar tactics and\r\ntechniques observed.\r\nThe S2 Research Team has blogged previously on the activities of Transparent Tribe:\r\nTransparent Tribe APT Infrastructure Mapping - Part One\r\nTransparent Tribe APT Infrastructure Mapping - Part Two\r\nIn this post we share the discoveries of our S2 Threat Research Team after examining analysis by the Chinese\r\ncyber security company QiAnXin, published on 20 March 2023, which detailed a SideCopy attack chain used to\r\ndeploy AllaKore RAT. 
AllaKore RAT is an open-source remote access tool which has been modified for the\r\npurposes of SideCopy operations, and is commonly observed in their intrusions.\r\nKey Findings\r\nIdentification of additional malware samples and C2 infrastructure associated with SideCopy targeting of\r\nthe Indian Ministry of Defense\r\nEvidence of management activity sourced from mobile IPs located in Pakistan, centered around a key IP\r\naddress (66.219.22.252) connected to SideCopy’s use of Action RAT\r\nFurther credence provided to the assessment that SideCopy is a Pakistani-linked threat actor group,\r\ninvolved in state-level espionage activities\r\nIndia in the Crosshairs\r\nAs discussed in the analysis by QiAnXin, spear phishing was used as the initial delivery method for this\r\ncampaign. Examining the lures involved, the targets appear to be users in India, specifically in the Ministry of\r\nDefence.\r\nFigure 1: Example PDF Lure (https://twitter.com/jaydinbas/status/1629149627848044550)\r\nIn a bid to further understanding of this campaign, we will not seek to repeat analysis of the infection chain.\r\nInstead we will focus on the two tools which were ultimately dropped, examining threat telemetry surrounding\r\ntheir associated command and control (C2) infrastructure.\r\nDUser.dll (Action RAT)\r\nThe first tool, identified as Action RAT in analysis by Cyble, is dropped onto the victim machine alongside a\r\nbenign executable which is used to sideload it, in order to avoid detection. 
Action RAT’s capabilities include the\r\nability to receive commands from the C2 server, to retrieve information from the victim machine, to execute\r\nfurther payloads, and to upload information back to the C2.\r\nWe found two samples of Action RAT (loaded as DUser.dll), including the sample analyzed by Cyble.\r\nCyble Sample\r\nStage 1: feeadc91373732d65883c8351a6454a77a063ff5 (DRDO - K4 Missile Clean room.pptx.lnk)\r\nC2: www.cornerstonebeverly[.]org\r\nAction RAT: 3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5 (DUser.dll)\r\nC2: 144.91.72.17:8080 (Contabo GmbH)\r\nSample Two\r\nStage 1: 0d68a135b1f4be18481cf44ed02bcbf82aeb542e (Cyber Advisory - Profiles (Pic and Mob No) of PIOs.docx.lnk)\r\nC2: www.kwalityproducts[.]com\r\nAction RAT: cb031561fd76643885671922db7d5b840060334d (DUser.dll)\r\nC2: 84.46.250.78:8080 (Contabo GmbH)\r\nExamining threat telemetry for the two C2 IPs 144.91.72.17 and 84.46.250.78 we observed initial victim\r\nconnections on 06 February 2023 and 15 March 2023 respectively.\r\nIn total we observed 18 distinct victims, all located in India, connecting to the C2 servers - highlighting the\r\ntargeted nature of the campaign.\r\nFurther to this activity we also observed 37 distinct IPs (again all located in India) connecting to\r\n144.91.72.17:9468 in activity which commenced on 07 January 2023. Of the 37 IPs, two were observed\r\nconnecting to the Action RAT port (TCP/8080).\r\nWe were unable to identify a sample talking to TCP/9468 of 144.91.72.17, however we would hypothesize that\r\nthis IP was used for C2 communications with another tool associated with SideCopy activities.\r\nManagement Hints?\r\nExamining outbound activity from 144.91.72.17 and 84.46.250.78, we observed connections from 84.46.250.78 to\r\n66.219.22.252:82 (IMMEDION, US). 
Whilst 66.219.22.252 is assigned to an American provider, WHOIS data\r\nplaces it in Pakistan.\r\nFurther examining connections to 66.219.22.252:82, we observed communications sourced from 17 distinct IPs\r\nassigned to Pakistani mobile providers and four Proton VPN nodes during the period of interest.\r\nAll of the Proton VPN nodes and all but three of the Pakistani mobile IPs were also observed connecting to\r\n66.219.22.252:3389 within the same time period. Port 3389 (RDP) is often observed open on SideCopy (and\r\nTransparent Tribe) C2 servers, and is believed to be utilized for management purposes by the threat actors.\r\nThese findings are therefore indicative of management of 66.219.22.252 by actors likely located in Pakistan, in\r\naddition to unknown actors accessing via Proton VPN infrastructure.\r\nExamining the communications sourced from the Pakistani mobile IPs, to 66.219.22.252:82 and\r\n66.219.22.252:3389, we can start to build a general pattern of life, illustrated in Figure 2 below.\r\nFigure 2: Pattern of Life for Management of 66.219.22.252\r\nThe timings in Figure 2 shown above are based on UTC, which is 5 hours behind Pakistan Standard Time.\r\nTherefore, Figure 2 demonstrates that management of 66.219.22.252 occurs from Monday to Saturday, from\r\nroughly 10AM to 7PM - with some exceptions on Thursdays.\r\nThese data points are potentially indicative of the threat actors accessing their infrastructure within a typical\r\nworking week cadence, suggesting that management is undertaken professionally.\r\nFinally, when analyzing threat telemetry data for 66.219.22.252, we also observed inbound connections to\r\nTCP/8080 and TCP/9467 sourced from IP addresses assigned to Indian providers. 
TCP/9467 is noteworthy given\r\nits similarity to the activity observed on 144.91.72.17:9468 which we assess to be indicative of SideCopy C2\r\ncommunications.\r\nThe findings in this section derived from threat telemetry data are summarized below in Figure 3.\r\nFigure 3: Threat Telemetry Data Associated with the Action RAT C2s\r\nAllaKore RAT\r\nAccording to QiAnXin’s analysis, DUser.dll is also used to load and execute a version of AllaKore RAT, which is\r\ndropped on the victim machine via separate infrastructure. AllaKore RAT’s capabilities include functionality\r\nwhich allows for keylogging, screenshotting, and remote access of the victim machine, with an ability to also\r\nupload stolen information to the C2 server.\r\nWe found two samples of AllaKore RAT, both of which were referenced by QiAnXin.\r\nSample One\r\nDropped via: f369ee5fc8dcf5a9e95d85dadff5a095a0e3a760 (hta.dll)\r\nC2: www.kcps[.]edu[.]in\r\nAllaKore RAT: ea844939dc428e6fdb6624d717d0286e4dcae9b1 (simsre.exe)\r\nC2: 89.117.63.146:9921\r\nSample Two\r\nDropped via: f369ee5fc8dcf5a9e95d85dadff5a095a0e3a760 (hta.dll)\r\nC2: www.kcps[.]edu[.]in\r\nAllaKore RAT: 972d85b5736ae8bdf06a9d74f2a3356829ce2095 (sicsmdb.exe)\r\nC2: 185.229.119.60:9134\r\nExamining threat telemetry data for the two C2 IPs 89.117.63.146 and 185.229.119.60 we observed initial victim\r\nconnections on 06 January 2023 and 22 February 2023 respectively.\r\nIn total we observed 236 distinct victims, all located in India, connecting to the C2 servers. 
When compared to the\r\nvictim numbers for the Action RAT C2s, it could be assessed that AllaKore RAT is deployed more widely and via\r\nother means outside of the scope of the infection chain described by QiAnXin.\r\nFurther to this activity we also observed 455 distinct IPs (again all located in India) connecting to\r\n89.117.63.146:7439 and 185.229.119.60:7469 in activity which commenced at the same time as the activity on the\r\nports associated with the AllaKore RAT samples.\r\nWe were unable to identify samples talking to TCP/7439 of 89.117.63.146 and TCP/7469 of 185.229.119.60,\r\nhowever as previously we would hypothesize that these IPs were used for C2 communications with another tool\r\nassociated with SideCopy activities.\r\nConclusion\r\nIn this blog post we have sought to illustrate the following points:\r\nWe have good evidence to demonstrate this particular SideCopy campaign, highlighted first by others in\r\nthe industry, was successful in targeting Indian users. This finding is based on observations within our\r\nthreat telemetry data, indicating victim connections to the C2 servers.\r\nVictim activity predated the public reporting of this campaign, in some cases by several months. 
This\r\ncontinues to support the statistics about attacker dwell time, and highlights the importance of retrospective\r\nanalysis of data logs.\r\nThere is specific evidence to demonstrate that the Action RAT infrastructure, connected to SideCopy, is\r\nmanaged by users accessing the Internet from Pakistan.\r\nPivots on known threat actor infrastructure can lead to the identification of further, previously unknown\r\ninfrastructure, in addition to hints at attribution and management.\r\nRecommendations\r\nWe would recommend that cyber defenders, particularly those located in countries / regions which\r\nSideCopy operations are known to target, use the IOCs mentioned in this blog to hunt against their own\r\ndata holdings (including historical logs), and to preemptively block malicious activity.\r\nUsers of Pure Signal Recon can examine this campaign by querying against the domains and IP addresses\r\nreferenced in the IOC section below. Further pivots into other currently unknown infrastructure may be\r\npossible as this threat actor undertakes future campaigns.\r\nIndicators of Compromise\r\nMalware Hashes (SHA1)\r\n0d68a135b1f4be18481cf44ed02bcbf82aeb542e\r\n3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5\r\n972d85b5736ae8bdf06a9d74f2a3356829ce2095\r\ncb031561fd76643885671922db7d5b840060334d\r\nea844939dc428e6fdb6624d717d0286e4dcae9b1\r\nf369ee5fc8dcf5a9e95d85dadff5a095a0e3a760\r\nfeeadc91373732d65883c8351a6454a77a063ff5\r\nDomains\r\nwww.cornerstonebeverly[.]org\r\nwww.kwalityproducts[.]com\r\nwww.kcps[.]edu[.]in\r\nIP Addresses (with port pairings 🍷)\r\n144.91.72.17:8080\r\n144.91.72.17:9468\r\n185.229.119.60:9134\r\n66.219.22.252:8080\r\n66.219.22.252:9467\r\n84.46.250.78:8080\r\n89.117.63.146:9921\r\nSource: https://www.team-cymru.com/post/allakore-d-the-sidecopy-train",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/allakore-d-the-sidecopy-train"
	],
	"report_names": [
		"allakore-d-the-sidecopy-train"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61badf982230a7be17883d02811f2bbca5462972.pdf",
		"text": "https://archive.orkl.eu/61badf982230a7be17883d02811f2bbca5462972.txt",
		"img": "https://archive.orkl.eu/61badf982230a7be17883d02811f2bbca5462972.jpg"
	}
}