{
	"id": "ff42f9c6-82d7-4491-95ed-cf34c08b2b50",
	"created_at": "2026-04-06T00:09:15.042296Z",
	"updated_at": "2026-04-10T03:35:38.046817Z",
	"deleted_at": null,
	"sha1_hash": "80aa237c13069511c89ff0c575af09473fb889a7",
	"title": "Double Action, Triple Infection, and a New RAT: SideCopy’s Persistent Targeting of Indian Defence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1022066,
	"plain_text": "Double Action, Triple Infection, and a New RAT: SideCopy’s Persistent Targeting of Indian Defence\r\nBy Sathwik Ram Prakki\r\nPublished: 2023-06-15 · Archived: 2026-04-05 19:25:27 UTC\r\n15 June 2023\r\nOverview\r\nA new attack campaign of the SideCopy APT has been discovered targeting the Indian Defence sector. The group utilizes phishing email attachments \u0026 URLs as the infection vector to download malicious archive files, leading to the deployment of two different Action RAT payloads and a new .NET-based RAT. There are three infection chains, each with its own theme: DRDO’s “Invitation Performa,” which is part of its Defence Procurement Procedure (DPP); a honeytrap lure; and the Indian Military’s “Selection of Officers for Foreign Assignments.”\r\nThe ongoing campaign came to light after a senior DRDO scientist was arrested for leaking sensitive information to Pakistani agents who honeytrapped him. “Honey Trap” activity has increased significantly on social media platforms like Facebook, Twitter, WhatsApp, etc., with millions of illegitimate accounts used as bots or baits.\r\nSimilarly, in March 2023, the same infection chain was utilized targeting DRDO, with the decoy theme being “HVAC Air Conditioning Design Basis Report” for its K4 Missile Clean Room. Another theme used in the same month was “Advisory on Grant of Risk \u0026 Hardship Allowance JCOs \u0026 ORs.” In April, they targeted the Defence Ministry with the theme “Saudi Arabia Delegation with Indian Armed Forces Medical Officials.” SideCopy has been known for persistently targeting Indian Defence (Military and Armed Forces) since its discovery in 2019.\r\nKey Findings\r\nThree infection chains lead to the same payloads hosted on the domain elfinindia[.]com.\r\nThe infection chain is shown below: an archive file contains a malicious shortcut (LNK) file masquerading as a DOCX, PNG, or PDF file, respectively. The LNK files trigger MSHTA to execute remote HTA files hosted on this domain.\r\nFig. 1 – Infection Process\r\nThe deployment of two variants of Action RAT and a new .NET-based RAT that supports 18 C2 commands has been observed.\r\nAction RAT downloads and executes a larger variant that exfiltrates all documents and images inside the Desktop, Documents, and Download directories. The legitimate ‘credwiz.exe’ file is utilized to sideload both the RATs.\r\nThe C2 infrastructure uses a hostname commonly seen in earlier SideCopy activity, and all the TTPs point directly to SideCopy’s known infection chains over the years.\r\nSummary\r\nThis year, SideCopy has been actively targeting India, especially the defence sector. The same attack chain targets victims in spear-phishing campaigns and honeytrap lures. As Pakistani agents have increasingly used honey traps to lure defence personnel, one can only anticipate the magnitude of damage it can cause. Hence, it is imperative to take the necessary steps to end it. Pakistan and many other threat actors around the globe are using honeytraps, with recent cases found stealing intelligence in this form of cyber espionage. An in-depth analysis of the latest infection chain and a comparison with previous variants can be found in our whitepaper.\r\nIOC\r\nSource: https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence"
	],
	"report_names": [
		"double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775792138,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80aa237c13069511c89ff0c575af09473fb889a7.pdf",
		"text": "https://archive.orkl.eu/80aa237c13069511c89ff0c575af09473fb889a7.txt",
		"img": "https://archive.orkl.eu/80aa237c13069511c89ff0c575af09473fb889a7.jpg"
	}
}