{
	"id": "af6867e7-bb8e-4957-bc96-cf2e02f14cf1",
	"created_at": "2026-04-06T00:07:22.400393Z",
	"updated_at": "2026-04-10T03:37:20.354518Z",
	"deleted_at": null,
	"sha1_hash": "e36dbe737ae2961dc9db8b0ee7bee70c3d9356a3",
	"title": "InSideCopy: How this APT continues to evolve its arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137392,
	"plain_text": "InSideCopy: How this APT continues to evolve its arsenal\r\nBy Asheer Malhotra\r\nPublished: 2021-07-07 · Archived: 2026-04-02 10:39:43 UTC\r\nWednesday, July 7, 2021 08:01\r\nBy Asheer Malhotra and Justin Thattil.\r\nCisco Talos is tracking an increase in SideCopy's activities targeting government personnel in India using\r\nthemes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).\r\nSideCopy is an APT group that mimics the Sidewinder APT's infection chains to deliver its own set of\r\nmalware.\r\nWe've discovered multiple infection chains delivering bespoke and commodity remote access trojans\r\n(RATs) such as CetaRAT, Allakore and njRAT.\r\nApart from the three known malware families utilized by SideCopy, Talos also discovered the usage of four\r\nnew custom RAT families and two other commodity RATs known as \"Lilith\" and \"Epicenter.\"\r\nPost-infection activities by SideCopy consist of deploying a variety of plugins, ranging from file\r\nenumerators to credential-stealers and keyloggers.\r\nTalos is releasing a new, detailed paper on SideCopy's operations today, which you can read here.\r\nWhat’s new?\r\nCisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India.\r\nIn the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT.\r\nWe are calling this malware “CetaRAT.” SideCopy also relies heavily on the use of Allakore RAT, a publicly\r\navailable Delphi-based RAT.\r\nhttps://blog.talosintelligence.com/2021/07/sidecopy.html\r\nPage 1 of 3\n\nRecent activity from the group, however, signals a boost in their development operations. Talos has discovered\r\nmultiple new RAT families and plugins currently used in SideCopy infection chains.\r\nTargeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the\r\nTransparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational\r\ndocuments belonging to the military and think tanks and honeytrap-based infections.\r\nHow did it work?\r\nSideCopy’s infection chains have remained relatively consistent with minor variations — using malicious LNK\r\nfiles as entry points, followed by a convoluted infection chain involving multiple HTAs and loader DLLs to\r\ndeliver the final payloads.\r\nTalos also discovered the usage of other new RATs and plugins. These include DetaRAT, ReverseRAT,\r\nMargulasRAT and ActionRAT. We’ve also discovered the use of commodity RATs such as njRAT, Lilith and\r\nEpicenter by this group since as early as 2019.\r\nSuccessful infection of a victim results in the installation of independent plugins to serve specific purposes such as\r\nfile enumeration, browser password stealing and keylogging.\r\nSo what?\r\nThese campaigns provide insights into the adversary’s operations:\r\nTheir preliminary infection chains involve delivering their staple RATs.\r\nSuccessful infection of a victim leads to the introduction of a variety of modular plugins.\r\nThe development of new RATs is an indication that this group of attackers is rapidly evolving its malware\r\narsenal and post-infection tools since 2019.\r\nThe group’s current infrastructure setup indicates a special interest in victims in Pakistan and India.\r\nAnalyses and IOCs\r\nYou can read a detailed analysis of Sidecopy operations in our new research paper here.\r\nYou can also find a detailed list of IOCs here and here.\r\nCoverage\r\nThe following Snort SIDs can be used for coverage and protection: 57842 - 57849.\r\nFor specific OSqueries on this threat, click the links below:\r\nLilith\r\nEpicenterRAT\r\nnjRAT\r\nThe following ClamAV signatures have been authored for this threat:\r\nWin.Dropper.njRAT-9876129-0\r\nWin.Downloader.FList-9875630-0\r\nWin.Downloader.FileSearcher-9875631-0\r\nWin.Downloader.UPirate-9875632-0\r\nWin.Trojan.Johnnie-9875495-0\r\nWin.Trojan.Zapchast-9875496-0\r\nWin.Trojan.Zapchast-9875497-0\r\nWin.Keylogger.Xeytan-9875498-0\r\nWin.Keylogger.Lagger-9875499-0\r\nWin.Trojan.DetaRAT-9875325-0\r\nWin.Trojan.EpicenterRAT-9875326-0\r\nWin.Trojan.ReverseRAT-9875329-0\r\nWin.Trojan.Meterpreter-9875304-0\r\nWin.Trojan.Lilith-9875305-0\r\nWin.Trojan.PasswordStealer-9875308-0\r\nWin.Trojan.Chromer-9875310-0\r\nWin.Trojan.AllakoreRAT-9875300-0\r\nWin.Trojan.AllakoreRAT-9875301-0\r\nWin.Trojan.ActionRAT-9874905-0\r\nWin.Trojan.AllaKoreRAT-9874917-0\r\nWin.Malware.Generic-9874177-0\r\nWin.Packed.Trojanx-9874176-0\r\nSource: https://blog.talosintelligence.com/2021/07/sidecopy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/07/sidecopy.html"
	],
	"report_names": [
		"sidecopy.html"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e36dbe737ae2961dc9db8b0ee7bee70c3d9356a3.pdf",
		"text": "https://archive.orkl.eu/e36dbe737ae2961dc9db8b0ee7bee70c3d9356a3.txt",
		"img": "https://archive.orkl.eu/e36dbe737ae2961dc9db8b0ee7bee70c3d9356a3.jpg"
	}
}