Skip to content

Hide Navigation Hide TOC

SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3