Skip to content

Hide Navigation Hide TOC

SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710) Intrusion Set 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) Attack Pattern 2
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware 2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3