SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	SideCopy - G1008 (03be849d-b5a2-4766-9dda-48976bae5710)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	2
Action RAT - S1028 (36801ffb-5c85-4c50-9121-6122e389366d)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	2
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	2
AuTo Stealer - S1029 (3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3