
Pakistani APT Hacker Group SideCopy Unknown Details Revealed by Researchers

The SideCopy hackers, a Pakistani APT group, have recently targeted several Indian and Afghan government officials, especially military officials, through social engineering.

The cybersecurity researchers at Malwarebytes have reported that the hackers compromised the sensitive data of ministries in Afghanistan and a shared government system in India, stealing the following data from their targets and using it to gain access to government portals:-

  • Google credentials
  • Twitter credentials
  • Facebook credentials
  • Banking information
  • Password-protected documents

The victims targeted by the SideCopy APT group include:-

  • Administration Office of the President (AOP) of Afghanistan personnel
  • Ministry of Foreign Affairs, Afghanistan
  • Ministry of Finance, Afghanistan
  • Afghanistan’s National Procurement Authority (NPA)
  • A shared computer, India

Infection chain

The experts have fully uncovered the primary command and control (C2) server that the Pakistani APT group SideCopy uses to monitor and control its victims.

They found that the threat actors send each victim a unique package whose malicious payloads are hosted on compromised domains.

To track each package, the threat actors use a system called Scout, in which packages are assigned nicknames such as Hendrick, Alexander, Hookes and Malone; these names identify the teams responsible for managing them.

All infected machines are listed on the Scout dashboard, which records details such as:-

  • The IP address of the victim
  • Package name
  • OS version
  • User-Agent
  • Browser information
  • Country
  • Victim status

According to the Malwarebytes report, “When the victim opens the lure document, the lure executes a loader to drop a next-stage RAT known as ActionRAT”, which has the following capabilities:-

  • Uploading files
  • Executing commands received from a server
  • Downloading more payloads

Apart from this, it also drops an info stealer named AuTo Stealer, which gathers the following data before exfiltrating it to its server over HTTP or TCP:-

  • Microsoft Office files
  • PDF documents
  • Text files
  • Database files
  • Images

The file-type identifiers used by the threat actors are:-

  • /streamppt
  • /streamdoc
  • /streamxls
  • /streamdb
  • /streamtxt
  • /streampdf
  • /streamimg
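The path identifiers above give a defender something concrete to look for in web-server or proxy logs. The following script is an added example written for this article, not code from Malwarebytes or from the SideCopy report: it parses constructed Common Log Format lines, normalises each request path (query string, trailing slash and case), matches it against the seven identifiers listed on the page, and summarises matching requests per source address. The page does not state which HTTP method AuTo Stealer uses, so every method is matched; the sample log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample web-server/proxy log lines (Common Log Format style), not real traffic.
SAMPLE_LOG = """\
10.0.0.15 - - [20/Nov/2021:10:01:12 +0000] "POST /streamdoc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.15 - - [20/Nov/2021:10:01:13 +0000] "POST /streampdf HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.22 - - [20/Nov/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.15 - - [20/Nov/2021:10:03:45 +0000] "POST /STREAMIMG?id=7 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.31 - - [20/Nov/2021:10:04:10 +0000] "GET /streamdoc/ HTTP/1.1" 404 - "-" "curl/7.68"
this line is not a valid log record
"""

# Path identifiers listed on the page for each file type AuTo Stealer collects.
STEALER_PATHS = {
    "/streamppt": "PowerPoint",
    "/streamdoc": "Word",
    "/streamxls": "Excel",
    "/streamdb": "database",
    "/streamtxt": "text",
    "/streampdf": "PDF",
    "/streamimg": "image",
}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one CLF-style line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # CLF writes "-" when no body was returned; treat it as zero bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def normalize_path(target):
    """Strip query string, fragment and trailing slash, lower-case: '/STREAMIMG?id=7' -> '/streamimg'."""
    path = target.split("?", 1)[0].split("#", 1)[0].rstrip("/").lower()
    return path or "/"


def find_stealer_traffic(log_text):
    """Group requests to AuTo Stealer paths by source address.

    Returns {src: [(timestamp, method, path, file_type, bytes), ...]}. The page does not
    say which HTTP method the stealer uses, so every method is matched and reported.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["target"])
        if path in STEALER_PATHS:
            hits[rec["src"]].append(
                (rec["ts"], rec["method"], path, STEALER_PATHS[path], rec["bytes"])
            )
    return dict(hits)


def summarize(hits):
    """Per-source summary: number of matching requests, distinct file types, total bytes."""
    return {
        src: {
            "requests": len(events),
            "file_types": sorted({e[3] for e in events}),
            "bytes": sum(e[4] for e in events),
        }
        for src, events in hits.items()
    }


if __name__ == "__main__":
    for src, info in summarize(find_stealer_traffic(SAMPLE_LOG)).items():
        print(f"{src}: {info['requests']} requests, {info['file_types']}, {info['bytes']} bytes")
```

A host that hits several of these paths in a short window, as 10.0.0.15 does in the sample, is the pattern worth alerting on; a single 404 from a scanner, as with 10.0.0.31, still shows up in the summary so an analyst can decide. In practice the match would be made against egress proxy logs, since the paths belong to the attacker's server rather than your own.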

New lures

The new lures observed by the Malwarebytes experts include:-

  • Archive files named with girls' names
  • image-random
  • Whatsapp-image-random
  • New

Hossein Jazi, one of the Malwarebytes researchers, stated:-

“The lures used by SideCopy APT are usually archived files that have embedded one of these files: LNK, Microsoft Publisher, or Trojanized Applications. And all these files are mainly tailored to target Indian and Afghan government and military officials.”
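Since the lures arrive as archives wrapping an LNK, Publisher file or trojanized application, a mail gateway or sandbox can triage attachments before a user ever opens them. The script below is an added example for this article, not Malwarebytes' or SideCopy's code: it builds a constructed in-memory zip and flags members by extension (including the last part of a double extension such as photo.jpg.lnk) and by the Windows shell-link header, which catches a shortcut renamed to a harmless-looking extension. Treating .exe and .scr members as the "trojanized application" case is an assumption made for this example, as are the member names.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Header of a Windows shell link (.lnk): HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions matching the lure file types described on the page. Treating .exe/.scr
# members as the "trojanized applications" case is an assumption made for this example.
SUSPICIOUS_EXT = {
    ".lnk": "Windows shortcut",
    ".pub": "Microsoft Publisher document",
    ".exe": "executable",
    ".scr": "executable (screensaver)",
}


def build_sample_archive(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_archive(blob, header_bytes=20):
    """Return [(member name, reason)] for members that look like lure payloads.

    Two checks per member: the file extension (the last suffix, so 'photo.jpg.lnk'
    is seen as .lnk), and the LNK header, which catches a shortcut renamed to
    another extension such as .pdf.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise Windows-style separators and keep only the final component.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            ext = PurePosixPath(name).suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(header_bytes)
            if head.startswith(LNK_MAGIC):
                reason = "Windows shortcut (LNK header)"
                if ext != ".lnk":
                    reason += f", extension {ext or '(none)'} does not match"
                findings.append((info.filename, reason))
            elif ext in SUSPICIOUS_EXT:
                findings.append((info.filename, SUSPICIOUS_EXT[ext]))
    return findings


# Constructed sample archive: a benign image, a shortcut behind a double extension,
# a shortcut renamed to .pdf, a Publisher-style (OLE) file, and a plain text file.
SAMPLE_ARCHIVE = build_sample_archive({
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "image-4821.jpg.lnk": LNK_MAGIC + b"\x00" * 64,
    "budget.pdf": LNK_MAGIC + b"\x00" * 64,
    "notice.pub": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "readme.txt": b"hello\n",
})


if __name__ == "__main__":
    for member, reason in inspect_archive(SAMPLE_ARCHIVE):
        print(f"{member}: {reason}")
```

The header check matters more than the extension check: Windows hides known extensions by default, so a member named image-4821.jpg.lnk is displayed as image-4821.jpg, and a shortcut renamed to .pdf would slip past an extension-only filter entirely.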

In South Asia, the SideCopy APT group has been actively targeting military and government officials. To mitigate this threat, the experts recommend that users deploy proper security solutions and actively monitor for suspicious activity.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
