Since late December 2024, the Pakistan-linked SideCopy Advanced Persistent Threat (APT) group has intensified its cyber espionage activities, targeting a broader range of Indian government sectors. Beyond their traditional focus on defense and maritime industries, the group now infiltrates entities within the railway, oil and gas, and external affairs ministries, indicating a significant expansion of their operational scope.
Spear-Phishing Tactics and Deceptive Domains
SideCopy employs sophisticated spear-phishing campaigns, dispatching emails with subject lines such as "Update schedule for NDC 65 as discussed" and "Policy update for this course". These emails contain malicious download links and originate from domains meticulously crafted to impersonate legitimate government entities. For instance, the email address [email protected] was created on January 10, 2025, in the UAE and remained active until February 28, 2025. This address closely mimics the legitimate National Informatics Centre email [email protected], associated with India’s Ministry of Electronics and Information Technology.
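The impersonation described above relies on a sender domain that differs from the legitimate one by only a character or two. The following added example (not code from the report or from any of the organisations it names) shows one way a mail gateway or SOC script can flag such lookalikes: it compares the sender's domain against an allowlist of known-good government domains and reports near matches. The domains in `LEGITIMATE_DOMAINS` and in the sample headers are constructed placeholders, since the real addresses are redacted in the source.

```python
import difflib
from email.utils import parseaddr

# Constructed allowlist of legitimate sender domains (placeholders, not taken
# from the report; substitute the real domains your organisation trusts).
LEGITIMATE_DOMAINS = {"example-nic.gov.in", "example-ministry.gov.in"}


def sender_domain(header_value: str) -> str:
    """Extract the lowercase domain part from a From: header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_score(domain: str) -> tuple[str, float]:
    """Return the closest allowlisted domain and a similarity ratio in [0, 1]."""
    def ratio(candidate: str) -> float:
        return difflib.SequenceMatcher(None, domain, candidate).ratio()

    best = max(LEGITIMATE_DOMAINS, key=ratio)
    return best, ratio(best)


def classify_sender(header_value: str, threshold: float = 0.8) -> str:
    """Classify a From: header as trusted, a lookalike of a trusted domain, or external.

    A domain that is not on the allowlist but resembles an allowlisted one
    (e.g. a swapped separator or a single added character) is the pattern
    the report describes, so it is surfaced for analyst review.
    """
    domain = sender_domain(header_value)
    if domain in LEGITIMATE_DOMAINS:
        return "trusted"
    best, score = lookalike_score(domain)
    if score >= threshold:
        return f"lookalike of {best}"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers for demonstration only.
    for header in (
        "NIC Support <support@example-nic.gov.in>",
        "NIC Support <support@example-nic-gov.in>",
        "Newsletter <news@zzzz.xyz>",
    ):
        print(f"{header!r:55} -> {classify_sender(header)}")
```

The similarity threshold is a tuning knob: too low and every unrelated external sender is flagged, too high and a one-character substitution slips through. Pair the verdict with the email's link and attachment indicators rather than acting on it alone.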
Evolution of Attack Techniques
Demonstrating adaptability, SideCopy has shifted from using HTML Application (HTA) files to Microsoft Installer (MSI) packages as their primary method for initiating attacks. This change underscores the group’s commitment to evading detection while maintaining the ability to compromise targeted systems through DLL side-loading and multi-platform intrusions across both Windows and Linux environments.
Utilization of Open-Source Tools and Custom Payloads
In their recent campaigns, SideCopy has leveraged open-source tools such as XenoRAT and SparkRAT to enhance their capabilities, continuing their earlier use of AsyncRAT. Additionally, researchers have identified a previously undocumented payload named CurlBack RAT, which registers victim systems with command and control (C2) servers using unique identifiers.
Credential Harvesting Through Fake Portals
The group has also been found hosting multiple phishing login pages on a fake domain that mimics an e-governance service portal. These pages target various City Municipal Corporations in Maharashtra state, with thirteen subdomains designed to harvest credentials from unsuspecting government employees.
Infection Chain Analysis
The infection chain typically begins when a victim receives a spear-phishing email containing links to download archive files with double-extension shortcuts (e.g., .pdf.lnk). These shortcuts execute obfuscated commands that download and install MSI packages hosted on compromised domains, including an official National Hydrology Project website under the Ministry of Water Resources.
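The double-extension shortcut lure depends on Windows hiding the final `.lnk` extension so the file appears to be a PDF. The added example below (not code from the report) shows a simple archive pre-screening check a mail gateway or sandbox could apply before a user ever opens the download: it lists every archive member whose final extension is executable while the preceding one is a document type. The archive it inspects is constructed in memory with harmless text placeholders, so nothing in it is a real shortcut.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute on double-click under Windows. A file named
# "<name>.pdf.lnk" is shown as "<name>.pdf" when known extensions are hidden.
EXECUTABLE_EXTENSIONS = {".lnk", ".hta", ".msi", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}


def is_double_extension_lure(name: str) -> bool:
    """True when the name ends in <document ext><executable ext>, e.g. report.pdf.lnk."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in EXECUTABLE_EXTENSIONS
        and suffixes[-2] in DOCUMENT_EXTENSIONS
    )


def suspicious_members(archive_bytes: bytes) -> list[str]:
    """Return the names of archive members that match the double-extension pattern."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if is_double_extension_lure(name)]


def build_sample_archive() -> bytes:
    """Constructed sample archive: member names mimic the lure, contents are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Update schedule for NDC 65.pdf.lnk", "placeholder text, not a real shortcut")
        zf.writestr("Policy update.pdf", "placeholder document")
        zf.writestr("attachments/notes.txt", "benign notes")
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_members(build_sample_archive()):
        print(f"double-extension shortcut in archive: {member}")
```

The check is deliberately name-based so it runs before any content is parsed; a fuller gateway rule would also inspect the `.lnk` target and arguments, since a shortcut that launches an installer or a script interpreter is the behaviour the report attributes to these lures.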
Upon execution, the delivered payloads employ sophisticated mechanisms, such as PowerShell-based AES decryption of embedded resources. Analysis of this technique shows how the group deploys its custom XenoRAT variant, giving it persistent access to and control over compromised systems.
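Decrypting an embedded resource with AES inside PowerShell leaves a distinctive footprint in script block logging (Windows PowerShell Operational log, Event ID 4104). The added example below (not code from the report) is a small triage rule run over constructed `ScriptBlockText` excerpts: it flags blocks that reference the .NET AES classes together with a decryptor and a Base64-decoded blob, and leaves blocks that only use Base64 for legitimate purposes alone. The sample script blocks are constructed for illustration and are not taken from the campaign.

```python
import re

# Constructed Event ID 4104 ScriptBlockText excerpts (illustrative, not from the report).
SAMPLE_SCRIPT_BLOCKS = [
    # 0: routine admin one-liner, should not be flagged
    "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    # 1: the pattern described in the report: AES-decrypt a Base64-embedded resource in memory
    "$aes = New-Object System.Security.Cryptography.AesManaged; "
    "$aes.Key = [Convert]::FromBase64String($k); "
    "$dec = $aes.CreateDecryptor(); "
    "$bytes = $dec.TransformFinalBlock([Convert]::FromBase64String($blob), 0, $blob.Length)",
    # 2: Base64 alone, e.g. writing out a certificate, should not be flagged
    "[Convert]::FromBase64String($cert) | Set-Content cert.cer -Encoding Byte",
]

# Each indicator is weak on its own; the rule fires on the combination.
INDICATORS = {
    "aes_api": re.compile(r"System\.Security\.Cryptography\.(Aes\w*|RijndaelManaged)", re.I),
    "decryptor": re.compile(r"\.CreateDecryptor\(", re.I),
    "base64_blob": re.compile(r"\[Convert\]::FromBase64String\(", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
}


def score_script_block(text: str) -> dict[str, bool]:
    """Evaluate every indicator against one script block."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def flag_in_memory_aes_decrypt(text: str, min_hits: int = 2) -> bool:
    """Flag when the AES API appears alongside at least one supporting indicator."""
    hits = score_script_block(text)
    return hits["aes_api"] and sum(hits.values()) >= min_hits


def triage(blocks: list[str]) -> list[int]:
    """Return the indices of script blocks that match the rule."""
    return [i for i, block in enumerate(blocks) if flag_in_memory_aes_decrypt(block)]


if __name__ == "__main__":
    for idx in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"script block {idx}: {score_script_block(SAMPLE_SCRIPT_BLOCKS[idx])}")
```

This rule only works if script block logging is enabled on endpoints; without Event ID 4104 the decryption happens in memory and the installer's MSI and DLL side-loading artefacts on disk become the remaining evidence.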
Implications and Recommendations
The expansion of SideCopy’s targeting scope and the evolution of their attack techniques highlight the persistent and adaptive nature of cyber threats facing Indian government sectors. It is imperative for organizations to implement robust cybersecurity measures, including regular security awareness training, advanced threat detection systems, and stringent email filtering protocols, to mitigate the risks posed by such sophisticated adversaries.