An espionage-focused hacking group with links to Pakistan, identified as SideCopy—a sub-group within APT36 (Transparent Tribe)—has expanded its operations in India with a more refined toolkit and a broader victim profile. According to SEQRITE, their recent campaigns have moved beyond traditional targets like defense or maritime sectors to now include Indian ministries responsible for railways, oil and gas, and external affairs.
This shift is not just in targets but also tactics. The group has stopped relying on HTA files and now uses Microsoft Installer (MSI) packages for initial malware delivery. This change likely reflects an attempt to bypass growing detection rates associated with older techniques. These MSI files are often disguised as legitimate documents—like holiday schedules or security guidelines—and delivered via phishing emails.
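As an added defender-side illustration (my own example, not code from SEQRITE or from the original post), the script below scores process-creation telemetry for the delivery pattern described above: msiexec launching a package from a user-writable directory, with a document-lookalike name, and spawned by a mail client or browser. The event fields, the directory and parent-process lists, and the two-reason threshold are all my assumptions; the sample events are constructed and are not from any real incident.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass
class ProcessEvent:
    """One process-creation record (fields loosely modelled on Sysmon Event ID 1 / EDR telemetry)."""
    image: str          # full path of the started executable
    parent_image: str   # full path of the parent executable
    command_line: str
    user: str


# Directories an unprivileged user can write to. Software deployment normally installs
# from system paths or shares, so a package here was more likely downloaded or mailed.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|Users\\Public|Desktop)\\", re.IGNORECASE)

# Parents that indicate the package arrived by mail or browser download (assumed list).
MAIL_OR_BROWSER_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# "Holiday_Schedule.pdf.msi"-style names that imitate a document.
DOC_LOOKALIKE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.msi$", re.IGNORECASE)

# Package argument on an msiexec command line: /i, /package or -i followed by a .msi path.
MSI_ARG = re.compile(r'(?:/i|/package|-i)\s+"?([^"]+?\.msi)"?', re.IGNORECASE)


def extract_msi_path(command_line: str) -> Optional[str]:
    """Return the package path from an msiexec command line, or None if none is present."""
    m = MSI_ARG.search(command_line)
    return m.group(1) if m else None


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an msiexec launch resembles phishing-delivered MSI installation.
    Non-msiexec events and msiexec runs without a package argument return []."""
    if PureWindowsPath(ev.image).name.lower() != "msiexec.exe":
        return []
    package = extract_msi_path(ev.command_line)
    if package is None:
        return []
    reasons = []
    if USER_WRITABLE.search(package):
        reasons.append("package_in_user_writable_path")
    if DOC_LOOKALIKE.search(package):
        reasons.append("document_lookalike_filename")
    if PureWindowsPath(ev.parent_image).name.lower() in MAIL_OR_BROWSER_PARENTS:
        reasons.append("spawned_by_mail_client_or_browser")
    return reasons


def triage(events: list[ProcessEvent]) -> dict[str, list[int]]:
    """Bucket event indices: two or more reasons -> 'high', exactly one -> 'low'."""
    result: dict[str, list[int]] = {"high": [], "low": []}
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= 2:
            result["high"].append(i)
        elif reasons:
            result["low"].append(i)
    return result


# Constructed sample telemetry (invented for this example, not from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
                 r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn', r"CORP\it-deploy"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\AppData\Local\Temp\Holiday_Schedule_2025.pdf.msi"',
                 r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
                 r'msiexec.exe /i "C:\Users\bob\Downloads\vendor-tool-setup.msi"', r"CORP\bob"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 "powershell.exe -NoProfile", r"CORP\bob"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, score_event(ev))
    print(triage(SAMPLE_EVENTS))
```

Because users legitimately run installers from Downloads, a single hit is only a triage signal; the stacked signals (user-writable path plus document-lookalike name plus a mail or browser parent) are what warrant pulling the package for signer and hash checks rather than blocking on the rule alone.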
Technically, the group relies on a mix of open-source remote access trojans (RATs) like Spark RAT and Xeno RAT, which have been modified to serve specific campaign needs. Spark RAT is cross-platform, while Xeno RAT has been customized using basic obfuscation methods. A key highlight is the emergence of CurlBack RAT, a previously undocumented Windows-based tool with advanced capabilities: system reconnaissance, command execution, file downloads, privilege escalation, and user enumeration.
SideCopy makes use of multiple post-exploitation methods including DLL side-loading, reflective payload loading, and AES-encrypted PowerShell scripts. They're also drawing from other known tools—borrowing features such as browser data theft from AsyncRAT, and using Cheex to extract images and documents.
Overall, the group’s progression reflects a maturing operation that integrates reused code, custom malware, and targeted social engineering to conduct surveillance and data theft at scale.