A cyber espionage group known as SideCopy has been identified as using themes related to India’s Defence Research and Development Organization (DRDO) to deliver malware payloads as part of an ongoing phishing campaign. The group has been active since at least 2019, and its choice of targets aligns with Pakistan government interests. There are indications that SideCopy shares links with another Pakistani hacking group called Transparent Tribe.
Its recent phishing email attacks have used DRDO-related decoys to drop a wide range of malware, including the Action RAT and AllaKore RAT, which can harvest sensitive information and communicate with remote servers to launch additional payloads.
Further analysis by Team Cymru of the Action RAT command-and-control (C2) infrastructure identified outbound connections from one of the C2 server IP addresses to another address geolocated in Pakistan. It also observed inbound connections to that same C2 IP address from IP addresses assigned to Indian ISPs.
As many as 18 distinct victims in India have been detected as connecting to C2 servers associated with Action RAT, while 236 unique victims, also located in India, have been connecting to C2 servers associated with AllaKore RAT. These findings suggest SideCopy has continued to be successful in targeting Indian users, using DRDO-related decoys to distribute a wide range of malware.
It is notable that SideCopy’s use of DRDO-related decoys for malware distribution was previously flagged by Cyble and the Chinese cybersecurity firm QiAnXin in March 2023, and again by Team Cymru last month. SideCopy’s success in targeting Indian users, together with the Pakistan-geolocated connection from its C2 infrastructure, supports the assessment that its targeting aligns with Pakistan government interests.
The findings emphasize the need for vigilance against phishing campaigns, particularly those targeting government and military organizations. Organizations should stay up to date with the latest cybersecurity reports and implement effective security measures to protect against such attacks.