Skip to content

G1008 SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy‘s name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.1

Item Value
ID G1008
Associated Names
Version 1.0
Created 07 August 2022
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling mshta.exe.1
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll.1
enterprise T1105 Ingress Tool Transfer SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location SideCopy has used a legitimate DLL file name, Duser.dll to disguise a malicious remote access tool.1
enterprise T1106 Native API SideCopy has executed malware by calling the API function CreateProcessW.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment SideCopy has sent spearphishing emails with malicious hta file attachments.1
enterprise T1598 Phishing for Information -
enterprise T1598.002 Spearphishing Attachment SideCopy has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.1
enterprise T1518 Software Discovery SideCopy has collected browser information from a compromised host.1
enterprise T1518.001 Security Software Discovery SideCopy uses a loader DLL file to collect AV product names from an infected host.1
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware SideCopy has used compromised domains to host its malicious payloads.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta SideCopy has utilized mshta.exe to execute a malicious hta file.1
enterprise T1082 System Information Discovery SideCopy has identified the OS version of a compromised host.1
enterprise T1614 System Location Discovery SideCopy has identified the country location of a compromised host.1
enterprise T1016 System Network Configuration Discovery SideCopy has identified the IP address of a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File SideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.1


ID Name References Techniques
S1028 Action RAT - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery Windows Management Instrumentation
S1029 AuTo Stealer - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data from Local System Local Data Staging:Data Staged Exfiltration Over C2 Channel Non-Application Layer Protocol Security Software Discovery:Software Discovery System Information Discovery System Owner/User Discovery