G1008: SideCopy
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.[1]
Analyst context for executives and security teams
SideCopy matters because ATT&CK describes it as a threat group focused on South Asian countries, including Indian and Afghani government personnel, with activity reported since at least 2019. The relationship context points to a practical pattern defenders can validate: targeted attachments leading to user-driven execution, Windows malware such as Action RAT and AuTo Stealer, discovery of host/network/security context, and follow-on tool transfer or evasive execution methods.
Executive priority
Prioritize this object when the organization has government, diplomatic, South Asia, contractor, or personnel-risk exposure. The business question is not simply “are we targeted by SideCopy,” but whether email security, endpoint visibility, user reporting, and incident response can handle targeted attachment-based intrusion attempts that may progress into reconnaissance and remote access. It is also useful for audit and readiness discussions because coverage depends on proving telemetry exists across mail, endpoint, DNS/network, and response workflows.
Technical view
ATT&CK provides no official detection text and no group-level platforms or tactics, so validation should be built from the relationships. Focus on coverage for spearphishing attachments and malicious file execution, followed by suspicious use of Visual Basic, mshta.exe, Native API-related execution, DLL abuse, system/network/software/security software/location discovery, and ingress tool transfer. Relationship software includes Action RAT and AuTo Stealer, both described as Windows malware used by SideCopy, so Windows endpoint process, file, module-load, and network telemetry are especially relevant where those software relationships are in scope.
Likely telemetry
- Email security logs for targeted messages, attachments, attachment detonation results, and user interaction evidence
- Endpoint process creation and command-line telemetry, especially for mshta.exe, script/VB execution, and unusual child-process chains from opened files
- File creation, download, quarantine, and execution events for attachments, payloads, DLLs, and transferred tools
- DLL/module load telemetry and execution from unusual names or locations that resemble legitimate resources
- Host discovery evidence such as system, network configuration, installed software, security software, locale, timezone, or location checks
Detection direction
- Because MITRE provides no official detection guidance for this group object, map detections to the related techniques rather than relying on group-name matching.
- Validate the full chain: suspicious attachment delivery, user opening a malicious file, execution through script or trusted Windows utilities, payload placement, discovery activity, and outbound transfer or command-and-control-related traffic.
- Tune detections for mshta.exe, Visual Basic/script execution, and DLL abuse to account for legitimate administrative or business software usage; prioritize unusual parent processes, user context, file origin, and uncommon paths/names.
- Review blind spots around pre-execution email telemetry, attachment detonation retention, endpoint command-line logging, DLL load visibility, and proxy/DNS retention, since missing any one layer can break reconstruction.
- Use Action RAT and AuTo Stealer relationships as threat-intelligence pivots where allowed by local tooling, but do not treat tool-name matching alone as sufficient detection coverage.
Mitigation priorities
- Strengthen attachment controls, sandboxing, and user reporting workflows for targeted phishing scenarios.
- Reduce unnecessary execution paths for script interpreters and trusted utilities such as mshta.exe where operationally feasible, and monitor exceptions.
- Apply application control, least privilege, and endpoint hardening to limit malicious file execution, DLL abuse, and unauthorized tool transfer.
- Ensure egress filtering, DNS/proxy monitoring, and endpoint containment procedures are ready for payload retrieval or remote access tooling.
- Maintain IR playbooks that connect email triage, endpoint investigation, malware containment, and credential/access review after suspected attachment-driven compromise.
Analyst notes and limits
This take is based on the official SideCopy ATT&CK group description, the MalwareBytes external reference listed by ATT&CK, and the supplied uses relationships. The strongest defensive value comes from relationship-driven behavior mapping rather than from the group object itself, because the group-level platforms, tactics, and detection fields are not specified.
Do not infer local exposure or active exploitation from this object alone. ATT&CK does not provide official detection text for SideCopy here, and several related techniques have broad platform descriptions that should not be treated as confirmed SideCopy operating platforms. Local telemetry, asset exposure, geography, business relationships, and incident evidence are required to assess relevance.
SideCopy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1614 | System Location Discovery | SideCopy has identified the country location of a compromised host.[1] |
| Enterprise | T1518.001 | Security Software Discovery | SideCopy uses a loader DLL file to collect AV product names from an infected host.[1] |
| Enterprise | T1584.001 | Domains | SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SideCopy has delivered trojanized executables via spearphishing emails that contact actor-controlled servers to download malicious payloads.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | SideCopy has identified the IP address of a compromised host.[1] |
| Enterprise | T1608.001 | Upload Malware | SideCopy has used compromised domains to host its malicious payloads.[1] |
| Enterprise | T1106 | Native API | SideCopy has executed malware by calling the API function `CreateProcessW`.[1] |
| Enterprise | T1059.005 | Visual Basic | SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file by calling `mshta.exe`.[1] |
| Enterprise | T1518 | Software Discovery | SideCopy has collected browser information from a compromised host.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | SideCopy has sent spearphishing emails with malicious hta file attachments.[1] |
| Enterprise | T1574.001 | DLL | SideCopy has used a malicious loader DLL file to execute the `credwiz.exe` process and side-load the malicious payload `Duser.dll`.[1] |
| Enterprise | T1204.002 | Malicious File | SideCopy has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.[1] |
| Enterprise | T1082 | System Information Discovery | SideCopy has identified the OS version of a compromised host.[1] |
| Enterprise | T1598.002 | Spearphishing Attachment | SideCopy has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | SideCopy has used a legitimate DLL file name, `Duser.dll`, to disguise a malicious remote access tool.[1] |
| Enterprise | T1218.005 | Mshta | SideCopy has utilized `mshta.exe` to execute a malicious hta file.[1] |
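The detection direction above and the T1059.005, T1218.005, T1574.001 and T1036.005 procedures in this table can be turned into concrete checks. The following is an added illustration, not code from the page, MITRE or Glexia: it scans constructed Sysmon-style process-creation and image-load events for an Office process spawning `mshta.exe` and for `credwiz.exe` loading a `Duser.dll` that is not the Windows system copy. The event field names, the Office parent list (including `mspub.exe` for Publisher) and all sample paths are assumptions.

```python
"""Added example: two SideCopy-style execution chains flagged from endpoint telemetry.
Field names, the Office parent list and the sample events are assumptions."""
import ntpath

# Assumed Office image names; mspub.exe is Microsoft Publisher, the lure format on this page.
OFFICE_PARENTS = {"mspub.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def basename(path):
    return ntpath.basename(path).lower()

def in_system_dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS

def check_event(ev):
    """Return an alert string for one event, or None when it looks benign."""
    if ev["type"] == "process_create":
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # T1059.005 / T1218.005: a macro in an Office document calling mshta.exe.
        # Parent-process context (not the mshta.exe name alone) drives the alert.
        if image == "mshta.exe" and parent in OFFICE_PARENTS:
            return f"mshta.exe spawned by {parent}: {ev['cmdline']}"
    elif ev["type"] == "image_load":
        proc, module = basename(ev["process"]), basename(ev["module"])
        # T1574.001 / T1036.005: credwiz.exe loading a Duser.dll that is not the system
        # copy, or a credwiz.exe itself running from outside the system directories.
        if proc == "credwiz.exe" and module == "duser.dll":
            if not in_system_dir(ev["module"]) or not in_system_dir(ev["process"]):
                return f"possible side-load: {ev['process']} loaded {ev['module']}"
    return None

def scan(events):
    return [a for a in (check_event(e) for e in events) if a]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\invite.hta"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\Admin\deploy.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\Admin\ui.hta"},
    {"type": "image_load", "process": r"C:\Users\u\AppData\Roaming\Sync\credwiz.exe",
     "module": r"C:\Users\u\AppData\Roaming\Sync\Duser.dll"},
    {"type": "image_load", "process": r"C:\Windows\System32\credwiz.exe",
     "module": r"C:\Windows\System32\duser.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The second `mshta.exe` event and the system-directory `credwiz.exe` load are deliberately left unflagged to show the tuning by parent process and file location that the detection notes call for.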
Groups, software, and campaigns
S1029: AuTo Stealer
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
S1028: Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bc0bc90651d7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MalwareBytes SideCopy Dec 2021. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures to victims, payloads to infrastructure. Retrieved June 13, 2022.
[2] mitre-attack G1008.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.