S1028: Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[1]
Analyst context for executives and security teams
Action RAT is a Windows remote access tool associated in ATT&CK with SideCopy activity against Indian and Afghani government personnel. Its defensive significance is not just the malware name; the mapped behaviors show a post-compromise tool that can execute commands, discover users, systems, files, network configuration, and security software, communicate over web protocols, bring in additional files, and handle obfuscated content. For leaders, this makes Action RAT a useful planning case for validating whether Windows endpoint, network, and incident response coverage can reconstruct remote-access malware activity after initial access.
Executive priority
Prioritize this as a control-validation and readiness issue rather than a standalone signature exercise. The ATT&CK record provides no official detection guidance, so executives should ask whether the organization can prove visibility into Windows command execution, WMI activity, discovery commands, file enumeration, inbound tool transfer, and web-based command-and-control patterns. This supports business continuity and audit readiness by testing whether SOC and IR teams can identify unauthorized remote control before it progresses to data collection or additional payload delivery.
Technical view
For SOC, detection engineering, and IR teams, use the mapped relationships to build behavior-based validation around Action RAT: Windows Command Shell and WMI execution, system/user/network/security-software discovery, file and directory enumeration, data collection from local systems, obfuscated or decoded payload content, ingress tool transfer, and web-protocol command-and-control. Because the malware object's platform is Windows while several of the related techniques list broader platforms or omit Windows in the supplied context, anchor validation to the Action RAT Windows platform and to the explicitly Windows-related techniques where available. Investigations should correlate endpoint process activity with network sessions and file creation/modification rather than relying only on malware family names.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity and related Windows management event logs
- File creation, modification, directory enumeration, and local data access events
- Network connection logs, proxy logs, DNS logs, and HTTP/S metadata for web-protocol communications
- Security tool status/configuration query evidence where collected
Detection direction
- Validate detections for suspicious cmd.exe and WMI execution that are correlated with discovery, file enumeration, or follow-on network activity.
- Tune discovery detections for system information, user, network configuration, and security software queries; account for legitimate administrator and software-management activity to reduce false positives.
- Look for sequences: execution followed by discovery, local file access, tool transfer, and outbound web-protocol traffic.
- Confirm whether proxy, DNS, and endpoint telemetry can connect a Windows host process to external HTTP/S communications; blind spots here can hide web-protocol command-and-control.
- Do not depend solely on static malware signatures because the mapped techniques include obfuscation and deobfuscation behavior and ATT&CK provides no official detection text for this object.
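As an added, constructed example (not code from ATT&CK, MalwareBytes, or Glexia), the following Python sketches the sequence check described above: it flags the WMIC root\SecurityCenter2 AntiVirusProduct query mapped to T1518.001 in the techniques table and escalates when the same host opens an outbound web-port connection shortly afterwards. The Sysmon-style event shape, hostnames, timestamps and the watched port set are assumptions.

```python
import re
from datetime import datetime, timedelta

# Query shape mapped to T1518.001 on this page: WMIC against the
# root\SecurityCenter2 AntiVirusProduct class to list installed AV products.
AV_QUERY = re.compile(r"securitycenter2.*antivirusproduct", re.IGNORECASE)
WEB_PORTS = {80, 443, 8080}  # assumed set of web-protocol egress ports to watch

# Constructed Sysmon-style sample events (not real incident data):
# eid 1 = process creation, eid 3 = network connection. Hosts are made up.
SAMPLE_EVENTS = [
    {"ts": "2021-12-02T10:00:00", "host": "WS01", "eid": 1,
     "cmdline": "cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 "
                "Path AntiVirusProduct Get displayName /Format:List"},
    {"ts": "2021-12-02T10:00:05", "host": "WS01", "eid": 1, "cmdline": "cmd.exe /c hostname"},
    {"ts": "2021-12-02T10:00:40", "host": "WS01", "eid": 3, "dst_port": 80},
    {"ts": "2021-12-02T11:00:00", "host": "WS02", "eid": 1,
     "cmdline": "cmd.exe WMIC /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName"},
    {"ts": "2021-12-02T12:00:00", "host": "WS03", "eid": 1, "cmdline": "cmd.exe /c dir C:\\"},
    {"ts": "2021-12-02T12:00:10", "host": "WS03", "eid": 3, "dst_port": 443},
]


def is_av_discovery(cmdline):
    """True when a command line carries the SecurityCenter2 AV inventory query."""
    return bool(AV_QUERY.search(cmdline or ""))


def correlate(events, window_sec=300):
    """Per host: record AV-discovery execution, then mark web_followup when the
    same host opens an outbound web-port connection within window_sec after it.
    Hosts with web traffic but no discovery (e.g. WS03) are not reported, which
    keeps ordinary browsing out of the result set."""
    when = lambda e: datetime.fromisoformat(e["ts"])
    findings = {}
    for e in sorted(events, key=when):
        if e["eid"] == 1 and is_av_discovery(e.get("cmdline")):
            findings.setdefault(e["host"], {"av_discovery": True,
                                            "web_followup": False,
                                            "first_seen": e["ts"]})
        elif e["eid"] == 3 and e.get("dst_port") in WEB_PORTS:
            f = findings.get(e["host"])
            if f and when(e) - datetime.fromisoformat(f["first_seen"]) <= timedelta(seconds=window_sec):
                f["web_followup"] = True
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, "AV discovery seen; web follow-up:", f["web_followup"])
```

Tune the window and port set to the estate's real egress pattern; the point is the ordering (discovery first, web egress after), not the specific values.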
Mitigation priorities
- Start with visibility: ensure Windows endpoint logging, command-line capture, WMI monitoring, and network egress telemetry are enabled and retained for IR use.
- Restrict and monitor administrative execution paths such as command shell and WMI according to business need and least privilege.
- Apply egress control and monitoring for web traffic so unusual host-to-external communications can be investigated with process and user context.
- Harden endpoint controls against unauthorized tool transfer and execution, including file reputation, execution control, and alert review workflows where available.
- Prepare IR playbooks for remote-access malware that include host isolation, collection of process/file/network evidence, review of local data access, and scoping for additional payloads.
Analyst notes and limits
The strongest decision value comes from the relationship set: Action RAT is mapped to execution, discovery, collection, stealth, and command-and-control behaviors, and to use by SideCopy. This supports behavior-based defensive validation across Windows endpoints and network telemetry. The official ATT&CK object does not provide aliases, labels, tactics, or detection text, so local detection content should be tested against behaviors rather than assumed from the malware name.
This take uses only the supplied ATT&CK/STIX fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, exploit paths, or guaranteed detections. The official malware platform is Windows, while several related technique platform fields in the supplied relationship context list broader or non-Windows platforms; local teams should validate coverage against their actual Windows estate and telemetry sources.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Action RAT can use Base64 to decode actor-controlled C2 server communications.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Action RAT has the ability to download additional payloads onto an infected machine.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | Action RAT can use WMI to gather AV products installed on an infected host.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Action RAT can use HTTP to communicate with C2 servers.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Action RAT has the ability to collect the MAC address of an infected host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[1] |
| Enterprise | T1082 | System Information Discovery | Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.[1] |
| Enterprise | T1083 | File and Directory Discovery | Action RAT has the ability to collect drive and file information on an infected machine.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Action RAT has the ability to collect the username from an infected host.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.[1] |
| Enterprise | T1005 | Data from Local System | Action RAT can collect local data from an infected machine.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Action RAT can use `cmd.exe` to execute commands on an infected host.[1] |
Groups, software, and campaigns
G1008: SideCopy
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2525ec8a2dfb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MalwareBytes SideCopy Dec 2021. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
[2] mitre-attack S1028.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.