S1029: AuTo Stealer
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
Analyst context for executives and security teams
AuTo Stealer matters because ATT&CK records it as a Windows malware family used by SideCopy in reporting focused on government personnel in India and Afghanistan. Its mapped behaviors center on discovering the user and system, checking security tools, collecting and staging local data, maintaining startup persistence, and exfiltrating through command-and-control communications. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoints handling sensitive information would produce enough evidence to confirm discovery, staging, persistence, and outbound transfer quickly during an incident.
Executive priority
Prioritize this as a data-theft and incident-readiness scenario for Windows environments, especially where government, diplomatic, or sensitive personnel data is in scope. Security leaders should ask whether endpoint logging, egress visibility, autorun monitoring, and response playbooks can prove what data was accessed or staged, which user context was involved, and whether outbound C2-style communication occurred. This supports business continuity, breach assessment, audit evidence, and executive decision-making during containment.
Technical view
ATT&CK provides no official detection text for AuTo Stealer, so validation should be behavior-led using the mapped relationships: Windows Command Shell execution, System Owner/User Discovery, System Information Discovery, Security Software Discovery, Data from Local System, Local Data Staging, Registry Run Keys/Startup Folder persistence, Web Protocols, Non-Application Layer Protocol, and Exfiltration Over C2 Channel. SOC and IR teams should test whether Windows endpoint telemetry can correlate command execution, file collection or staging, autorun changes, and outbound network sessions from the same host and user context.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe activity
- Windows registry monitoring for Run key changes and startup folder modifications
- Endpoint file access, file creation, and directory staging activity
- User/session context showing logged-on user and account activity
- System inventory or host discovery indicators from endpoint logs
Detection direction
- Build detections around behavior chains rather than the malware name: discovery commands or APIs followed by local collection/staging, persistence changes, and outbound communications.
- Validate that Run key and startup folder monitoring is enabled and alertable on Windows endpoints, with tuning for legitimate software installers and administrative tools.
- Correlate command shell execution with user and system discovery activity to reduce noise from normal administration.
- Look for local staging patterns involving newly created files or directories before outbound transfer, while accounting for backup, compression, and enterprise software workflows.
- Review outbound web and non-application-layer communication visibility; blind spots often appear where endpoint, proxy, firewall, and DNS logs are not joined by host identity.
Mitigation priorities
- Start with telemetry assurance: confirm Windows process, registry, file, and network logging are collected and retained long enough for investigation.
- Harden persistence surfaces by monitoring and controlling user-writable startup locations and Registry Run keys.
- Limit unnecessary command shell use where feasible and ensure administrative command activity is attributable to a user and host.
- Apply least-privilege and data-access controls so local collection from compromised user context is constrained.
- Use egress filtering, proxy controls, and network monitoring to make unauthorized outbound C2 or exfiltration paths harder to sustain and easier to investigate.
Analyst notes and limits
The most useful defensive interpretation comes from the relationships rather than the sparse malware description. SideCopy is the linked group, and the reported targeting context is South Asian government personnel, but this take does not assume current activity or exposure in any specific environment. Treat AuTo Stealer as a Windows data-theft behavior package requiring endpoint-to-network correlation.
Official ATT&CK detection guidance, tactics on the malware object, aliases, and labels are not provided. The description is based on one cited MalwareBytes report and ATT&CK relationship mappings. Environment-specific prevalence, indicators, exploit path, payload details, and actual detection coverage must be validated with local telemetry and threat intelligence.
AuTo Stealer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074.001 | Local Data Staging | AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1] |
| Enterprise | T1033 | System Owner/User Discovery | AuTo Stealer has the ability to collect the username from an infected host.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | AuTo Stealer can use TCP to communicate with command and control servers.[1] |
| Enterprise | T1059.003 | Windows Command Shell | AuTo Stealer can use `cmd.exe` to execute a created batch file.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[1] |
| Enterprise | T1071.001 | Web Protocols | AuTo Stealer can use HTTP to communicate with its C2 servers.[1] |
| Enterprise | T1005 | Data from Local System | AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1] |
| Enterprise | T1082 | System Information Discovery | AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1] |
| Enterprise | T1518.001 | Security Software Discovery | AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1] |
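The following Python sketch is an added example, not code from this page, from Glexia, or from MITRE. It implements the "behavior chains rather than the malware name" approach recommended under Detection direction and uses the procedure details from the table above (the `Hostname_UserName.txt` staging file, Run key or StartUp folder persistence, `cmd.exe` launching a batch file, HTTP or TCP egress). Everything not on the page is an assumption: the event field names (loosely modelled on Sysmon-style telemetry), the helper names `classify`, `find_chains` and `ev`, the discovery-command and user-writable-path heuristics, the 30-minute window, and the sample events, which are constructed and use documentation-range IPs.

```python
"""Behavior-chain correlation for the AuTo Stealer ATT&CK mappings (added example, not page/Glexia/MITRE code).

Runs over constructed endpoint events (field names are an assumption loosely modelled on Sysmon-style
telemetry) and flags a host/user context only when discovery, staging, persistence and egress all
appear within one time window, mirroring the "behavior chains rather than malware name" advice above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> ATT&CK technique(s) from the relationships mapped on this page.
STAGE_TECHNIQUES = {
    "execution": "T1059.003",
    "discovery": "T1033 / T1082 / T1518.001",
    "staging": "T1074.001",
    "persistence": "T1547.001",
    "egress": "T1041 over T1071.001 / T1095",
}
# Execution alone is routine; the other four together are what we alert on.
REQUIRED_STAGES = {"discovery", "staging", "persistence", "egress"}

# Heuristics (assumptions for this example, not indicators from the cited report).
BATCH_RE = re.compile(r"\.bat\b", re.I)                                  # cmd.exe running a batch file
DISCOVERY_RE = re.compile(r"\b(whoami|hostname|systeminfo|antivirusproduct)\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)         # HKCU/HKLM Run keys
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)  # per-user Startup folder
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)          # binary launched from a profile


def classify(event):
    """Map one telemetry event to a behavior stage, or None if it is not of interest."""
    kind = event["type"]
    if kind == "process" and event["image"].lower().endswith("\\cmd.exe"):
        cmdline = event.get("cmdline", "")
        if DISCOVERY_RE.search(cmdline):
            return "discovery"
        if BATCH_RE.search(cmdline):
            return "execution"
    elif kind == "file_create":
        path = event["path"]
        # Staging file named Hostname_UserName.txt, as in the T1074.001 procedure note.
        if path.rsplit("\\", 1)[-1].lower() == f"{event['host']}_{event['user']}.txt".lower():
            return "staging"
        if STARTUP_DIR_RE.search(path):
            return "persistence"
    elif kind == "registry_set" and RUN_KEY_RE.search(event["key"]):
        return "persistence"
    elif kind == "network" and USER_WRITABLE_RE.match(event["image"]):
        return "egress"  # outbound session started by a binary in a user-writable path
    return None


def find_chains(events, window_minutes=30):
    """Return one finding per (host, user) whose classified events cover REQUIRED_STAGES inside a window."""
    by_context = defaultdict(list)
    for event in events:
        stage = classify(event)
        if stage:
            by_context[(event["host"], event["user"])].append((datetime.fromisoformat(event["ts"]), stage, event))
    window = timedelta(minutes=window_minutes)
    findings = []
    for (host, user), items in by_context.items():
        items.sort(key=lambda item: item[0])
        for i, (t0, _, _) in enumerate(items):
            seen = {}  # stage -> first event supporting it inside this window
            for ts, stage, event in items[i:]:
                if ts - t0 > window:
                    break
                seen.setdefault(stage, event)
            if REQUIRED_STAGES <= set(seen):
                last = max(datetime.fromisoformat(e["ts"]) for e in seen.values())
                findings.append({"host": host, "user": user, "first": t0.isoformat(), "last": last.isoformat(),
                                 "stages": {s: STAGE_TECHNIQUES[s] for s in seen}, "evidence": seen})
                break  # one finding per context is enough for triage
    return findings


def ev(ts, host, user, kind, **fields):
    """Build one constructed telemetry event."""
    return {"ts": ts, "host": host, "user": user, "type": kind, **fields}


# Constructed sample telemetry (documentation IPs, not real indicators); WS02 is benign admin discovery only.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:01", "WS01", "alice", "process", image=r"C:\Windows\System32\cmd.exe",
       cmdline=r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"),
    ev("2025-01-10T09:00:02", "WS01", "alice", "process", image=r"C:\Windows\System32\cmd.exe",
       cmdline="cmd.exe /c whoami & hostname & systeminfo"),
    ev("2025-01-10T09:00:05", "WS01", "alice", "file_create", path=r"C:\Users\alice\AppData\Local\Temp\WS01_alice.txt"),
    ev("2025-01-10T09:00:07", "WS01", "alice", "registry_set",
       key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", value=r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ev("2025-01-10T09:00:09", "WS01", "alice", "network", image=r"C:\Users\alice\AppData\Local\Temp\svc.exe",
       dst_ip="203.0.113.10", dst_port=80),
    ev("2025-01-10T09:05:00", "WS02", "bob", "process", image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c systeminfo"),
    ev("2025-01-10T09:05:10", "WS02", "bob", "network", image=r"C:\Windows\System32\svchost.exe", dst_ip="198.51.100.5", dst_port=443),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']} {f['first']} -> {f['last']}: {sorted(f['stages'])}")
```

Only WS01/alice is reported: WS02/bob shows discovery alone, which is the normal-administration noise the Detection direction list says to suppress. The `evidence` dict keeps the first event supporting each stage so an analyst can pivot straight to the staging file, the Run value, and the egress process. In a real deployment the two regex heuristics for discovery commands and user-writable launch paths are the tuning points against installers and administrative tooling, and the staging check should be widened beyond the exact `Hostname_UserName.txt` name if the same correlation is reused for other families.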
Groups, software, and campaigns
G1008: SideCopy
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d0877c2ce6ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MalwareBytes SideCopy Dec 2021: Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
[2] mitre-attack S1029
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.