SideCopy Campaign

Since May 2023, the has been targeting university students with complex infection chains, utilizing malicious LNK files, HTAs, and loader DLLs masquerading as genuine documents.

by Alan J May 15, 2024 in Cybersecurity News, Dark Web News, Firewall Daily Reading Time: 2 mins read 0

592 SHARES 3.3k VIEWS Share on LinkedInShare on Twitter

() researchers have uncovered a new SideCopy campaign. The threat actor group has previously been observed targeting nations with a particular focus on government and military targets in and Afghanistan.

Active since May 2023, the campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents. Ultimately, the campaign deploys malware payloads such as Reverse RAT and Action RAT, granting attackers extensive control over infected devices.

The research explores the tactics employed by SideCopy, such as their recent focus on university students, and potential overlap in activities with the APT group.

Technical Analysis of the SideCopy Campaign Infection Chain

In early May, CRIL identified a malicious domain employed by the SideCopy group in their operations. The website was discovered hosting a ZIP archive file named “files.zip” that contained sub-directories labeled as “economy,” “it,” and “survey.” The survey directory included files similar to those previously employed by SideCopy in their earlier campaigns.

The campaign likely employs spam emails to distribute the malicious ZIP archive hosted through the compromised website as the initial infection vector. These archives contain malicious LNK files disguised as legitimate documents, such as “IT Trends.docx.lnk.”

Upon execution, the LNK files trigger a series of commands that proceeds to download and execute a malicious HTA file. The downloaded HTA files contain embedded payloads within additional lure documents and DLL files. The lure documents are typically themed around current affairs or relevant academic topics to appear legitimate to the targeted demographic.



The malware is crafted with the functionality to adopt to the presence of different antivirus software such as Avast, Kaspersky and Bitdefender, which further amplifies its ability to evade detection and ensure persistence by placing the LNK shortcut files in the startup folder.

The attack process ultimately leads to the deployment of malicious payloads such as Reverse RAT and Action RAT on to the victim system, which then connect to a remote Command-and-Control (C&C) server to commence malicious activities.

Intersection with Transparent Tribe Activities

The research further suggests a potential overlap or collaboration between SideCopy and Transparent Tribe, another APT group known for targeting military and . This intersection hints at a possible collaborative efforts or shared objectives between the two groups with researchers previously noting that SideCopy may function as a sub-division of Transparent Tribe.

SideCopy is also known to emulate tactics of the Sidewinder APT group in the distribute of malware files, such as the use of disguised LNK files to initiate a complex chain of infections.

CRIL researchers have advised the use of strong email filtering systems, exercise of caution, the deployment of network-level monitoring and the disabling of scripting languages such as PowerShell, MSHTA, cmd.exe to prevent against this potential threat.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button