Threat Actor Profile
High APT
Description

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Confidence Score
90%
Known Aliases
SideCopy
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown in this record (the description places activity since at least 2019)

Last Updated

Unknown in this record (the MITRE STIX object below carries a modified timestamp of 2025-04-16)

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (16), listed as "ID - Technique (Tactic)"

T1105 - Ingress Tool Transfer (Command and Control)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1218.005 - Mshta (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1518 - Software Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1614 - System Location Discovery (Discovery)
T1059.005 - Visual Basic (Execution)
T1106 - Native API (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1574.001 - DLL (Persistence)
T1598.002 - Spearphishing Attachment (Reconnaissance)
T1584.001 - Domains (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2022-08-07T13:52:07.791Z",
  "modified": "2025-04-16T20:37:38.248Z",
  "name": "SideCopy",
  "aliases": ["SideCopy"],
  "description": "[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "G1008",
      "url": "https://attack.mitre.org/groups/G1008"
    },
    {
      "source_name": "MalwareBytes SideCopy Dec 2021",
      "description": "Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.",
      "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure"
    }
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": [
    "Pooja Natarajan, NEC Corporation India",
    "Hiroki Nagahama, NEC Corporation",
    "Manikantan Srinivasan, NEC Corporation India"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}
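The STIX object and the technique list above are what a practitioner would feed into tooling; the script below is an added example written for this page (it is not code from MITRE, from the portal that produced the profile, or from any SideCopy report). It embeds a subset of the STIX intrusion-set object and the 16 technique/tactic pairs listed on the page, runs the basic STIX 2.1 sanity checks a consumer should apply (identifier format, id prefix matching the object type, spec version, revoked flag), and emits an ATT&CK Navigator layer that highlights the listed techniques. The Navigator/layer version strings, the highlight colour and the layer description are assumptions chosen here, not values from the page.

```python
"""Build an ATT&CK Navigator layer from the SideCopy (G1008) profile data.

Added example for this page, not MITRE or portal tooling. Navigator version
strings, colour and layer description below are assumed values.
"""
import json
import re

# Subset of the page's STIX 2.1 intrusion-set object (fields copied as shown).
STIX_INTRUSION_SET = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710",
    "name": "SideCopy",
    "aliases": ["SideCopy"],
    "revoked": False,
    "x_mitre_domains": ["enterprise-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G1008",
         "url": "https://attack.mitre.org/groups/G1008"},
        {"source_name": "MalwareBytes SideCopy Dec 2021",
         "url": "https://www.malwarebytes.com/blog/news/2021/12/"
                "sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure"},
    ],
}

# Technique ID -> (name, tactic) exactly as listed on the page; the truncated
# name shown for T1036.005 is kept as the page shows it.
PAGE_TECHNIQUES = {
    "T1105": ("Ingress Tool Transfer", "Command and Control"),
    "T1036.005": ("Match Legitimate Resource Name or Locat…", "Defense Evasion"),
    "T1218.005": ("Mshta", "Defense Evasion"),
    "T1016": ("System Network Configuration Discovery", "Discovery"),
    "T1082": ("System Information Discovery", "Discovery"),
    "T1518": ("Software Discovery", "Discovery"),
    "T1518.001": ("Security Software Discovery", "Discovery"),
    "T1614": ("System Location Discovery", "Discovery"),
    "T1059.005": ("Visual Basic", "Execution"),
    "T1106": ("Native API", "Execution"),
    "T1204.002": ("Malicious File", "Execution"),
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1574.001": ("DLL", "Persistence"),
    "T1598.002": ("Spearphishing Attachment", "Reconnaissance"),
    "T1584.001": ("Domains", "Resource Development"),
    "T1608.001": ("Upload Malware", "Resource Development"),
}

# STIX 2.1 identifiers are "<type>--<UUID>"; ATT&CK technique IDs are T#### or T####.###.
STIX_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def check_stix_object(obj):
    """Return a list of problems; an empty list means the object passes basic STIX 2.1 checks."""
    problems = []
    m = STIX_ID_RE.match(obj.get("id", ""))
    if not m:
        problems.append("id is not a STIX 2.1 identifier")
    elif m.group(1) != obj.get("type"):
        problems.append("id prefix does not match object type")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version is not 2.1")
    if obj.get("revoked"):
        problems.append("object is revoked; do not build detections on it")
    return problems


def attack_group_id(obj):
    """Return the ATT&CK group ID (G####) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError("no mitre-attack external reference")


def tactic_slug(tactic):
    """Navigator uses tactic short names: 'Command and Control' -> 'command-and-control'."""
    return tactic.lower().replace(" ", "-")


def tactic_coverage(techniques):
    """Count listed techniques per tactic, i.e. where this group's tradecraft concentrates."""
    counts = {}
    for _name, tactic in techniques.values():
        counts[tactic] = counts.get(tactic, 0) + 1
    return counts


def build_layer(obj, techniques, colour="#e60d0d"):
    """Build an ATT&CK Navigator layer dict highlighting the listed techniques."""
    problems = check_stix_object(obj)
    if problems:
        raise ValueError("; ".join(problems))
    entries = []
    for tid, (name, tactic) in sorted(techniques.items()):
        if not TECHNIQUE_ID_RE.match(tid):
            raise ValueError(f"malformed technique id {tid!r}")
        entries.append({"techniqueID": tid, "tactic": tactic_slug(tactic),
                        "color": colour, "comment": name, "enabled": True, "score": 1})
    return {
        "name": f"{obj['name']} ({attack_group_id(obj)})",
        "versions": {"layer": "4.5", "navigator": "4.9", "attack": "16"},  # assumed
        "domain": obj["x_mitre_domains"][0],
        "description": "Techniques attributed on the profile page",  # assumed wording
        "techniques": entries,
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(STIX_INTRUSION_SET, PAGE_TECHNIQUES), indent=2))
    print(tactic_coverage(PAGE_TECHNIQUES))
```

Run it and paste the printed JSON into Navigator's "Open Existing Layer" dialog; the id-prefix check matters in practice because a feed that mislabels an object's type will otherwise silently produce a layer for the wrong kind of entity, and the revoked check keeps superseded objects out of detection planning.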