Home/ Threat Actors/ SideCopy

🇵🇰SideCopy

🇵🇰 SideCopy is a tracked threat actor in the Clankerusecase corpus. PK-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 16 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1008) ↗

14Use cases

0Articles

16Techniques

0IOCs

About this actor (MITRE)

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Known aliases

SideCopy

Top techniques

T1016 · System Network Configuration Discovery T1036.005 · Match Legitimate Resource Name or Location T1059.005 · Visual Basic

All other tracked techniques

T1082 · System Information Discovery T1105 · Ingress Tool Transfer T1106 · Native API T1204.002 · Malicious File T1218.005 · Mshta T1518 · Software Discovery T1518.001 · Security Software Discovery T1566.001 · Spearphishing Attachment T1574.001 · DLL T1584.001 · Domains T1598.002 · Spearphishing Attachment T1608.001 · Upload Malware T1614 · System Location Discovery

Detection use cases (14)

SideCopy (G1008) LNK→mshta.exe remote-HTA stager fetching second-stage from attacker infrastructure AI · profile SΣ SideCopy (G1008) DLL side-loading: signed-binary loader running from user-writable path with co-located unsigned DLL AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Abnormal Security: malicious email opened MITRE match Email attachment opened from external sender MITRE match