SideCopy, a cyber-espionage group that mainly targets Indian army personnel, has increased its activity this year and added new malware tools to its arsenal, according to a new report from Cisco Talos.
Active since 2019, the group mimics the infection chains of the Sidewinder APT (a threat actor that mainly targets Pakistani military targets) to deliver its own malware.
Previous SideCopy campaigns involved malicious LNK files and documents delivering a custom C#-based malware dubbed CetaRAT by security researchers, as well as Allakore RAT, a publicly available Delphi-based RAT. In recent campaigns, however, the group has been observed using new plugins and RAT families, such as DetaRAT, ReverseRAT, MargulasRAT and ActionRAT. The APT group has also been observed using commodity RATs, including njRAT, Lilith and Epicenter.
“SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections,” Cisco Talos said.
The researchers noted that SideCopy’s infection chains have remained largely the same with minor variations - using malicious LNK files as entry points, followed by a convoluted infection chain involving multiple HTAs and loader DLLs to deliver the final payloads. If successful, the attack results in the installation of independent plugins with various capabilities, such as file enumeration, browser password stealing and keylogging.
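The lineage described above (an LNK file as the entry point, an HTA run through mshta.exe, then a loader DLL) leaves a recognisable parent-child process trail. The following is an added hunting example, not code from the Cisco Talos report or from this article: it scans process-creation telemetry for a rundll32.exe or regsvr32.exe child of an mshta.exe process that was launched with an .hta argument, and only flags the chain when the DLL is loaded from a user-writable path. The event field names, the list of loader binaries, the path heuristic and the sample events are all assumptions constructed for illustration.

```python
"""Hunt for an HTA -> loader-DLL process chain in process-creation events.

Added example, not from the Cisco Talos report. Field names, the loader
list and the sample events are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (constructed schema, Sysmon-like)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Constructed sample telemetry; these are not real SideCopy artefacts.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # User double-clicks an LNK; explorer launches mshta with an .hta from Temp.
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\AppData\Local\Temp\update.hta"'),
    # The HTA drops and runs a loader DLL from the user profile.
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Roaming\loader.dll,Start"),
    # Benign noise.
    ProcEvent(400, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              "WINWORD.EXE report.docx"),
    # mshta running a vendor HTA from Program Files with no loader child.
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
]

HTA_HOSTS = {"mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}   # assumed loader binaries
# Directories an unprivileged user can write to (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hta_loader_chains(events):
    """Return one dict per loader process whose parent is an mshta.exe
    that was given an .hta file, where the DLL lives in a user-writable path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if basename(child.image) not in DLL_LOADERS:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) not in HTA_HOSTS:
            continue
        if ".hta" not in parent.cmdline.lower():
            continue
        if not USER_WRITABLE.search(child.cmdline):
            continue  # DLL from a system path: lower confidence, not flagged
        grandparent = by_pid.get(parent.ppid)
        hits.append({
            "loader_pid": child.pid,
            "loader_cmdline": child.cmdline,
            "hta_cmdline": parent.cmdline,
            # explorer.exe as grandparent is consistent with a double-clicked LNK
            "launched_from_explorer": bool(
                grandparent and basename(grandparent.image) == "explorer.exe"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hta_loader_chains(SAMPLE_EVENTS):
        print(hit)
```

The user-writable-path filter is what keeps the vendor HTA in the sample (pid 500) out of the results; drop it if the environment never runs legitimate HTAs and every mshta.exe launch is worth a ticket.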
The development of new RAT malware indicates that the SideCopy cyber-espionage group is evolving quickly and becoming more sophisticated, the researchers warned.