
Operations From APT36 To Government Agencies
APT36 is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. SideCopy, which several vendors assess to be a sub-group of or closely linked to APT36 (also tracked as Transparent Tribe), is a Pakistani threat actor operating since at least 2019 that mainly targets South Asian countries, specifically India and Afghanistan.
Indicators of Compromise
Domains (60)
tt1.apktrial.com
supremo-portal.in
nsdrive-phone.online
centralink.online
cloud-drive.store
www.ksboard.in
ksboard.in
s1.fileditch.ch
cloud-drive.geo-news.tv
drive-phone.geo-news.tv
meetup-chat.com
studentsportal.co
studentsportal.live.geo-news.tv
geo-news.tv
studentsportal.geo-news.tv
studentsportal.live
phone-drive.online.geo-news.tv
ns1.vebhost.com
user-onedrive.live
statefinancebank.com
+40 more
Hashes (241)
IPv4 (15)
149.248.52.61
192.3.99.68
153.92.220.48
155.133.23.244
194.233.70.54
70.34.214.252
78.46.21.248
45.84.0.164
66.235.175.91
146.190.235.137
185.229.119.60
144.91.72.17
89.117.63.146
139.59.79.86
139.59.23.88
CVEs (5)
CVE-2022-41034
CVE-2022-42889
CVE-2022-37969
CVE-2022-3786
CVE-2022-3602
APT Groups
SideWinder
SideCopy
Pakistan
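Indicators are only useful once they are checked against telemetry. The script below is an added example and is not part of the original page: it matches a subset of the page's domain and IPv4 indicators against constructed DNS and proxy log lines. Domains are matched on label boundaries, so a query for a subdomain of a listed domain (studentsportal.geo-news.tv under geo-news.tv) is caught while a look-alike (notgeo-news.tv) is not. The log layout and the IOC subset are assumptions; the page's hash list is not reproduced here and is not matched.

```python
"""Match APT36/SideCopy network IOCs against DNS and proxy log lines.

Added example, not code from the original page. The IOC sets below are a
subset of the page's domain and IPv4 lists; the log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: only a subset of the page's 60 domains and 15 IPv4 addresses.
IOC_DOMAINS: Set[str] = {
    "geo-news.tv", "studentsportal.live", "user-onedrive.live",
    "supremo-portal.in", "ksboard.in", "statefinancebank.com",
}
IOC_IPS: Set[str] = {"149.248.52.61", "192.3.99.68", "153.92.220.48", "139.59.79.86"}

# Constructed log lines (not real telemetry): a resolver log and a proxy log
# sharing one loose "timestamp client source details" layout.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 dns query=studentsportal.geo-news.tv type=A
2023-03-01T10:00:02Z 10.0.0.5 dns query=www.geo.tv type=A
2023-03-01T10:00:05Z 10.0.0.7 proxy CONNECT https://user-onedrive.live:443/ dst=149.248.52.61
2023-03-01T10:00:09Z 10.0.0.9 proxy GET http://updates.example.com/patch.msi dst=203.0.113.10
2023-03-01T10:00:12Z 10.0.0.5 dns query=notgeo-news.tv type=A
""".splitlines()

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index into the scanned lines
    observable: str   # what was seen in the log
    indicator: str    # the IOC entry it matched
    kind: str         # "domain" or "ip"


def domain_matches(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC covering qname: the exact name or any parent domain,
    tested on label boundaries only. The bare TLD is never tested, so a
    listed "geo-news.tv" covers "x.geo-news.tv" but not "notgeo-news.tv"."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Extract every hostname and IPv4 literal from each line and report IOC hits."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for host in sorted(set(HOST_RE.findall(line))):
            ioc = domain_matches(host, IOC_DOMAINS)
            if ioc is not None:
                hits.append(Hit(n, host.lower(), ioc, "domain"))
        for ip in sorted(set(IP_RE.findall(line))):
            try:
                ipaddress.IPv4Address(ip)   # drops malformed literals such as 300.1.2.3
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append(Hit(n, ip, ip, "ip"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.observable} -> IOC {hit.indicator}")
```

Feed real resolver or proxy exports to `scan()` one line at a time; the parent-domain walk in `domain_matches()` is what keeps the many `*.geo-news.tv` hosts on the page from needing a separate entry each.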
Notes
<div><b>Conclusions</b></div><div>Apps used internally by Indian government organizations are a popular social engineering theme for APT36. Users should be careful when downloading apps and should install them only from official sources.</div><div>Since APT36 uses malicious advertising to hijack Google search results, users should be very careful when clicking links in search results and always verify that they are on the official website.</div><div>Government agencies are therefore advised to invest more in security and to remain vigilant against such threat groups.</div>
Mitigation
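The SideCopy profile that follows lists the techniques that matter most for detection: an Office Publisher macro launching an HTA through mshta.exe (T1059.005, T1218.005) and the legitimate credwiz.exe side-loading a malicious Duser.dll (T1574.002, T1036.005). The script below is an added example and is not from the original page, MITRE or Malwarebytes: it applies those two checks to constructed Sysmon-style process-creation and image-load events. The event field names, the file paths and the list of Office parent processes are assumptions.

```python
"""Behavioural checks for the SideCopy execution chain described in the profile below.

Added example, not from the original page. Events are constructed dictionaries
shaped like Sysmon EID 1 (process create) and EID 7 (image load) records.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: Office parents whose child mshta.exe is suspicious (the page names Publisher).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class Alert:
    technique: str    # ATT&CK ID from the technique table
    event_index: int
    reason: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Apply two SideCopy-specific rules; at most one alert per event."""
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        if ev["event"] == "process_create":
            image, parent = _base(ev["image"]), _base(ev["parent_image"])
            cmdline = ev.get("cmdline", "").lower()
            # T1218.005 / T1059.005: mshta.exe launched by an Office application,
            # or running an HTA from a user-writable path or a URL.
            if image == "mshta.exe" and parent in OFFICE_PARENTS:
                alerts.append(Alert("T1218.005", i, f"mshta.exe spawned by {parent}"))
            elif image == "mshta.exe" and (
                "http" in cmdline or any(m in cmdline for m in USER_WRITABLE)
            ):
                alerts.append(Alert("T1218.005", i, "mshta.exe running HTA from user-writable path or URL"))
            # T1574.002: a copy of credwiz.exe outside the Windows system directories
            # is the staging pattern for side-loading Duser.dll.
            elif image == "credwiz.exe" and not _in_system_dir(ev["image"]):
                alerts.append(Alert("T1574.002", i, f"credwiz.exe running from {ev['image']}"))
        elif ev["event"] == "image_load":
            # T1574.002 / T1036.005: Duser.dll is a real Windows DLL; the side-loaded
            # copy is the one that is not loaded from System32/SysWOW64.
            if (_base(ev["image"]) == "credwiz.exe" and _base(ev["loaded"]) == "duser.dll"
                    and not _in_system_dir(ev["loaded"])):
                alerts.append(Alert("T1574.002", i, f"credwiz.exe loaded {ev['loaded']}"))
    return alerts


# Constructed events: the first four mimic the chain from the table, the last two are benign.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "MSPUB.EXE circular.pub"},
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\update.hta"},
    {"event": "process_create", "image": r"C:\Users\victim\AppData\Roaming\credwiz.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "cmdline": "credwiz.exe"},
    {"event": "image_load", "image": r"C:\Users\victim\AppData\Roaming\credwiz.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\Duser.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\credwiz.exe",
     "loaded": r"C:\Windows\System32\duser.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a.event_index}: {a.technique} {a.reason}")
```

The path check matters more than the file name: both credwiz.exe and Duser.dll exist legitimately under System32, so a rule keyed on the names alone would fire on normal Windows activity, whereas the actor's copies sit under a user profile.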
<div><b>SideCopy</b></div>
<div>SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. The SideCopy name comes from an infection chain that mimics that of SideWinder, a suspected Indian threat group.[1]</div>
<div><br></div>
<div><b>Techniques Used</b></div>
<div><table class="table techniques-used background table-bordered">
<thead><tr><th>Domain</th><th colspan="2">ID</th><th>Name</th><th>Use</th></tr></thead>
<tbody>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1059">T1059</a></td><td><a href="https://attack.mitre.org/techniques/T1059/005">.005</a></td><td><a href="https://attack.mitre.org/techniques/T1059">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005">Visual Basic</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has sent Microsoft Office Publisher documents to victims with embedded malicious macros that execute an HTA file by calling <code>mshta.exe</code>.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1584">T1584</a></td><td><a href="https://attack.mitre.org/techniques/T1584/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1584">Compromise Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1584/001">Domains</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has compromised domains for some of its infrastructure, including for C2 and for staging malware.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1574">T1574</a></td><td><a href="https://attack.mitre.org/techniques/T1574/002">.002</a></td><td><a href="https://attack.mitre.org/techniques/T1574">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002">DLL Side-Loading</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has used a malicious loader DLL to execute the <code>credwiz.exe</code> process and side-load the malicious payload <code>Duser.dll</code>.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1105">T1105</a></td><td><a href="https://attack.mitre.org/techniques/T1105">Ingress Tool Transfer</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has delivered trojanized executables via spearphishing emails that contact actor-controlled servers to download malicious payloads.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1036">T1036</a></td><td><a href="https://attack.mitre.org/techniques/T1036/005">.005</a></td><td><a href="https://attack.mitre.org/techniques/T1036">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005">Match Legitimate Name or Location</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has used a legitimate DLL file name, <code>Duser.dll</code>, to disguise a malicious remote access tool.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1106">T1106</a></td><td><a href="https://attack.mitre.org/techniques/T1106">Native API</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has executed malware by calling the API function <code>CreateProcessW</code>.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1566">T1566</a></td><td><a href="https://attack.mitre.org/techniques/T1566/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1566">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001">Spearphishing Attachment</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has sent spearphishing emails with malicious HTA file attachments.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1598">T1598</a></td><td><a href="https://attack.mitre.org/techniques/T1598/002">.002</a></td><td><a href="https://attack.mitre.org/techniques/T1598">Phishing for Information</a>: <a href="https://attack.mitre.org/techniques/T1598/002">Spearphishing Attachment</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1518">T1518</a></td><td><a href="https://attack.mitre.org/techniques/T1518">Software Discovery</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has collected browser information from a compromised host.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique enterprise" id="enterprise"><td></td><td></td><td><a href="https://attack.mitre.org/techniques/T1518/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1518/001">Security Software Discovery</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> uses a loader DLL to collect AV product names from an infected host.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1608">T1608</a></td><td><a href="https://attack.mitre.org/techniques/T1608/001">.001</a></td><td><a href="https://attack.mitre.org/techniques/T1608">Stage Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1608/001">Upload Malware</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has used compromised domains to host its malicious payloads.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td>Enterprise</td><td><a href="https://attack.mitre.org/techniques/T1218">T1218</a></td><td><a href="https://attack.mitre.org/techniques/T1218/005">.005</a></td><td><a href="https://attack.mitre.org/techniques/T1218">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005">Mshta</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has utilized <code>mshta.exe</code> to execute a malicious HTA file.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1082">T1082</a></td><td><a href="https://attack.mitre.org/techniques/T1082">System Information Discovery</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has identified the OS version of a compromised host.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1614">T1614</a></td><td><a href="https://attack.mitre.org/techniques/T1614">System Location Discovery</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has identified the country location of a compromised host.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="technique enterprise" id="enterprise"><td>Enterprise</td><td colspan="2"><a href="https://attack.mitre.org/techniques/T1016">T1016</a></td><td><a href="https://attack.mitre.org/techniques/T1016">System Network Configuration Discovery</a></td><td><p><a href="https://attack.mitre.org/groups/G1008">SideCopy</a> has identified the IP address of a compromised host.<span id="scite-ref-1-a" class="scite-citeref-number"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank">[1]</a></sup></span></p></td></tr>
<tr class="sub technique noparent enterprise" id="enterprise"><td><font 
color="#262626">Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">T1204</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; background-color: transparent;">Malicious File</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font color="#262626"><a href="https://attack.mitre.org/groups/G1008" style="box-sizing: border-box; background-color: transparent;">SideCopy</a> has attempted to lure victims into clicking on malicious embedded archive files sent via spearphishing campaigns.<span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" style="box-sizing: border-box; background-color: 
transparent;">[1]</a></span></span></font></p></td></tr></tbody></table><br><b><font>Software</font></b><br><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important; empty-cells: hide;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;"><font color="#262626"><span style="font-size: 14px; font-weight: 400;">ID</span></font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;"><font color="#262626"><span style="font-size: 14px; font-weight: 400;">Name</span></font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;"><font color="#262626"><span style="font-size: 14px; font-weight: 400;">Techniques</span></font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1028" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">S1028</font></a></td><td style="box-sizing: border-box; 
padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1028" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">Action RAT</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; background-color: transparent;">Security Software Discovery</a>, <a 
href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1029" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">S1029</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1029" style="box-sizing: border-box; background-color: transparent;"><font color="#262626">AuTo Stealer</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font color="#262626"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" 
style="box-sizing: border-box; background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; background-color: transparent;">Local Data Staging</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; background-color: transparent;">System Owner/User Discovery</a></font></td></tr></tbody></table><font><b>References</b></font><br><div class="row" style="box-sizing: border-box; margin-right: -15px; margin-left: -15px;"><div class="col" style="box-sizing: border-box; position: relative; width: 698.625px; padding-right: 15px; padding-left: 15px; flex-basis: 0px; flex-grow: 1; color: rgb(57, 67, 76); font-family: Roboto-Regular, sans-serif; font-size: 16px;"><ol style="box-sizing: border-box; margin-top: 
0px; margin-bottom: 1rem;"><li style="box-sizing: border-box;"><span id="scite-1" class="scite-citation" style="box-sizing: border-box;"><span class="scite-citation-text" style="box-sizing: border-box;"><a rel="nofollow" class="external text" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures to victims, payloads to infrastructure. Retrieved June 13, 2022.</a></span></span></li></ol></div></div></div>