SideCopy Hackers Intensify Attacks on India's Critical Sectors with Advanced Cross-Platform RATs
April 14, 2025
The hacking group known as SideCopy, a sub-cluster of the Transparent Tribe (APT36), has been active since at least 2019 and has recently intensified its operations.
In December 2024, security researchers at SEQRITE observed a significant shift in SideCopy's focus, as the group expanded its targeting beyond its traditional government and defense victims.
It has notably begun targeting critical sectors in India, including railways, oil and gas, and the Ministry of External Affairs, using remote access trojans (RATs) such as the newly identified CurlBack RAT and the open-source Spark RAT.
By deploying cross-platform RATs, SideCopy can now compromise both Windows and Linux systems, extending its operational reach.
CurlBack RAT is particularly versatile: it can gather system information, download files to the host, execute arbitrary commands, elevate privileges, and enumerate user accounts.
Beyond CurlBack, the group relies on DLL side-loading and PowerShell-based AES decryption of its payloads, and it uses compromised domains both for credential phishing and for hosting malware.
Notably, the group has shifted its malware distribution methods from HTML Application (HTA) files to Microsoft Installer (MSI) packages, indicating an evolution in their tactics.
In June 2024, SEQRITE had already reported that SideCopy was using obfuscated HTA files and techniques reminiscent of SideWinder, including hosting malicious RTF files.
Those attacks delivered several RATs, including Action RAT and ReverseRAT, alongside additional payloads such as Cheex, which steals documents, and a USB copier that siphons data from attached drives.
The group has also run email phishing campaigns using lure documents such as holiday lists for railway staff and cybersecurity guidelines purportedly issued by Hindustan Petroleum Corporation Limited (HPCL).
Source

The Hacker News • Apr 14, 2025
Pakistan-Linked Hackers Expand Targets in India with CurlBack RAT and Spark RAT