SideCopy APT Hackers Mimic as Government Personnel to Deploy Open-Source XenoRAT Tool

A sophisticated campaign by the Pakistan-linked SideCopy Advanced Persistent Threat (APT) group has emerged since late December 2024, targeting critical Indian government sectors with enhanced tactics.
The group has significantly expanded its scope beyond traditional defense and maritime sectors to now include entities under railway, oil & gas, and external affairs ministries, demonstrating an alarming broadening of their cyber espionage activities.
The attackers have been observed sending spear-phishing emails with subjects like “Update schedule for NDC 65 as discussed” and “Policy update for this course,” containing malicious download links.
These emails originate from carefully crafted domains that impersonate legitimate government entities.
One notable email address, “gsosystemsndc@outlook.com,” was created on January 10, 2025, in UAE and remained active until February 28, 2025, mimicking a legitimate National Informatics Centre email address “gsosystems.ndc-mod@nic.in” associated with India’s Ministry of Electronics and Information Technology.
SideCopy’s evolution includes a notable shift from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as their primary staging mechanism.
This tactical change demonstrates the group’s persistent efforts to evade detection while maintaining their capability to compromise targeted systems through DLL side-loading and multi-platform intrusions across both Windows and Linux environments.
Seqrite Labs APT researchers identified that the threat actors are leveraging open-source tools such as XenoRAT and SparkRAT to extend their capabilities, following their previous trend with AsyncRAT.
Additionally, a previously undocumented payload dubbed “CurlBack RAT” has been discovered that registers victim systems with command and control (C2) servers using unique identifiers.
The researchers also uncovered that a fake domain mimicking an e-governance service portal hosted multiple phishing login pages targeting various City Municipal Corporations in Maharashtra state, with thirteen subdomains designed to harvest credentials from unsuspecting government employees.
Infection Chain
The infection chain begins when a victim receives a spear-phishing email containing links to download archive files with double-extension shortcuts (.pdf.lnk).
These shortcuts execute obfuscated commands that download and install MSI packages hosted on compromised domains, including an official National Hydrology Project website under the Ministry of Water Resources.
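The two lure characteristics described above, a lookalike sender address and an archive carrying a double-extension shortcut, can be checked mechanically at the mail gateway or in triage. The following Python is an added example (not code from the article or from Seqrite Labs): the archive contents, the sender header and the list of legitimate addresses are constructed for the demo, and the prefix heuristic in `sender_mimics` is an assumption of this example, not a rule from the report.

```python
# Added example (not code from the article or from Seqrite Labs): triage checks for
# the lure described above, written from the defender's side. The archive contents,
# the sender header and the list of legitimate addresses are constructed for the demo.
import io
import re
import zipfile
from email.utils import parseaddr
from typing import List, Optional

# A Windows shortcut hiding behind a document extension, e.g. "schedule.pdf.lnk"
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)


def is_disguised_shortcut(name: str) -> bool:
    """True when a file name uses the double-extension trick to hide a .lnk."""
    return bool(DISGUISED_LNK.search(name))


def scan_archive(data: bytes) -> List[str]:
    """Return the members of a ZIP archive that are disguised shortcuts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if is_disguised_shortcut(name)]


def build_sample_archive() -> bytes:
    """Constructed ZIP standing in for the lure archive (no real shortcut inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Update schedule for NDC 65.pdf.lnk", b"placeholder, not a real .lnk")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def _normalized_local_part(address: str) -> str:
    """Lower-case local part with dots, hyphens and underscores removed, so that
    'gsosystems.ndc-mod' and 'gsosystemsndc' become comparable."""
    local = address.rsplit("@", 1)[0]
    return re.sub(r"[^a-z0-9]", "", local.lower())


def sender_mimics(from_header: str, legitimate: List[str], min_len: int = 6) -> Optional[str]:
    """Return the legitimate address that the sender appears to imitate, or None.

    Heuristic (constructed for this example): the normalized local parts share a
    prefix of at least `min_len` characters while the domains differ, which is the
    pattern of the outlook.com address that mimicked the nic.in one."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    local = _normalized_local_part(addr)
    if len(local) < min_len:
        return None
    for legit in legitimate:
        legit_domain = legit.rsplit("@", 1)[1].lower()
        if legit_domain == domain:
            continue  # same domain: a real address, not a lookalike
        legit_local = _normalized_local_part(legit)
        if legit_local.startswith(local) or local.startswith(legit_local):
            return legit
    return None


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
    print(sender_mimics('"GSO Systems NDC" <gsosystemsndc@outlook.com>',
                        ["gsosystems.ndc-mod@nic.in"]))
```

The archive check is deliberately name-based so it works before any shortcut is parsed or opened; the sender check only needs a list of addresses the organisation actually sends from, which is cheap to maintain for the handful of high-value mailboxes an impersonator would copy.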
When examining the delivered payloads, one particularly sophisticated mechanism involves PowerShell-based AES decryption of embedded resources. The code shows how the attackers deploy their custom XenoRAT variant:
```powershell
# $EKey (base64-encoded AES key) and $EPath (path of the encrypted resource) are defined outside this excerpt
$EKeyB = [Convert]::FromBase64String($EKey)
$EB = [System.IO.File]::ReadAllBytes($EPath)
# the first 16 bytes of the file are the IV; everything after them is ciphertext
$Iv = $EB[0..15]
$EncryptedData = $EB[16..($EB.Length - 1)]
$AesAlg = [System.Security.Cryptography.Aes]::Create()
$AesAlg.Key = $EKeyB
$AesAlg.IV = $Iv
$AesAlg.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AesAlg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$Decryptor = $AesAlg.CreateDecryptor()
$DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedData, 0, $EncryptedData.Length)
# the decrypted .NET assembly is loaded straight from memory and is never written to disk
$Assembly = [System.Reflection.Assembly]::Load($DecryptedBytes)
```
This decryption routine loads the final XenoRAT payload directly into memory, bypassing disk-based detection methods.
The malware establishes persistence through scheduled tasks disguised as legitimate Windows processes and communicates with command and control servers hosted on domains like “updates.widgetservicecenter.com” and “updates.biossysinternal.com.”
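Because the loader never writes the decrypted assembly to disk, the place to catch it is PowerShell script block logging (Event ID 4104 records the de-obfuscated script text) together with DNS telemetry for the C2 domains. The following Python is an added example (not code from the article or from Seqrite Labs) that runs both checks over constructed inputs: the script-block text and the DNS log lines are made up for the demo, the log format `<timestamp> <host> query <type> <qname>` is an assumption of this example, and the two C2 domains are the ones the article names.

```python
# Added example (not code from the article or from Seqrite Labs): detection logic for
# the in-memory loader and the C2 domains described above. The script-block text and
# the DNS log lines are constructed for the demo; the two C2 domains are the ones the
# article names. The log format assumed here is "<timestamp> <host> query <type> <qname>".
import re
from typing import Dict, List, Tuple

# Behaviours the loader chains together: base64 key, IV taken from the first 16 bytes,
# AES decryption, and Assembly.Load of the result without touching disk.
LOADER_INDICATORS = {
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "aes_decrypt": re.compile(r"\.CreateDecryptor\(\)|\.TransformFinalBlock\(", re.I),
    "key_from_base64": re.compile(r"\[Convert\]::FromBase64String\(", re.I),
    "iv_from_prefix": re.compile(r"\[0\.\.15\]"),
}

# C2 domains named in the article.
C2_DOMAINS = {"updates.widgetservicecenter.com", "updates.biossysinternal.com"}


def score_script_block(text: str) -> Dict[str, object]:
    """Match a PowerShell script block (e.g. the text of an Event ID 4104 record)
    against the loader indicators; flag it when it both decrypts and reflectively loads."""
    hits = {name: bool(rx.search(text)) for name, rx in LOADER_INDICATORS.items()}
    suspicious = hits["reflective_load"] and hits["aes_decrypt"]
    return {"hits": hits, "suspicious": suspicious}


def _matches_ioc(qname: str, iocs) -> bool:
    """Exact match or subdomain of a listed C2 domain."""
    return any(qname == d or qname.endswith("." + d) for d in iocs)


def match_c2_queries(lines: List[str], iocs=C2_DOMAINS) -> List[Tuple[str, str]]:
    """Return (host, queried name) for DNS log lines that resolve a known C2 domain."""
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # not a query record in the assumed format
        host, qname = parts[1], parts[4].lower().rstrip(".")
        if _matches_ioc(qname, iocs):
            found.append((host, qname))
    return found


# Constructed script block shaped like the decryption routine shown in the article.
SAMPLE_LOADER = """
$EKeyB = [Convert]::FromBase64String($EKey)
$EB = [System.IO.File]::ReadAllBytes($EPath)
$Iv = $EB[0..15]
$Decryptor = $AesAlg.CreateDecryptor()
$DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedData, 0, $EncryptedData.Length)
$Assembly = [System.Reflection.Assembly]::Load($DecryptedBytes)
"""

# Constructed benign block: loads a framework assembly by name, no decryption involved.
SAMPLE_BENIGN = "Add-Type -AssemblyName System.Windows.Forms\n[System.Windows.Forms.MessageBox]::Show('hi')"

# Constructed DNS log lines in the assumed format.
SAMPLE_DNS = [
    "2025-02-14T10:22:01Z host01 query A updates.widgetservicecenter.com",
    "2025-02-14T10:22:03Z host01 query A www.example.org",
    "2025-02-14T10:25:40Z host07 query A updates.biossysinternal.com.",
    "2025-02-14T10:26:00Z host09 query AAAA mail.example.org",
]

if __name__ == "__main__":
    print(score_script_block(SAMPLE_LOADER))
    print(match_c2_queries(SAMPLE_DNS))
```

Requiring both the decryption call and the reflective load keeps ordinary administrative scripts that merely call `Assembly.Load` out of the alert queue; the remaining indicators are kept as context for the analyst rather than as triggers. The DNS side normalises the trailing dot and matches subdomains, so a rotated host label under one of the listed domains is still caught.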
The ongoing campaign illustrates how state-sponsored threat actors continue to evolve their tactics while leveraging open-source tools to maintain operational flexibility and reduce development costs, presenting an ongoing challenge for defenders protecting government networks.
The post SideCopy APT Hackers Mimic as Government Personnel to Deploy Open-Source XenoRAT Tool appeared first on Cyber Security News.