SideCopy (also tracked as APT-C-56, TAG-117 in Recorded Future taxonomy, and MITRE ATT&CK G1008) is a suspected Pakistan-aligned cyber-espionage cluster active since at least 2019. It was first publicly characterized by Seqrite (Quick Heal) Threat Research Labs in September 2020, with the seminal international-vendor disclosure by Cisco Talos in July 2021 ("InSideCopy: How This APT Continues to Evolve Its Arsenal"). The cluster is widely assessed to operate in alignment with Pakistani state intelligence interests, most commonly framed as Inter-Services Intelligence (ISI) tasking, the same Pakistani intelligence service that runs Transparent Tribe / APT36 (already covered as mythic_leopard.yaml). No formal government attribution has been issued.
The cluster's name derives from its defining operational tradecraft: imitating the tradecraft patterns of SideWinder (an India-aligned cluster, already covered as sidewinder.yaml), which vendor research assesses as an attempt at attribution misdirection. The mimicry is intended to make campaigns appear to be India-aligned operations (and therefore directed against Pakistani interests) when they are actually Pakistani operations against Indian targets. The attribution-misdirection pattern is operationally interesting because it represents an explicit cluster-level investment in false-flag tradecraft, a relatively unusual pattern among publicly tracked state-aligned clusters and one that complicates defender attribution analysis.
The mimicry is not perfect: cluster-level operational signatures (the distinct Action RAT / Reverse RAT / Margulas RAT toolkit, infrastructure patterns, and victim-selection patterns) remain reliable attribution indicators that distinguish SideCopy from the genuinely India-aligned SideWinder it imitates. A defining operational characteristic is sustained joint operations with Transparent Tribe / APT36. Documented infrastructure and victim overlap shows that campaigns frequently use SideCopy-attributed implants alongside Transparent Tribe-attributed implants against the same Indian victim sets.
The coordination pattern is the strongest publicly available evidence for the broader Pakistani state-cyber ecosystem framing. Whether the coordination reflects centralized ISI tasking, decentralized cluster-to-cluster coordination, or shared contractor operations remains an open analytical question. The cleanest framing is that SideCopy and Transparent Tribe operate within the same Pakistani state-cyber ecosystem with substantial operational overlap, but represent separable cluster identities based on toolkit and tradecraft differences.
Targeting focus is overwhelmingly directed at Indian government ministries, the Indian Army (notably Northern Command and Eastern Command formations facing the Pakistani and Chinese borders), the Indian Navy, the Indian Air Force, the Defence Research and Development Organisation (DRDO), paramilitary forces (Border Security Force, Central Reserve Police Force), Indian intelligence services, Indian state and central government entities, and Indian defense-academic research institutions. The Indian military-and-defense focus is the cluster's dominant operational mission and aligns directly with broader ISI Pakistani-intelligence priorities. Selective targeting of Afghan, Bhutanese, Nepalese, Sri Lankan, and Bangladeshi entities has been documented but represents a small fraction of cluster operations.
Operationally, the cluster's toolkit centers on three custom Windows remote-access-trojan families: Action RAT (the cluster's primary implant, providing command execution, file collection, and screenshot capture), Reverse RAT (a sibling implant with overlapping capability and different command-and-control patterns), and Margulas RAT (a newer implant first publicly disclosed by Cisco Talos in 2021). Additional tooling includes AllaKore RAT variants (a commercial RAT also used by other clusters; the presence of AllaKore alone is insufficient for cluster attribution), DjvuHostSvc, overlap with NjRAT, and Cobalt Strike Beacon for hands-on-keyboard operations. Initial-access tradecraft is predominantly spear-phishing with weaponized .lnk shortcuts, Microsoft Compiled HTML Help (.chm) decoy files, weaponized Office documents (CVE-2017-0199, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802, CVE-2021-40444, CVE-2022-30190 Follina), and notably the rapid 2023 weaponization of CVE-2023-38831 (WinRAR RCE) within weeks of disclosure.
Lure themes include fake Indian Army officer credentials, DRDO research papers, ministry circulars, and Indian-government-themed PDFs: high-fidelity social-engineering content tailored to Indian military and government recipients. A handful of operational notes follow. First, the attribution-misdirection tradecraft (the SideWinder mimicry that gave the cluster its name) represents an unusually explicit cluster-level investment in false-flag tradecraft. Defender attribution analysis benefits from awareness of this pattern: SideWinder-style indicators in campaigns against Indian targets should be evaluated for the possibility of SideCopy misdirection rather than treated as automatic India-attribution indicators.
Second, the cluster's operational adjacency to Transparent Tribe / APT36 should be understood as substantive operational coordination within the same Pakistani state-cyber ecosystem rather than as cluster-identity ambiguity. The two clusters operate as separable but coordinated operational identities. Third, the cluster has not demonstrated 0day-development capability and relies primarily on rapid weaponization of disclosed n-day vulnerabilities, a pattern consistent with operational maturity rather than top-tier capability development.
The August 2023 CVE-2023-38831 WinRAR weaponization within weeks of disclosure illustrates the operational tempo. Fourth, the cluster's continued operations through 2024-2025 despite substantial public attribution illustrate (consistent with the Star Blizzard, Sandworm, Pioneer Kitten, and Cadet Blizzard patterns in this corpus) that formal or research-grade attribution and public exposure do not necessarily produce operational pauses for state-aligned clusters.