From dcb87b0dc63753e25e817df75f7abaeae9417c27 Mon Sep 17 00:00:00 2001
From: Sami Tainio
Date: Fri, 7 Jan 2022 17:45:41 +0200
Subject: [PATCH] chg: [threat-actor] Add SideCopy

---
 clusters/threat-actor.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0619d582..2deeb946 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8883,7 +8883,22 @@
       },
       "uuid": "60fa684d-c738-4b77-98fb-3f6605e2bb82",
       "value": "FIN13"
+    },
+    {
+      "description": "The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.",
+      "meta": {
+        "country": "PK",
+        "refs": [
+          "https://www.seqrite.com/blog/operation-sidecopy/",
+          "https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/",
+          "https://www.telsy.com/sidecopy-apt-from-windows-to-nix/",
+          "https://blog.talosintelligence.com/2021/07/sidecopy.html",
+          "https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/"
+        ]
+      },
+      "uuid": "f6d02ac3-3447-4892-b844-1ef31839e04f",
+      "value": "SideCopy"
     }
   ],
-  "version": 208
+  "version": 209
 }
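Review bot: The overlap with Transparent Tribe (APT36) that the new entry's description asserts is recorded as prose only, so MISP correlation cannot use it; the cluster's `related` list would make it machine-readable, e.g. `"related": [{"dest-uuid": "<TRANSPARENT-TRIBE-UUID>", "type": "similar", "tags": ["estimative-language:likelihood-probability=\"likely\""]}]` placed in the new object beside `meta`, with the UUID copied from the existing Transparent Tribe entry in this file. The description also names India and Afghanistan as the main targets while `meta` carries only a bare `"country": "PK"`; if the other entries in this cluster fill `cfr-suspected-victims` and `attribution-confidence`, the same keys here would qualify the attribution instead of asserting it. The curly apostrophe in `actor’s` is valid JSON but is worth checking against whichever apostrophe form the rest of the file uses, so that text searches and any normalising validation stay consistent.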