Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks
released on 2025-04-08 @ 07:06:14 PM
Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil and gas, and external affairs ministries. For initial staging the group has moved from HTA files to MSI packages, and it now chains DLL side-loading and reflective loading with payloads that PowerShell decrypts in memory using AES. It relies on customised open-source tools such as Xeno RAT and Spark RAT and has introduced a new remote access trojan, CurlBack RAT. Compromised domains and look-alike sites serve both for credential phishing and for hosting payloads. The campaign is now multi-platform, with payloads for both Windows and Linux, and the group keeps refining its persistence and detection-evasion techniques.
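The summary names the staging chain (MSI package, PowerShell with AES decryption, reflective loading) but not how a defender would look for it. The following is an added illustration, not code from the report or from the analysts who wrote it: it runs simple hunting rules over Sysmon-style process-creation records. The field names (`image`, `parent_image`, `cmdline`, `pid`) and the sample events are constructed for this example; the command lines are assumptions about what such a chain could look like, not indicators quoted from the report.

```python
"""Hunt for an MSI -> PowerShell (AES decrypt + reflective load) staging chain
in Sysmon-like process-creation events.

Added example, not code from the report. Field names, regexes and the
sample records below are constructed; tune them to your own telemetry.
"""
import re

# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\Notice.msi /qn"},
    {"pid": 4104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": (r'powershell -nop -w hidden -c "'
                 r"$a=[System.Security.Cryptography.Aes]::Create();"
                 r"[System.Reflection.Assembly]::Load($plain)"
                 r'.EntryPoint.Invoke($null,$null)"')},
    {"pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /V"},  # benign service instance
    {"pid": 4130, "image": r"C:\Users\u\AppData\Local\Temp\vendor.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"vendor.exe"},
]

# Script and proxy-execution hosts that an MSI custom action rarely needs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# User-writable locations where a dropped side-loading host would typically land.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\[^\\]+\\Downloads|ProgramData|Windows\\Temp)\\",
    re.I)

# .NET AES classes reachable from PowerShell, and in-memory assembly loading.
AES_API = re.compile(
    r"System\.Security\.Cryptography\."
    r"(?:Aes|AesManaged|AesCryptoServiceProvider|RijndaelManaged)", re.I)
REFLECTIVE_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event triggers (empty if none)."""
    hits = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event.get("cmdline", "")

    # Rule 1: the MSI engine hands off to a script host.
    if parent == "msiexec.exe" and child in SCRIPT_HOSTS:
        hits.append("msiexec_spawns_script_host")

    # Rule 2: the MSI engine launches a binary from a user-writable path.
    if parent == "msiexec.exe" and USER_WRITABLE.search(event["image"]):
        hits.append("msiexec_child_from_user_writable_path")

    # Rule 3: PowerShell decrypts with AES and loads the result in memory.
    if (child in {"powershell.exe", "pwsh.exe"}
            and AES_API.search(cmd) and REFLECTIVE_LOAD.search(cmd)):
        hits.append("powershell_aes_decrypt_reflective_load")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """(pid, rule) pairs for every hit across a batch of events."""
    return [(e["pid"], rule) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 and rule 2 will fire on some legitimate installers whose custom actions run PowerShell or extract helpers to `%TEMP%`, so they are hunting leads to pair with package provenance (signer, download source) rather than stand-alone alerts; rule 3, an AES decrypt followed by an in-memory assembly load on one command line, is specific enough to escalate on its own. Encoded (`-EncodedCommand`) or script-block-logged payloads need the same patterns applied after decoding, which this example does not do.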