article featured image


An updated version of a backdoor called ReverseRAT is being deployed through spear-phishing campaigns targeting Indian government entities.

Cybersecurity firm ThreatMon attributed the activity to a threat actor called SideCopy.

Known for copying the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin with overlaps with Transparent Tribe. The APT group has been operational since at least 2019 and seems to focus on targets of value in cyberespionage.

In recent SideCopy attacks, threat actors have targeted Indian government officials’ use of a two-factor authentication solution called Kavach (which means “armor” in Hindi). The infection begins with a phishing email containing a macro-enabled Word document (“Cyber Advisory 2023.docm”).

In reality, the file is a fake advisory from India’s Ministry of Communications about Android threats and preventions; however, most of the content has been copied word by word from a departmental alert published in July 2020. As soon as the file is opened and macros are enabled, malicious code is executed, resulting in the deployment of ReverseRAT.

It waits for commands to execute on the target machine, and some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.


Previous ReverseRat Attacks

The adversarial crew was first observed delivering ReverseRAT in 2021 by detailing attacks targeting government and power utility victims. India was the most affected country, followed by Afghanistan. The threat actor basically used the compromised Windows systems of the companies to perform remote access trojan (RAT) cyberattacks.

At the time, the cybersecurity researchers explained how the malware was deployed, as well as the three phases it went through. The attack would start from phishing emails or messages containing malicious links that would download a ZIP archive file with a Microsoft shortcut file (.lnk) and a decoy PDF file.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *