article featured image


Meta, the company that used to be known as Facebook, released a statement saying that it had taken measures against four separate cybercrime organizations from Pakistan and Syria.

The hacking groups had been observed targeting people in Afghanistan, including civil society, journalists, humanitarian organizations, and anti-regime military forces.

To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers and law enforcement, and alerted the people who we believe were targeted by these hackers.


The Pakistani organization, known as SideCopy in the security industry, targeted individuals connected to the previous Afghan administration, military, and law enforcement in Kabul.

SideCopy Created Fictitious Personas to Fool the Targets

Between April and August of 2021, the attack, which Meta described as a “well-resourced and persistent operation,” included delivering harmful links, which were typically shortened using URL shortener services, to malware-hosting websites. The attackers pretended to be young women sending romantic messages in order to entice victims to click on phishing links or download malicious chat apps.

SideCopy attempted to trick people into installing trojanized chat apps (i.e. they contained malware that misled people about its true intent), including messengers posing as Viber and Signal, or custom-made Android apps that contained malware to compromise devices. Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat applications.


According to Meta’s threat intelligence experts, these applications were a front for two separate malware strains: PJobRAT, a remote access trojan previously discovered attacking Indian military forces, and Mayhem, a previously unreported Android malware strain.

Victims’ contact lists, SMS, call records, location data, media items on the device or connected external storage, and general device metadata can all be retrieved by these two families. They can also use accessibility services to scrape content from the device’s screen.

The hacking organization SideCopy was involved in a number of malicious operations, including:

  • operating rogue app stores,
  • compromising reputable websites in order to host harmful phishing pages that were created to trick people into revealing their Facebook passwords.

In August, SideCopy hacking group was removed from Facebook.

Orgs Linked to the Syrian Government Disrupted

The three hacking gangs connected to the Syrian government that were banned from Facebook are:

  • A hacking group dubbed Syrian Electronic Army (SEA) or APT-C-27 targeting individuals in Syria, including humanitarian organizations, journalists and activists in Southern Syria, government critics, and people linked with the anti-regime Free Syrian Army. They used phishing links to deploy a combination of commercially available and customized malware, such as njRAT and HmzaRat, which are designed to steal user confidential information.
  • APT-C-37 hacking group targeting people who had ties with Free Syrian Army and former military personnel who had since joined the opposition forces. The hackers employed SandroRAT, a commodity malware, as well as SSLove, an Android malware family that was most likely built in-house. They used social engineering to trick their victims into accessing attacker-controlled websites and downloading malware. Some of these sites specialized in Islamic content, while others pretended to be official app stores or utilized look-alike names to impersonate services like Telegram, Facebook, YouTube, and WhatsApp.
  • An unidentified government-linked cybercrime org focusing on minority groups, activists, opposition in Southern Syria, Kurdish reporters, and members of the People’s Protection Units and Syria Civil Defense. They also employed social engineering tactics to spread malware-laced apps that looked like WhatsApp and YouTube and installed SpyNote and Spymax remote administration tools on the devices.

How Can Heimdal Help You?

Heimdal Security has developed two email security software aimed against both simple and sophisticated email threats: Heimdal Email Security, which detects and blocks malware, spam emails, malicious URLs, and phishing attacks and Heimdal Email Fraud Preventiona revolutionary email protection system against employee impersonation, fraud attempts – and BEC, in general.

For example, you may want to consider HeimdalTM Security’s Heimdal Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solutions and includes live monitoring and alerting 24/7 by our specialists.

If you liked this article follow us on LinkedIn, TwitterYouTubeFacebook, and Instagram to keep up to date with everything cybersecurity.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.