wordpress blog stats
Connect with us

Hi, what are you looking for?

Pakistani hacker group targeted Indian defence personnel with ‘romantic lures’: Report

Decoy files and photos were used to bait defence personnel in a sophisticated campaign uncovered by a security firm.

SideCopy, the Pakistan-based advanced-persistent threat (APT) group whose accounts were recently disabled by Facebook for targeting Afghanistan, has also targeted Indians — specifically defence personnel, Malwarebytes, an American Internet security company said.

In a blog post titled, “SideCopy APT: Connecting lures to victims, payloads to infrastructure”, Hossein Jazi, a threat intelligence analyst at Malwarebytes said that Indian defence personnel including the Indian Army and National Cadet Corps (NCC) were targeted using archive (zip) files embedded with malicious applications. These files were —

  • Designed and crafted to target specific victims
  • Romantic lures

Through these lures, in one instance Malwarebytes was able to find that SideCopy had gained access to a machine and “collected a lot of credentials from government and education services”. This was the only instance where Malwarebytes provided India-specific details in regards to what data was exfiltrated.

Such cyber attacks point to an emerging trend of a country’s critical infrastructure such as defence, power, and so on, being targeted. They also raise questions on the cybersecurity awareness of government and military officials.

Those who read MediaNama are ahead of the curve. Support our journalism by subscribing here

Pakistani group targeted Indian defence personnel with file names such as nisha.zip

Using romantic lures, which also find a mention in Facebook’s announcement about banning SideCopy from the platform, the Pakistan-based APT group targeted Indian defence personnel with archive file names such as —

Advertisement. Scroll to continue reading.
  • nisha.zip: This file contain a list of images with .3d extension and a malicious Trojan application named 3Dviewer.exe, which needed to be executed to load and view images, Jazi said in the blog post.

Source: Malwarebytes

  • image-random number.zip and WhatsApp-image-random number.zip: “These zip files contain a malicious link file that shows a girl picture as a decoy,” the post said.

The targeted lures for Indian government or defence personnel consisted of these file names —

address-list-ere-update-sep-2021.zip: Malwarebytes said that this archive file contained a malicious file, with a decoy PDF listing email facility with addresses of an Indian defence unit. “This lure seems to be used to target the Indian Army and National Cadet Corps of India,” Malwarebytes said.

  • NCERT-NCF-LTV-Vislzr-2022.zip: This archive file too, like the previous one, contained a malicious link with a decoy PDF. “The decoy is a curriculum of the course named “Living the values, a value-narrative to grass-root leadership” offered by NCERT (National Council of Educational Research and Training of India),” Malwarebytes said.

A screen grab of the decoy PDF file that shows content from NCERT | Source: Malwarebytes

A look into SideCopy’s infrastructure

Malwarebytes researchers gained access to the main command and control server used by the attacker to send the malicious files. They discovered that the server has four users with English names: Hendrick, Alexander, Hookes, and Malone.

The system has a dashboard that shows all the infected machines. “Each row in the dashboard shows one package and its statistics which includes the IP address of the victim, package name, OS version, User-Agent, browser information, country and victim status,” Jazi said in the blog.

Dashboard of the attacker’s system | Source: Malwarebytes

India affected by Russian govt-backed Gmail phishing campaign

India, apart from the United States of America and the United Kingdom, was one among the most affected countries that were allegedly targeted by a Russian government-backed APt28/Fancy Bear Gmail phishing campaign, according to a report by Google’s Cybersecurity Action Team.

The report, a first of its kind, said that Google’s Cybersecurity Action Team observed a large-scale attack of a credential phishing campaign targeting more than 12,000 Gmail accounts by this threat actor. Fancy Bear earlier used to target Yahoo! and Microsoft users, the report said. Other countries that were targeted include Canada, Russia, Brazil, and members of the European Union.

Also read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ