This campaign by SideCopy employs a social engineering lure—a double-extension shortcut file named 'Minutes Of Meeting.docx.lnk'—which runs a PowerShell stager (pdfdocs.bat) from a nested folder while displaying a clean decoy document to the victim. The stager then deploys a Remote Access Trojan (pdfdocs) that achieves persistence by adding itself to the HKCU Run registry key. Detection rates for the initial components are very low (0/66 for the decoy document, 1/61 for the stager), with only the final payload detected moderately (35/71). The attack targets Indian defense personnel and uses known adversary tactics consistent with SideCopy's previous campaigns.

The attack enables unauthorized remote access to compromised systems via the pdfdocs RAT, potentially allowing the adversary to maintain persistence, execute commands, and exfiltrate data. The low detection rates at initial stages increase the likelihood of successful compromise. Targeting Indian defense personnel indicates a high-value espionage objective. No known exploits in the wild are reported for this campaign, but the RAT's presence poses a significant threat to confidentiality and operational security.

No official patch or fix is available as this is a malware campaign rather than a software vulnerability. Defenders should focus on user awareness to recognize double-extension files and suspicious email attachments, restrict execution of PowerShell scripts from untrusted locations, and monitor for persistence mechanisms such as unexpected entries in the HKCU Run key. Endpoint detection and response solutions should be updated to detect the pdfdocs RAT and associated stager components. Given the low initial detection rates, layered defenses and behavioral monitoring are recommended.