APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities
Indian Defense and Government Sectors Under Sustained Cyber Espionage Assault from Pakistan-Linked Threat Actors
In a stark escalation of cyber espionage activity, India’s defense sector and government-aligned organizations have come under sustained attack from sophisticated threat actors linked to Pakistan. Multiple coordinated campaigns have been identified, deploying advanced remote access trojans (RATs) capable of infiltrating both Windows and Linux environments, stealing sensitive data, and maintaining persistent access to compromised systems.
The attacks, attributed to Pakistan-aligned cyber clusters known as SideCopy and APT36 (also called Transparent Tribe), showcase an evolving espionage playbook. SideCopy, active since at least 2019, is believed to operate as a subdivision of Transparent Tribe, both sharing tactics, techniques, and procedures (TTPs) honed over years of targeted operations.
According to Aditya K. Sood, Vice President of Security Engineering and AI Strategy at Aryaka, “These campaigns reinforce a familiar but evolving narrative. Transparent Tribe and SideCopy are not reinventing espionage—they are refining it.” The attackers are expanding cross-platform coverage, leveraging memory-resident techniques, and experimenting with new delivery vectors, all while operating below the radar to maintain strategic focus.
Modus Operandi: Phishing-Laced Deception
The campaigns rely heavily on phishing emails containing malicious attachments or embedded download links that direct victims to attacker-controlled infrastructure. These initial access mechanisms serve as conduits for Windows shortcuts (LNK), ELF binaries, and PowerPoint Add-In files. Once opened, these files trigger a multi-stage process to deploy the trojans.
One particularly insidious attack chain begins with a malicious LNK file that invokes “mshta.exe” to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript to decrypt an embedded DLL, which processes an embedded data blob to write a decoy PDF to disk, connect to a hard-coded command-and-control (C2) server, and display the saved decoy file. This tactic, documented by CYFIRMA and Seqrite Labs researcher Sathwik Ram Prakki in late December 2025, exemplifies the attackers’ sophistication.
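As an added defensive illustration (not code from the article, CYFIRMA or Seqrite Labs), the following Python flags the LNK → mshta.exe → remote HTA step described above in Sysmon-style process-creation events. The event records, hostnames and paths are constructed, and treating explorer.exe as the parent of an LNK-launched process is an assumption about how such launches appear in telemetry.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; hosts and
# paths are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://example-compromised.invalid/docs/brief.hta'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe http://203.0.113.10/notice.hta'},
    {"parent": r"C:\Program Files\Vendor\installer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe readme.txt'},
]

REMOTE_URL = re.compile(r'\bhttps?://[^\s"\']+', re.IGNORECASE)
# Assumption: a double-clicked LNK shows up with explorer.exe as the parent.
LNK_LAUNCHERS = {"explorer.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_mshta_event(event):
    """Score one process-creation event. Returns (severity, reason) or None."""
    if basename(event["image"]) != "mshta.exe":
        return None
    urls = REMOTE_URL.findall(event["cmdline"])
    if not urls:
        return None  # local HTA: installers do this legitimately, so log only
    parent = basename(event["parent"])
    if parent in LNK_LAUNCHERS:
        return ("high", f"mshta.exe fetching remote HTA {urls[0]} from {parent} (LNK-style launch)")
    if parent in SCRIPT_HOSTS:
        return ("high", f"mshta.exe fetching remote HTA {urls[0]} spawned by {parent}")
    return ("medium", f"mshta.exe fetching remote HTA {urls[0]} from unexpected parent {parent}")

def find_remote_hta_launches(events):
    """Return [(index, severity, reason)] for events matching the remote-HTA chain."""
    hits = []
    for i, ev in enumerate(events):
        result = classify_mshta_event(ev)
        if result:
            hits.append((i, *result))
    return hits
```

Running `find_remote_hta_launches(SAMPLE_EVENTS)` on the constructed events flags only the two remote-HTA launches and leaves the local installer HTA alone.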
The Arsenal: Geta RAT, Ares RAT, and DeskRAT
The malware families deployed in these campaigns are designed for persistent remote access, system reconnaissance, data collection, command execution, and long-term post-compromise operations across both Windows and Linux environments.
Geta RAT, for instance, supports a wide array of commands, including collecting system information, enumerating running processes, terminating specified processes, listing installed apps, gathering credentials, retrieving and replacing clipboard contents with attacker-supplied data, capturing screenshots, performing file operations, running arbitrary shell commands, and harvesting data from connected USB devices.
Parallel to the Windows-focused campaign is a Linux variant that employs a Go binary as a starting point to drop a Python-based Ares RAT via a shell script downloaded from an external server. Like Geta RAT, Ares RAT can run a wide range of commands to harvest sensitive data and execute Python scripts or commands issued by the threat actor.
In another campaign, DeskRAT, a Go-based malware, is delivered via a rogue PowerPoint Add-In file that runs an embedded macro to establish outbound communication with a remote server and fetch the malware. APT36’s use of DeskRAT was documented by Sekoia and QiAnXin XLab in October 2025.
Strategic Targeting and Long-Term Access
Aryaka noted that these campaigns demonstrate a well-resourced, espionage-focused threat actor deliberately targeting Indian defense, government, and strategic sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure. The activity extends beyond defense to policy, research, critical infrastructure, and defense-adjacent organizations operating within the same trusted ecosystem.
“The deployment of DeskRAT, alongside Geta RAT and Ares RAT, underscores an evolving toolkit optimized for stealth, persistence, and long-term access,” Aryaka stated. The attackers’ ability to adapt their persistence methods based on installed security products further highlights their sophistication and resourcefulness.
Implications and Countermeasures
These campaigns underscore the persistent and evolving nature of cyber espionage threats targeting critical sectors. Organizations in India’s defense and government spaces must remain vigilant, implementing robust cybersecurity measures, including advanced threat detection, employee training to recognize phishing attempts, and regular system updates to mitigate vulnerabilities.
As cyber warfare continues to evolve, the need for international cooperation and information sharing to combat such threats becomes increasingly critical. The sophistication and persistence of these attacks serve as a stark reminder of the high stakes involved in protecting national security and sensitive data in the digital age.
Tags:
Cyber Espionage, APT36, Transparent Tribe, SideCopy, Geta RAT, Ares RAT, DeskRAT, Pakistan-Linked Hackers, Indian Defense Sector, Government Cyber Attacks, Remote Access Trojans, Phishing Campaigns, Windows and Linux Malware, Command-and-Control Servers, Data Theft, Persistent Access, Cyber Warfare, National Security, Cybersecurity Threats
Viral Phrases:
- “Espionage without noise: APT36’s enduring campaigns”
- “Pakistan-linked hackers refine cyber espionage tactics”
- “Indian defense under sustained cyber assault”
- “Sophisticated RATs target Windows and Linux environments”
- “Phishing-laced deception: The new face of cyber warfare”
- “Stealth, persistence, and long-term access: The hallmarks of modern cyber espionage”
- “Defending India’s critical sectors from relentless cyber threats”
- “The evolving toolkit of APT36 and SideCopy”
- “Cross-platform coverage: Expanding the battlefield”
- “Memory-resident techniques: Operating below the noise floor”
- “Decoy PDFs and HTA files: The art of deception”
- “Golang malware and rogue PowerPoint Add-Ins: New delivery vectors”
- “Cyber warfare in the digital age: High stakes and relentless threats”
- “International cooperation: The key to combating cyber espionage”
- “Vigilance and robust cybersecurity: The first line of defense”