Cyber: Apt36 And Sidecopy Launch Cross-platform Rat Campaigns Against...

Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines.

The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (aka Transparent Tribe). SideCopy, active since at least 2019, is assessed to operate as a subdivision of Transparent Tribe.

"Taken together, these campaigns reinforce a familiar but evolving narrative," Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, said. "Transparent Tribe and SideCopy are not reinventing espionage – they are refining it."

"By expanding cross-platform coverage, leaning into memory-resident techniques, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining strategic focus."

Common to all the campaigns is the use of phishing emails containing malicious attachments or embedded download links that lead prospective targets to attacker-controlled infrastructure. These initial access mechanisms serve as a conduit for Windows shortcuts (LNK), ELF binaries, and PowerPoint Add-In files that, when opened, launch a multi-stage process to drop the trojans.

The malware families are designed to provide persistent remote access, enable system reconnaissance, collect data, execute commands, and facilitate long-term post-compromise operations across both Windows and Linux environments.

One of the attack chains is as follows: a malicious LNK file invokes "mshta.exe" to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript to decrypt an embedded DLL payload, which, in turn, processes an embedded data blob to write a decoy PDF to disk, connects to a hard-coded command-and-control (C2) server, and displays the saved decoy file.

After the lure document is displayed, the malware checks for installed security products and adapts its persistence method accordingly prior to deploying Geta RAT on the compromised host. It's worth noting this attack chain was detailed by CYFIRMA and Seqrite Labs researcher Sathwik Ram Prakki in late December 2025.

Geta RAT supports various commands to collect system information, enumerate running proces

Source: The Hacker News