APT36 and SideCopy Launch Cross-Platform RAT Campaigns Targeting Indian Defense and Government Networks
Pakistan-aligned threat groups APT36 and SideCopy are actively targeting Indian defense and government-linked organizations with cross-platform remote access trojans designed for long-term espionage. The latest campaigns deploy malware families such as Geta RAT, Ares RAT, and DeskRAT across both Windows and Linux systems, focusing on persistence, credential theft, reconnaissance, and remote command execution.

Security researchers tracking these operations say the activity reflects an evolution in delivery methods and cross-platform tooling rather than a shift in strategic objective. The threat actors continue to rely on phishing and impersonation tactics, but the malware architecture is becoming more modular and adaptable.

According to researchers at Aryaka, the activity shows a steady refinement of espionage tradecraft.

“Taken together, these campaigns reinforce a familiar but evolving narrative. Transparent Tribe and SideCopy are not reinventing espionage. They are refining it,” said Aditya K. Sood, Vice President of Security Engineering and AI Strategy at Aryaka.

The campaigns primarily target Indian defense institutions, government-aligned research organizations, and policy entities. Analysts note that the attackers use defense-themed documents and regionally trusted infrastructure to increase credibility and bypass suspicion.

Initial Access: Phishing and Multi-Stage Infection Chains

The intrusion typically begins with spear-phishing emails containing:

  • Malicious Windows shortcut files (LNK)
  • Embedded download links
  • Rogue PowerPoint Add-In files
  • ELF binaries for Linux systems

One observed attack chain begins with a malicious LNK file that invokes mshta.exe to execute a remote HTML Application (HTA) file. The HTA then decrypts and loads a DLL payload into memory. A decoy document is dropped to reduce suspicion while the malware establishes command-and-control communication.

Researchers previously analyzing related activity described how the payload stages are layered to avoid static detection and blend into normal system behavior.

Malware Families Used in the Campaign

The campaign uses multiple RAT families optimized for stealth and long-term access.

1. Geta RAT (Windows)

Geta RAT provides attackers with:

  • System information collection
  • Process enumeration and termination
  • Clipboard manipulation
  • Screenshot capture
  • File upload and download
  • USB device data harvesting
  • Arbitrary shell command execution

The malware adapts persistence mechanisms based on detected security products, which increases survivability.

2. Ares RAT (Linux)

The Linux branch of the campaign uses a Go-based loader that downloads a Python-based Ares RAT. Once deployed, Ares RAT can:

  • Execute remote Python scripts
  • Harvest system and network information
  • Collect sensitive files
  • Maintain persistent access

This cross-platform capability expands targeting beyond traditional Windows-centric espionage campaigns.

3. DeskRAT (Golang)

DeskRAT is delivered via a malicious PowerPoint Add-In file that executes embedded macros. It establishes outbound communication with a remote server to retrieve additional payloads.

Security researchers have described DeskRAT as part of APT36’s evolving toolkit for persistent operations across enterprise environments.

Technical Infection Flow

Stage                 Action
Initial Lure          Phishing email with LNK or PowerPoint Add-In
Execution             mshta.exe or macro launches staged payload
Payload Decryption    Embedded DLL or script decrypted in memory
C2 Communication      Hard-coded remote server contacted
Persistence           Registry modification or scheduled task
RAT Deployment        Geta RAT, Ares RAT, or DeskRAT installed

The layered design reduces signature-based detection and allows flexible payload replacement.

Key Characteristics of the Campaign

  • Cross-platform malware targeting Windows and Linux
  • Defense-themed decoy documents
  • Use of legitimate system binaries for execution
  • Modular, multi-stage payload delivery
  • Hard-coded command-and-control infrastructure

Researchers emphasize that this activity focuses on sustained espionage rather than immediate disruption.

Enterprise Risk Implications

Organizations in the defense and policy ecosystem should view these campaigns as targeted intelligence-gathering efforts. The threat actors aim to maintain access for extended periods while minimizing noise.

Risk factors include:

  • Trusted domain impersonation
  • Memory-resident payload execution
  • Adaptive persistence techniques
  • Credential harvesting across platforms

Enterprises with mixed Windows and Linux environments are particularly exposed if monitoring is inconsistent across systems.

Defensive Measures

Security teams should prioritize:

  • Email filtering with attachment sandboxing
  • Blocking execution of unsigned HTA files
  • Monitoring abnormal mshta.exe usage
  • Restricting macro execution in Office applications
  • Enforcing endpoint detection on Linux systems
  • Network monitoring for unusual outbound C2 traffic

Layered detection that correlates identity, endpoint, and network telemetry reduces dwell time.
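As an added example (not from the article or from the Aryaka research it cites), the Python triage logic below applies the "abnormal mshta.exe usage" measure above to the LNK-to-HTA chain described under Initial Access: it flags mshta.exe launches that fetch a remote HTA or run one from a user-writable path, and notes when the parent is a shell or Office process where a shortcut or document lure would start. The process events, file paths and the lure.example.invalid host are constructed for illustration.

```python
import re
import shlex

# Constructed process-creation events in Sysmon Event ID 1 style; illustrative
# samples, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://lure.example.invalid/defence-brief.hta'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Vendor\installer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

# A URL argument means the HTA is fetched remotely, as in the LNK -> mshta chain.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# User-writable locations are where a dropped HTA would typically sit.
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)
# Parents that point to a shortcut or document lure rather than an admin tool.
LURE_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "powerpnt.exe", "excel.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_findings(event: dict) -> list:
    """Reasons the event resembles the LNK -> mshta.exe -> HTA chain; [] if none."""
    if _basename(event["image"]) != "mshta.exe":
        return []
    # posix=False keeps backslashes intact and quoted Windows paths as one token.
    args = shlex.split(event["cmdline"], posix=False)[1:]
    reasons = []
    for arg in args:
        target = arg.strip('"')
        if REMOTE_RE.match(target):
            reasons.append("remote HTA fetched over the network")
        elif USER_WRITABLE_RE.search(target):
            reasons.append("HTA executed from a user-writable path")
    parent = _basename(event["parent"])
    if parent in LURE_PARENTS:
        reasons.append(f"launched by {parent} (shortcut or document lure)")
    return reasons


def triage(events: list) -> list:
    """Pair each flagged command line with its findings for analyst review."""
    return [(e["cmdline"], r) for e in events if (r := mshta_findings(e))]
```

The second sample (an HTA under Program Files started by an installer) is deliberately left unflagged to show that the rule keys on origin and parent rather than on mshta.exe alone.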

Frequently Asked Questions

What is APT36?

APT36, also known as Transparent Tribe, is a Pakistan-aligned threat group linked to long-running espionage campaigns targeting Indian government and defense organizations.

What is SideCopy?

SideCopy is believed to operate as a subgroup aligned with APT36, sharing infrastructure and targeting patterns.

What makes this campaign different?

The cross-platform deployment of RAT families across Windows and Linux environments increases operational reach and resilience.

Which sectors are most at risk?

Defense, government agencies, research institutions, and defense-adjacent contractors.
