APT36 and SideCopy Conduct Cross-Platform RAT Campaigns Targeting Indian Organizations

Indian government-linked entities and defense sector organizations are facing a new wave of cyber espionage operations attributed to Pakistan-aligned threat groups APT36, also known as Transparent Tribe, and its suspected sub-cluster SideCopy.

The coordinated campaigns are designed to infiltrate both Windows and Linux systems using advanced Remote Access Trojans (RATs) capable of stealing sensitive information and maintaining persistent access within compromised environments.

Expanding Cross-Platform Espionage Operations

Security researchers report that the operations rely on multiple malware families, including Geta RAT, Ares RAT, and DeskRAT. SideCopy, active since at least 2019, is widely considered an operational extension of Transparent Tribe.

According to Aditya K. Sood, Vice President of Security Engineering and AI Strategy at Aryaka, the groups are not introducing entirely new espionage tactics. Instead, they are refining existing tradecraft by improving stealth, persistence, and cross-platform adaptability.

By leveraging memory-resident techniques and experimenting with diverse delivery mechanisms, the attackers aim to remain undetected while maintaining strategic focus on high-value Indian targets.

Phishing as the Primary Entry Vector

Across the campaigns, phishing emails remain the primary infection method. Targets receive emails containing malicious attachments or embedded download links that redirect them to attacker-controlled infrastructure.

These infection chains commonly deliver:

  • Malicious Windows shortcut (LNK) files
  • ELF binaries targeting Linux environments
  • Rogue PowerPoint Add-In files

Once executed, these files initiate multi-stage attack sequences that ultimately deploy the RAT payloads.

Windows Attack Chain and Geta RAT Deployment

One documented attack chain begins with a malicious LNK file that launches mshta.exe to execute an HTA file hosted on compromised but legitimate domains.

The HTA file runs JavaScript code that decrypts an embedded DLL payload. The DLL processes encoded data to:

  • Drop a decoy PDF file on the system
  • Connect to a hard-coded command-and-control server
  • Display the decoy document to avoid suspicion

After presenting the lure document, the malware inspects installed security solutions and modifies its persistence mechanism accordingly before deploying Geta RAT on the system.
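As an added illustration, not code from the article or from the researchers it cites, the following Python triage routine flags process-creation events that match the first stage described above: a clicked LNK causing mshta.exe to fetch an HTA from a remote host. The event field names and the sample records are constructed assumptions, and the domains in them are placeholders rather than indicators from any report.

```python
import re

# Constructed sample process-creation events (illustrative field names,
# not copied from any specific product's schema; domains are placeholders).
SAMPLE_EVENTS = [
    # Benign: an installer launching a local HTA wizard.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\VendorApp\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\VendorApp\wizard.hta"'},
    # Suspicious: mshta spawned by explorer.exe (a double-clicked LNK) and
    # pointed at an HTA on a remote host.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://news-portal.example/brief.hta"},
    # Suspicious: same pattern, URL without an .hta extension (mshta does not
    # require one, so matching on the extension alone would miss this).
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://cdn.example/assets/view"},
    # Benign: a URL on the command line of a process other than mshta.exe.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe https://intranet.example/readme.txt"},
]

REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def classify_event(event):
    """Return the reasons an event matches the LNK -> mshta -> remote HTA
    pattern, or an empty list when it looks benign."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return []  # only the HTA host process is of interest here
    url = REMOTE_URL.search(event.get("CommandLine", ""))
    if not url:
        return []  # local HTA files are common for legitimate installers
    reasons = ["mshta.exe fetching remote content: " + url.group(0)]
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe (consistent with a clicked LNK)")
    return reasons


def triage(events):
    """Run classify_event over a batch and return (command line, reasons) hits."""
    hits = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits
```

The parent-process check only adds confidence; a remote URL argument to mshta.exe is enough on its own to raise an alert for analyst review.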

Geta RAT supports extensive post-compromise functionality, including:

  • System reconnaissance
  • Process enumeration and termination
  • Installed application listing
  • Credential harvesting
  • Clipboard monitoring and manipulation
  • Screenshot capture
  • File management operations
  • Execution of arbitrary shell commands
  • Data extraction from connected USB devices

Linux Variant and Ares RAT

Parallel to the Windows campaign, researchers observed a Linux-focused infection chain. This variant begins with a Golang binary that downloads and executes a shell script from a remote server. The script installs a Python-based Ares RAT.

Ares RAT mirrors many capabilities of Geta RAT, enabling command execution, data exfiltration, and remote control of compromised Linux machines. This cross-platform capability significantly broadens the operational reach of the threat actors.

DeskRAT Delivered Through PowerPoint Add-Ins

In a separate campaign, attackers used a malicious PowerPoint Add-In file containing embedded macros to retrieve DeskRAT, a Golang-based malware. Once executed, the macro establishes outbound communication with a remote server to fetch the payload.

Security firms previously documented APT36’s use of DeskRAT in late 2025, highlighting its role in long-term espionage operations.

Strategic Targeting and Long-Term Access

Researchers emphasize that the campaigns are highly focused and strategically aligned. The primary targets include Indian defense institutions, government agencies, policy organizations, research bodies, and critical infrastructure entities operating within trusted networks.

The combined deployment of DeskRAT, Geta RAT, and Ares RAT reflects an evolving toolkit optimized for stealth operations, persistence, and extended post-compromise control.

As geopolitical cyber tensions continue to shape the threat landscape, organizations within sensitive sectors are urged to strengthen phishing defenses, enhance endpoint monitoring, and prioritize proactive threat hunting to detect advanced persistent threats.
