Recent cyber espionage campaigns targeting the Indian defense sector have raised alarms due to their sophisticated use of remote access trojans (RATs). These operations, attributed to threat actors like APT36 and SideCopy, aim to infiltrate both Windows and Linux systems to steal sensitive information and maintain prolonged access to compromised devices.
Key Players and Malware Used
The campaigns are primarily associated with malware families such as Geta RAT, Ares RAT, and DeskRAT. These tools are linked to SideCopy and APT36, with the latter also known as Transparent Tribe. Active since 2019, SideCopy is considered an offshoot of Transparent Tribe, indicating a well-coordinated strategy behind these operations.
Aditya K. Sood, Aryaka’s vice president of Security Engineering and AI Strategy, highlights that these campaigns refine rather than reinvent traditional espionage techniques. By expanding their reach across platforms and exploring new delivery methods, these threat actors continue to operate below the radar while maintaining their strategic focus.
Infiltration Techniques
The attack strategies often begin with phishing emails that contain malicious attachments or download links, leading victims to attacker-controlled servers. These initial vectors use Windows shortcuts, ELF binaries, and PowerPoint Add-Ins to initiate a multi-stage process to deploy RATs.
Once deployed, these RATs provide persistent access, allowing attackers to conduct system reconnaissance, execute commands, and facilitate long-term operations on both Windows and Linux platforms. One particular attack chain involves a malicious LNK file that executes an HTML Application, eventually leading to the installation of Geta RAT after bypassing security checks.
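The Windows chain described above (shortcut run by the user, mshta.exe fetching an HTML Application from a remote server, follow-on processes spawned by that mshta.exe) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection heuristic is an added example written for this page, not code from any of the vendors or researchers mentioned; the event records and the `ProcEvent` shape are constructed to resemble Sysmon-style process-creation logs, and the rule assumes the usual desktop case where a double-clicked shortcut is launched by explorer.exe.

```python
"""Flag a shortcut -> mshta.exe (remote .hta) -> child process chain in process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged

# Remote HTA references: an http(s) URL or a UNC path ending in .hta.
REMOTE_HTA = re.compile(r"(https?://\S+\.hta\b|\\\\[^\s\\]+\\\S+\.hta\b)", re.IGNORECASE)

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hta_chains(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return findings for mshta.exe launched by explorer.exe with a remote .hta,
    plus every process that descends from such an mshta.exe.
    Events are assumed to be in chronological order (parents before children)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    flagged: set = set()        # pids already attributed to a suspicious chain
    findings: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (_basename(e.image) == "mshta.exe"
                and parent is not None
                and _basename(parent.image) == "explorer.exe"
                and REMOTE_HTA.search(e.cmdline)):
            flagged.add(e.pid)
            findings.append({"pid": e.pid, "stage": "hta_loader",
                             "reason": "explorer.exe started mshta.exe with a remote .hta"})
        elif e.ppid in flagged:
            flagged.add(e.pid)   # descendants of the loader inherit suspicion
            findings.append({"pid": e.pid, "stage": "hta_child",
                             "reason": f"spawned by suspicious pid {e.ppid}"})
    return findings

# Constructed sample telemetry (not real captures): one suspicious chain, two benign events.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              'mshta.exe "https://files.example.invalid/notice.hta"'),      # loader
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c start "" C:\\Users\\Public\\decoy.pdf'),            # child of loader
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent(600, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\help.hta"'),               # local HTA, not matched
]

if __name__ == "__main__":
    for f in find_hta_chains(SAMPLE_EVENTS):
        print(f)
```

The rule deliberately keys on a remote `.hta` argument rather than on mshta.exe alone, because locally installed HTAs are common in enterprise tooling; a local-HTA variant of the chain would need a separate, noisier rule tuned to the environment. Inheriting suspicion through the process tree is what surfaces the later stages (decoy document, installer, the RAT itself) without writing a signature for each one.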
Ongoing Threats and Response
In parallel with the Windows attacks, a Linux variant employs a Go binary to install a Python-based Ares RAT via a shell script. Like Geta RAT, Ares RAT supports a wide array of commands to exfiltrate data and execute attacker-supplied scripts.
In another observed campaign, the Golang malware DeskRAT is distributed through a rogue PowerPoint Add-In. This tactic underscores the evolving arsenal of tools optimized for stealth and persistence. Documented by Sekoia and QiAnXin XLab, APT36’s use of DeskRAT highlights their ongoing efforts to target strategic Indian sectors.
These campaigns demonstrate a deliberate approach by well-resourced threat actors to compromise Indian defense and other critical sectors. By using defense-themed lures and impersonated official documents, they exploit trusted regional infrastructure to expand their reach beyond defense to policy, research, and critical infrastructure organizations.
As these threats evolve, it is crucial for targeted entities to bolster their cybersecurity defenses and remain vigilant against such sophisticated espionage tactics.
