APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities

Ravie Lakshmanan | Feb 11, 2026 | Cyber Espionage / Threat Intelligence

\"\"

Indian defense sector and government-aligned organizations have been targeted by numerous campaigns designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continuous access to infected machines.

The campaigns involve the use of malware families such as Geta RAT, Ares RAT, and DeskRAT, which are often associated with threat clusters aligned with Pakistan, known as SideCopy and APT36 (Transparent Tribe). SideCopy, operational since at least 2019, is believed to function as a subdivision of Transparent Tribe.

"These campaigns collectively reinforce a familiar yet evolving narrative," mentioned Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka. "Transparent Tribe and SideCopy are not reinventing espionage – they are refining it."

"By broadening cross-platform coverage, leveraging memory-resident techniques, and exploring new delivery methods, this ecosystem continues to operate under the radar while maintaining strategic direction."

All campaigns share a common trait of utilizing phishing emails with malicious attachments or embedded download links that direct potential targets to attacker-controlled infrastructure. These initial access points act as a conduit for Windows shortcuts (LNK), ELF binaries, and PowerPoint Add-In files that, upon execution, trigger a multi-stage process to deploy the trojans.

The malware families are crafted to provide persistent remote access, conduct system reconnaissance, gather data, execute commands, and support long-term post-compromise activities across both Windows and Linux environments.

One of the attack chains involves a malicious LNK file triggering "mshta.exe" to run an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript to decrypt an embedded DLL payload, which then processes an embedded data blob to write a decoy PDF to disk, connect to a hardcoded command-and-control (C2) server, and display the saved decoy file.

\"\"

Following the lure document display, the malware checks for installed security products and adjusts its persistence method before deploying Geta RAT on the compromised host. This attack chain was recently outlined by CYFIRMA and Seqrite Labs researcher Sathwik Ram Prakki in late December 2025.
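The LNK → mshta.exe → remote HTA stage described above is visible at process creation, and because the HTA is served from compromised legitimate domains, a behavioural rule is more reliable than domain reputation. The following detection sketch is an added example, not code from Aryaka, CYFIRMA or Seqrite; the event records, field names, paths and URLs in it are constructed for the example.

```python
import re

# Constructed process-creation records, shaped like a simplified Sysmon
# Event ID 1 (field names are this example's own, not a vendor schema).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",            # user double-clicked a shortcut
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://docs.example.invalid/brief/update.hta"},
    {"parent": r"C:\Windows\explorer.exe",            # local .hta launched by the user
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\brief.hta"},
    {"parent": r"C:\Windows\System32\msiexec.exe",    # installer running its own .hta
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\ProgramData\Vendor\setup.hta"},
    {"parent": r"C:\Windows\explorer.exe",            # benign: a document viewer
     "image": r"C:\Program Files\Acme\viewer.exe",
     "cmdline": "viewer.exe brief.pdf"},
]

# Remote script sources: http(s)/ftp URLs or UNC paths.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)
# Parents that indicate a user-launched shortcut or document, as in the LNK stage.
USER_PARENTS = {"explorer.exe", "winword.exe", "outlook.exe"}

def classify_mshta(event):
    """Return an alert dict when mshta.exe runs with a suspicious argument,
    otherwise None.  Remote sources are always high severity; a local .hta
    is medium when launched from a user-facing parent, low otherwise."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return None
    args = [a.strip('"') for a in event["cmdline"].split()[1:]]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if any(REMOTE_RE.search(a) for a in args):
        return {"severity": "high", "parent": parent,
                "reason": "mshta.exe fetching a remote HTA/script"}
    if any(a.lower().endswith(".hta") for a in args):
        sev = "medium" if parent in USER_PARENTS else "low"
        return {"severity": sev, "parent": parent,
                "reason": "mshta.exe executing a local .hta file"}
    return None

def scan(events):
    """Run the rule over a batch of events and return the alerts raised."""
    return [a for a in (classify_mshta(e) for e in events) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```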

Geta RAT offers various commands for system information collection, process enumeration, credential gathering, screenshot capture, file operations, shell command execution, and USB device data harvesting.

Running parallel to the Windows-focused campaign is a Linux variant that utilizes a Go binary to introduce a Python-based Ares RAT through a shell script fetched from an external server. Similar to Geta RAT, Ares RAT supports a wide array of commands for data harvesting and executing Python scripts or commands instructed by the threat actor.

Aryaka also noted another campaign where the Golang malware, DeskRAT, is distributed via a rogue PowerPoint Add-In file that executes embedded macros to establish communication with a remote server for malware retrieval. APT36’s adoption of DeskRAT was documented by Sekoia and QiAnXin XLab in October 2025.

"These campaigns highlight a well-equipped, espionage-oriented threat actor targeting Indian defense, government, and strategic sectors through defense-themed baits, forged official documents, and locally trusted infrastructure," stated the company. "The operations extend beyond defense to policy, research, critical infrastructure, and defense-related organizations within the same trusted network."

"The inclusion of DeskRAT alongside Geta RAT and Ares RAT showcases an evolving arsenal optimized for stealth, persistence, and sustained access."