Organizations associated with the Indian defense sector and government have been targeted by multiple campaigns designed to compromise Windows and Linux environments with remote access Trojans capable of stealing sensitive data and ensuring continuous access to infected machines.
The campaigns are characterized by the use of malware families such as Geta RAT, Ares RAT, and DeskRAT, which have been attributed to Pakistan-aligned threat groups tracked as SideCopy and APT36 (aka Transparent Tribe). SideCopy, which has been active since at least 2019, is assessed to operate as a sub-group of Transparent Tribe.
“Overall, these campaigns reinforce a familiar but evolving narrative,” said Aditya K. Sood, vice president of security engineering and AI strategy at Aryaka. “Transparent Tribe and SideCopy aren’t reinventing espionage – they’re refining it.”
“By expanding cross-platform coverage, leaning into memory-resident technologies, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining strategic focus.”
Common across all campaigns is the use of phishing emails that contain malicious attachments or embedded download links that lead potential targets to attacker-controlled infrastructure. These initial access mechanisms serve as a conduit for Windows Shortcut (LNK) files, ELF binaries, and PowerPoint add-in files that, when opened, launch a multi-stage process to deploy the Trojan.
The malware families are designed to provide persistent remote access, enable system reconnaissance, collect data, execute commands, and facilitate long-term post-compromise operations in both Windows and Linux environments.
One of the attack chains is as follows: A malicious LNK file invokes “mshta.exe” to execute an HTML application (HTA) file hosted on a compromised legitimate domain. The HTA payload contains JavaScript to decrypt an embedded DLL payload, which, in turn, processes an embedded data blob to write a decoy PDF to disk, connect to a hard-coded command-and-control (C2) server, and display the saved decoy file.
After the lure document is displayed, the malware checks installed security products and adapts its persistence method accordingly before deploying Geta RAT on the compromised host. It is worth noting that this attack chain was detailed by CYFIRMA and Seqrite Labs researcher Satwik Ram Prakki in late December 2025.
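The chain above (LNK double-click, then mshta.exe fetching a remote HTA) leaves a recognisable process-creation footprint. The following is an added example of a scoring heuristic over such telemetry; it is not code from the article or from any of the vendors it cites. The event layout (image, parent image, command line) is a constructed, Sysmon-style approximation, and the sample events, including the domain name, are made up for the demonstration.

```python
"""Score process-creation events for the LNK -> mshta.exe -> remote HTA pattern.

Added example, not from the article. Event fields mimic Sysmon EventID 1;
the sample events and the URL in them are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Any http(s) URL on the command line; a script host fetching code from the
# network is the key signal in the chain described in the article.
REMOTE_URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# explorer.exe is the parent when a user opens an LNK from a folder or mail client.
LNK_LAUNCHERS = {"explorer.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher means closer to the documented chain."""
    score = 0
    reasons: list[str] = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    if img not in SCRIPT_HOSTS:
        return score, reasons
    score += 1
    reasons.append(f"script host {img}")
    urls = REMOTE_URL.findall(ev.command_line)
    if urls:
        score += 2
        reasons.append("remote payload " + urls[0])
    if parent in LNK_LAUNCHERS:
        score += 1
        reasons.append(f"spawned by {parent} (consistent with an LNK launch)")
    if any(u.lower().split("?", 1)[0].endswith(".hta") for u in urls):
        score += 1
        reasons.append("HTA fetched over HTTP")
    return score, reasons


def detect(events: list[ProcEvent], threshold: int = 3) -> list[tuple[ProcEvent, list[str]]]:
    """Events whose score meets the threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one matching chain, one benign local HTA, one noise event.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta.exe http://compromised-site.invalid/docs/brief.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\App\installer.exe",
              r"mshta.exe C:\Program Files\App\setup.hta"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(basename(ev.image), "->", "; ".join(reasons))
```

The local-HTA event scores 1 and stays below the threshold, which keeps legitimate installers that use mshta.exe from firing; the remote fetch plus the explorer.exe parent is what pushes the first event to 5. A second stage worth correlating separately is the child process that mshta.exe spawns once the DLL has been unpacked.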
Geta RAT supports various commands to collect system information, enumerate running processes, terminate a specified process, list installed apps, gather credentials, retrieve and replace clipboard contents with attacker-supplied data, capture screenshots, perform file operations, run arbitrary shell commands, and retrieve data from a connected USB device.
Running parallel to this Windows-centric campaign is a Linux variant that uses a Go binary as the initial stage to deploy the Python-based Ares RAT via a shell script downloaded from an external server. Like Geta RAT, Ares RAT can run a variety of commands to collect sensitive data and execute Python scripts or commands issued by the threat actor.
Aryaka said it also observed another campaign in which the Golang malware DeskRAT is distributed via a rogue PowerPoint add-in file that runs an embedded macro to establish outbound communication with a remote server and deliver the malware. APT36’s use of DeskRAT was documented by Sekoia and QiAnXin XLab in October 2025.
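A PowerPoint add-in that carries a macro can be triaged statically before anyone opens it. The following is an added example of such a check, not code from the article or from Aryaka; it assumes the standard OOXML layout of a .ppam file (a ZIP package in which a VBA project is stored as ppt/vbaProject.bin and declared in [Content_Types].xml with the application/vnd.ms-office.vbaProject content type). The two sample packages are built in memory and are not real Office documents.

```python
"""Static triage of a PowerPoint add-in (.ppam) for an embedded VBA project.

Added example, not from the article. Assumes the standard OOXML package
layout; the sample packages below are constructed minimal stand-ins.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_addin(data: bytes) -> dict:
    """Report whether the package contains or declares a VBA project."""
    result = {
        "is_zip": False,
        "has_vba_part": False,
        "declares_vba_type": False,
        "parts": [],
        "suspicious": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an OOXML container at all; hand to other checks
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        # The VBA project is a binary part under ppt/ in macro-bearing add-ins.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # The content-types manifest also has to declare it for Office to load it.
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = VBA_CONTENT_TYPE in manifest
    result["suspicious"] = result["has_vba_part"] or result["declares_vba_type"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo; not a real Office file."""
    buf = io.BytesIO()
    manifest = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
    )
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            manifest += f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            # Placeholder bytes standing in for an OLE compound-file VBA project.
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro add-in", True), ("plain add-in", False)):
        print(label, "->", triage_addin(build_sample(flag))["suspicious"])
```

Checking both the part and the manifest entry matters: an attacker who strips one to evade a naive scanner still needs the other for Office to load the project, so a mismatch between the two is itself worth flagging. Real attachments should be read from the mail pipeline's quarantine rather than built as above.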
“These campaigns demonstrate a well-resourced, espionage-focused threat actor deliberately targeting Indian defence, government and strategic sectors through defence-themed lures, fake official documents and regionally trusted infrastructure,” the company said. “The activity extends beyond defense to policy, research, critical infrastructure and defence-adjacent organizations working within the same trusted ecosystem.”
“The deployment of DeskRAT, along with Geta RAT and Ares RAT, highlights an evolving toolkit optimized for privacy, persistence, and long-term accessibility.”