APT36 and SideCopy Target Indian Entities with Cross-Platform RATs

Indian defense sector organizations and government-aligned entities have been targeted by multiple sophisticated cyber campaigns designed to compromise both Windows and Linux systems. These attacks deploy remote access trojans (RATs) capable of stealing sensitive data and maintaining persistent access to infected machines.

The campaigns, attributed to the threat actors known as APT36 and SideCopy, are characterized by the use of malware families including Geta RAT, Ares RAT, and DeskRAT. Security researchers tracking the activity report that the attacks often begin with socially engineered emails containing malicious attachments or links.

Campaign Details and Malware Capabilities

Once executed, the malware establishes a connection to attacker-controlled servers, providing full remote control over the compromised system. The RATs possess extensive capabilities for data theft, including logging keystrokes, capturing screenshots, and exfiltrating documents and credentials.

The cross-platform nature of the attacks is a notable escalation, indicating the actors have developed or adapted tools to target the Linux environments commonly used in enterprise and government server infrastructure. This gives the actors a broader attack surface across critical organizations, since servers that were previously out of reach for Windows-only tooling can now be compromised as well.

Attribution and Historical Context

APT36, also tracked under names like Transparent Tribe and Mythic Leopard, is a threat group long assessed by cybersecurity firms as operating with interests aligned with Pakistan. The group has a historical pattern of targeting Indian government, military, and diplomatic personnel.

SideCopy is another actor known to target South Asian entities, often employing lure documents related to regional military or political themes. The convergence of tactics and targets in these latest campaigns suggests a shared focus on intelligence gathering from Indian strategic sectors.

Defensive Recommendations and Response

Security advisories recommend organizations implement stringent email filtering, application allowlisting, and regular patching of software. Network monitoring for unusual outbound connections to unknown domains is also advised, as this is a common indicator of RAT activity.

Officials have not released a public statement regarding the specific incidents. Standard procedure in such cases involves internal investigation by national cybersecurity agencies, followed by coordinated mitigation efforts with the affected entities.

The expected next steps include continued analysis by private security firms to uncover additional infrastructure and malware variants used in the campaigns. Affected organizations are likely conducting forensic audits to assess the full scope of data compromise and to strengthen their defensive postures against future, similar attacks.

Source: Multiple cybersecurity research reports