Critical infrastructure worldwide faces mounting threats from sophisticated, state-sponsored “espionage ecosystems.”
These well-funded organizations deploy various tools designed to disrupt essential services and gather intelligence.
Some launch distributed denial-of-service (DDoS) attacks against transport hubs and supply chains, while others seek geopolitical advantage by mining sensitive information and bypassing traditional security measures.
For over a decade, the Indian government and defense organizations have operated under constant digital surveillance.
The espionage ecosystem, notably Transparent Tribe (APT36) and the aligned SideCopy cluster, has continuously probed and adapted its methods.
Their primary objective remains unchanged: long-term intelligence collection through stealthy, resilient access.
Recent Campaign Activity
Over the past month, Aryaka Threat Research Labs observed multiple active campaigns targeting Indian defense and government organizations across Windows and Linux environments.
Windows Campaign: Attackers used phishing emails delivering LNK and HTA files that deployed GETA RAT, a .NET-based remote access trojan.
The infection chain abuses legitimate Windows components such as mshta.exe, together with XAML deserialization, to evade file-based detection.
Layered startup mechanisms ensure continued access even if disruption occurs, creating a durable foothold for extended reconnaissance.
Linux Campaign: A separate operation focused on Linux systems using a Go-based downloader to install ARES RAT, a Python-based remote access tool.
Once deployed, ARES RAT performs automated system profiling, recursive file enumeration, and structured data exfiltration.
Persistence is achieved through systemd user services, allowing the malware to survive reboots while blending into normal operations. This signals intent to maintain equal capability across platforms.
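As an added example (not code from the article, Aryaka, or the actor), the following Python audit flags systemd user units that show the pattern described for the Linux campaign: an interpreter-launched payload executing from a user-writable path. The sample unit texts and the heuristics are constructed assumptions.

```python
# Added example (not code from the article or the threat actor): flag systemd
# *user* units whose ExecStart launches an interpreter or runs from a
# user-writable path, the persistence pattern described for the Linux campaign.
# The unit texts and the heuristics below are constructed assumptions.
import configparser
from pathlib import Path

INTERPRETERS = {"python", "python3", "perl", "bash", "sh"}
# Locations a package-installed service would not normally execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/.local/", "/.cache/")

# Constructed sample units: one mimicking a script payload, one ordinary service.
SAMPLE_MALICIOUS = "[Service]\nExecStart=/usr/bin/python3 /home/user/.cache/agent.py\nRestart=always\n"
SAMPLE_BENIGN = "[Service]\nExecStart=/usr/bin/pipewire\nRestart=on-failure\n"

def parse_unit(text: str) -> configparser.ConfigParser:
    """Parse unit text; systemd keys are case-sensitive and use %-specifiers."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def unit_findings(text: str) -> list:
    """Indicators for one unit file; an empty list means nothing looked odd."""
    unit = parse_unit(text)
    exec_start = unit.get("Service", "ExecStart", fallback="")
    argv = exec_start.split() or [""]
    findings = []
    if Path(argv[0]).name in INTERPRETERS:
        findings.append("interpreter-launched payload")
    if any(d in exec_start for d in SUSPICIOUS_DIRS):
        findings.append("executes from user-writable path")
    return findings

def scan_user_units(base_dirs=None) -> dict:
    """Scan the per-user unit directories; returns {unit path: findings}."""
    base_dirs = base_dirs or [Path.home() / ".config/systemd/user", Path("/etc/systemd/user")]
    results = {}
    for base in map(Path, base_dirs):
        for unit_path in (base.glob("*.service") if base.is_dir() else ()):
            hits = unit_findings(unit_path.read_text(errors="replace"))
            if hits:
                results[str(unit_path)] = hits
    return results

if __name__ == "__main__":
    for path, hits in scan_user_units().items():
        print(path, "->", ", ".join(hits))
```

Run it under each interactive user account, since user units live in that account's home directory; a hit is a lead to triage, not proof of compromise.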
Emerging Threat: Desk RAT
Researchers also observed campaigns delivering Desk RAT, a Go-based remote access trojan distributed via malicious PowerPoint Add-In (PPAM) files. Desk RAT emphasizes host telemetry and real-time monitoring, collecting detailed system diagnostics and communicating via WebSocket-based command-and-control.
This design enables continuous surveillance on compromised hosts, reinforcing APT36’s long-term intelligence objectives.
These campaigns reveal how Transparent Tribe and SideCopy refine their espionage tactics.
By expanding cross-platform coverage, using memory-resident techniques, and experimenting with new delivery vectors, this ecosystem operates below detection thresholds while maintaining strategic focus.
For defenders, these are coordinated efforts within a mature threat ecosystem, not isolated incidents.
Detecting and disrupting such actors requires visibility across platforms, attention to behavioral signals, and the understanding that persistence, not speed, is the attacker's greatest weapon.