Do Son 
Attacker Email
A Pakistan-linked hacking group has broadened its campaign against Indian entities, deploying previously undocumented malware strains—CurlBack RAT and the cross-platform Spark RAT—according to cybersecurity specialists at SEQRITE, who observed the activity in December 2024.
Targets of these incursions include institutions within India’s railway sector, oil and gas industry, and Ministry of External Affairs, marking a clear expansion of objectives beyond the group’s earlier focus on defense organizations, academic institutions, and maritime facilities.
One notable evolution in their tactics is a shift from traditional HTA files to MSI installer packages as the primary delivery mechanism. This transition suggests a strategic attempt to bypass enhanced Windows security controls and reflects the growing technical sophistication of the threat actors.
The attacks are believed to be orchestrated by the SideCopy cluster, a subgroup operating under the broader APT36 umbrella, also known as Transparent Tribe. SideCopy derives its name from its mimicry of SideWinder, a rival threat group, adopting similar malware delivery techniques via HTA files and RTF documents hosted on preconfigured URLs.
Back in June 2024, SEQRITE had already tracked SideCopy’s deployment of obfuscated HTA scripts inspired by SideWinder. The group’s latest campaigns not only exhibit diversity in tactics but also in malware arsenal. In addition to Action RAT and ReverseRAT, SideCopy now utilizes Cheex—a utility designed to exfiltrate documents and images—alongside a USB data-harvesting tool and a customized variant of Geta RAT, capable of executing over 30 commands issued from a remote server.
Geta RAT itself draws functionality from the well-known AsyncRAT, including its ability to harvest credentials, profile data, and cookies from Chromium- and Firefox-based browsers. Notably, SideCopy’s infrastructure remains largely tailored to Windows systems, distinguishing it from APT36’s broader targeting of Linux environments.
The new wave of attacks relies heavily on phishing emails with attachments disguised as holiday schedules for railway personnel or cybersecurity advisories from state-run firms such as HPCL. One cluster is distributing Spark RAT—designed to operate on both Windows and Linux—while another is deploying CurlBack RAT, which is Windows-centric.
CurlBack RAT enables threat actors to gather system information, download files, execute arbitrary commands, escalate privileges, and enumerate user accounts. It is often used in tandem with Xeno RAT, a lightly obfuscated tool that manipulates strings through straightforward methods.
Overall, these campaigns illustrate the group’s growing operational maturity. The attackers now employ advanced techniques such as DLL sideloading, reflective loading, and AES decryption via PowerShell. To maintain stealth, they leverage fraudulent websites and compromised domains both for credential phishing and malware distribution.
