A threat actor with suspected ties to Pakistan has been observed expanding its cyberattacks to Indian sectors, utilizing various remote access trojans (RATs), including the well-known Xeno RAT, Spark RAT, and a previously undocumented malware family dubbed ‘CurlBack RAT’.
The group, tracked as SideCopy and suspected to be a sub-cluster of Transparent Tribe (APT36), has been active since at least 2019. The wave of attacks, spotted by cybersecurity firm SEQRITE in December 2024, targets Indian entities in the railway, oil and gas, and external affairs ministries.
SideCopy has evolved its tactics and expanded its arsenal. In past attacks the threat actor used obfuscated HTA files, a technique also observed in attacks attributed to another nation-state actor called ‘SideWinder’; those files contained links to RTF files, which are commonly associated with SideWinder's tactics.
The latest round of attacks saw the deployment of various RATs, including Action RAT, ReverseRAT, and the Cheex malware designed to steal documents and images. Additionally, SideCopy used a USB copier to siphon data from connected drives and a .NET-based Geta RAT, which executes up to 30 commands from a remote server. The malware is also able to steal browser data, including account information, profiles, and cookies from both Firefox and Chromium-based browsers.
The group has moved from using HTML Application (HTA) files to Microsoft Installer (MSI) packages as the primary method for deploying their malware, the researchers noted.
Two significant clusters of activity have been observed. One involves the deployment of Spark RAT, a cross-platform RAT capable of targeting both Windows and Linux systems, alongside CurlBack RAT, a new malware variant that can gather system information, download files, execute commands, escalate privileges, and list user accounts.
Another cluster uses decoy files to initiate a multi-step infection process that leads to the installation of Xeno RAT.
“The group has shifted from using HTA files to MSI packages as a primary staging mechanism and continues to employ advanced techniques like DLL side-loading, reflective loading, and AES decryption via PowerShell,” the report notes. “Additionally, they are leveraging customized open-source tools like Xeno RAT and Spark RAT, along with deploying the newly identified CurlBack RAT. Compromised domains and fake sites are being utilized for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance persistence and evade detection.”