The Hacker News reports that Indian defence sector and government-aligned organisations have been targeted by cross-platform campaigns using remote access trojans to steal data and maintain long-term access across Windows and Linux. The campaigns deploy malware families including Geta RAT, Ares RAT and DeskRAT, with SideCopy and APT36 (Transparent Tribe) often attributed as the threat clusters behind them; SideCopy has been active since at least 2019 and is viewed as a subdivision of Transparent Tribe.
Phishing emails with malicious attachments or embedded download links lead targets to attacker-controlled infrastructure, where initial access utilises Windows LNK files, ELF binaries and PowerPoint Add-Ins to trigger multi-stage payloads. Geta RAT runs on Windows, with capabilities to gather system information, enumerate processes, harvest credentials, capture screenshots and exfiltrate data, while a Linux variant uses a Go starter to drop a Python-based Ares RAT.
In one campaign described by Aryaka, DeskRAT is delivered via a rogue PowerPoint Add-In and a macro that contacts a remote server; CYFIRMA and Sathwik Ram Prakki have detailed the HTA chain used to deploy the malware, including memory-resident techniques and stealthy persistence. Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, notes that these campaigns reflect an evolving espionage toolkit that targets Indian defence and policy sectors through regionally trusted infrastructure.