RATS in the Machine reports a Pakistan-linked, three-pronged cyber assault on India led by the Transparent Tribe (APT36), targeting Indian defence and government sectors across Windows and Linux. One campaign uses GETA RAT, often attributed to the SideCopy subgroup of Transparent Tribe, while a separate Linux campaign deploys ARES RAT and a Go-based downloader, with Desk RAT observed as well.
Aryaka describes persistence as achieved through layered startup mechanisms and systemd user services, enabling long-term access and stealthy data collection via in-memory execution and exfiltration. Initial access is gained through phishing emails delivering weaponised attachments or embedded download links that lead to malicious LNK files, ELF binaries, HTA scripts, and PowerPoint add-ins, with execution and loader activity abusing living-off-the-land binaries such as mshta[.]exe and PowerShell.
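As an added defender-side example (not code from the Aryaka report, and the heuristics and sample unit files are constructed assumptions), the following script audits systemd user unit files, the persistence channel named above, and flags ExecStart lines that show common RAT persistence traits such as binaries staged in hidden or world-writable directories and restart-always units wanted by the login target.

```python
"""Audit systemd *user* unit files (e.g. ~/.config/systemd/user) for
persistence indicators. Illustrative example, not the report's tooling;
the patterns below are assumed heuristics, not confirmed IoCs."""
import re
from pathlib import Path

# Heuristics: commands and paths rarely seen in legitimate user services.
SUSPICIOUS = [
    (r"/(tmp|dev/shm|var/tmp)/", "executable staged in a world-writable dir"),
    (r"/\.(?!local/bin/)[^/\s]+/", "executable under a hidden directory"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped to a shell"),
    (r"\bbase64\b.*(-d|--decode)", "base64-decoded payload"),
    (r"\b(python3?|perl|bash|sh)\s+-c\b", "inline interpreter one-liner"),
]

def parse_unit(text):
    """Return {section: {key: value}} from INI-style unit text (last value wins)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit_unit(name, text):
    """Return a list of (unit, reason) findings for one unit file."""
    unit = parse_unit(text)
    exec_start = unit.get("Service", {}).get("ExecStart", "")
    findings = [(name, why) for pat, why in SUSPICIOUS if re.search(pat, exec_start)]
    # Started at login and always restarted: the classic persistence shape.
    if (findings and unit.get("Service", {}).get("Restart") == "always"
            and unit.get("Install", {}).get("WantedBy") == "default.target"):
        findings.append((name, "restart-always unit wanted by default.target"))
    return findings

def audit_directory(path):
    """Audit every *.service file under a user unit directory."""
    results = []
    for unit_file in sorted(Path(path).glob("*.service")):
        results.extend(audit_unit(unit_file.name, unit_file.read_text(errors="replace")))
    return results

# Constructed sample units for demonstration (not indicators from the report).
BENIGN = "[Unit]\nDescription=Sync\n[Service]\nExecStart=/usr/bin/syncthing\n[Install]\nWantedBy=default.target\n"
STAGED = ("[Unit]\nDescription=Update\n[Service]\nExecStart=/home/u/.cache/.x/agent --ws\n"
          "Restart=always\n[Install]\nWantedBy=default.target\n")
```

Run `audit_directory(Path.home() / ".config/systemd/user")` on a Linux host to review its user units; every hit is a lead to inspect, not a verdict.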
Desk RAT is Go-based and distributed via a malicious PowerPoint Add-In, collecting detailed system diagnostics and communicating with operators via WebSocket-based command-and-control to maintain situational awareness on compromised hosts. The campaigns are described as part of an expanding trend toward economic and state-enabled espionage.