APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities

Captain Awesome
Thread author
May 7, 2016
Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines.

The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (aka Transparent Tribe). SideCopy, active since at least 2019, is assessed to operate as a subdivision of Transparent Tribe.

"Taken together, these campaigns reinforce a familiar but evolving narrative," Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, said. "Transparent Tribe and SideCopy are not reinventing espionage – they are refining it."
 
This excerpt lines up with a common pattern in South Asia–focused espionage: repeated, incremental improvements to initial access, persistence, and data theft rather than “new” techniques.

Key takeaways (without over-trusting attribution)
News write-ups often assign campaigns to clusters like “SideCopy/APT36,” but attribution is rarely provable from public reporting alone. What matters operationally is that these campaigns typically aim for: (1) reliable initial access (often phishing or trojanized content), (2) stable persistence on endpoints, and (3) quiet collection/exfiltration.

Practical defensive actions for Windows + Linux environments
  • Harden initial access paths: enforce MFA everywhere possible (mail/VPN/SSO), block legacy auth, and tighten email controls (SPF/DKIM/DMARC + attachment/link detonation where available).
  • Reduce execution avenues (Windows): enable Attack Surface Reduction rules where feasible, restrict script execution (PowerShell/WSH), and use application control (WDAC/AppLocker) for high-risk user groups.
  • Limit persistence:
    • Windows: monitor Run keys, Scheduled Tasks, Services, WMI persistence, and new local admin creation.
    • Linux: monitor systemd unit creation/modification, cron changes, new SSH keys/authorized_keys edits, and suspicious binaries in /tmp, /var/tmp, user home hidden paths.
  • Credential theft resistance: local admin reduction, LAPS (or equivalent), disable/limit NTLM where possible, protect LSASS (Credential Guard on supported editions), and rotate SSH keys/force passphrase policies for high-value systems.
  • EDR + centralized logging: ensure Linux endpoints are not “second class.” Collect and alert on:
    • Process creation (including parent/child chains)
    • Network connections by process
    • Authentication logs (Windows Security, Linux auth.log/journal)
    • File creation in user profile/temp paths
  • Network containment: segment R&D/defense-adjacent networks, restrict outbound egress (especially from servers), and alert on unusual DNS/HTTPS beacons and new destinations.
  • IOC handling: if you extract hashes/domains from articles, treat them as starting points only—validate with multiple sources and your own telemetry. Don’t rely on single-blog indicators for allow/block decisions.

Operational recommendation
If this is being discussed for preparedness, the highest ROI is validating you can detect and respond to: phishing-to-RAT execution, new persistence creation, and quiet credential access—across both Windows and Linux. If anyone posts IOCs or TTP details from the referenced reports, they can be mapped cleanly to monitoring use-cases and SIEM/EDR alerting.

If this is connected to an active concern/incident, the safe next step is to isolate affected hosts, preserve logs/artifacts, and run full scans with reputable EDR/AV while checking for persistence on both OS types.
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

Initial Access
T1566.001 (Spearphishing Attachment) - ZIP archives containing malicious LNKs.

Execution
T1204.002 (Malicious File) - User clicks LNK.
T1059.005 (Visual Basic) - HTA scripts executed via mshta.exe.

Defense Evasion
T1036 (Masquerading) - LNK files mimic legitimate PDF icons.
T1027 (Obfuscated Files or Information) - Reversed C2 endpoints.

Persistence
T1547.001 (Registry Run Keys / Startup Folder) - LNK dropped in Startup.

Telemetry & Artifacts

Network IOCs (C2)
dns.wmiprovider[.]com (Hardcoded C2)
aeroclubofindia.co[.]in (Payload Staging/Compromised Site)

Filesystem Anchors
NCERT-Whatsapp-Advisory.pdf.lnk (Phishing Lure)
nikmights.msi (Installer Payload)
C:\ProgramData\PcDirvs\wininet.dll (Malicious DLL)
C:\ProgramData\PcDirvs\pcDirvs.exe (Loader)
iinneldc.dll (RAT Payload)

C2 Communication Patterns

The malware uses reversed HTTP endpoints to evade static detection: /retsiger (register), /taebtraeh (heartbeat), /dnammoc_teg (get_command).

Payload Characteristics

Adaptive Persistence

The malware checks for specific AV vendors (Kaspersky, Quick Heal, Avast, AVG, Avira) and alters its installation path or method (e.g., using Registry vs. Startup folder) to bypass detection.

Linux Track
Introduction of the "Adel" RAT indicates an expansion into Linux environments, likely targeting backend servers or workstations running non-Windows OS.

Remediation - THE ENTERPRISE TRACK (NIST CSF 2.0)

GOVERN (GV) – Crisis Management
  • Block all LNK, HTA, and MSI attachments at the email gateway immediately.
  • Issue an advisory to employees regarding "NCERT" or government-themed WhatsApp advisories delivered via email.

DETECT (DE) – Monitoring & Analysis
  • Hunt for process execution chains where mshta.exe spawns network connections to unknown external IPs.
  • Query SIEM for URL strings containing reversed keywords: retsiger, taebtraeh, dnammoc.
  • Scan endpoints for the directory C:\ProgramData\PcDirvs\ or files named nikmights.msi.

RESPOND (RS) – Mitigation & Containment
  • Isolate any host attempting to contact dns.wmiprovider[.]com.
  • If wininet.dll is found in a non-standard path (e.g., ProgramData), immediately suspend the parent process and capture memory for forensics.

RECOVER (RC) – Restoration
  • Reimage compromised hosts. Persistence mechanisms involving Registry modifications and Startup items may be difficult to fully eradicate manually.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
  • Do not open files ending in .lnk or .hta that arrive via email, even if they look like PDFs.
  • Update your Antivirus software immediately. This malware specifically looks for Quick Heal, Kaspersky, and Avast to try and bypass them; ensure your definitions are current to force detection.

Priority 2: Identity
  • If you opened a "Government Advisory" PDF recently that acted suspiciously (e.g., flashed a command prompt), change your passwords from a different, clean device.

Priority 3: Persistence
  • Check your Windows Startup folder:
    • Press Windows Key + R, type shell:startup, and press Enter.
    • Look for suspicious shortcuts (LNK files) or scripts you did not create.

Hardening & References

Baseline

Restrict mshta.exe and wscript.exe execution via AppLocker or WDAC if not required for business operations.

Framework
NIST SP 800-61r3 (Incident Handling)
MITRE ATT&CK T1566.

Context
This campaign specifically exploits the trust in government advisories (e.g., PKCERT/NCERT) to deliver payloads. Verification of the sender's actual email address (not just the display name) is critical.

Source

The Hacker News
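An added detection example (my code, not from the post above or the referenced reports) that runs the DETECT hunts over constructed proxy log lines: it reverses the plain keywords once so /retsiger, /taebtraeh and /dnammoc_teg are matched in any path position, refangs the article's defanged C2 host before comparing, and flags mshta.exe-originated traffic. The log format, IP addresses and every hostname other than the article's C2 are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The RAT reverses its HTTP verbs; reverse them once here so the hunt reads
# in plain spelling (register -> retsiger, heartbeat -> taebtraeh, ...).
C2_KEYWORDS = ("register", "heartbeat", "get_command")
REVERSED_SEGMENTS = {kw[::-1]: kw for kw in C2_KEYWORDS}
# Hardcoded C2 host exactly as defanged in the article; refanged at match time.
DEFANGED_C2_HOSTS = {"dns.wmiprovider[.]com"}
# LOLBins that should rarely originate outbound traffic from a workstation.
SUSPECT_NET_PROCS = {"mshta.exe", "wscript.exe"}

# Constructed sample log (not real telemetry): "<ts> <src_ip> <process> <method> <url>"
SAMPLE_PROXY_LOG = """\
2025-01-10T09:12:01Z 10.1.2.30 chrome.exe GET https://intranet.example.invalid/register
2025-01-10T09:12:07Z 10.1.2.31 pcDirvs.exe POST http://dns.wmiprovider.com/retsiger
2025-01-10T09:12:37Z 10.1.2.31 pcDirvs.exe GET http://dns.wmiprovider.com/taebtraeh
2025-01-10T09:13:07Z 10.1.2.31 pcDirvs.exe GET http://dns.wmiprovider.com/dnammoc_teg
2025-01-10T09:14:00Z 10.1.2.32 mshta.exe GET http://staging.example.invalid/adv.hta
malformed line that the parser must skip, not crash on
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+)$")

def refang(indicator: str) -> str:
    """Turn the article's 'dns.wmiprovider[.]com' form into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def reversed_keyword(path: str) -> "str | None":
    """Plain keyword if the URL's last path segment is a reversed C2 verb, else None."""
    segment = path.rstrip("/").rsplit("/", 1)[-1].lower()
    return REVERSED_SEGMENTS.get(segment)

def hunt(log_text: str) -> list:
    """One finding per suspicious line, listing every rule that fired on it."""
    c2_hosts = {refang(h) for h in DEFANGED_C2_HOSTS}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the hunt
        url = urlsplit(m["url"])
        reasons = []
        if kw := reversed_keyword(url.path):
            reasons.append(f"reversed C2 endpoint {url.path} ({kw})")
        if (url.hostname or "").lower() in c2_hosts:
            reasons.append(f"known C2 host {url.hostname}")
        if m["proc"].lower() in SUSPECT_NET_PROCS:
            reasons.append(f"{m['proc']} initiated network traffic")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "proc": m["proc"], "reasons": reasons})
    return findings
```

Against the sample log, `hunt(SAMPLE_PROXY_LOG)` returns four findings: the three pcDirvs.exe lines (reversed endpoint plus known C2 host) and the mshta.exe line; the benign /register request does not fire because only the reversed spelling is matched.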
 
The real risk for the user arises when opening attachments or links that look routine but actually hide RATs like Geta, Ares, or DeskRAT. Defense remains the classic approach: careful with credentials and avoiding dubious executions. It's like maintaining a castle with old walls: attackers don't invent new catapults, but they keep striking the same stones until one gives way. 🏰🛡️⚔️
 
