Indian government and defence organizations are facing a fresh wave of highly targeted cyber espionage campaigns from the Transparent Tribe (APT36) threat group, with attackers now using cross-platform malware, memory-resident execution and stealthy command-and-control channels to maintain long-term access across both Windows and Linux systems, according to new research from Aryaka Threat Research Labs.
The report details multiple active campaigns observed over the past month that specifically target defence, government and strategic infrastructure-linked entities in India, using phishing emails, weaponized documents and compromised Indian websites to deliver remote access trojans and establish persistent footholds.
Multiple active campaigns targeting defence and government
Researchers say the Transparent Tribe (APT36) and related SideCopy cluster continue to operate as a sustained espionage ecosystem focused on Indian government, defence and strategic sectors. The latest campaigns show expanded tooling, multi-stage infection chains and improved evasion techniques.
The attacks primarily begin with phishing emails carrying malicious attachments or links that lead to weaponized shortcut files, scripts, Linux binaries and PowerPoint add-ins disguised as legitimate official documents. Lure themes heavily reference defence administration, border infrastructure and government workflows to increase execution success among targeted officials.
According to the report, the campaigns are designed for low-noise, high-trust intrusion rather than mass infection, with emphasis on persistence and long-term intelligence collection.
Compromised Indian websites used for malware delivery
One notable tactic is the use of compromised legitimate Indian websites to host malicious payloads, allowing attackers to piggyback on domain trust. Researchers observed malware delivery components hosted on Indian news and social initiative sites, including innlive.in and sifi.co.in.
This approach helps bypass basic reputation filters and increases the likelihood that targets will not suspect malicious activity when files are fetched during the infection chain.
Windows attacks use fileless and in-memory execution
In Windows-focused campaigns, attackers used phishing-delivered LNK shortcut files and HTA scripts to trigger multi-stage infection chains that deploy GETA RAT, a .NET-based remote access trojan associated with the SideCopy cluster.
The execution chain abuses built-in Windows tools such as mshta.exe and relies on XAML deserialization and in-memory payload loading, avoiding writing the main payload to disk. This fileless-style execution is specifically designed to evade signature-based detection.
Once active, the malware establishes persistence through startup folder artifacts and registry run keys, adapts behavior based on installed antivirus products, and connects to command-and-control servers over custom TCP protocols instead of standard web protocols.
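The execution and persistence behaviours described above (a script host such as mshta.exe launched from a user-facing application, a value written under a CurrentVersion\Run key, a file dropped into the Startup folder) are each visible in Sysmon telemetry. The following Python is an added detection example written for this article; it is not code from Aryaka's report or from the malware. The events, paths, file names and SID are constructed sample data, and the lists of script hosts, user-facing launchers and user-writable directories are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not from the report).
# EventID 1 = process create, 11 = file create, 13 = registry value set;
# field names follow Sysmon's schema. Paths, user name and SID are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\notice.hta"'},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "winword.exe /n"},
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Assumed lists; extend them to match the environment being monitored.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
USER_FACING = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image, detail) tuples for each behaviour the report names."""
    findings = []
    for e in events:
        image = basename(e.get("Image", ""))
        if e["EventID"] == 1:
            # Living-off-the-land script host spawned from a user application
            parent = basename(e.get("ParentImage", ""))
            if image in SCRIPT_HOSTS and parent in USER_FACING:
                findings.append(("script_host_from_user_app", image, e.get("CommandLine", "")))
        elif e["EventID"] == 13:
            # Registry run-key persistence; rank by who wrote it and where it points
            target = e.get("TargetObject", "")
            if RUN_KEY.search(target):
                details = e.get("Details", "")
                suspicious = image in SCRIPT_HOSTS or USER_WRITABLE.search(details)
                rule = "run_key_suspicious" if suspicious else "run_key_informational"
                findings.append((rule, image, f"{target} -> {details}"))
        elif e["EventID"] == 11:
            # Startup-folder persistence
            target = e.get("TargetFilename", "")
            if STARTUP_DIR.search(target):
                findings.append(("startup_folder_write", image, target))
    return findings


def correlate(findings):
    """Images that both ran as a script host from a user app and wrote persistence."""
    rules = defaultdict(set)
    for rule, image, _ in findings:
        rules[image].add(rule)
    return sorted(img for img, r in rules.items()
                  if "script_host_from_user_app" in r
                  and r & {"run_key_suspicious", "startup_folder_write"})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("script host with persistence:", correlate(SAMPLE_EVENTS and found))
```

Run against the sample, detect() yields four findings (the mshta.exe launch, its run-key write, its Startup-folder drop and an informational run-key write by msiexec.exe), and correlate() narrows them to mshta.exe, the process that both executed as a script host and installed persistence. In production the same two functions would consume parsed Sysmon events from the SIEM rather than the inline list.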
The GETA RAT capabilities observed include system reconnaissance, process control, credential harvesting, screenshot capture, clipboard access, file exfiltration and remote command execution. It also includes USB monitoring functions that automatically copy documents from inserted removable drives into hidden staging folders.
Linux systems targeted with Go and Python RATs
In parallel, researchers identified Linux-targeting campaigns using a Go-based downloader that installs ARES RAT, a Python-based remote access tool previously linked to Transparent Tribe operations.
The Linux infection chain uses packed Go binaries as loaders, creates hidden directories, installs persistence through systemd user services and performs automated system profiling and recursive file enumeration. Stolen data is exfiltrated through HTTP POST requests to attacker-controlled servers.
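Persistence through systemd user services leaves a unit file under the user's own configuration directory, which makes it straightforward to audit. The following Python is an added example written for this article, not code from the report or the malware: it parses every .service unit in a directory and flags units whose ExecStart points into a temporary directory or into a hidden directory. The three unit files are constructed sample data written to a temporary directory; the temp-directory list and the allowlist of legitimate hidden directories (here only .local, as in ~/.local/bin) are assumptions to adjust per environment.

```python
import configparser
import os
import tempfile

# Directories from which a user unit's ExecStart should rarely run (assumption).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Hidden directories that legitimately hold executables in a home directory
# (allowlist assumed for this example, e.g. ~/.local/bin).
ALLOWED_HIDDEN = {".local"}


def exec_path(exec_start: str) -> str:
    """argv[0] of an ExecStart= value, minus systemd's optional prefix characters."""
    tokens = exec_start.strip().split()
    return tokens[0].lstrip("-@:+!") if tokens else ""


def hidden_components(path: str):
    """Path components that are hidden (dot-prefixed) and not allowlisted."""
    return [p for p in path.split("/")
            if p.startswith(".") and p not in (".", "..") and p not in ALLOWED_HIDDEN]


def scan_user_units(unit_dir: str):
    """Return (unit name, ExecStart binary, reasons) for each suspicious unit."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str  # unit keys are case-sensitive; keep them as written
        cp.read(os.path.join(unit_dir, name))
        path = exec_path(cp.get("Service", "ExecStart", fallback=""))
        reasons = []
        if path.startswith(TEMP_DIRS):
            reasons.append("temp_dir")
        if hidden_components(path):
            reasons.append("hidden_dir")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def build_demo_dir() -> str:
    """Write constructed sample units (one benign, two suspicious) to a temp dir."""
    d = tempfile.mkdtemp(prefix="sysd-user-demo-")
    units = {
        "benign-sync.service":
            "[Unit]\nDescription=Constructed benign unit\n\n[Service]\n"
            "ExecStart=/usr/bin/rsync -a /home/alice/docs /home/alice/backup\n\n"
            "[Install]\nWantedBy=default.target\n",
        "update-check.service":
            "[Unit]\nDescription=Constructed suspicious unit\n\n[Service]\n"
            "ExecStart=/home/alice/.cache/.sys/updater\nRestart=always\nRestartSec=30\n\n"
            "[Install]\nWantedBy=default.target\n",
        "shm-runner.service":
            "[Unit]\nDescription=Constructed suspicious unit\n\n[Service]\n"
            "ExecStart=/dev/shm/.r/run.sh\n\n[Install]\nWantedBy=default.target\n",
    }
    for name, body in units.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for finding in scan_user_units(demo):
        print("demo:", finding)
    # systemd's real per-user unit directory, scanned when present
    real = os.path.expanduser("~/.config/systemd/user")
    if os.path.isdir(real):
        for finding in scan_user_units(real):
            print("live:", finding)
```

On the constructed units the scanner reports shm-runner.service (temporary and hidden directory) and update-check.service (hidden directory) and stays silent on the rsync unit. The same scan should also cover the system-wide unit directories and the enabled-state symlinks, which this example omits.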
A decoy PDF is opened for the victim while background malicious activity continues, reinforcing the social engineering cover.
Malicious PowerPoint add-ins deploy new Desk RAT
A third campaign chain uses malicious PowerPoint Add-In files (PPAM) to deploy a newer Go-based tool dubbed Desk RAT. The lure document referenced Indian border infrastructure projects and defence terminology to appear credible to targeted users.
The add-in runs embedded macros that download password-protected archives from defence-themed lookalike domains and execute the RAT payload.
Desk RAT emphasizes system diagnostics, telemetry collection and real-time host monitoring. It establishes persistence by copying itself into system directories and creating registry autorun entries.
Unlike the other families, Desk RAT uses WebSocket-based command-and-control communications, maintaining interactive sessions with periodic heartbeat messages and structured telemetry exchanges. Operators can browse files, execute payloads and run commands remotely over this channel.
Detectable patterns despite encryption
Although payloads and command traffic are encrypted, Aryaka researchers note that the malware shows consistent behavioral patterns that defenders can monitor. These include fixed-size encrypted command packets, regular beacon timing intervals and long-lived outbound connections over non-standard ports and protocols.
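The fixed-size packets and regular beacon timing noted here, and the periodic WebSocket heartbeats described for Desk RAT above, are the kind of regularity that can be scored from connection metadata without decrypting anything. The following Python is an added example written for this article, not code from the report: it groups per-connection records by (source, destination, port), measures the jitter of the inter-connection intervals and how uniform the byte counts are, and flags sessions that are too regular to be human-driven. The flow records are constructed sample data shaped like Zeek conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes); the thresholds and the list of common ports are assumptions to tune per network.

```python
import statistics
from collections import Counter, defaultdict

# Constructed per-connection records (sample data, not from the report):
# (timestamp seconds, source host, destination host, destination port, bytes sent)
BASE = 1700000000
SAMPLE_FLOWS = [
    # 10.0.0.5 connects to 203.0.113.10:4444 about once a minute, 256 bytes each time
    *[(BASE + t, "10.0.0.5", "203.0.113.10", 4444, 256)
      for t in (0, 60, 121, 180, 241, 300, 359, 420)],
    # the same host browsing 198.51.100.20:443 at irregular intervals and sizes
    *[(BASE + t, "10.0.0.5", "198.51.100.20", 443, n)
      for t, n in zip((0, 3, 45, 50, 51, 130, 300, 302),
                      (517, 1290, 402, 8831, 615, 2201, 733, 1107))],
    # too few connections to judge; skipped by the minimum-count rule
    (BASE + 10, "10.0.0.7", "198.51.100.30", 8443, 100),
    (BASE + 500, "10.0.0.7", "198.51.100.30", 8443, 100),
]

# Ports where periodic traffic is common enough to need extra context (assumption).
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}


def profile(flows, min_conns=6):
    """Per-session timing and size statistics for sessions with enough connections."""
    sessions = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        sessions[(src, dst, dport)].append((ts, nbytes))
    out = {}
    for key, recs in sessions.items():
        if len(recs) < min_conns:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(intervals)
        # coefficient of variation: near 0 means a fixed sleep between beacons
        cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
        sizes = Counter(n for _, n in recs)
        # share of connections that sent the single most common byte count
        size_ratio = sizes.most_common(1)[0][1] / len(recs)
        out[key] = {
            "count": len(recs),
            "mean_interval": mean,
            "cv": cv,
            "size_ratio": size_ratio,
            "nonstandard_port": key[2] not in COMMON_PORTS,
        }
    return out


def detect_beacons(flows, max_cv=0.2, min_size_ratio=0.8, min_conns=6):
    """Sessions with low timing jitter and near-constant payload size."""
    hits = []
    for key, p in profile(flows, min_conns).items():
        if p["cv"] <= max_cv and p["size_ratio"] >= min_size_ratio:
            hits.append((key, p))
    return hits


if __name__ == "__main__":
    for key, p in detect_beacons(SAMPLE_FLOWS):
        src, dst, port = key
        print(f"{src} -> {dst}:{port}  n={p['count']}  every ~{p['mean_interval']:.0f}s  "
              f"jitter cv={p['cv']:.3f}  same-size ratio={p['size_ratio']:.2f}  "
              f"non-standard port={p['nonstandard_port']}")
```

On the sample data only the 203.0.113.10:4444 session is flagged: eight connections, a mean gap of 60 seconds with a coefficient of variation near 0.017, every connection carrying 256 bytes, on a non-standard port. The browsing session to port 443 has jitter well above 1 and no dominant size, and the two-connection session is skipped. Real beaconing malware often adds randomised jitter, so the thresholds should be treated as a starting point and combined with connection duration for long-lived channels such as the WebSocket sessions described above.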
The report concludes that while APT36’s tooling is becoming more stealthy and modular, its operational patterns — including phishing-led entry, living-off-the-land execution and predictable beacon behavior — still provide detection opportunities for network and security teams.
The campaigns reinforce that Indian defence, government and defence-adjacent organizations remain a priority espionage target set, with attackers continuing to refine tradecraft for persistence and covert data collection rather than disruptive attacks.