CYBERSECURITY - NEWSBYTES
Pakistan’s SideCopy APT36 Expands Campaign Across India
September 2025 • High
Overview
Between December 2024 and April 2025, SEQRITE attributed a series of cyberattacks on India's railway, oil and gas, and external affairs ministries to a Pakistan-linked threat group operating sub-clusters such as SideCopy and APT36. These adversaries deployed advanced RAT families like Xeno RAT, Spark RAT, and CurlBack RAT, marking expanded campaigns beyond previous defense-focused activity.
Background / Context
APT36 (Transparent Tribe) is known for cyber-espionage targeting South Asian military and government sectors. SideCopy, a sub-cluster of APT36, broadened operations from government and defense to national infrastructure entities, using phishing lures resembling official documents and sector advisories to infiltrate critical systems.
Timeline of Events
| Date | Event |
| --- | --- |
| June 2024 | SideCopy launches obfuscated HTA attacks mimicking SideWinder campaigns |
| Dec 2024 | SEQRITE detects attacks on Indian railway, oil/gas, and external affairs ministries |
| Early 2025 | Shift from HTA files to MSI package-based malware deployment |
| Apr 2025 | Discovery of CurlBack RAT and wider attacks confirmed |
Technical Details
- Attack Vector: Phishing emails with malicious HTA/MSI attachments.
- Techniques Used: DLL side-loading, reflective loading, PowerShell AES decryption.
- Targets: Government and critical infrastructure systems (Windows and Linux).
- Payloads: CurlBack RAT, Spark RAT, Xeno RAT, ReverseRAT, Geta, Cheex, and USB stealer variants.
- Data Compromised: Documents, credentials, browser data, and sensitive images.
Impact Assessment
- Multiple Indian ministries targeted; extent undisclosed.
- High national security and operational integrity risk.
- Espionage-level exposure of diplomatic communications.
Response and Mitigation
- Indian CERT, SEQRITE, and partners strengthened endpoint detection.
- Security advisories issued on SideCopy/APT36 activity.
- Incident response guided by behavioral analytics and proactive defense updates.
Attribution
Attribution confirmed to SideCopy (APT36), based on code reuse, TTP overlap, and shared payloads aligned with Pakistan-linked APT clusters.
Expert Commentary
Researchers emphasize the advancing sophistication of SideCopy campaigns and call for greater vigilance across critical infrastructure and defense-adjacent sectors.
Lessons Learned / Recommendations
- Enforce anti-phishing measures and restrict unsigned MSI execution.
- Perform regular patching and security audits for cross-platform RAT detection.
- Isolate sensitive systems, and employ behavioral monitoring and PowerShell control policies.
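The technical details above name two behaviours that behavioral monitoring can key on without signatures for any particular RAT: a PowerShell script block that decrypts AES material and then loads the result reflectively, and an MSI package launched from a phishing chain (a script host such as mshta.exe spawning msiexec.exe, or a package sitting in a user-writable path). The triage logic below is an added example written for this brief, not code from SEQRITE or any of the cited reports. The event dictionaries are constructed and deliberately simplified (a 4104-style script-block record and a process-creation record), not a real vendor schema; the indicator strings and rule names are the author's assumptions.

```python
"""Triage constructed Windows telemetry for TTPs named in the advisory:
PowerShell AES decryption feeding a reflective load, and MSI delivery via a
script host or a user-writable path. Added example, simplified event shapes."""
import re

# Indicators that a script block decrypts AES material (assumed indicator set).
AES_PATTERNS = [
    r"Cryptography\.Aes",      # Aes, AesManaged, AesCryptoServiceProvider
    r"CreateDecryptor\(",
    r"TransformFinalBlock\(",
]
# Indicators that bytes are loaded into memory instead of written to disk.
REFLECTIVE_LOAD_PATTERNS = [
    r"\[System\.Reflection\.Assembly\]::Load\(",
    r"\[Reflection\.Assembly\]::Load\(",
]
# Package path under a per-user temp or download directory.
USER_WRITABLE_PATH = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
# Parents that should not normally be installing software (assumed list).
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe",
                       "winword.exe", "excel.exe", "outlook.exe"}

# Constructed sample events; hosts, paths and script text are made up.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws-01",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"id": 4104, "host": "ws-02",
     "script": "$k=[Convert]::FromBase64String($b);"
               "$a=[System.Security.Cryptography.Aes]::Create();"
               "$d=$a.CreateDecryptor($k,$iv);"
               "$bytes=$d.TransformFinalBlock($c,0,$c.Length);"
               "[System.Reflection.Assembly]::Load($bytes)"},
    # Benign AES use: decrypts a config file to disk, never loads it.
    {"id": 4104, "host": "ws-05",
     "script": "$a=[System.Security.Cryptography.Aes]::Create();"
               "$d=$a.CreateDecryptor($k,$iv);"
               "Set-Content cfg.json ($d.TransformFinalBlock($c,0,$c.Length))"},
    {"id": 1, "host": "ws-03",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\a\\AppData\\Local\\Temp\\advisory.msi /qn"},
    {"id": 1, "host": "ws-04",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "msiexec.exe /i C:\\Software\\vendor.msi"},
]


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def ps_aes_decrypt_then_load(script: str) -> bool:
    """True only when decryption AND an in-memory load co-occur in one block.
    Requiring both keeps ordinary AES use (ws-05) out of the alert queue."""
    return _any(AES_PATTERNS, script) and _any(REFLECTIVE_LOAD_PATTERNS, script)


def _is_msiexec(event) -> bool:
    return event.get("image", "").lower().endswith("\\msiexec.exe")


def msiexec_spawned_by_script_host(event) -> bool:
    parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
    return _is_msiexec(event) and parent in SCRIPT_HOST_PARENTS


def msiexec_package_in_user_path(event) -> bool:
    return _is_msiexec(event) and bool(
        USER_WRITABLE_PATH.search(event.get("cmdline", "")))


def triage(events):
    """Return (host, rule) findings in event order; one event may hit several rules."""
    findings = []
    for ev in events:
        if ev["id"] == 4104 and ps_aes_decrypt_then_load(ev.get("script", "")):
            findings.append((ev["host"], "powershell_aes_decrypt_reflective_load"))
        if ev["id"] == 1:
            if msiexec_spawned_by_script_host(ev):
                findings.append((ev["host"], "msiexec_spawned_by_script_host"))
            if msiexec_package_in_user_path(ev):
                findings.append((ev["host"], "msiexec_package_in_user_writable_path"))
    return findings


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The two co-occurrence requirements are the point: AES decryption alone and `Assembly::Load` alone are both common in legitimate administration, so each rule fires only on the combination the advisory describes, and the MSI rules fire on where the package came from rather than on its name. Script-block logging (event 4104) must be enabled on endpoints for the first rule to have anything to read, which is the concrete form the "PowerShell control policies" recommendation takes.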
References
- The Hacker News, “Pakistan-Linked Hackers Expand Targets in India” (Apr 2025).
- SEQRITE and CERT-In Reports (Dec 2024 – Apr 2025).
- FireEye, SideWinder, and Spark RAT advisories.