RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India
Briefly

"One active campaign employs GETA RAT (often specifically attributed to the SideCopy subgroup of Transparent Tribe). It is a dot-NET RAT that abuses legitimate Windows components (including mshta.exe, XAML deserialization, and in-memory payload execution) to avoid signature-based detection. Persistence is achieved by layered startup mechanisms that ensure continued access. "The result," writes Aditya Sood, VP of security engineering and AI strategy at Aryaka, in a blog accompanying the report, "is a lightweight but durable foothold, well-suited for extended reconnaissance and intelligence gathering.""
"A separate campaign targets Linux environments with ARES RAT and system-level persistence. ARES, a Python-based tool long associated with Transparent Tribe, uses a Go-based downloader. When deployed, it performs system profiling, recursive file enumeration, and structured data exfiltration. "Persistence was achieved through systemd user services, allowing the malware to survive reboots while blending into normal system operations," writes Sood. Aryaka has also detected Transparent Tribe campaigns using a newer and emerging tool: Desk RAT. This is Go-based and distributed via a malicious PowerPoint Add-In."
Multiple espionage campaigns attributed to Pakistan-linked Transparent Tribe (APT36) target Indian government and defense organizations on Windows and Linux. One Windows campaign deploys GETA RAT, a .NET RAT that abuses mshta.exe, XAML deserialization, and in-memory payload execution to evade signature-based detection, and relies on layered startup mechanisms for persistence, giving the operators a lightweight, durable foothold for extended reconnaissance. A Linux campaign uses ARES RAT, a Python-based tool delivered by a Go downloader, which profiles the system, enumerates files recursively, and exfiltrates structured data while persisting through systemd user services. A newer, Go-based Desk RAT is distributed via a malicious PowerPoint Add-In and uses WebSocket-based C2 for continuous diagnostics.
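Two of the behaviours named above (mshta.exe being used as a launcher on Windows, and persistence through systemd user services on Linux) are the kind of thing a defender can triage directly from telemetry. The script below is an added example and is not code from the SecurityWeek article, from Aryaka's report, or from any of the malware families described: every process event and unit file in it is constructed for illustration, the field names follow Sysmon conventions, and the path and parent-process heuristics are the editor's assumptions rather than Aryaka's detection rules.

```python
"""Triage helpers for two behaviours described in the Transparent Tribe summary.

Added example with constructed sample data; the heuristics are assumptions,
not published detection content from Aryaka or SecurityWeek.
"""
import re
import shlex

# Constructed Windows process-creation events (Sysmon-style field names).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invite.hta"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:eval("...")',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed heuristics: Office parents, user-writable directories, script protocols / URLs.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
SCRIPT_OR_URL = re.compile(r"\b(javascript|vbscript):|https?://", re.I)


def find_suspicious_mshta(events):
    """Return (event_index, reason) for mshta.exe launches that match the heuristics."""
    hits = []
    for i, ev in enumerate(events):
        if not ev.get("Image", "").lower().endswith("\\mshta.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if SCRIPT_OR_URL.search(cmd):
            hits.append((i, "mshta with inline script or remote URL"))
        elif USER_WRITABLE.search(cmd):
            hits.append((i, "mshta running .hta from a user-writable path"))
        elif parent in OFFICE_PARENTS:
            hits.append((i, f"mshta spawned by Office process {parent}"))
    return hits


# Constructed systemd user units, as they might sit under ~/.config/systemd/user/.
SAMPLE_USER_UNITS = {
    "syncthing.service": """[Unit]
Description=Syncthing

[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
Restart=on-failure

[Install]
WantedBy=default.target
""",
    "dbus-helper.service": """[Unit]
Description=D-Bus helper

[Service]
ExecStart=/home/alice/.cache/.x/updater --bg
Restart=always

[Install]
WantedBy=default.target
""",
}

# Assumed allow-list of package-managed locations for a user service binary.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/opt/")


def exec_start_binary(unit_text):
    """Return the executable from the unit's ExecStart= line ('' if absent)."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            value = line[len("ExecStart="):].lstrip("-@:+!")  # strip systemd exec prefixes
            return shlex.split(value)[0] if value else ""
    return ""


def find_suspicious_user_units(units):
    """Return (unit_name, reason) for units whose binary lives outside trusted paths."""
    hits = []
    for name, text in units.items():
        exe = exec_start_binary(text)
        if exe and not exe.startswith(TRUSTED_PREFIXES):
            hits.append((name, f"ExecStart outside trusted paths: {exe}"))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious_mshta(SAMPLE_PROCESS_EVENTS):
        print(f"[windows] event {idx}: {why}")
    for unit, why in find_suspicious_user_units(SAMPLE_USER_UNITS):
        print(f"[linux] {unit}: {why}")
```

On a real host the Linux half would read the unit files from `~/.config/systemd/user/` for each account (and the output of `systemctl --user list-unit-files`), and the Windows half would consume Sysmon event ID 1 or EDR process-creation records; the allow-list of trusted prefixes is the first thing to tune per environment.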
Read at SecurityWeek