Shadow Networks: Pakistani Cyber Spies Deploy Sophisticated RATs Against India’s Critical Systems
Subtitle: A wave of cross-platform cyber-espionage campaigns leverages advanced remote access trojans to infiltrate Indian defense and government sectors.
It began, as so many modern espionage tales do, with a simple email. But behind the mundane façade of official-looking attachments, Indian defense and government-aligned organizations have found themselves in the crosshairs of a stealthy and relentless digital assault - one that spans both Windows and Linux, and is engineered for persistent, silent access. The architects: Pakistan-aligned threat groups APT36 (Transparent Tribe) and their offshoot, SideCopy. Their weapons: a new generation of cross-platform Remote Access Trojans (RATs) designed to exfiltrate secrets while staying under the radar.
The recent campaigns, uncovered by security researchers at Aryaka, CYFIRMA, and others, reveal a familiar yet evolving playbook. The threat actors are not rewriting the rules of cyber espionage - they’re perfecting them. By expanding their reach across operating systems, employing memory-resident malware, and experimenting with new delivery vectors, these groups are achieving a level of stealth that allows them to operate “below the noise floor,” as Aryaka’s Aditya K. Sood describes.
The attack typically starts with a phishing email, baited with defense-themed lures or forged official documents. Once the recipient clicks a malicious attachment or embedded link, the infection chain springs into action. For Windows targets, a specially crafted LNK file triggers the execution of a hidden HTML Application (HTA). This, in turn, decrypts and runs a malicious DLL, which writes a convincing decoy document to disk - while quietly connecting to a command-and-control server and deploying the Geta RAT.
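As an added illustration (not code from the article or from the Aryaka or CYFIRMA reports), the following detector walks constructed process-creation log lines in a hypothetical key=value format and flags the Windows chain just described: mshta.exe launched from Explorer with an .hta argument, then a DLL host such as rundll32.exe spawned by mshta.exe. The log format, the choice of rundll32.exe/regsvr32.exe as the DLL host and the parent-child relationships are assumptions for the example, not details reported for this campaign.

```python
import re

# Constructed process-creation events in a simplified key=value form (hypothetical
# format, not from the article or from any vendor report). Windows paths use
# backslashes, so basenames are taken by splitting on "\\".
SAMPLE_EVENTS = [
    'ts=2025-01-01T09:00:01 pid=4100 ppid=1 image=C:\\Windows\\explorer.exe cmd="explorer.exe"',
    'ts=2025-01-01T09:00:05 pid=4312 ppid=4100 image=C:\\Windows\\System32\\mshta.exe '
    'cmd="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\brief.hta"',
    'ts=2025-01-01T09:00:07 pid=4420 ppid=4312 image=C:\\Windows\\System32\\rundll32.exe '
    'cmd="rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll,Start"',
    'ts=2025-01-01T09:05:00 pid=5000 ppid=4100 image=C:\\Program Files\\Office\\WINWORD.EXE '
    'cmd="WINWORD.EXE report.docx"',
]

EVENT_RE = re.compile(r'ts=(\S+) pid=(\d+) ppid=(\d+) image=(.+?) cmd="(.*)"$')

def parse_event(line):
    """Parse one event line into a dict, or return None if it is malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, pid, ppid, image, cmd = m.groups()
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd}

def win_basename(path):
    """Lower-cased file name of a Windows path (assumed backslash-separated)."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_hta_chain(events):
    """Flag the LNK -> HTA -> DLL chain described in the article.

    Rule 1: mshta.exe spawned by explorer.exe with an .hta argument (a shortcut
            opened from Explorer runs its target as a child of explorer.exe).
    Rule 2: rundll32.exe or regsvr32.exe spawned by mshta.exe (HTA loading a DLL).
    Returns (rule_name, pid) tuples in event order.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = win_basename(parent["image"]) if parent else ""
        child_name = win_basename(e["image"])
        if child_name == "mshta.exe" and parent_name == "explorer.exe" and ".hta" in e["cmd"].lower():
            findings.append(("mshta_from_explorer", e["pid"]))
        elif child_name in ("rundll32.exe", "regsvr32.exe") and parent_name == "mshta.exe":
            findings.append(("dll_loader_from_mshta", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect_hta_chain([parse_event(l) for l in SAMPLE_EVENTS]):
        print(rule, pid)
```

Both rules fire on the sample because the events are linked by pid/ppid; on real telemetry the parent lookup needs the full process tree, not just the lines in one batch.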
Geta RAT is a digital Swiss Army knife: it can harvest system details, steal credentials, manipulate clipboard data, capture screenshots, enumerate running processes, and even access USB devices. If security software is detected, the malware adapts its persistence techniques to evade removal. Meanwhile, parallel attacks on Linux systems use a Go-based loader to drop Ares RAT, a Python-powered spy tool with similar capabilities and remote command execution features.
Another campaign variant uses DeskRAT, delivered via rogue PowerPoint Add-Ins - showing the attackers’ willingness to diversify their arsenal and delivery methods. All three RATs are engineered for stealth, persistence, and long-term access, reflecting a sustained, well-resourced espionage effort targeting not just defense, but also policy, research, and critical infrastructure entities connected to India’s strategic core.
As these campaigns unfold, they serve as a stark reminder that the digital battlefield is always shifting. The lines between statecraft and cybercrime blur, with attackers refining their tools and tactics for maximum impact and minimum detection. For India’s most sensitive organizations, vigilance and layered defense are no longer optional - they are existential necessities in an era of invisible wars.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- LNK File: An LNK file is a Windows shortcut that links to a file or program. Attackers can exploit LNK files to run hidden commands or malware.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.