Cybersecurity researchers have identified multiple coordinated cyber espionage campaigns targeting organizations connected to India’s defense sector and government ecosystem. These operations are designed to infiltrate both Windows and Linux systems using remote access trojans that allow attackers to steal sensitive information and retain long-term control over compromised devices.
The activity involves several spyware families, including Geta RAT, Ares RAT, and DeskRAT. These tools have been associated in open-source security reporting with threat clusters commonly tracked as SideCopy and APT36, also known as Transparent Tribe. Analysts assess that SideCopy has operated for several years and functions as an operational subset of the broader cluster. Rather than introducing radically new tactics, the actors appear to be refining established espionage techniques by expanding their reach across operating systems, using stealthier memory-resident methods, and experimenting with new delivery mechanisms to avoid detection while sustaining strategic targeting.
Across the campaigns, initial access is commonly achieved through phishing emails that deliver malicious attachments or links to attacker-controlled servers. Victims are directed to open Windows shortcut files, Linux executables, or weaponized presentation add-ins. These files initiate multi-stage infection chains that install spyware while displaying decoy documents to reduce suspicion.
One observed Windows attack chain abuses a legitimate system utility to retrieve and execute web-hosted malicious code from compromised, regionally trusted websites. The downloaded component decrypts an embedded library, writes a decoy PDF file to disk, contacts a command-and-control server, and opens the decoy for the user. Before deploying Geta RAT, the malware checks which security products are installed and modifies its persistence technique accordingly to improve survivability. This method has been documented in public research by multiple security vendors.
Geta RAT enables extensive surveillance and control, including system profiling, listing and terminating processes, enumerating installed applications, credential theft, clipboard manipulation, screenshot capture, file management, command execution, and data extraction from connected USB devices.
Parallel Linux-focused attacks begin with a loader written in Go that downloads a shell script to install a Python-based Ares RAT. This malware supports remote command execution, data collection, and the running of attacker-supplied scripts. In a separate infection chain, DeskRAT, a Golang-based backdoor, is delivered through a malicious presentation add-in that establishes outbound communication to retrieve the payload, a technique previously described in independent research.
Researchers note that targets extend beyond defense to policy bodies, research institutions, critical infrastructure, and defense-adjacent organizations within the same trusted networks. The combined deployment of Geta RAT, Ares RAT, and DeskRAT reflects a developing toolkit optimized for stealth, persistence, and long-term intelligence collection.
