A threat actor tied to Pakistan has intensified its cyber espionage efforts against Indian government entities, deploying a mix of advanced remote access trojans, including a newly discovered strain called CurlBack RAT. The activity, flagged by cybersecurity firm SEQRITE in December 2024, reveals a growing threat footprint targeting sectors such as railways, oil and gas, and external affairs.
This marks a significant shift for the hacking crew, believed to be a sub-cluster of the APT36 group, also known as Transparent Tribe. Operating under the alias SideCopy, the group mimics the attack styles of another known threat actor, SideWinder, while advancing its own set of payloads and delivery mechanisms.
From HTA to MSI: Evolving Tactics
In a noticeable change from past campaigns, the attackers have moved away from using HTML Application (HTA) files. Instead, they are now leveraging Microsoft Installer (MSI) packages as their primary infection method. According to SEQRITE’s Sathwik Ram Prakki, this evolution marks an effort to evade detection and improve success rates in compromising systems.
Past operations attributed to SideCopy often involved obfuscated HTA files and embedded URLs hosting RTF documents, techniques linked to SideWinder campaigns. These earlier attacks dropped malware such as Action RAT, ReverseRAT, and Geta RAT, with capabilities ranging from data theft to full system control.
Introducing CurlBack RAT and Spark RAT
The latest wave of attacks demonstrates a maturing toolkit. SideCopy is now distributing a new Windows-based malware known as CurlBack RAT, alongside the cross-platform Spark RAT. These strains are deployed via phishing emails that carry lures such as holiday schedules for railway employees or security bulletins from HPCL.
Once active, CurlBack RAT can gather system information, download and execute files, elevate privileges, and list all user accounts. Meanwhile, Spark RAT, already known for its multi-platform compatibility, adds to the group’s reach by targeting Linux systems as well.
In one attack cluster, the malware chain includes a custom version of Xeno RAT, updated with string manipulation techniques for better obfuscation. These campaigns use multi-stage payload delivery, DLL side-loading, reflective DLL injection, and AES decryption via PowerShell to bypass defenses.
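As an added illustration, not part of SEQRITE’s report or of this article, the script below shows how a defender might hunt for three of the behaviours described above in endpoint telemetry: an MSI install spawned directly by a mail or Office client, PowerShell performing AES decryption of Base64 data, and an unsigned DLL loaded from a user-writable directory by an executable sitting in the same folder (a common side-loading layout). The Sysmon-style field names, the parent-process list, and the sample events are all assumptions constructed for the example; the heuristics are intentionally broad and intended for triage, not for high-fidelity alerting.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon-style events for the example (EventID 1 = process create,
# EventID 7 = image load). None of this is real telemetry from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\Holiday_Schedule.msi" /qn'},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "msiexec.exe /V"},  # benign: the Windows Installer service itself
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ("powershell -nop -w hidden -c \"$a=[System.Security.Cryptography.Aes]::Create();"
                     "$d=$a.CreateDecryptor($k,$iv);$p=[Convert]::FromBase64String($s)\"")},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},  # benign admin script
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
]

# Assumed list of mail/Office parents from which a direct msiexec child is unusual.
MAIL_OR_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Directories an ordinary user can write to (heuristic, path-based).
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")
# .NET AES usage plus Base64 decoding in the same PowerShell command line.
AES_USAGE = re.compile(r"(?i)AesManaged|AesCryptoServiceProvider|"
                       r"\[System\.Security\.Cryptography\.Aes\]|CreateDecryptor")
BASE64_USAGE = re.compile(r"(?i)FromBase64String")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def rule_msi_from_mail_client(ev: Dict) -> bool:
    """msiexec launched as a direct child of a mail or Office client."""
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) == "msiexec.exe"
            and basename(ev.get("ParentImage", "")) in MAIL_OR_OFFICE_PARENTS)


def rule_powershell_aes_decrypt(ev: Dict) -> bool:
    """PowerShell command line that both decodes Base64 and drives an AES decryptor."""
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and AES_USAGE.search(cmd) is not None
            and BASE64_USAGE.search(cmd) is not None)


def rule_unsigned_dll_sideload(ev: Dict) -> bool:
    """Unsigned DLL in a user-writable folder, loaded by an EXE in that same folder."""
    loaded = ev.get("ImageLoaded", "")
    return (ev.get("EventID") == 7
            and not ev.get("Signed", True)
            and USER_WRITABLE.search(loaded) is not None
            and dirname(ev.get("Image", "")) == dirname(loaded))


RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("msi_from_mail_client", rule_msi_from_mail_client),
    ("powershell_aes_decrypt", rule_powershell_aes_decrypt),
    ("unsigned_dll_sideload", rule_unsigned_dll_sideload),
]


def scan(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('Image')} :: {ev.get('CommandLine') or ev.get('ImageLoaded')}")
```

The side-loading rule is the noisiest of the three, since many legitimate applications installed under AppData load unsigned helper libraries; in practice it is worth pairing with an allowlist of known installers or with a check that the loaded DLL’s name normally lives under System32.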
Customized Tools and Phishing Infrastructure
SEQRITE also observed the group using modified open-source malware, such as Xeno RAT and Spark RAT, to create a flexible attack framework. They continue to rely heavily on email phishing as an entry point, often using decoy files that appear legitimate.
Beyond trojans, the hackers deploy supporting tools like Cheex for document theft and a USB copier to siphon data from connected drives. They also use compromised domains and fake login portals for credential phishing and payload hosting, allowing them to persist on networks and exfiltrate data with minimal detection.
Targeting Windows Over Linux
While APT36 has historically focused on Linux environments, SideCopy has carved out its role by targeting Windows systems. With new additions like CurlBack RAT, the group is strengthening its arsenal while continuing to blur attribution lines with other threat actors.
As SideCopy broadens its operations and introduces increasingly sophisticated malware, the need for heightened cybersecurity awareness and proactive threat detection becomes more urgent, especially in government, energy, and infrastructure sectors.