Seqrite has uncovered and thoroughly analysed a series of sophisticated cyber campaigns targeting critical Indian government entities. These advanced persistent threats (APTs), linked to multiple Pakistan-based threat actors, represent a significant escalation in cyber operations against India’s defence and infrastructure sectors.
The research, conducted by the APT team at Seqrite Labs, India’s largest malware analysis facility, revealed a complex web of interconnected APT groups, including Transparent Tribe (APT36), SideCopy, and RusticWeb. These groups have been observed sharing infrastructure, tactics, and malware components, indicating a level of coordination previously unseen among these actors. The campaigns specifically targeted the Indian Air Force, shipyards, and ports, demonstrating a clear focus on India’s strategic assets.
A key finding of the investigation was the discovery of open directories hosting malware linked to both Transparent Tribe and SideCopy. Researchers found a single domain hosting payloads for both SideCopy and APT36, targeting Windows and Linux environments respectively. This overlap, along with shared command and control (C2) infrastructure, strongly suggests a convergence of operations among these previously distinct threat actors.
The sophistication of these campaigns is evident in their use of advanced evasion techniques. SideCopy was observed employing updated HTML Application (HTA) files, similar to those used by the SideWinder APT group, to evade detection. The group also introduced new payloads, including a tool called Cheex for document and image theft, a USB copier for exfiltrating files from attached drives, and deployments of FileZilla application and SigThief scripts.
Seqrite’s analysis uncovered several novel malware variants. A new .NET-based payload named Geta RAT was identified, incorporating browser stealing functionality from Async RAT. Another variant, Action RAT, was observed being side-loaded by charmap.exe, a deviation from previously used system binaries. Transparent Tribe was found utilising a Golang-based downloader targeting Linux systems, fetching a final payload named DISGOMOJI, which showed infrastructure links to SideCopy.
The APT groups demonstrated sophisticated social engineering tactics, leveraging themes such as salary increments, naval project reports, and government documents as lures. Many of these decoys were based on publicly available documents, showcasing the attackers’ efforts to create convincing pretexts for their phishing campaigns. The convergence of tactics among these APT groups represents a significant evolution in the cyber threat landscape facing India. This level of coordination and sophistication demands a reassessment of cybersecurity strategies at the highest levels of government and critical infrastructure.
Seqrite’s research team conducted an in-depth technical analysis of the malware used in these campaigns. They found that the attackers were testing their stager evasion against anti-virus solutions at locations in Pakistan. Concurrently, victim traffic from India, typically observed from C2 servers in Germany, was being routed through IPsec protocol from Pakistani IP addresses, as corroborated by Team Cymru.
The reach of these campaigns was extensive, with Transparent Tribe’s Poseidon malware targeting Linux platforms using themes such as ‘Posting/Transfer under Ph-III of Rotational Transfer’, ‘Blacklist IP Address with TLP & Dates’, and ‘LTC checklist’. The group was also observed using Crimson RAT with ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’ baits.
To combat these threats, Seqrite strongly advises organisations to implement comprehensive security measures. These include deploying and maintaining up-to-date antivirus and anti-malware solutions, implementing strong authentication mechanisms, conducting regular security awareness training, and ensuring all systems and software are promptly updated. Furthermore, Seqrite recommends implementing network segmentation and the principle of least privilege to minimise the potential impact of a breach.
Researchers at Seqrite Labs have provided detailed indicators of compromise and MITRE ATT&CK mappings to aid organisations in detecting and defending against these threats. Seqrite continues to monitor these threat actors and will provide updates as new information becomes available.