A threat actor with connections to Pakistan has been spotted using remote access trojans like Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT to target different sectors in India.
SEQRITE discovered that the activity had targeted American businesses under the railway, oil, and foreign affairs ministries, expanding the espionage crew's reach beyond the government, defense, maritime, and university sectors.
Security researcher Sathwik Ram Prakki noted that "a notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism."
SideCopy is thought to be a sub-cluster of Transparent Tribe (also known as APT36), which has been active since at least 2019. It is so named because it copies the attack chains used to deliver payloads by another threat actor, .
In June 2024, SEQRITE documented SideCopy's use of obfuscated HTA files, using techniques that SideWinder has recently used to perform attacks. Additionally, it was discovered that the files contained references to URLs that SideWinder had used to host RTF documents.
The attacks delivered and , two well-known malware families linked to SideCopy, as well as several other payloads, including a USB copier that can grab files and images from attached drives and a .NET-based Geta RAT that can execute 30 commands sent from a remote server.
The RAT has a feature borrowed from AsyncRAT that allows it to steal all accounts, profiles, and cookies from both Firefox and Chromium-based browsers.
SideCopy targets Windows systems, adding new payloads to its arsenal, while APT36's focus is primarily on Linux systems, according to SEQRITE at the time.
The group continues to evolve while using email-based phishing as a malware distribution channel, according to the most recent findings. These emails carry a variety of lure documents, from holiday lists for railway employees to safety guidelines issued by a public company called Hindustan Petroleum Corporation Limited (HPCL).
One cluster of activity is particularly notable because it can target both Windows and Linux systems, leading to the deployment of a cross-platform remote access trojan, , and a brand-new Windows-based malware called CurlBack RAT, which can execute arbitrary commands, grant users privileges, and list user accounts.
A second cluster was discovered using the decoy files to start a multi-step infection process that drops a customized version of that incorporates basic string manipulation techniques.
The group continues to use advanced methods like DLL side-loading, reflective loading, and AES encryption via PowerShell, according to the company, and has switched from using HTA files to MSI packages as its primary staging mechanism.
Moreover, they are deploying CurlBack RAT, which was identified alongside their use of customized open-source tools like Xeno RAT and Spark RAT. Compromised domains and fake websites are being used for payload hosting and credential phishing, highlighting the group's ongoing efforts to improve persistence and evade detection.