Summary: A Pakistan-linked threat actor has been targeting various sectors in India using multiple remote access trojans, including a new strain, CurlBack RAT. The group's tradecraft has evolved, moving from HTML Application (HTA) files to Microsoft Installer (MSI) packages, and its targeting has expanded to the railway, oil, gas, and governmental sectors. This maturing tradecraft shows the group can run sophisticated phishing campaigns and deploy malware on both Windows and Linux.
Affected: Indian government sectors, including the railway, oil and gas, and external affairs ministries
Keypoints:
- The threat actor is linked to a group called SideCopy, a sub-cluster of Transparent Tribe (APT36), which has been active since 2019.
- Recent campaigns have shifted to using Microsoft Installer packages, enhancing their infection mechanisms.
- The group has released multiple malware variants, including CurlBack RAT and Spark RAT, capable of cross-platform attacks and sophisticated data exfiltration.
- Email-based phishing is employed to distribute malware through decoy documents designed to lure victims.
- The group utilizes compromised domains and fake websites for credential phishing and hosting payloads.
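The shift from HTA files to MSI packages delivered by email phishing (keypoints 2 and 4 above) gives defenders a concrete hunting angle: on a workstation, msiexec.exe installing a package from a user-writable path or a URL, silently, and spawned by a mail client is rarely legitimate. The triage script below is an added example and is not code from the article or any of the teams it describes; the process-creation events it scores are constructed samples (hostnames, users, file names and the example.invalid URL are invented), and the pipe-separated field layout is an assumption about how such events were exported.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events (not from the article, which publishes no IoCs).
# Assumed layout: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = [
    r"2025-04-01T09:12:03Z|ws-017|corp\asmith|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\asmith\Downloads\Railway_Notice.msi /qn",
    r"2025-04-01T09:14:40Z|ws-017|corp\asmith|C:\Program Files\Microsoft Office\OUTLOOK.EXE|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\Users\asmith\AppData\Local\Temp\Tender.msi /quiet",
    r"2025-04-01T10:02:11Z|ws-022|corp\svc-deploy|C:\Windows\System32\services.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i C:\ProgramData\Deploy\agent.msi /qn",
    r"2025-04-01T10:30:55Z|ws-019|corp\rkumar|C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i http://example.invalid/update.msi /q",
    r"2025-04-01T11:01:02Z|ws-019|corp\rkumar|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

# Package locations a phished user is likely to launch from (browser downloads, mail attachment temp dirs).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\|\\Temp\\", re.IGNORECASE)
# msiexec will fetch and install a package straight from a URL.
REMOTE_PACKAGE = re.compile(r"\bhttps?://", re.IGNORECASE)
# Silent-install switches (/q, /qn, /qb, /quiet) hide the installer UI from the victim.
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet)\b", re.IGNORECASE)
# Only /i and /package actually install something; uninstall or repair runs are ignored.
INSTALL_FLAG = re.compile(r"(?:^|\s)/(?:i|package)\b", re.IGNORECASE)
# Parent processes that indicate a document or mail lure rather than an admin deployment.
LURE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "mshta.exe"}

@dataclass
class Finding:
    host: str
    user: str
    command_line: str
    score: int
    reasons: list = field(default_factory=list)

def parse_event(line: str) -> dict:
    """Split one exported event line into its assumed fields."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}

def assess(event: dict):
    """Score an msiexec install; return a Finding when it looks like a phishing-delivered package."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name != "msiexec.exe":
        return None
    cmd = event["cmd"]
    if not INSTALL_FLAG.search(cmd):
        return None
    score, reasons = 0, []
    if REMOTE_PACKAGE.search(cmd):
        score += 3
        reasons.append("package fetched from URL")
    elif USER_WRITABLE.search(cmd):
        score += 2
        reasons.append("package in user-writable path")
    if QUIET_FLAG.search(cmd):
        score += 1
        reasons.append("silent install flag")
    parent_name = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent_name in LURE_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent_name}")
    # A lone quiet flag is normal for managed deployments (e.g. from services.exe), so it is not enough.
    if score < 2:
        return None
    return Finding(event["host"], event["user"], cmd, score, reasons)

def triage(lines) -> list:
    """Return findings for all suspicious installs, highest score first."""
    findings = [f for f in (assess(parse_event(l)) for l in lines) if f is not None]
    return sorted(findings, key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.host} {f.user}: {f.command_line}\n      " + "; ".join(f.reasons))
```

The scoring deliberately lets a silent install from ProgramData under services.exe pass, since that is what software deployment tooling looks like; tune USER_WRITABLE and LURE_PARENTS to the workstation build in your environment, and pair the rule with a check that the MSI itself is signed by an expected publisher.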
Source: https://thehackernews.com/2025/04/pakistan-linked-hackers-expand-targets.html