Operation ShadowCat: Stealthy RAT Targets Indian Political Observers

Operation ShadowCat is a stealthy, Go-based RAT campaign that targets Indian political observers, distributing a disguised LNK shortcut that loads PowerShell to drop a .NET loader and a steganography-protected payload inside a PNG. The attackers use in-memory loading, APC injection, and WebSocket-based C2 to control the infected hosts while evading detection, with geo-location checks to skip Russian-speaking regions and a lure aimed at Indian parliamentary followers.

Keypoints

  • CRIL identifies a disguised .LNK shortcut masquerading as an Office document that initiates the infection chain.
  • Execution proceeds via a PowerShell script that drops a malicious .NET loader and a decoy Word document.
  • The payload is concealed in a steganographic PNG hosted on a CDN and decompressed into memory.
  • APC-based process injection is used to run shellcode inside a suspended PowerShell process, avoiding disk writes.
  • The final payload is a Go-based RAT capable of full system control, lateral movement, and potential ransomware deployment.
  • The campaign targets individuals interested in Indian politics, including officials, analysts, journalists, and think tanks.
  • Threat actors avoid Russian-speaking regions, suggesting a Russian-speaking or RaaS-affiliated actor, with possible attribution based on behavior and language clues.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – .LNK file shared as a mail attachment.
  • [T1204.002] User Execution: Malicious File – User opens the .LNK file, which is presented as an Office document.
  • [T1059.001] PowerShell – Embedded PowerShell commands are executed.
  • [T1036.008] Masquerading: Masquerade File Type – LNK file disguised as a legitimate Office file.
  • [T1614] System Location Discovery – Checks the host's geolocation via the GeoId returned by Get-WinHomeLocation.
  • [T1070.004] Indicator Removal: File Deletion – The .LNK file deletes itself after execution.
  • [T1082] System Information Discovery – Checks the system architecture using IntPtr.
  • [T1027.003] Obfuscated Files and Information: Steganography – A malicious GZip-compressed stream is hidden inside a PNG file.
  • [T1140] Deobfuscate/Decode Files or Information – API names and other program strings are obfuscated.
  • [T1106] Native API – CreateProcess() and QueueUserAPC() are used for process injection.
  • [T1055.004] Privilege Escalation: Process Injection – QueueUserAPC is used to inject the shellcode into powershell.exe.
  • [T1071.001] Web Protocols: WebSocket – The RAT communicates with the C&C server over WebSocket on port 443.
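A defender-side check for the steganography step listed above (T1027.003, a GZip stream hidden in a PNG), written here as an added example and not code from the Cyble write-up: it walks the PNG chunk list, flags any bytes trailing the IEND chunk, and reports every embedded gzip member that inflates cleanly, noting whether the inflated data carries an MZ header. The sample PNG and the "payload" are constructed inline (a dummy MZ header plus filler, not a real executable), so it runs offline.

```python
import gzip
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID bytes followed by the deflate method byte

def png_iend_offset(data):
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # length, type, body and CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def scan_png(data):
    """Report bytes trailing IEND and every gzip member that inflates cleanly."""
    end = png_iend_offset(data)
    findings = {"trailing_bytes": len(data) - end, "gzip_streams": []}
    idx = data.find(GZIP_MAGIC)
    while idx != -1:
        inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        try:
            payload = inflater.decompress(data[idx:])
            if inflater.eof:                 # complete member, not a chance byte match
                findings["gzip_streams"].append({
                    "offset": idx, "size": len(payload),
                    "after_iend": idx >= end,
                    "is_pe": payload.startswith(b"MZ")})
        except zlib.error:
            pass
        idx = data.find(GZIP_MAGIC, idx + 1)
    return findings

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png(hidden=None):
    """Constructed 1x1 RGB PNG; if hidden is given, append a gzip of it past IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")       # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if hidden is not None:
        png += b"\x00" * 16 + gzip.compress(hidden)  # padding, then the hidden stream
    return png

FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 200  # constructed stand-in, not malware
```

Run `scan_png(build_sample_png(FAKE_PE))` to see the trailing bytes and the MZ-headed gzip member reported; a clean `build_sample_png()` yields no findings.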

Indicators of Compromise

  • [SHA256] Zip attachment – ffe5b09cbc0073be33332436150c81edfa952d2af749160699fc8b10b912ef35 – Zip attachment used in initial delivery.
  • [SHA256] LNK File – 6f4dc0d9fe5970586403865d551bbea13e2ceb1bfe41f22e235a6456a5ec509b – LNK file used to trigger infection.
  • [SHA256] Dropped DLL file – 168182578da46de165d10e6753d1c7db7b214efc723c89c6d9d0038264abad54 – Malicious DLL dropped during attack.
  • [SHA256] x86.png – 8edc8f3eed761694c6b1df740de376f9e12f82675df7507417adb2c8bbedd8da – PNG payload container.
  • [SHA256] x86_64.png – ac957c501867a86c13045fa72d53faacb291cc8b6b2750915abc1b5815b164c6 – 64-bit PNG payload container.
  • [SHA256] Final injected payload (32-bit) – c42ea4d3c8b6ae2c4727a11de65f624a70dabba46c1996aa545de35a58804802 – Final PE payload (32-bit).
  • [SHA256] Final injected payload (64-bit) – 83d6e377a5527f41d8333f8eb0d42f7c6a24f8694ed3caceb3a1e63de7b23e9d – Final PE payload (64-bit).
  • [SHA256] PE with ShellCode – aef4d36ce252a9181767f263b1cbd831ac79f6e80516aa640222f9c56b06de4f – Shellcode-loaded payload.
  • [URL] PNG hosting Gzip stream – hxxps://suquaituupie.global.ssl.fastly[.]net/static/x86.png?u=, hxxps://suquaituupie.global.ssl.fastly[.]net/static/x86_64.png?u= – PNGs containing GZip streams.
  • [Domain] C2 Domain – use1.netcatgroup[.]site – Command and Control server.
  • [Domain] C2 Domain – suquaituupie.global.ssl.fastly[.]net – Command and Control server.

Read more: https://cyble.com/blog/operation-shadowcat-targeting-indian-political-observers-via-a-stealthy-rat/