
Pakistan-backed cybercriminals zeroing in on Indian civil servants

  • Javier Conejo del Cerro
  • 14 Apr
  • 3 min read



Pakistan-linked threat actors are pushing deeper into Indian government infrastructure, moving beyond defense and maritime targets into the railway, energy, and external affairs ministries. Attributed to SideCopy—a known sub-cluster of APT36 (Transparent Tribe)—this latest wave of intrusions showcases the group’s maturing tactics: phishing campaigns with legitimate-looking lures and a new malware suite featuring CurlBack RAT, Spark RAT, and Xeno RAT.

Unlike earlier campaigns that relied on basic HTML Application (HTA) files, SideCopy is now using Microsoft Installer (MSI) packages as its staging method, paired with DLL side-loading, reflective loaders, and AES-encrypted payloads. These enhancements mark a significant leap in both sophistication and stealth.


Bureaucrats unwittingly thread the trap


The victims are Indian civil servants embedded in critical ministries—handling internal communications, policy drafts, infrastructure plans, and resource coordination. Their roles, often involving routine access to sensitive information and external documents, make them prime targets. The lure? Harmless-looking files like holiday schedules, internal advisories, or memos from state-linked companies like Hindustan Petroleum Corporation Limited (HPCL). Once opened, these decoys unleash a full-blown malware chain.


RATs in the stack


The infection begins with MSI files dropping malware like Xeno RAT, CurlBack RAT, and Spark RAT. These payloads aren’t just designed to steal—they’re engineered for stealth and persistence.

  • CurlBack RAT gathers system metadata, lists user accounts, downloads files, escalates privileges, and executes arbitrary commands.

  • Spark RAT, a cross-platform backdoor, grants remote access on both Windows and Linux systems.

  • Xeno RAT, hidden in multi-stage loaders, operates through string manipulation and encrypted traffic.

Payloads are launched via DLL side-loading and reflective loading, and distributed using compromised websites or credential phishing sites. Encrypted C2 traffic masks the exfiltration of browser profiles, system info, and user credentials.


The Indian (and any nationality’s) wall


India’s civil systems—and those of any government agency—must adapt defenses to the modern threat landscape, where malware hides in bureaucracy and trust is easily weaponized.


Defending against campaigns like SideCopy’s requires layered countermeasures that focus on email, execution paths, user behavior, and network integrity:


  • Filter and flag phishing emails at the perimeter by scanning for mismatched domains, spoofed senders, and suspicious document templates. Many attacks begin with a message that looks completely benign.


  • Block or sandbox MSI, HTA, and script-based attachments from unknown or unverified sources. Attackers are shifting to MSI packages to evade older detection models reliant on macro scanning.


  • Monitor DLL side-loading and reflective loading behavior. Unusual DLLs executing from user directories or temp folders should raise immediate red flags, especially in administrative contexts.


  • Audit PowerShell activity, particularly obfuscated commands, reflective script execution, or suspicious child processes spawned from installers or office files.


  • Validate the authenticity of internal communications, including memos, calendars, or cybersecurity bulletins. Even a simple holiday list could be the front door to a compromise.


  • Enforce least privilege policies to limit what malware can do if it gains initial access. Segment networks so that a breach in one endpoint doesn’t expose an entire department.


  • Control outbound traffic to prevent C2 connections. SideCopy uses encrypted payload delivery and known abuse-prone domains—block traffic to unvetted URLs and monitor DNS activity for anomalies.


  • Train personnel continuously. Users should know how to spot slight inconsistencies in internal emails, document formatting, or sender identities. Awareness remains a critical layer of defense.
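To make the endpoint-side recommendations above concrete (unusual DLLs loading from user directories or temp folders, and script hosts spawned by installers with obfuscated command lines), here is an added detection example. It is not code from the original post or from any vendor; it runs a few simple rules over constructed Sysmon-style events, and every path, user name and encoded string in the sample data is invented for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry in a simplified Sysmon-like shape (not real campaign data).
# Fields: type (ProcessCreate | ImageLoad), image (process), parent, cmdline, loaded (DLL), signed.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "type": "ProcessCreate",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\clerk01\Downloads\Holiday_List.msi /qn"},
    {"id": 2, "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     # The base64 blob is a constructed stand-in, not a real payload.
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"id": 3, "type": "ImageLoad",
     "image": r"C:\Users\clerk01\AppData\Local\Temp\vendor_tool.exe",
     "loaded": r"C:\Users\clerk01\AppData\Local\Temp\version.dll",
     "signed": False},
    {"id": 4, "type": "ImageLoad",
     "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\version.dll",
     "signed": True},
    {"id": 5, "type": "ProcessCreate",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe memo.txt"},
]

# Paths an ordinary user can write to; binaries and DLLs should rarely execute from here.
USER_WRITABLE = re.compile(
    r"[A-Za-z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
    r"|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# Parents that should not normally launch a script interpreter.
INSTALLER_OR_OFFICE_PARENTS = {"msiexec.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Small illustrative set of system DLL names commonly impersonated in side-loading.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll", "winhttp.dll"}
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_PS = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_dll_sideload(ev: Dict) -> Optional[Dict]:
    """Unsigned DLL loaded from a user-writable directory; higher severity if it
    borrows the name of a DLL that normally lives in System32."""
    if ev["type"] != "ImageLoad" or ev.get("signed", False):
        return None
    if not USER_WRITABLE.search(ev["loaded"]):
        return None
    sev = "high" if basename(ev["loaded"]) in SYSTEM_DLL_NAMES else "medium"
    return {"event": ev["id"], "rule": "dll_sideload_candidate", "severity": sev}


def check_process(ev: Dict) -> List[Dict]:
    """Installer/office parent spawning a script host, encoded or hidden PowerShell,
    and installers run against packages in user-writable paths."""
    if ev["type"] != "ProcessCreate":
        return []
    findings = []
    image, parent, cmd = basename(ev["image"]), basename(ev.get("parent", "")), ev.get("cmdline", "")
    if parent in INSTALLER_OR_OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append({"event": ev["id"], "rule": "installer_spawned_script_host", "severity": "high"})
    if image in {"powershell.exe", "pwsh.exe"} and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
        findings.append({"event": ev["id"], "rule": "encoded_or_hidden_powershell", "severity": "high"})
    if image == "msiexec.exe" and USER_WRITABLE.search(cmd):
        findings.append({"event": ev["id"], "rule": "installer_from_user_writable_path", "severity": "medium"})
    return findings


def analyze(events: List[Dict]) -> List[Dict]:
    """Run every rule over the event stream and return the findings in event order."""
    findings: List[Dict] = []
    for ev in events:
        hit = check_dll_sideload(ev)
        if hit:
            findings.append(hit)
        findings.extend(check_process(ev))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} [{f['severity']}]")
```

On the constructed sample this flags the installer launched from Downloads, the PowerShell child of msiexec (twice: for its parent and for its encoded, hidden command line) and the unsigned version.dll loaded from Temp, while the legitimate System32 load and Notepad produce nothing. The path and parent lists are deliberately short; in production they would come from the organisation's own baseline of where signed code is allowed to run.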


In campaigns like these, the entry point is often just one click on what seems like harmless paperwork. Defense must start long before the user opens the file.


