Espionage Without Noise: Understanding APT36’s Enduring Campaigns

Critical infrastructure all over the world is under threat from highly organized, state-sponsored “espionage ecosystems”. These loosely knit but well-resourced organizations are deploying a variety of tools aimed both at disrupting essential services and gathering intelligence. Some work by launching distributed denial of service (DDoS) attacks against transport and communications hubs as well as commercial supply chains. Others seek geopolitical, military or economic advantage, adept at mining for sensitive information and skilled at bypassing traditional security measures. Everything is a target and nowhere is safe.
So, what does an espionage ecosystem look like and how does it operate? In this blog we demonstrate a recent example.
For more than a decade, the Indian government and defense organizations have operated under a constant digital shadow. Behind the scenes, a tightly connected espionage ecosystem, most notably Transparent Tribe (APT36) and the closely aligned SideCopy cluster, has continued to probe, adapt, and persist. While individual campaigns come and go, the underlying objective remains unchanged: long-term intelligence collection through stealthy, resilient access, which is why sustained defensive effort matters.
These actors are not flashy. Instead, they rely on proven tactics: spear-phishing, weaponized documents, and a mix of custom and off-the-shelf remote access trojans to quietly embed themselves in target environments. Over time, however, their tooling has steadily evolved. Cross-platform payloads, memory-resident execution, and increasingly covert command-and-control channels now form the backbone of an ecosystem designed for patience rather than speed, and defenders must adapt continually to keep pace.
A Surge in Activity: What We Observed
Over the past month, Aryaka Threat Research Labs observed multiple active campaigns targeting Indian defense and government-aligned organizations across both Windows and Linux environments. The targeting of these campaigns reflects the persistent threat faced by regional security sectors.
Windows Campaign: GETA RAT via Living-Off-the-Land Abuse
One active campaign targeted Windows systems using phishing emails that delivered LNK and HTA files. These files ultimately deployed GETA RAT, a .NET-based remote access trojan frequently linked to the SideCopy cluster. The infection chain abuses legitimate Windows components (including mshta.exe, XAML deserialization, and in-memory payload execution) to evade traditional file-based detection.
To achieve persistence, the attackers implemented layered startup mechanisms that ensured continued access even if part of the infection chain was disrupted. The result is a lightweight but durable foothold, well-suited for extended reconnaissance and intelligence gathering.
Linux Campaign: ARES RAT and System-Level Persistence
In parallel, a separate campaign focused on Linux environments—an area where Transparent Tribe has shown growing maturity. This operation used a Go-based downloader to install ARES RAT, a Python-based remote access tool historically associated with APT36 activity.
Once deployed, ARES RAT performed automated system profiling, recursive file enumeration, and structured data exfiltration. Persistence was achieved through systemd user services, allowing the malware to survive reboots while blending into normal system operations. This campaign clearly signals an intent to maintain parity across platforms, rather than treating Linux as an afterthought.
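The systemd user-service persistence described above is something a defender can audit directly. The following is an added example, not code from the post or the report, that parses per-user unit files and flags the combination the post describes: an interpreter launched from a user-writable path, auto-respawn, and enablement at login. The unit contents, the user name and the path are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample unit files (not taken from the page or the report). The first
# mimics the described pattern: a Python tool launched from a hidden user path.
SAMPLE_UNITS = {
    "update-helper.service": (
        "[Unit]\nDescription=System update helper\n\n[Service]\n"
        "ExecStart=/usr/bin/python3 /home/alice/.local/share/.cache/agent.py\n"
        "Restart=always\nRestartSec=10\n\n[Install]\nWantedBy=default.target\n"),
    "pipewire.service": (
        "[Unit]\nDescription=PipeWire Multimedia Service\n\n[Service]\n"
        "ExecStart=/usr/bin/pipewire\nRestart=on-failure\n\n[Install]\n"
        "WantedBy=default.target\n"),
}

INTERPRETER = re.compile(r"/(python\d*(\.\d+)?|perl|sh|bash|node)$")
USER_WRITABLE = re.compile(r"^(/home/|/tmp/|/var/tmp/|/dev/shm/)")

def parse_unit(text):
    """Flatten a unit file into {key: last value}; section names are ignored."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";", "[")):
            key, _, value = line.partition("=")
            keys[key.strip()] = value.strip()
    return keys

def assess_unit(text):
    """Return the reasons a unit looks like RAT persistence (empty list = clean)."""
    keys = parse_unit(text)
    argv = keys.get("ExecStart", "").split()
    reasons = []
    if argv and INTERPRETER.search(argv[0]) and any(USER_WRITABLE.match(a) for a in argv[1:]):
        reasons.append("interpreter runs a script from a user-writable path")
    if keys.get("Restart") == "always":
        reasons.append("Restart=always keeps the process respawning")
    if reasons and keys.get("WantedBy") == "default.target":
        reasons.append("started at every user login via default.target")
    return reasons

def audit_units(units):
    return {n: r for n, t in units.items() if (r := assess_unit(t))}

def audit_user_unit_dir(unit_dir="~/.config/systemd/user"):
    """Audit every *.service file under unit_dir (the per-user unit directory)."""
    paths = Path(unit_dir).expanduser().glob("*.service")
    return audit_units({p.name: p.read_text(errors="replace") for p in paths})
```

Running audit_user_unit_dir() for each interactive account (and the same check over /etc/systemd/user) gives a quick triage list; legitimate units such as the second sample produce no findings.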
An Emerging Tool: Desk RAT Enters the Stage
Beyond known malware families, Aryaka Threat Research Labs also observed campaigns delivering Desk RAT, a Go-based remote access trojan distributed via a malicious PowerPoint Add-In (PPAM). This emerging tool illustrates the threat actors’ ongoing innovation and the need for updated detection strategies.
Desk RAT stands out for its emphasis on host telemetry and real-time monitoring. It collects detailed system diagnostics and communicates with its operators using WebSocket-based command-and-control, exchanging structured heartbeat and client information messages. This design enables continuous situational awareness on compromised hosts, reinforcing APT36’s long-term surveillance objectives.
The Bigger Picture
Taken together, these campaigns reinforce a familiar but evolving narrative. Transparent Tribe and SideCopy are not reinventing espionage—they are refining it. By expanding cross-platform coverage, leaning into memory-resident techniques, and experimenting with new delivery vectors, this ecosystem continues to operate below the noise floor while maintaining strategic focus.
For defenders, the takeaway is clear: these are not isolated incidents, but coordinated efforts within a mature threat ecosystem. Detecting and disrupting such actors requires visibility across platforms, attention to subtle behavioral signals, and an understanding that the attacker’s greatest weapon is persistence, not speed. With that understanding, security teams can respond comprehensively rather than case by case.
Read the complete report here