Pakistan-Linked Hackers Expand Cyberattacks on Indian Sectors with New Malware CurlBack RAT
A threat group connected to Pakistan has been observed launching cyberattacks on multiple sectors in India, deploying a variety of remote access trojans (RATs) such as Xeno RAT, Spark RAT, and a newly discovered malware named CurlBack RAT.
According to SEQRITE, the malicious activity, detected in December 2024, expanded the attackers’ reach into India's railway, oil and gas, and external affairs ministries—broadening beyond their usual targets like government, defense, maritime industries, and academic institutions.
Security researcher Sathwik Ram Prakki noted a significant tactic change: attackers have shifted from using HTML Application (HTA) files to Microsoft Installer (MSI) packages as their main method for initiating attacks.
The group, known as SideCopy, is believed to be a subdivision of Transparent Tribe (also known as APT36), active since at least 2019. Its name stems from its imitation of another threat actor, SideWinder, particularly in how it delivers malicious payloads.
Earlier, in June 2024, SEQRITE had reported SideCopy's deployment of obfuscated HTA files resembling SideWinder's techniques, including URLs hosting RTF files associated with SideWinder campaigns. These attacks ultimately led to the deployment of known malware like Action RAT and ReverseRAT, and other tools such as Cheex for stealing documents and images, a USB data theft tool, and the .NET-based Geta RAT, capable of executing 30 different remote commands.
Notably, the Geta RAT can exfiltrate browser data—such as passwords, profiles, and cookies—from Firefox and Chromium-based browsers, a feature adapted from AsyncRAT.
SEQRITE had previously pointed out that while APT36 primarily focuses on Linux environments, SideCopy concentrates on targeting Windows systems, constantly expanding its toolkit.
Emerging Threats: CurlBack RAT and Spark RAT
Recent investigations reveal further sophistication from the threat group, which continues to rely heavily on email phishing to distribute malware. Phishing emails contain lure documents, including fake holiday lists for railway employees and counterfeit cybersecurity guidelines purportedly from Hindustan Petroleum Corporation Limited (HPCL).
One notable campaign demonstrated the group's capability to infect both Windows and Linux platforms, deploying Spark RAT—a cross-platform RAT—and CurlBack RAT, a new Windows-specific malware. CurlBack RAT can collect system information, download files, execute arbitrary commands, escalate privileges, and enumerate user accounts.
Another campaign used deceptive documents to trigger a multi-stage infection process, culminating in the deployment of a modified version of Xeno RAT, which features basic obfuscation techniques.
SEQRITE noted that the attackers have not only transitioned to MSI-based delivery methods but are also leveraging sophisticated tactics such as DLL side-loading, reflective loading, and AES decryption via PowerShell.
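As an added detection example (not from the SEQRITE report or this article), the script below flags the delivery chain described above over constructed Sysmon-style process events: PowerShell launched under msiexec.exe that performs AES decryption, and PowerShell that reflectively loads an assembly. The event format, field names and rule names are assumptions made for illustration.

```python
# Constructed sample process-creation events (not real telemetry) in a
# flattened Sysmon-like form: pid, parent pid, image path, command line.
EVENTS = [
    "pid=900|ppid=1|image=C:\\Windows\\explorer.exe|cmd=explorer.exe",
    "pid=4100|ppid=900|image=C:\\Windows\\System32\\msiexec.exe"
    "|cmd=msiexec /i C:\\Users\\user\\Downloads\\Holiday_List.msi /qn",
    "pid=4120|ppid=4100|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -NoP -W Hidden -c $a=[System.Security.Cryptography.Aes]::Create();"
    "$d=$a.CreateDecryptor($k,$iv)",
    "pid=4130|ppid=4120|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -c [System.Reflection.Assembly]::Load($bytes)",
    "pid=5200|ppid=900|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -c Get-ChildItem C:\\Temp",
]

# Case-insensitive command-line fragments that indicate in-memory AES
# decryption and reflective assembly loading (assumed indicator set).
AES_MARKERS = ("cryptography.aes", "aesmanaged", "createdecryptor")
REFLECTIVE_MARKERS = ("reflection.assembly]::load", "[assembly]::load")

def parse(line):
    """Split 'k=v|k=v' into a dict; only the first '=' of each field splits."""
    return dict(part.partition("=")[::2] for part in line.split("|"))

def ancestors(proc, by_pid):
    """Yield lower-cased image names of the parent chain, nearest first."""
    pid, seen = proc["ppid"], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]["image"].rsplit("\\", 1)[-1].lower()
        pid = by_pid[pid]["ppid"]

def detect(lines):
    """Return (pid, rule) pairs: PowerShell descended from msiexec that
    performs AES decryption, and any PowerShell that reflectively loads."""
    procs = [parse(line) for line in lines]
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["image"].rsplit("\\", 1)[-1].lower() != "powershell.exe":
            continue
        cmd = p["cmd"].lower()
        if "msiexec.exe" in ancestors(p, by_pid) and any(m in cmd for m in AES_MARKERS):
            hits.append((p["pid"], "msi_powershell_aes_decrypt"))
        if any(m in cmd for m in REFLECTIVE_MARKERS):
            hits.append((p["pid"], "powershell_reflective_load"))
    return hits

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

The benign PowerShell event (pid 5200) produces no alert, which is the check a rule like this needs before deployment.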
Moreover, the threat actors are weaponizing customized versions of open-source tools like Xeno RAT and Spark RAT, alongside the newly discovered CurlBack RAT. They are also exploiting compromised domains and fake websites to conduct credential phishing and host malware payloads—highlighting their ongoing efforts to strengthen persistence and evade detection.