{
	"id": "dbde80bf-1d34-4a17-b012-aac44b1adbae",
	"created_at": "2026-04-06T00:10:23.465518Z",
	"updated_at": "2026-04-10T03:35:38.101703Z",
	"deleted_at": null,
	"sha1_hash": "357b20dd94ab4a73d244706dfc7d7186f08fb893",
	"title": "CetaRAT APT Group – Targeting the Government Agencies - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1234671,
	"plain_text": "CetaRAT APT Group – Targeting the Government Agencies - Home\r\nBy Prashant Tilekar\r\nPublished: 2021-10-13 · Archived: 2026-04-05 13:10:52 UTC\r\nCetaRAT was seen for the first time in the Operation SideCopy APT and has been continuously expanding its activity since then. We have been tracking this RAT for a long time and have observed an increase in the targeting of Indian government agencies.\r\nThe CetaRAT infection chain starts with a spear-phishing mail carrying a malicious attachment. The attachment can be a zip file that downloads an HTA file from a remote, compromised URL. Once this HTA file is executed using mshta.exe, it drops and executes the CetaRAT payload, which starts the CnC activity.\r\nAfter HTA file execution, we observed two different behaviours:\r\nIn the first method, it creates \u0026 executes a JavaScript file at the “C:\\\\ProgramData” location. The script opens a decoy document related to government topics and notifications. At the same time, the CetaRAT executable payload is dropped at the Startup location, and the script can sleep for some duration and then restart the machine.\r\nhttps://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/\r\nPage 1 of 8\r\nFig 1. JavaScript code.\r\nIn the second method, it creates and runs batch files in a randomly named folder on the C drive of the victim’s machine; these contain instructions to add a registry entry at “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” with the path of the CetaRAT executable payload. In this variant, the executable is dropped at the %AppData/Roaming% location.\r\nFig 2. Decoy document.\r\nFig 3. Decoy document\r\nCetaRAT is a C#-based RAT family that exfiltrates data from the user and sends it to the CnC server. Once executed, it first checks the details of the running AV product on the machine with the function Getans() and sends those details to the CnC server.\r\nFig 4. Get AV details from Machine.\r\nThe Start() function collects details from the machine such as computer name, OS details, IP address, memory details, running processor, etc., and uploads them to the CnC server. This data is encrypted before it is uploaded to the CnC.\r\nFig 5. Get all details from Machine.\r\nThe GetIP() function is used in this RAT to get the running machine’s IP information. The domain “checkip.dydnd.org” is used for this purpose. This function returns the machine’s IP address.\r\nFig 6. Get IP details.\r\nIn the next activity, the RAT uses commands to exfiltrate data and for file operations. The command details are below:\r\nDownload- downloads data.\r\nUpload- uploads data to the CnC server.\r\nDownload .exe- downloads and then executes the file.\r\nCreated- creates a directory on the system.\r\nRename- renames a file.\r\nDelete- deletes a file or data.\r\nScreen- takes a screenshot of the system.\r\nRun- runs the code.\r\nShellexe- executes the payload.\r\nProcess- information of techniques.\r\nPkill- kills the running process.\r\nList- lists the running processes.\r\nFig 7. Commands used to exfiltrate data.\r\nAfter gathering information from the user’s machine, CetaRAT uses the RC4 algorithm to encrypt the data before uploading it to the CnC server.\r\nFig 8. Use RC4 encryption\r\nOnce the data is encrypted, it is exfiltrated to the CnC server using the HTTP POST method. We can see three CnC server IPs mentioned in the code below, with the keyword “ceta”.\r\nFig 9. CnC servers.\r\nFig 10. Wireshark capture traffic.\r\nIOCs-\u003e (MD5)\r\nConclusion\r\nCetaRAT exfiltrates data, relies on a simple delivery mechanism and aggressively infects the victim. It might leak sensitive data from a government organization, which could enable harmful activities against the countries concerned. We recommend that our customers do not access suspicious emails/attachments and keep their AV software up to date to protect their systems from such complex malware.\r\nSource: https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/"
	],
	"report_names": [
		"cetarat-apt-group-targeting-the-government-agencies"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775792138,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/357b20dd94ab4a73d244706dfc7d7186f08fb893.pdf",
		"text": "https://archive.orkl.eu/357b20dd94ab4a73d244706dfc7d7186f08fb893.txt",
		"img": "https://archive.orkl.eu/357b20dd94ab4a73d244706dfc7d7186f08fb893.jpg"
	}
}