{
	"id": "292d5ef1-4f0e-4ba8-94e2-3d2d95dcd7d6",
	"created_at": "2026-04-06T00:09:56.425489Z",
	"updated_at": "2026-04-10T03:36:50.409971Z",
	"deleted_at": null,
	"sha1_hash": "53cb8dc514590b97e63d7b55483d6a875442c11c",
	"title": "Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils Threats and Connections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3095286,
	"plain_text": "Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils\r\nThreats and Connections\r\nBy Sathwik Ram Prakki\r\nPublished: 2024-04-24 · Archived: 2026-04-05 21:12:17 UTC\r\nIn the recent past, cyberattacks on Indian government entities by Pakistan-linked APTs have gained significant\r\nmomentum. Seqrite Labs APT team has discovered multiple such campaigns during telemetry analysis and hunting in\r\nthe wild. One such threat group, SideCopy, has deployed its commonly used AllaKore RAT in three separate\r\ncampaigns over the last few weeks, where two such RATs were deployed at a time in each campaign. During the same\r\nevents, its parent APT group Transparent Tribe (APT36) continuously used Crimson RAT but with either an encoded or\r\na packed version. Based on their C2 infrastructure, we were able to correlate these APTs, proving their sub-divisional\r\nrelation once again. This blog overviews these campaigns and how a connection is established by looking at their\r\nprevious attacks.\r\nIndia is one of the most targeted countries in the cyber threat landscape where not only Pakistan-linked APT groups\r\nlike SideCopy and APT36 (Transparent Tribe) have targeted India but also new spear-phishing campaigns such as\r\nOperation RusticWeb and FlightNight have emerged. At the same time, we have observed an increase in the sale of\r\naccess to Indian entities (both government and corporate) by initial access brokers in the underground forums, high-profile ransomware attacks, and more than 2900 disruptive attacks such as DDoS, website defacement and database\r\nleaks by 85+ Telegram Hacktivist groups in the first quarter of 2024.\r\nThreat Actor Profile\r\nSideCopy is a Pakistan-linked Advanced Persistent Threat group that has been targeting South Asian countries,\r\nprimarily the Indian defense and government entities, since at least 2019. Its arsenal includes Ares RAT, Action RAT,\r\nAllaKore RAT, Reverse RAT, Margulas RAT and more. 
Transparent Tribe (APT36), its parent threat group with the\r\nsame persistent targeting, shares code similarity and constantly updates its Linux malware arsenal. Active since 2013, it\r\nhas continuously used payloads such as Crimson RAT, Capra RAT, Eliza RAT and Oblique RAT in its campaigns.\r\nSideCopy\r\nSo far, three attack campaigns with the same infection chain have been observed, using compromised domains to host\r\npayloads. Instead of side-loading the Action RAT (DUser.dll) payload, as seen previously, two custom variants of an\r\nopen-source remote agent called AllaKore are deployed as the final payload.\r\nhttps://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/\r\nPage 1 of 26\n\nFig. 1 – Attack Chain of SideCopy\r\nInfection Process\r\n1. Spear-phishing starts with an archive file containing a shortcut (LNK) in a double-extension format.\r\n2. Opening the LNK triggers the MSHTA process, which executes a remote HTA file hosted on a compromised\r\ndomain. The stage-1 HTA contains two embedded files, a decoy and a DLL, that are base64 encoded.\r\n3. The DLL is triggered to run in memory, where it drops and opens the decoy file. As previously seen, the DLL\r\ncreates multiple text files that mention the name “Mahesh Chand” and various other random texts.\r\n4. Later, the DLL downloads two HTA files from the same compromised domain to begin the second-stage\r\nprocess.\r\n5. Both HTA files contain embedded files, this time an EXE and two DLLs.\r\n6. One of the DLLs is executed in memory, which drops the remaining two files into the public directory\r\nafter decoding them. Persistence for the final payload is set beforehand via the Run registry key.\r\n
One\r\nexample:\r\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"issas\" /t REG_SZ /F /D\r\n\"C:\\Users\\Public\\issas\\issas.exe\"\r\nFig. 2 – Files dropped in one of the campaigns\r\n7. Lastly, both final payloads (AllaKore RAT) are executed and connect to the same IP but on\r\ndifferent port numbers for C2 communication. The final DLL is not side-loaded; it is a completely legitimate,\r\nold file.\r\nAn in-depth analysis of each stage can be found in our previous blogs and whitepapers. The RAT contains timers for\r\ntimeout, reconnection and clipboard, and separate sockets for desktop, files and keyboard. The functionality of AllaKore\r\nincludes:\r\nGathering system information\r\nEnumerating files and folders\r\nUpload and execute files\r\nKeylogging\r\nSteal clipboard data\r\nThe Delphi-based AllaKore RATs have the following details campaign-wise:\r\nCampaign | Internal Name | Compiler Timestamp\r\n1 | msmediaGPview, msmediarenderapp | 06-Mar-2024\r\n2 | msvideolib, msrenderapp | 18-Mar-2024\r\n3 | msvideolib, msrenderapp | 01-Apr-2024\r\nInitially, the RAT sends and receives ping-pong commands, listening to the C2 for commands to confirm that the\r\nconnection is alive. Both RAT payloads run together, complementing each other, as seen in the network traffic below.\r\nTheir sizes are also different: one is 3.2 MB, and the other almost doubles to 7 MB, like Double Action RAT. A\r\nconnection ID based on the system information is created for each instance.\r\nFig. 3 – Network traffic for port 9828\r\nFig. 4 – Network traffic for port 6663\r\nList of encrypted strings used for C2 communication in the smaller payload:\r\nEncrypted Decrypted\r\n7oYGAVUv7QVqOT0iUNI SocketMain\r\n7oYBFJGQ OK\r\n7o4AfMyIMmN Info\r\n7ooG0ewSx5K PING\r\n7ooGyOueQVE PONG\r\n7oYCkQ4hb550 Close\r\n7oIBPsa66QyecyD NOSenha\r\n7oIDcXX6y8njAD Folder\r\n7oIDaDhgXCBA Files\r\n7ooD/IcBeHXEooEVVuH4BB DownloadFile\r\n7o4H11u36Kir3n4M4NM UploadFile\r\nSx+WZ+QNgX+TgltTwOyU4D Unknown (Windows)\r\nQxI/Ngbex4qIoVZBMB Windows Vista\r\nQxI/Ngbex46Q Windows 7\r\nQxI/Ngbex4aRKA Windows 10\r\nQxI/Ngbex4KTxLImkWK Windows 8.1/10\r\nVarious file operations have been incorporated, including create, delete, execute, copy, move, rename, zip, and upload,\r\nwhich are part of the AllaKore agent. These commands were found in the bigger payload.\r\nFig. 5 – File move operation\r\nFig. 6 – Commands in the second payload\r\nThe dropped DLL files are not side-loaded by the AllaKore RAT; they are legitimate files that could later be used\r\nfor malicious purposes.\r\n
These are Microsoft Windows-related libraries, but only a few contain a valid signature.\r\nDropped DLL Name | PDB | Description | Compilation Timestamp\r\nmsdr.dll | Windows.Management.Workplace.WorkplaceSettings.pdb | Windows Runtime WorkplaceSettings DLL | 2071-08-19\r\nbraveservice.dll | dbghelp.pdb | Windows Image Helper | 2052-02-25\r\nsalso.dll | D3d12core.pdb | Direct3D 12 Core Runtime | 1981-03-18\r\nsalso.dll | OrtcEngine.pdb | Microsoft Skype ORTC Engine | 2020-01-07\r\nsalso.dll | msvcp120d.amd64.pdb | Microsoft® C Runtime Library | 2013-10-05\r\nFI_Ejec13234.dll | IsAppRun.pdb | TODO:\u003c\u003e | 2013-10-15\r\nDecoys\r\nTwo decoy files have been observed, one of which was used in previous campaigns in February-March 2023. The date in\r\nthe document, “21 December 2022,” has been removed, and the bait’s name has been changed to indicate March 2024\r\n– “Grant_of_Risk_and_HardShip_Allowances_Mar_24.pdf.” As the name suggests, it is an advisory from 2022 on\r\nallowance grants to Army officers under India’s Ministry of Defence. This is used in two of the three campaigns.\r\nFig. 7 – Decoy (1)\r\nThe second decoy is related to the same allowance category and mentions a payment-in-arrears form. This is another old\r\ndocument used previously, dated 19 January 2023.\r\nFig. 8 – Decoy (2)\r\nInfrastructure and Attribution\r\nThe compromised domains resolve to the same IP addresses used in previous campaigns, as seen in passive DNS\r\nrecords since last year.\r\nIP | Compromised Domain | Campaign\r\n151.106.97[.]183 | inniaromas[.]com, ivinfotech[.]com | November 2023\r\n151.106.97[.]183 | revivelife[.]in | March 2024\r\n151.106.97[.]183 | vparking[.]online | April 2024\r\n162.241.85[.]104 | ssynergy[.]in | April 2023\r\n162.241.85[.]104 | elfinindia[.]com | May 2023\r\n162.241.85[.]104 | occoman[.]com | August 2023\r\n162.241.85[.]104 | sunfireglobal[.]in | October 2023\r\n162.241.85[.]104 | masterrealtors[.]in | November 2023\r\n162.241.85[.]104 | smokeworld[.]in | March 2024\r\nC2 servers of AllaKore RAT are registered in Germany to AS51167 – Contabo GmbH, commonly used by SideCopy.\r\nBased on the attack chain and arsenal used, these campaigns are attributed with high confidence to SideCopy, which\r\nuses similar infrastructure to carry out the infection.\r\n164.68.102[.]44 vmi1701584.contaboserver.net\r\n213.136.94[.]11 vmi1761221.contaboserver.net\r\nThe following chart depicts telemetry hits observed for all three SideCopy campaigns related to AllaKore RAT. The\r\nfirst two campaigns show two spikes in March, whereas the third campaign is observed during the second week of\r\nApril.\r\nFig. 9 – SideCopy campaign hits\r\nTransparent Tribe\r\nMany Crimson RAT samples are seen regularly on the VirusTotal platform, with around 40-50 detections each. In\r\nour threat hunting, we have found new samples that have very few detections.\r\nFig. 10 – Infection Chain of APT36\r\nAnalyzing the infection chain to observe any changes, we found that the Crimson RAT samples are not embedded\r\ndirectly into the maldocs as they usually are.\r\n
This time, the maldoc in XLAM form contained three objects: the\r\ndecoy and two base64-encoded blobs.\r\nFig. 11 – Additional Functions in Macro\r\nAfter extracting the VBA macro, we see additional functions for reading a file, decoding base64, and converting binary\r\nto string. The macro reads and decodes the two base64 blobs embedded inside the maldoc. These contain archived\r\nCrimson RAT samples, which are executed, after which the decoy file is opened.\r\nFig. 12 – VBA infection flow\r\nCrimson RAT\r\nThe final RAT payloads contain the same functionality, where 22 commands for C2 communication are used. Although the\r\ndetection rate is typically high for Crimson RAT, we see a low rate for both these samples. These .NET samples\r\nhave a compilation timestamp of 2024-03-17 and the following PDB path:\r\n“C:\\New folder\\mulhiar tarsnib\\mulhiar tarsnib\\obj\\Debug\\mulhiar tarsnib.pdb”\r\nFig. 13 – Detection count on VT\r\nNo major changes were observed when the C2 commands were checked along with the process flow. The IP of the C2 is\r\n204.44.124[.]134, which the RAT tries to reach on 5 different ports – 9149, 15597, 18518, 26791, 28329.\r\nBelow, you can find C2 commands for some of the recent samples (ordered by compile timestamp) of Crimson RAT, which\r\nuse a similar set of 22 to 24 commands. None of these are packed (except the last two), and they have the same size range of 10-20 MB.\r\nFig. 14 – C2 commands of Crimson RAT for recent samples\r\nAs seen in BinDiff, similarity with previous samples is always more than 75%.\r\n
Changes in the order of the commands\r\ninterpreted by the RAT were only found as a numerical addition or a split of one command into two.\r\nFig. 15 – Comparing similarity between Crimson RAT variants\r\nAdditionally, two new samples that were obfuscated with Eziriz’s .NET Reactor were also found, named\r\n‘ShareX’ and ‘Analytics Based Card.’ APT36 has used different packers and obfuscators like ConfuserEx, Crypto\r\nObfuscator, and Eazfuscator in the past. Compared with the previous iteration, the regular ones contain 22-24\r\ncommands as usual, whereas the obfuscated one contains 40 commands. The C2, in this case, is juichangchi[.]online,\r\nwhich the RAT tries to connect to on four ports – 909, 67, 65, 121. A few of these C2 commands don’t have functionality yet, but they\r\nare similar to the ones first documented by Proofpoint. The list of all 22 commands and their functionality can be found\r\nin our previous whitepaper on APT36.\r\nFig. 16 – Comparison after deobfuscation\r\nDecoys\r\nThe maldoc named “Imp message from dgms” refers to DGMS, which stands for India’s Directorate General of Mines\r\nSafety. The decoy document contains various points relating to land and urban policies associated with the military or\r\ndefense, showing its intended targeting of the Indian Government. Another maldoc named “All details” is empty but\r\nhas a heading called posting list.\r\nFig. 17 – DGMS decoy\r\nCrimson Keylogger\r\nA malicious .NET file with a similar PDB naming convention to Crimson RAT was recently seen, with a compilation\r\ntimestamp of 2023-06-14.\r\n
Analysis led to a keylogger payload that captures all keyboard activity.\r\nPDB: e:\\vdhrh madtvin\\vdhrh madtvin\\obj\\Debug\\vdhrh madtvin.pdb\r\nApart from capturing each keystroke and writing it into a file, it collects the name of the current process in the\r\nforeground. Toggle keys are captured separately, and, based on key combinations, clipboard data is also copied to the\r\nstorage file.\r\nFig. 18 – Crimson Keylogger\r\nCorrelation\r\nSimilar to the code overlaps seen previously between SideCopy and APT36 in Linux-based payloads, we pivot on the\r\ndomain used as C2 by Transparent Tribe to look at passive DNS records of the domain using VirusTotal and\r\nValidin. The C2 for the above two packed samples resolved to different IPs – 176.107.182[.]55 and 162.245.191[.]214,\r\nas seen in the timeline below, which tells us when they went live.\r\nFig. 19 – Timeline of C2 domain\r\nThis also leads us to two additional IP addresses: 155.94.209[.]4 and 162.255.119[.]207. The first one is\r\ncommunicating with a payload that has only 7/73 detections on VirusTotal, whereas the latter is not associated with\r\nnew malware. The malware appears to be another .NET Reactor packed payload with a compile timestamp of 2039-02-24,\r\nbut it is small (6.55 MB) compared to the Crimson RAT payloads.\r\nFig. 20 – Deobfuscated AllaKore RAT\r\nThe default name of the sample is an Indian-language word, “Kuchbhi.pdb”, meaning anything. After deobfuscation, we\r\nsee C2 commands that are similar to the Delphi-based AllaKore RAT deployed by SideCopy above.\r\n
Only this time it is\r\na .NET variant with the following five commands:\r\nC2 Command Function\r\nLIST_DRIVES Retrieve and send list of drives on the machine\r\nLIST_FILES Enumerate files and folders in the given path\r\nUPLOAD_FILE Download and execute file\r\nPING Listen to C2 and send PONG for live status\r\ngetinfo Send username, machine name and OS information\r\nPersistence is set in two ways: the Run registry key or the startup directory.\r\nCode overlap was previously found between SideCopy’s Linux-based stager payload for Ares RAT and Transparent\r\nTribe’s Linux-based Python malware called Poseidon and other desktop utilities. Here we see similar code overlaps and\r\npossibly sharing of C2 infrastructure between the two groups. AllaKore RAT (open source) has been associated with\r\nSideCopy since its discovery in 2019, along with the Action RAT payload. Similarly, Crimson RAT is known to be an in-house toolset of APT36.\r\nInfrastructure and Attribution\r\nLooking at the C2, the same server hostnames used previously by APT36 were identified, running Windows Server\r\n2012 and 2022 versions.\r\nIP | ASN | Organization | Country | Name\r\n204.44.124[.]134 | AS8100 | QuadraNet Inc | United States | WIN-P9NRMH5G6M8\r\n162.245.191[.]214 | AS8100 | QuadraNet Inc | United States | WIN-P9NRMH5G6M8\r\n155.94.209[.]4 | AS207083 | Quadranet Inc | Netherlands | WIN-P9NRMH5G6M8\r\n176.107.182[.]55 | AS47987 | Zemlyaniy Dmitro Leonidovich | Ukraine | WIN-9YM6J4IRPC\r\nBased on this correlation and previous attack chains, these campaigns are attributed to both APT36 and SideCopy\r\ngroups with high confidence, establishing yet another strong connection between them.\r\nConclusion\r\nPersistent targeting of the Indian government and defense entities by Pakistan-linked APT groups has continued, where\r\nnew operations have emerged with similar threats.\r\n
SideCopy has deployed its well-associated AllaKore RAT in\r\nmultiple campaigns, whereas its parent group, Transparent Tribe (APT36), is continuously using Crimson RAT,\r\nmaking changes to evade detections.\r\nAs the threat landscape shifts due to various geopolitical events like the Israel-Iran conflict, India is bound to be\r\ntargeted continuously. On the verge of India’s upcoming election, it is suggested that necessary precautions be taken\r\nand that people stay protected amidst the increasing cybercrime.\r\nSeqrite Protection\r\nSideCopy.48519\r\nSideCopy.48674.GC\r\nTrojan.48761.GC\r\nSideCopy.S30112905\r\nSideCopy\r\nDownloader.48760.GC\r\nCrimson\r\nIOCs\r\nSideCopy\r\nHTA\r\n6cdc79655e9866e31f6c901d0a05401d jfhdsjfh34frjkfs23432.hta\r\ndbf196ccb2fe4b6fb01f93a603056e55 flutter.hta\r\n37b10e4ac08534ec36a59be0009a63b4 plugins.hta\r\nd907284734ea5bf3bd277e118b6c51f0 bjihfsdfhdjsh234234.hta\r\n2a47ea398397730681f121f13efd796f plugins.hta\r\n6ab0466858eb6d71d830e7b2e86dab03 flutter.hta\r\necc65e6074464706bb2463cb74f576f7 4358437iufgdshvjy5843765.hta\r\nda529e7b6056a055e3bbbace20740ee9 min-js.hta\r\ncadafc6a91fc4bba33230baed9a8a338 nodejsmin.hta\r\nEmbedded DLL\r\n1e5285ee087c0d73c76fd5b0b7bc787c hta.dll\r\nf74c59fd5b835bf7630fbf885d6a21aa hta.dll\r\n3cc6602a1f8a65b5c5e855df711edeb0 hta.dll\r\n990bfd8bf27be13cca9fa1fa07a28350 SummitOfBion.dll\r\n29fa44d559b4661218669aa958851a59 SummitOfBion.dll\r\n26bde2d6a60bfc6ae472c0e9c8d976e2 SummitOfBion.dll\r\neceb986d166526499f8f37fd3efd44db SummitOfBion.dll\r\n2a680cf1e54f1a1f585496e14d34c7e9 SummitOfBion.dll\r\nAllaKore RAT\r\n76ca50a71e014aa2d089fed1251bf6cd issas.exe\r\n71b285c8903bb38d16d97c1042cbeb92 quick.exe\r\n9684bf8955b348540446df6b78813cdb cove.exe\r\n48e1e695258a23742cd27586e262c55a salso.exe\r\n4ba7ca56d1a6082f0303f2041b0c1a45 cove.exe\r\n6cda3b5940a2a97c5e71efcd1dd1d2ca FI_Ejec1.exe\r\nDecoys\r\n30796f8fb6a8ddc4432414be84b8a489\r\n8740d186877598297e714fdf3ab507e9\r\nGrant_of_Risk_and_HardShip_Allowances_Mar_24.pdf\r\nDLL\r\nabeaa649bd3d8b9e04a3678b86d13b6b msdr.dll\r\nb3a5e819e3cf9834a6b33c606fc50289 braveservice.dll\r\n312923e0baf9796a846e5aad0a4d0fb6 salso.dll\r\n1d7fc8a9241de652e481776e99aa3d46 salso.dll\r\n760ff1f0496e78d37c77b2dc38bcbbe4 salso.dll\r\nfa5a94f04e684d30ebdc4bf829d9c604 FI_Ejec13234.dll\r\nCompromised Domains\r\nrevivelife[.]in 151.106.97[.]183\r\nsmokeworld[.]in 162.241.85[.]104\r\nvparking[.]online 151.106.97[.]183\r\nC2 and Ports\r\n164.68.102[.]44 6663, 9828\r\n213.136.94[.]11 6663, 7880\r\nURLs\r\nhxxps://revivelife[.]in/assets/js/other/new/\r\nhxxps://revivelife[.]in/assets/js/other/new/jfhdsjfh34frjkfs23432.hta\r\nhxxps://revivelife[.]in/assets/js/other/grant/\r\nhxxps://revivelife[.]in/assets/js/other/grant/32476sdfsdafgsdcsd3476328.hta\r\nhxxps://revivelife[.]in/assets/js/support/i/index.php\r\nhxxps://revivelife[.]in/assets/js/support/c/index.php\r\nhxxps://smokeworld[.]in/wp-content/plugins/header-footer-show/01/\r\nhxxps://smokeworld[.]in/wp-content/plugins/header-footer-show/01/bjihfsdfhdjsh234234.hta\r\nhxxps://smokeworld[.]in/wp-content/plugins/header-footer-other/intro/index.php\r\nhxxps://smokeworld[.]in/wp-content/plugins/header-footer-other/content/index.php\r\nhxxps://vparking[.]online/BetaVersion/MyDesk/assets/fonts/account/show/index.php\r\nhxxps://vparking[.]online/BetaVersion/MyDesk/assets/fonts/account/show/4358437iufgdshvjy5843765.hta\r\nhxxps://vparking[.]online/BetaVersion/MyDesk/plugins/quill/support/intro/\r\nhxxps://vparking[.]online/BetaVersion/MyDesk/plugins/quill/support/content/index.php\r\nHost\r\nC:\\ProgramData\\HP\\flutter.hta\r\nC:\\ProgramData\\HP\\plugins.hta\r\nC:\\ProgramData\\HP\\min-js.hta\r\nC:\\ProgramData\\HP\\nodejsmin.hta.hta\r\nC:\\Users\\Public\\quick\\quick.exe\r\nC:\\Users\\Public\\quick\\msdr.dll\r\nC:\\Users\\Public\\quick\\quick.bat\r\nC:\\Users\\Public\\issas\\issas.exe\r\nC:\\Users\\Public\\issas\\braveservice.dll\r\nC:\\Users\\Public\\issas\\issas.bat\r\nC:\\Users\\Public\\cove\\cove.exe\r\nC:\\Users\\Public\\cove\\salso.dll\r\nC:\\Users\\Public\\cove\\cove.bat\r\nC:\\Users\\Public\\salso\\salso.exe\r\nC:\\Users\\Public\\salso\\salso.dll\r\nC:\\Users\\Public\\salso\\salso.bat\r\nC:\\Users\\Public\\FI_Ejec1\\FI_Ejec1.exe\r\nC:\\Users\\Public\\FI_Ejec1\\FI_Ejec1324.dll\r\nC:\\Users\\Public\\FI_Ejec1\\FI_Ejec1.bat\r\nAPT36\r\nMaldoc\r\nf436aa95838a92b560f4cd1e1c321fe7 All details.xlam\r\nafb24ec01881b91c220fec8bb2f53291 Imp message from dgms.xlam\r\nBase64-zipped Crimson RAT\r\n7bb8f92770816f488f3a8f6fe25e71a7 oleObject1.bin\r\n303b75553c5df52af087b5b084d50f98 oleObject2.bin\r\nCrimson RAT\r\n898df40a8f2a6702c0be059f513fab9d mulhiar tarsnib.exe\r\ne3cf6985446cdeb2c523d2bc5f3b4a32 mulhiar tarsnib.exe\r\nbb5b569b38affb12dfe2ea6d5925e501 ShareX.exe\r\n7cdc81a0f5c5b2d341de040a92fdd23a Analytics Based Card.exe\r\n81b436873f678569c46918862576c3e0 vdhrh madtvin.exe (keylogger)\r\nAllaKore RAT (.NET)\r\ne291fffbcb4b873b76566d5345094567 Mailbird.exe\r\nDecoys\r\n9d337c728c92bdb227055e4757952338 All details.xlam.xlsx\r\nd7b909f611e8f9f454786f9c257f26eb Imp message from dgms.xlam.xlsx\r\nC2 and Ports\r\n204.44.124[.]134 9149, 15597, 18518, 26791, 28329\r\njuichangchi[.]online (176.107.182[.]55, 162.245.191[.]214) 909, 67, 65, 121\r\n155.94.209[.]4 8888, 9009, 33678\r\nHost\r\nC:\\Users\\\u003cname\u003e\\Documents\\mulhiar tarsnib.scr\r\nC:\\Users\\\u003cname\u003e\\AppData\\Meta-\u003cnumber\u003e\\\r\nC:\\Users\\\u003cname\u003e\\AppData\\mulhiar tarsnib.scr\\mulhiar tarsnib.png\r\nMITRE ATT\u0026CK\r\nTactic | Technique ID | Name\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains\r\nResource Development | T1584.001 | Compromise Infrastructure: Domains\r\nResource Development | T1587.001 | Develop Capabilities: Malware\r\nResource Development | T1588.001 | Obtain Capabilities: Malware\r\nResource Development | T1588.002 | Obtain Capabilities: Tool\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware\r\nResource Development | T1608.005 | Stage Capabilities: Link Target\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1106 | Native API\r\nExecution | T1129 | Shared Modules\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1047 | Windows Management Instrumentation\r\nExecution | T1204.001 | User Execution: Malicious Link\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nDefense Evasion | T1027.010 | Obfuscated Files or Information: Command Obfuscation\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nDefense Evasion | T1036.007 | Masquerading: Double File Extension\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1218.005 | System Binary Proxy Execution: Mshta\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery\r\nCollection | T1005 | Data from Local System\r\nCollection | T1056.001 | Input Capture: Keylogging\r\nCollection | T1074.001 | Data Staged: Local Data Staging\r\nCollection | T1119 | Automated Collection\r\nCollection | T1113 | Screen Capture\r\nCollection | T1125 | Video Capture\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nCommand and Control | T1571 | Non-Standard Port\r\nCommand and Control | T1573 | Encrypted Channel\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nAuthor:\r\nSathwik Ram Prakki\r\nSource: https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/"
	],
	"report_names": [
		"pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "403c7091-ccdd-4a76-94ad-27eb61449336",
			"created_at": "2024-01-18T02:02:34.407633Z",
			"updated_at": "2026-04-10T02:00:04.829369Z",
			"deleted_at": null,
			"main_name": "Operation RusticWeb",
			"aliases": [],
			"source_name": "ETDA:Operation RusticWeb",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53cb8dc514590b97e63d7b55483d6a875442c11c.pdf",
		"text": "https://archive.orkl.eu/53cb8dc514590b97e63d7b55483d6a875442c11c.txt",
		"img": "https://archive.orkl.eu/53cb8dc514590b97e63d7b55483d6a875442c11c.jpg"
	}
}