A hacking group tied to Pakistan is stepping up its attacks on India. Recent reports show they’re now using new malware tools—CurlBack RAT and Spark RAT—to go after critical Indian sectors. These include the country’s railways, oil and gas industry, and external affairs department.
The activity, documented by cybersecurity firm SEQRITE and observed in December 2024, comes from a group that is no stranger to India. But this time the tactics have shifted. Instead of HTML Application (HTA) files, the lures now deliver Microsoft Installer (MSI) packages. The switch is aimed at slipping past detections tuned to the old HTA chain.
The attackers are believed to be part of SideCopy—a sub-group within the larger hacking collective Transparent Tribe (APT36). While APT36 typically targets Linux systems, SideCopy focuses on Windows. Over the years, the group has built a toolkit of remote access trojans (RATs) and spy tools. These allow them to steal documents, copy data from USB drives, and hijack web browser profiles.
In past campaigns, SideCopy borrowed tricks from another threat group, SideWinder, whose infection chains it mimics; that imitation is where the SideCopy name comes from. The group produced decoy documents that looked official while carrying the first stage of the infection, designed to lure victims into triggering it themselves.
This time, their approach is sharper and more dangerous.
The new attacks use phishing emails to deliver malware. These emails carry decoy documents, such as a railway staff holiday schedule or cybersecurity guidelines purportedly from Hindustan Petroleum Corporation Limited (HPCL). When opened, they kick off a multi-stage infection chain that ends with a remote access trojan on the host.
One of the tools is Spark RAT, an open-source, Go-based trojan that runs on both Windows and Linux. It can execute commands, browse and transfer files, and give the operator interactive control of the machine.
But the bigger threat is CurlBack RAT, a previously undocumented Windows malware. It can collect system information, download files, run remote commands, elevate privileges, and enumerate user accounts. In short, it gives the attacker full control of the infected system.
The group also uses a modified version of Xeno RAT. This variant obfuscates its strings with simple manipulation and leans on PowerShell commands to avoid being spotted by security tools. The group has also been seen using DLL side-loading (planting a malicious DLL where a legitimate, often signed, executable will load it in place of the real one) and reflective loading (mapping a payload into memory from inside a process without going through the normal loader, so it never sits on disk as a standalone file). Both techniques keep the payload out of the places defenders usually look.
What's more, the attackers now rely on look-alike domains they register themselves and on legitimate domains they have compromised. These serve both as phishing pages and as hosts for the malware payloads.
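The delivery shift from HTA files to MSI packages and the encoded PowerShell and DLL side-loading just described all leave traces in ordinary endpoint telemetry. The Python below is an added example, not code from SEQRITE or from the reported campaign, that runs a handful of checks over constructed Sysmon-style process-creation and image-load events: an MSI installed from a user-writable directory or spawned by a mail or office client, mshta.exe execution, PowerShell launched by msiexec or carrying a -EncodedCommand argument (decoded in place), and a commonly side-loaded DLL name loaded from a user-writable directory. Every path, process name and the DLL-name list is an assumption for illustration; none of it is taken from the campaign. Reflective loading is deliberately not covered, since it leaves no file to match and needs memory scanning rather than log matching.

```python
import base64
import re
from typing import NamedTuple


class Event(NamedTuple):
    kind: str    # "process" (creation) or "imageload" (DLL mapped into a process)
    parent: str  # parent image for process events, "" for image loads
    image: str   # image of the created process, or of the process loading the DLL
    detail: str  # command line for process events, loaded DLL path for image loads


# Constructed Sysmon-shaped telemetry. None of these paths or names come from the
# SEQRITE report; they only stand in for events a Windows host would already log.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\Holiday_Schedule.msi" /qn'),
    Event("process", r"C:\Windows\System32\services.exe",
          r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
    Event("process", r"C:\Windows\System32\msiexec.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          r"mshta.exe C:\Users\alice\Downloads\guidelines.hta"),
    Event("imageload", "", r"C:\Users\alice\AppData\Roaming\Updater\host.exe",
          r"C:\Users\alice\AppData\Roaming\Updater\version.dll"),
    Event("imageload", "", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\version.dll"),
    Event("process", r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\7zFM.exe", "7zFM.exe"),
]

# Directories an ordinary user can write to; an installer or DLL here deserves a look.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\", re.IGNORECASE)
MSI_PACKAGE = re.compile(r'(?:/i|/package|/a)\s+"?([^"]+?\.msi)\b', re.IGNORECASE)
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Processes that normally hand documents to the user, not installers to the OS.
PHISH_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed list of DLL names that are frequently side-loaded; extend it from your own baseline.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script behind -enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (rule, evidence) pairs for events that match the delivery and loading tricks."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent)
        if ev.kind == "process":
            if img == "msiexec.exe":
                pkg = MSI_PACKAGE.search(ev.detail)
                if pkg and USER_WRITABLE.match(pkg.group(1)):
                    findings.append(("msi_from_user_writable_dir", pkg.group(1)))
                if parent in PHISH_PARENTS:
                    findings.append(("msi_spawned_by_mail_or_office", parent))
            elif img == "mshta.exe":  # the older HTA delivery path is still worth alerting on
                findings.append(("hta_execution", ev.detail))
            elif img == "powershell.exe":
                if parent == "msiexec.exe":
                    findings.append(("powershell_child_of_msiexec", ev.detail))
                decoded = decode_encoded_command(ev.detail)
                if decoded is not None:
                    findings.append(("encoded_powershell", decoded))
        elif ev.kind == "imageload":
            # Side-loading candidate: a system-looking DLL name loaded from a user-writable
            # directory by an executable that also lives in a user-writable directory.
            if (basename(ev.detail) in SIDELOAD_NAMES and USER_WRITABLE.match(ev.detail)
                    and USER_WRITABLE.match(ev.image)):
                findings.append(("dll_sideload_candidate", ev.detail))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

On the constructed sample the benign events (a service-started msiexec, svchost loading the real version.dll, a file manager launched from Explorer) produce no findings, while the Outlook-spawned installer from Temp, the PowerShell child of msiexec with its encoded "IEX", the HTA launch and the user-directory version.dll each get flagged. The user-writable path list and the side-loaded DLL names are the parts to tune against your own environment's baseline.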
According to SEQRITE, this evolution shows just how advanced the group has become. They’re no longer just reusing old tools. Now, they’re building new ones and customizing open-source RATs to stay ahead of defenses.
For India, the message is clear. This is no longer just about protecting one sector. These attacks are growing—and so is the list of targets.