Recent cybersecurity research has again revealed an already known but constantly refined pattern: defence organizations and entities aligned with the Government of India are being targeted by digital espionage campaigns that aim at both Windows and Linux systems. The attackers use remote access tools (RATs) that allow everything from exfiltrating information to remaining silently on infected machines for long periods.
Among the malware families identified by analysts are Geta RAT, Ares RAT and Deskrat. These pieces do not operate in isolation: they are associated with threat clusters of alleged Pakistani affinity, known in the community as Transparent Tribe (also referred to as APT36) and SideCopy, the latter assessed by some teams as a subgroup that has operated in the same orbit for years. For further technical reading and analysis, consult the reports of those who first published these observations and the commentary of specialized teams, such as the write-up on Aryaka's blog and the other firms that track these actors.

The preferred entry point remains social engineering: phishing emails with malicious attachments or links to servers controlled by the attackers. From there, multi-stage infection chains are deployed that combine old tricks and new adaptations. One observed chain begins with an LNK file (a Windows shortcut) that invokes mshta.exe to run an HTA file hosted on legitimate but compromised domains. That HTA may contain JavaScript that decrypts and loads an embedded DLL; the DLL processes the packaged data, writes a decoy document (such as a PDF) to disk, establishes communication with a command and control (C2) server and displays the decoy to the user to avoid raising suspicion.
This kind of sophistication is not casual. The use of lures that present plausible documents, the preference for trusted infrastructure in the region and the automatic adaptation of the persistence method according to the security solutions present are resources that help the actor operate "below the noise," reducing the probability of detection by administrators and automated tools. For further examples of campaigns and technical analysis, there are public resources from research teams and cybersecurity companies such as CYFIRMA, and from specialized laboratories such as Seqrite Labs. The researcher who disclosed specific attack chains also shared findings on social networks and technical platforms.
In terms of capabilities, Geta RAT presents a long list of functions designed for remote control and exfiltration: system information collection, process and application listing, termination of specific processes, credential theft, clipboard handling, screen capture, file operations, arbitrary command execution and data extraction from connected USB devices. In other words, it not only serves to observe and move data, but also to maintain and expand the attacker's presence in the compromised environment.
In parallel with the Windows-oriented variant, the campaigns also target Linux. There the adversaries have used binaries written in Go as an initial stage to deploy a Python RAT, Ares RAT, through scripts downloaded from external servers. Ares offers similar features: data collection, remote execution of scripts and commands, and the ability to adapt the operation to the context of the attacked machine. In another documented vector, Deskrat (another malware family developed in Golang) has been distributed through malicious PowerPoint add-ins that run macros to retrieve and launch the final sample from the network.
The result is an ecosystem of tools and exploitation chains that emphasize persistence, resistance to tracing and multiplatform coverage. Reports published by several security laboratories show how these families and techniques have evolved: from the re-use of compromised infrastructure to the move toward in-memory payloads and indirect execution that make them harder to trace. To go deeper into the techniques and correlate indicators of compromise, it is appropriate to review specialized sources and public knowledge bases on tactics and procedures, such as those provided by the MITRE ATT&CK framework on its portal.
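The LNK to mshta.exe to remote HTA chain described above leaves a distinctive process-creation footprint that a defender can score from endpoint telemetry. The following is an added example, not code from the article or from any of the vendor reports it cites: it assumes a flattened Sysmon-style event layout (timestamp, host, parent image, image, command line), and every host name, path and URL in the sample events is constructed.

```python
"""Flag process-creation events matching the LNK -> mshta.exe -> remote HTA chain.

Added example (not from the article or any vendor report). Event fields mirror what a
Sysmon/EDR process-creation record carries; the sample events below are constructed and
the host names, paths and URLs in them are invented.
"""
import re

# A URL on the command line means mshta.exe will fetch and run a script from the network.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# HTA files written under a user profile are typical of dropped or downloaded lures.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)
# Parents that indicate a double-clicked shortcut or a document lure rather than an installer.
LURE_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (assumed flattened Sysmon Event ID 1 layout).
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:14:02Z", "host": "WS-114",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" https://cdn.example-lure.invalid/docs/notice.hta'},
    {"ts": "2025-05-01T09:20:45Z", "host": "WS-114",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\report.hta"},
    {"ts": "2025-05-01T09:31:10Z", "host": "WS-203",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\VendorTool\help.hta"'},
    {"ts": "2025-05-01T09:32:00Z", "host": "WS-203",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return a finding dict for an mshta.exe launch, or None for any other process."""
    if basename(event["image"]) != "mshta.exe":
        return None
    cmd = event["command_line"]
    parent = basename(event["parent_image"])
    score, reasons = 0, []
    if URL_RE.search(cmd):
        score += 3
        reasons.append("mshta.exe pulls its HTA/script from a remote URL")
    elif USER_WRITABLE_RE.search(cmd):
        score += 2
        reasons.append("HTA executed from a user-writable location")
    if parent in LURE_PARENTS:
        score += 1
        reasons.append(f"spawned by {parent} (shortcut or document lure)")
    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score == 1 else "info"
    if not reasons:
        reasons.append("mshta.exe execution with a local argument; review against baseline")
    return {"ts": event["ts"], "host": event["host"], "severity": severity,
            "reasons": reasons, "command_line": cmd}


def analyze(events):
    """Run score_event over a batch and keep only the mshta.exe findings."""
    return [f for f in (score_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['severity']:<6}] {finding['host']} {finding['ts']} :: "
              f"{'; '.join(finding['reasons'])}")
```

The scoring weights are deliberately simple: a remote URL argument alone is enough to page someone, a user-profile HTA path is suspicious on its own, and a shortcut or Office parent adds context that distinguishes a lure from an administrator running a local help file. In an environment where mshta.exe has no legitimate use, the "info" tier can be raised as well, since the article's recommendation is to restrict the tool outright.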

What lessons does this pattern leave for organizations and security officers? First, that the attack surface remains human: training aimed at recognizing credible lures and verifying senders must be a priority. Second, technical defenses require a combination of measures: filter and block suspicious attachments (especially LNK, HTA and macro-enabled documents), limit the use of system tools that lend themselves to indirect execution (such as mshta.exe), deploy EDR/AV solutions that detect abnormal behavior, and monitor outgoing traffic for atypical C2 connections. Relevant public bodies and incident response teams publish guides and alerts to help implement specific mitigations; useful resources include the portals of response teams and national and international cybersecurity agencies such as CISA or India's CERT-In.
It is not just a technical issue: when the activity is aligned with geostrategic interests, the threat focuses on very specific sectors and the attackers invest in improving lures and maintaining long-term access. That is why the response must also be strategic and sustained: sharing intelligence between entities, coordinating the blocking of malicious infrastructure and conducting constant audits of critical systems. Collective reports and analyses, from both private companies and academic laboratories, make it possible to map the adversary better and anticipate its next move; in this sense, the analyses of specialized firms and laboratories are recommended for both technical staff and decision-makers.
In short, the campaigns that have exposed Geta RAT, Ares RAT and Deskrat remind us that cyberespionage remains a living and adaptable threat. The tools change and grow more sophisticated, but the prevention signals are not new either: awareness-raising, robust technical controls, network visibility and public-private collaboration are the best barriers for minimizing impact and narrowing the attacker's window of operation. Those who want to consult technical analyses and advisories can start with the publications of the companies that investigated these incidents and the resources of the cybersecurity agencies mentioned above (Aryaka, CYFIRMA, Seqrite Labs, SEKOIA and reference repositories such as MITRE ATT&CK).
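The first technical measure listed above, filtering LNK, HTA and macro-enabled attachments, is only effective if it looks past the claimed file name, because the chains described in this article rename shortcuts and decks to look like ordinary documents. The following is an added example, not code from the article or from any product it mentions: a mail-gateway style classifier that combines an extension block list with content checks (the shell-link header, HTA markup and an embedded VBA project inside an OOXML package). The verdict tiers and every sample attachment are constructed for illustration.

```python
"""Classify mail attachments of the kinds the article recommends blocking (LNK, HTA, macro documents).

Added example, not code from the article or any vendor. The verdict policy (block / review /
allow) and every sample attachment below are constructed for illustration.
"""
import io
import os
import zipfile

# Extensions blocked outright: shortcuts, HTML applications and macro-enabled Office formats.
BLOCKED_EXTENSIONS = {".lnk", ".hta", ".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".ppam", ".ppsm"}
# Shell link header: HeaderSize 0x0000004C followed by the first bytes of the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
# Compound File (legacy .doc/.xls/.ppt) signature; macros in these need a full OLE parse.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename, data):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    # Content checks run regardless of the claimed extension, so renamed files are still caught.
    if data.startswith(LNK_MAGIC):
        return "block", "Windows shortcut (LNK) header found despite extension " + (ext or "(none)")
    if b"<hta:application" in data[:4096].lower():
        return "block", "HTML application (HTA) markup found"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(name.lower().endswith("vbaproject.bin") for name in zf.namelist()):
                return "block", "OOXML package carries a VBA project (macro) under a non-macro extension"
    if data.startswith(OLE_MAGIC):
        return "review", "legacy OLE document; route to sandbox for macro inspection"
    return "allow", "no blocked type or embedded script detected"


def build_ooxml_with_vba():
    """Construct a minimal OOXML-like zip that smuggles a VBA project (sample input, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/vbaProject.bin", b"constructed-vba-stub")
    return buf.getvalue()


# Constructed sample attachments covering the honest, renamed and legacy cases.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("notice.pdf.lnk", LNK_MAGIC + b"\x00" * 64),
    ("annex.doc", LNK_MAGIC + b"\x00" * 64),             # LNK renamed to look like a document
    ("agenda.pptx", build_ooxml_with_vba()),             # macro deck renamed to a non-macro extension
    ("page.htm", b"<html><head><HTA:APPLICATION id='x'/></head></html>"),
    ("old_memo.doc", OLE_MAGIC + b"\x00" * 504),
]


def classify_all(attachments):
    """Classify a batch and return (name, verdict, reason) tuples."""
    return [(name, *classify_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    for name, verdict, reason in classify_all(SAMPLE_ATTACHMENTS):
        print(f"{verdict:<6} {name:<16} {reason}")
```

The "review" tier exists because a legacy compound-file document can carry macros that a signature check cannot see; those files are handed to a sandbox rather than silently allowed. The HTA check scans only the first 4 KiB, which is where the `<hta:application>` element sits in a genuine HTA, and keeps the classifier cheap on large attachments.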