Indian Government and Defense Sectors Targeted by Persistent Cyber Espionage Campaigns
For over a decade, Indian government and defense organizations have faced sustained cyber espionage from advanced threat groups, primarily Transparent Tribe (APT36) and the SideCopy cluster. These state-sponsored actors employ spear-phishing and weaponized documents to establish long-term access for intelligence gathering, prioritizing stealth and resilience over rapid attacks.
Recent campaigns reveal evolving tactics across Windows and Linux environments. A Windows-focused operation used phishing emails to deliver Geta RAT, abusing the legitimate mshta.exe binary and XAML deserialization to evade detection. Meanwhile, a Linux-targeted campaign deployed a Go-based downloader to install Ares RAT, a Python-based remote access tool. The malware achieved persistence via systemd user services, ensuring survival across reboots while blending into normal system activity.
Security experts, including Aditya K Sood of Aryaka, highlight the threat posed by these "espionage ecosystems", which operate as coordinated, mature networks rather than isolated incidents. The groups have expanded their tooling to include cross-platform payloads and memory-resident execution, reinforcing their ability to maintain access undetected.
Additionally, Desk RAT, distributed through malicious PowerPoint Add-Ins, underscores the attackers’ ongoing innovation in surveillance. Defenders must monitor for unusual service creations and network anomalies to disrupt these persistent threats before sensitive data is compromised.
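As an added, defender-side example (not from the article or from the researchers it cites): a Python triage script that parses systemd user unit files and flags the persistence pattern described above, an interpreter running a script from a temporary or hidden user-writable directory and wired to start at login. The sample unit files, the home path and the indicator lists are constructed assumptions, not captured artifacts.

```python
# Triage systemd user units (~/.config/systemd/user/*.service) for the persistence pattern
# described above. Heuristics only: every hit needs a human look, and silence proves nothing.
import shlex
from pathlib import Path
INTERPRETERS = {"python", "python2", "python3", "perl", "sh", "bash", "dash", "node"}
# Directories where packaged, legitimate user services rarely keep their executables.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.cache/", "/.config/", "/.local/share/")

def parse_unit(text):
    """Minimal unit-file parser -> {section: {key: [values]}}; keys like ExecStart may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            unit.setdefault(section, {}).setdefault(key.strip(), []).append(value.strip())
    return unit

def assess_unit(text, home="/home/user"):
    """Return the indicators found in one unit file ([] when nothing stands out)."""
    unit = parse_unit(text)
    findings = []
    for cmd in unit.get("Service", {}).get("ExecStart", []):
        # Strip systemd's ExecStart prefix characters and expand the %h (home) specifier.
        argv = shlex.split(cmd.lstrip("-@:+!").replace("%h", home))
        if argv and Path(argv[0]).name in INTERPRETERS and len(argv) > 1:
            findings.append(f"interpreter runs a script: {cmd}")
        odd = [a for a in argv if a.startswith("/") and any(d in a for d in SUSPECT_DIRS)]
        if odd:
            findings.append(f"executable in temp or hidden user path: {', '.join(odd)}")
    # Login autostart is normal on its own, so report it only alongside another signal.
    wanted = " ".join(unit.get("Install", {}).get("WantedBy", []))
    if findings and "default.target" in wanted.split():
        findings.append("starts at every login (WantedBy=default.target)")
    return findings

# Constructed samples (not captured units): the described pattern, then a normal service.
SUSPICIOUS_UNIT = """[Service]
ExecStart=/usr/bin/python3 %h/.cache/.sys/agent.py
[Install]
WantedBy=default.target
"""
BENIGN_UNIT = """[Service]
ExecStart=/usr/bin/syncthing serve --no-browser --no-restart
[Install]
WantedBy=default.target
"""
```

Run `assess_unit` over each file in `~/.config/systemd/user/` and review anything it returns; the benign sample shows that autostart wiring alone is not reported.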
Source: https://cybersecuritynews.com/apt36-hacker-group-attacking-linux-systems/
National Council of Urban Indian Health cybersecurity rating report: https://www.rankiteo.com/company/national-council-of-urban-indian-health
{
  "id": "NAT1770738873",
  "linkid": "national-council-of-urban-indian-health",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Defense/Government',
                        'location': 'India',
                        'name': 'Indian government organizations',
                        'type': 'Government'},
                       {'industry': 'Defense/Government',
                        'location': 'India',
                        'name': 'Indian defense organizations',
                        'type': 'Defense'}],
 'attack_vector': ['Spear-phishing', 'Weaponized documents'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive government and defense data'},
 'description': 'For over a decade, Indian government and defense organizations have faced sustained cyber espionage from advanced threat groups, primarily Transparent Tribe (APT36) and the SideCopy cluster. These state-sponsored actors employ spear-phishing and weaponized documents to establish long-term access for intelligence gathering, prioritizing stealth and resilience over rapid attacks. Recent campaigns reveal evolving tactics across Windows and Linux environments, including the use of Geta RAT, Ares RAT, and Desk RAT for surveillance and data exfiltration.',
 'impact': {'data_compromised': 'Sensitive government and defense data',
            'operational_impact': 'Long-term unauthorized access',
            'systems_affected': ['Windows', 'Linux']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['Spear-phishing', 'Weaponized documents'],
                           'high_value_targets': 'Government and defense organizations'},
 'lessons_learned': 'The threat posed by coordinated espionage ecosystems requires monitoring for unusual service creations and network anomalies to disrupt persistent threats before sensitive data is compromised.',
 'motivation': 'Intelligence gathering',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for unusual service creations and network anomalies',
                            'root_causes': ['Spear-phishing',
                                            'Weaponized documents',
                                            'Use of legitimate tools (mshta.exe) for evasion']},
 'recommendations': 'Defenders should monitor for unusual service creations and network anomalies to disrupt persistent threats.',
 'references': [{'source': 'Aditya K Sood of Aryaka'}],
 'response': {'enhanced_monitoring': 'Monitoring for unusual service creations and network anomalies'},
 'threat_actor': ['Transparent Tribe (APT36)', 'SideCopy cluster'],
 'title': 'Indian Government and Defense Sectors Targeted by Persistent Cyber Espionage Campaigns',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': ['XAML deserialization', 'Malicious PowerPoint Add-Ins']}