Geta RAT
Geta RAT is a .NET-based remote access trojan frequently linked to the SideCopy cluster and reported in campaigns associated with the broader Transparent Tribe (APT36) espionage ecosystem. It has been used in active campaigns targeting Indian defense-sector and government-aligned organizations, with the stated objective of long-term intelligence collection through stealthy, resilient access.
Observed delivery relied on phishing emails carrying malicious attachments or links, including LNK and HTA files. In one documented Windows infection chain, a malicious LNK invoked mshta.exe to execute an HTA hosted on compromised legitimate domains. The HTA contained JavaScript that decrypted an embedded DLL payload. That DLL processed embedded data to write and display a decoy PDF, connected to a hard-coded C2 server, checked for installed security products, and adapted persistence methods before deploying Geta RAT. Reporting also states the chain abused legitimate Windows components, including mshta.exe, used XAML deserialization, and executed payloads in memory to reduce file-based detection opportunities. Persistence on Windows was established through layered startup mechanisms.
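As an added defender-side example (not from the original reporting), the following Python flags the mshta.exe stage of the chain described above when run over constructed Sysmon-style process-creation events: launches of mshta.exe whose command line references a remote URL or an .hta file. The event field names, the explorer.exe parent heuristic, and every domain and path in the sample data are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    image: str          # full path of the created process (assumed field name)
    command_line: str   # full command line (assumed field name)
    parent_image: str   # full path of the parent process (assumed field name)

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)

def classify_mshta(ev: ProcessEvent) -> Optional[str]:
    """Label suspicious mshta.exe executions; return None for everything else."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "mshta.exe":
        return None
    remote = bool(URL_RE.search(ev.command_line))
    hta = bool(HTA_RE.search(ev.command_line))
    if not (remote or hta):
        return None
    # A double-clicked LNK is normally spawned by explorer.exe, so note that parent
    # explicitly (assumption: interactive launch; mail clients are also relevant parents).
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if remote:
        return "mshta_remote_hta" + ("_from_explorer" if parent == "explorer.exe" else "")
    return "mshta_local_hta"

def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (command_line, label) for every event the rule fires on."""
    return [(e.command_line, label) for e in events if (label := classify_mshta(e))]

# Constructed sample telemetry; domains and paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" https://compromised-site.example/doc/lure.hta',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\user\AppData\Local\Temp\lure.hta",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
                 r"C:\Program Files\Vendor\installer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {cmd}")
```

The third sample event shows why the local-.hta label is lower confidence than the remote one: software installers also run HTA files, so tune it against your own baseline before alerting.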
Capabilities directly described for Geta RAT include collecting system information, enumerating running processes, terminating specified processes, listing installed applications, gathering credentials, retrieving and replacing clipboard contents, capturing screenshots, performing file operations, running arbitrary shell commands, and harvesting data from connected USB devices. The malware is characterized as providing a lightweight but durable foothold for reconnaissance, intelligence gathering, and long-term post-compromise operations on Windows systems.
High-confidence contextual associations in the reporting tie Geta RAT to SideCopy and to campaigns attributed to Pakistan-aligned SideCopy/APT36 (Transparent Tribe) activity. The primary targets explicitly mentioned are Indian government and defense organizations.
Groups observed using it
2 distinct threat actors attributed by public researchers.
One active campaign targeted Windows systems using phishing emails that delivered LNK and HTA files. These files ultimately deployed GETA RAT, a .NET-based remote access trojan frequently linked to the SideCopy cluster.
"...use of malware families like Geta RAT..." / "...prior to deploying Geta RAT on the compromised host."
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
One active campaign targeted Windows systems using phishing emails that delivered LNK and HTA files.
Execution
4 techniques
"...including mshta.exe and XAML deserialization—to evade traditional file-based detection mechanisms."
"...spear-phishing and weaponized documents to quietly embed themselves in target environments."
One active campaign targeted Windows systems using phishing emails that delivered LNK and HTA files.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
"The HTA payload contains JavaScript to decrypt an embedded DLL payload..."
The infection chain abuses legitimate Windows components—including mshta.exe, XAML deserialization, and in-memory payload execution—to evade traditional file-based detection.
Credential Access
1 technique
Discovery
2 techniques
"Geta RAT supports various commands to collect system information, enumerate running processes..."
"After the lure document is displayed, the malware checks for installed security products..."
Collection
3 techniques
"...retrieve and replace clipboard contents with attacker-supplied data..."
Command and Control
1 technique
"...connects to a hard-coded command-and-control (C2) server..."
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Remote access trojan used in campaigns targeting Indian defense sector and government-aligned organizations; used to steal sensitive data and maintain access.
Cross-platform remote access trojan used in campaigns targeting Indian defense/government-aligned orgs. Provides persistent remote access, reconnaissance, data collection/exfiltration, command execution, credential theft, clipboard manipulation, screenshot capture, file operations, and USB data harvesting; connects to hard-coded C2 and uses decoy documents.
Remote access trojan deployed on Windows via phishing; leverages living-off-the-land execution (mshta.exe) and XAML deserialization to evade file-based detection and maintain stealthy access for espionage.
.NET-based remote access trojan used in Windows phishing campaigns. It abuses legitimate Windows components such as mshta.exe, XAML deserialization, and in-memory payload execution to evade file-based detection, and uses layered startup mechanisms for persistence.