Multiple reporting described phishing-led intrusions that establish long-term remote access on victim endpoints using a mix of commodity RATs and layered backdoors. Indian defense and government-aligned organizations were targeted in campaigns attributed to Pakistan-aligned clusters APT36/Transparent Tribe and SideCopy, using malicious attachments/links to deliver Windows and Linux payloads including Geta RAT, Ares RAT, and DeskRAT. One documented Windows chain used a malicious LNK that invoked mshta.exe to run a remote HTA, which then decrypted and launched a DLL payload, reflecting continued reliance on living-off-the-land binaries and multi-stage loaders to maintain persistence and enable data theft and post-compromise operations across platforms.
Separately, a newly reported CrashFix campaign backdoored Windows by socially engineering users to run a command via the Windows Run dialog, then using Windows tools and in-memory scripts to deploy a primary Python implant plus additional Python scripts and a reflectively loaded DLL backdoor, followed by network mapping and Active Directory targeting—behavior consistent with interactive intrusion/access-brokerage tradecraft. FortiGuard Labs also detailed a phishing campaign delivering a new XWorm variant via a malicious Excel attachment exploiting CVE-2018-0802 to fetch an HTA, trigger PowerShell, and load a fileless .NET module that uses process hollowing to inject XWorm into Msbuild.exe, alongside analysis of encrypted C2 traffic and plugin-based capabilities enabling full remote control of compromised Windows systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Multiple espionage campaigns targeting Indian defense-sector and government-aligned organizations were reported as using phishing to deliver cross-platform RATs for Windows and Linux, with activity attributed to Pakistan-aligned SideCopy and APT36.
Prior public reporting by CYFIRMA, Seqrite Labs, Sekoia, and QiAnXin XLab documented phishing-led Windows and Linux infection chains tied to SideCopy/APT36, including delivery of Geta RAT, Ares RAT, and DeskRAT against Indian targets.
Fortinet said protections were available across AntiSPAM, Web Filtering, IPS, and AntiVirus services and published campaign URLs, hashes, and the command-and-control endpoint associated with the XWorm activity.
The campaign was found to download an HTA and PowerShell stages, retrieve a hidden .NET loader from a Cloudinary-hosted JPEG, and inject XWorm v7.2 into a suspended Msbuild.exe process using process hollowing before connecting to an AES-encrypted C2 server.
FortiGuard Labs reported a phishing campaign targeting Windows users with business-themed emails carrying malicious Excel add-ins (.XLAM) that exploit Microsoft Equation Editor flaw CVE-2018-0802 to begin a multi-stage infection chain.
Binary Defense ARC Labs assessed that CrashFix deploys a Python implant, additional Python scripts, and a reflectively loaded DLL backdoor, then moves into network mapping and Active Directory targeting, resembling interactive intrusion or access-broker operations.
A newly reported 'CrashFix' intrusion campaign tricked Windows users into executing a command through the Windows Run dialog, after which attackers used built-in tools and in-memory scripts to deploy several backdoors for persistent access.
Reporting cited in the references assesses Pakistan-aligned SideCopy as a subdivision of Transparent Tribe (APT36) and notes it has been active since at least 2019.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityonline.info
Open sourcethehackernews.com
Open sourcescworld.com
Open sourcefeeds.fortinet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.