Pakistan-Based Hackers Ramp Up Attacks On Government Systems

Cybersecurity firm Quick Heal Technologies has reported that Pakistan-based groups SideCopy and Transparent Tribe (also known as APT36) have been targeting India's government and defence IT systems through malware attacks.

According to Sanjay Katkar, joint managing director at Quick Heal Technologies, the attacks typically start with spear-phishing emails containing malicious attachments or links that exploit vulnerabilities to gain initial access to the target networks. Once compromised, the attackers deploy various malware payloads, including the AllaKore and Crimson remote access trojans (RATs), which give them extensive remote control and unrestricted access to infected systems.

Katkar noted that the persistent targeting of the Indian government and defence entities by Pakistani APT groups is not new, but the recent increase in attack volumes and the growing sophistication of these adversaries indicate an evolving and dangerous cyber threat.

Quick Heal has detected three distinct campaigns launched by SideCopy in recent weeks, each ending with the deployment of two instances of the AllaKore RAT as the final malicious payload. Meanwhile, Transparent Tribe (APT36), the parent group of SideCopy, has used variants of the Crimson RAT, a sophisticated .NET-based remote access tool designed for extensive system control and persistent access.

According to the reports, Seqrite, the enterprise arm of Quick Heal, has observed an increase in the sale of access to Indian entities by initial access brokers in underground forums, alongside high-profile ransomware attacks.