216.73.216.75

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

· Published 08/04/2025 19:06 · Modified 08/04/2025 21:40

Export JSON

Essential information

Published
08/04/2025 19:06
Modified
08/04/2025 21:40
Tags
2025-04-08 apt curlback rat dll side-loading msi multi-platform phishing rat spark rat xeno rat
Related entities
28 observables, 1 intrusion sets (apt), 9 techniques (mitre), 3 malware, 5 others

Description

Pakistan-linked SideCopy has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to packages for staging, employing advanced techniques like and reflective loading. They are leveraging customized open-source tools such as and , and deploying a new . The attackers use compromised domains and fake sites for credential and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.

External references