Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks
Essential information
- Published
- 08/04/2025 19:06
- Modified
- 08/04/2025 21:40
- Tags
- 2025-04-08 apt curlback rat dll side-loading msi multi-platform phishing rat spark rat xeno rat
- Related entities
- 28 observables, 1 intrusion sets (apt), 9 techniques (mitre), 3 malware, 5 others
Description
Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customized open-source tools such as Xeno RAT and Spark RAT, and deploying a new CurlBack RAT. The attackers use compromised domains and fake sites for credential phishing and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and multi-platform attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.