{
  "name": "Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks",
  "slug": "goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks",
  "description": "Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customized open-source tools such as Xeno RAT and Spark RAT, and deploying a new CurlBack RAT. The attackers use compromised domains and fake sites for credential phishing and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and multi-platform attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.",
  "published": "2025-04-08T17:06:13+00:00",
  "created_at": "2025-04-08T17:06:13+00:00",
  "modified_at": "2025-04-08T19:40:28+00:00",
  "created_at_opencti": "2025-04-08T17:06:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-08",
    "apt",
    "curlback rat",
    "dll side-loading",
    "msi",
    "multi-platform",
    "phishing",
    "rat",
    "spark rat",
    "xeno rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.pakora.egovservice.in"
      },
      {
        "id": "",
        "name": "www.pakola.egovservice.in"
      },
      {
        "id": "",
        "name": "www.egovservice.in"
      },
      {
        "id": "",
        "name": "www.cmc.egovservice.in"
      },
      {
        "id": "",
        "name": "www.dss.egovservice.in"
      },
      {
        "id": "",
        "name": "webmail.egovservice.in"
      },
      {
        "id": "",
        "name": "webdisk.egovservice.in"
      },
      {
        "id": "",
        "name": "updates.widgetservicecenter.com"
      },
      {
        "id": "",
        "name": "updates.biossysinternal.com"
      },
      {
        "id": "",
        "name": "pakora.egovservice.in"
      },
      {
        "id": "",
        "name": "pen.egovservice.in"
      },
      {
        "id": "",
        "name": "pakola.egovservice.in"
      },
      {
        "id": "",
        "name": "nhp.mowr.gov.in"
      },
      {
        "id": "",
        "name": "mail.egovservice.in"
      },
      {
        "id": "",
        "name": "gadchiroli.egovservice.in"
      },
      {
        "id": "",
        "name": "dss.egovservice.in"
      },
      {
        "id": "",
        "name": "cpcontacts.egovservice.in"
      },
      {
        "id": "",
        "name": "cpcalendars.egovservice.in"
      },
      {
        "id": "",
        "name": "cpanel.egovservice.in"
      },
      {
        "id": "",
        "name": "cmc.egovservice.in"
      },
      {
        "id": "",
        "name": "pmshriggssssiwan.in"
      },
      {
        "id": "",
        "name": "modspaceinterior.com"
      },
      {
        "id": "",
        "name": "egovservice.in"
      },
      {
        "id": "",
        "name": "drjagrutichavan.com"
      },
      {
        "id": "",
        "name": "educationportals.in"
      },
      {
        "id": "",
        "name": "7fb2ab732966e984b009880d116c16c08a57c10ad2400f619076e38444b7397c"
      },
      {
        "id": "",
        "name": "a0dcf5d5c1bac633d44c99d43f3032ad5d9ae48814fc5a43e8edc2123da91742"
      },
      {
        "id": "",
        "name": "e3d2cf307b2ca718bf9e28e6c95921b5b08092175e8c6252bb2e61eb4c9ca289"
      }
    ],
    "malware": [
      {
        "id": "e37f2371-a0f6-4a56-bd94-cd56eb67edb8",
        "name": "CurlBack RAT",
        "slug": "curlback-rat"
      },
      {
        "id": "443abe9e-4762-4ff3-9725-694e7f783bd6",
        "name": "Spark RAT",
        "slug": "spark-rat"
      },
      {
        "id": "ac560421-35ba-4231-8a62-a4eaf34768be",
        "name": "Xeno RAT",
        "slug": "xeno-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5b8f41cb-d358-4eb6-8db3-05bb73617e91",
        "name": "SideCopy",
        "slug": "sidecopy"
      }
    ],
    "attack_patterns": [
      {
        "id": "edd1455b-2879-4b08-be3e-2aa78fb15652",
        "name": "T1585.002"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/",
    "https://otx.alienvault.com/pulse/67f573a5bed936092f4a65fd"
  ]
}