Twitter Feed - nextronresearch - 17-06-2026
Essential information
- Published
- 18/06/2026 05:19
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- apt36 decoy document double extension indian defense targeting pdfdocs rat persistence hkcu powershell stager rat transparent tribe
- Related entities
- 4 indicators, 1 intrusion sets (apt), 14 techniques (mitre), 1 malware
Description
SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as a lure. The attack follows the same playbook as previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components show low detection rates at initial delivery: the decoy document scores 0/66, the stager 1/61, and only the final executable reaches 35/71 detections.
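As an added defender-side example (not code from the report or from nextronresearch), the Python routine below triages endpoint telemetry for the three observable stages the description names: a document-named shortcut with a double extension, a batch stager launching PowerShell from a user-writable folder, and an HKCU Run key whose target sits in a user-writable path. The event records, file paths and the `jdoe` user are constructed for the example and are not indicators from the report.

```python
import re

# Constructed sample telemetry modelled on the chain above; invented paths, not report IoCs.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\jdoe\Downloads\Minutes Of Meeting.docx.lnk"},
    {"type": "file", "path": r"C:\Users\jdoe\Downloads\pdfdocs\pdfdocs\pdfdocs.bat"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jdoe\Downloads\pdfdocs\pdfdocs\pdfdocs.bat"'},
    {"type": "process", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\jdoe\Downloads\pdfdocs\stage.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "pdfdocs", "data": r"C:\Users\jdoe\AppData\Roaming\pdfdocs\pdfdocs.exe"},
    {"type": "file", "path": r"C:\Users\jdoe\Documents\report.docx"},
]

DOUBLE_EXT_LNK = re.compile(r"\.(docx?|pdf|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
BATCH_ARG = re.compile(r'([A-Z]:\\[^"]+\.(?:bat|cmd))', re.IGNORECASE)

def is_double_extension_lnk(path):
    """Shortcut posing as a document, e.g. 'Minutes Of Meeting.docx.lnk'."""
    return DOUBLE_EXT_LNK.search(path) is not None

def is_batch_from_user_dir(event):
    """cmd.exe running a .bat/.cmd stored under a user-writable folder."""
    m = BATCH_ARG.search(event["cmdline"])
    return event["image"].lower() == "cmd.exe" and bool(m) and bool(USER_WRITABLE.search(m.group(1)))

def is_powershell_from_batch(event):
    """PowerShell spawned by the batch interpreter: the stager shape described above."""
    return event["image"].lower() == "powershell.exe" and event["parent"].lower() == "cmd.exe"

def is_run_key_persistence(event):
    """Run-key autostart whose target lives in a user-writable location."""
    return bool(RUN_KEY.search(event["key"])) and bool(USER_WRITABLE.search(event["data"]))

def triage(events):
    """Return (rule, evidence) pairs in event order; one event may match several rules."""
    hits = []
    for e in events:
        if e["type"] == "file" and is_double_extension_lnk(e["path"]):
            hits.append(("double_extension_lnk", e["path"]))
        elif e["type"] == "process":
            if is_batch_from_user_dir(e):
                hits.append(("batch_from_user_dir", e["cmdline"]))
            if is_powershell_from_batch(e):
                hits.append(("powershell_from_batch", e["cmdline"]))
        elif e["type"] == "registry" and is_run_key_persistence(e):
            hits.append(("run_key_persistence", e["key"] + "\\" + e["value"]))
    return hits
```

Running `triage(SAMPLE_EVENTS)` yields one hit per stage; the benign `report.docx` event produces none, so the rules can be tuned against real telemetry without firing on ordinary document activity.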