{
  "name": "Twitter Feed - nextronresearch - 17-06-2026",
  "slug": "twitter-feed-nextronresearch-17-06-2026",
  "description": "SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as lure. The attack employs an identical playbook to previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components demonstrate low detection rates at initial delivery, with the decoy document scoring 0/66, the stager 1/61, and only the final executable reaching 35/71 detections.",
  "published": "2026-06-18T03:19:07.460000+00:00",
  "created_at": "2026-06-18T20:05:16.730000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-18T20:05:16.730000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "apt36",
    "decoy document",
    "double extension",
    "indian defense targeting",
    "pdfdocs rat",
    "persistence hkcu",
    "powershell stager",
    "rat",
    "transparent tribe"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "539c26d6-2f77-410c-ab18-fbe804ec4ccd",
        "name": "ad7e4f47f9ddb2f97c8818d89374a82278922bac1bc41209ecd0b5ad027dcb45"
      },
      {
        "id": "4601e6f4-2a8f-4c19-aee7-221f1c7e2692",
        "name": "b3007c3b0f140df374a6756215bde55409124822203d309dcc82e10aa8115a91"
      },
      {
        "id": "f1bb134b-20b8-45d4-b19b-669d87a6c4e7",
        "name": "e9f8a7e6275c263d2a1c9c5c9725addbf484c77c1aa8387093c16f50ebdc11ab"
      },
      {
        "id": "03891744-9909-473f-973d-83163971c49e",
        "name": "db1cb4aaee4ad2f1b2907b2c2d3393544a6a05f9a4d8819eb0078606402c416c"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5b8f41cb-d358-4eb6-8db3-05bb73617e91",
        "name": "SideCopy",
        "slug": "sidecopy"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "3a86ae94-b588-456f-a88d-3e3f9d1016f1",
        "name": "pdfdocs RAT"
      }
    ]
  },
  "external_refs": [
    {
      "id": "73d63531-0686-4a5f-8dff-bbc775771dec",
      "standard_id": "external-reference--09bb0bf4-d52d-5aca-8058-a8bf2892b0f5",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3363abf0061625f1a7b54a",
      "hash": null,
      "external_id": "6a3363abf0061625f1a7b54a",
      "created": "2026-06-18T20:05:08.674Z",
      "modified": "2026-06-18T20:05:08.674Z",
      "createdById": null
    },
    {
      "id": "ce19963b-6179-4488-ac79-1ef5f7e1ea1d",
      "standard_id": "external-reference--51c9e329-d439-5aed-a729-ef582f2b0db7",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://x.com/nextronresearch/status/2067230614424600844",
      "hash": null,
      "external_id": null,
      "created": "2026-06-18T20:05:08.702Z",
      "modified": "2026-06-18T20:05:08.702Z",
      "createdById": null
    }
  ]
}