India targeted by Pakistan‑linked APT36 in coordinated three‑pronged RAT campaign

Researchers have attributed a set of targeted, ongoing espionage operations against Indian defense and government networks to the Pakistan‑linked group commonly tracked as APT36. Analysts observed three primary malware families deployed to maintain covert, long‑lived access across both Windows and Linux endpoints. On Windows systems, operators employed a .NET remote access trojan delivered through loaders that abuse trusted OS components and favor in‑memory execution to minimize forensic artifacts. Linux hosts were compromised with a Python‑based RAT retrieved by a Go downloader; that implant performs comprehensive system inventory, deep file enumeration and structured data siphoning. A third, Go‑written RAT delivered via a malicious PowerPoint add‑in collected extensive host diagnostics and sustained a persistent control channel over WebSocket, allowing continuous operator oversight. Initial access vectors recorded in the campaign include phishing lures that lead to weaponized attachments or secondary downloaders; observed delivery formats include LNK shortcuts, ELF binaries, HTA scripts and Office add‑ins. Persistence mechanisms span startup chaining on Windows—where boot scripts and legitimate binaries are abused to recreate footholds—and user‑level systemd services on Linux that survive reboots and blend with normal process trees. Command‑and‑control frequently used encrypted TCP or WebSocket channels with heartbeat patterns, reducing noisy network indicators and enabling stealthy, stable connectivity. The adversary’s reliance on living‑off‑the‑land techniques, scripting runtimes and memory‑only execution complicates signature‑based detection and extends implant lifetimes. While the activity shows tactical focus on intelligence collection tied to procurement, budgeting and defense planning, its tradecraft is consistent with a wider class of long‑duration intrusion campaigns observed globally that combine persistent implants with session orchestration, credential capture and even telephone‑based social engineering to pressure live sessions. That broader pattern can blur the lines between criminal access operations and state‑directed espionage, making attribution and diplomatic responses more fraught. For defenders, effective detection and response requires fusing telemetry from endpoints, network flows, email gateways and identity/session logs, alongside identity‑first measures such as hardware‑backed MFA, rapid session revocation, stronger privileged access controls and zero‑trust segmentation. Prioritized mitigations also include stricter browser governance, segmented networks for high‑value assets and migration planning toward quantum‑resistant cryptography to reduce the risk of long‑term traffic collection being exploited in the future. The campaign underscores an evolving emphasis on low‑noise, high‑persistence collection that yields asymmetric strategic and economic intelligence over time, increasing remediation costs and diplomatic friction for affected states.