A sophisticated campaign by the Pakistan-linked SideCopy Advanced Persistent Threat (APT) group has been active since late December 2024, targeting critical Indian government sectors with enhanced tactics. The group has significantly expanded its scope beyond its traditional defense and maritime targets to include entities under the railway, oil & gas, and external affairs ministries, an alarming broadening of its cyber espionage activities.

Seqrite Labs APT researchers identified that the threat actors are leveraging open-source tools such as XenoRAT and SparkRAT to extend their capabilities, continuing their earlier use of AsyncRAT. SideCopy's evolution also includes a notable shift from HTML Application (HTA) files to Microsoft Installer (MSI) packages as the primary staging mechanism. This tactical change reflects the group's persistent efforts to evade detection while retaining the ability to compromise targeted systems through DLL side-loading and multi-platform intrusions across both Windows and Linux environments.

The attackers have been observed sending spear-phishing emails with subjects such as "Update schedule for NDC 65 as discussed" and "Policy update for this course," containing malicious download links. Shortcuts used in the infection chain execute obfuscated commands that download and install MSI packages hosted on compromised domains, including an official National Hydrology Project website under the Ministry of Water Resources. Additionally, a previously undocumented payload dubbed "CurlBack RAT" was discovered; it registers victim systems with command and control (C2) servers using unique identifiers.

One notable sender address, "[email protected]," was created on January 10, 2025, in the UAE and remained active until February 28, 2025. It mimicked a legitimate National Informatics Centre address, "[email protected]," associated with India's Ministry of Electronics and Information Technology. The researchers also uncovered a fake domain mimicking an e-governance service portal that hosted multiple phishing login pages targeting various City Municipal Corporations in Maharashtra state, with thirteen subdomains designed to harvest credentials from unsuspecting government employees.

The ongoing campaign shows how state-sponsored threat actors continue to evolve their tactics while leveraging open-source tools to maintain operational flexibility and reduce development costs, presenting a persistent challenge for defenders protecting government networks.
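The lookalike sender address and the spoofed e-governance portal described above are both cases of a domain that is close to, or embeds, a trusted government domain. The following is an added example (not code from the article or from Seqrite Labs) of a defender-side mail-gateway check that flags such senders: it compares the sender's domain against a list of trusted domains by edit distance and also catches a trusted domain embedded as a subdomain of an attacker-controlled name. The trusted domains and sample addresses are constructed placeholders, not the redacted addresses from the report.

```python
"""Flag sender addresses whose domain resembles a trusted government domain.

Added defensive example; TRUSTED_DOMAINS and the sample messages below are
constructed placeholders, not identifiers from the SideCopy report.
"""
from typing import List, Optional, Tuple

# Constructed placeholder list of domains the organisation actually trusts.
TRUSTED_DOMAINS = ["gov-mail.example", "egov-portal.example"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: substitutions, insertions and deletions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_reason(address: str,
                     trusted: List[str] = TRUSTED_DOMAINS,
                     max_distance: int = 2) -> Optional[str]:
    """Return a human-readable reason if the sender domain looks like a
    trusted one, or None if it is either exactly trusted or unrelated."""
    domain = sender_domain(address)
    if domain in trusted:
        return None  # genuine trusted sender
    for good in trusted:
        # Typo-squat style: a few characters changed, e.g. 'l' -> '1'.
        distance = levenshtein(domain, good)
        if 0 < distance <= max_distance:
            return f"edit-distance {distance} from {good}"
        # Subdomain style: trusted name embedded under an attacker domain,
        # e.g. gov-mail.example.attacker.test
        if domain.endswith("." + good) or domain.startswith(good + "."):
            return f"embeds trusted domain {good}"
    return None


def scan_senders(addresses: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of From: addresses and return the hits."""
    hits = []
    for addr in addresses:
        reason = lookalike_reason(addr)
        if reason is not None:
            hits.append((addr, reason))
    return hits


# Constructed sample From: headers for a stand-alone run.
SAMPLE_SENDERS = [
    "clerk@gov-mail.example",              # genuine
    "clerk@gov-mai1.example",              # digit 1 substituted for letter l
    "support@gov-mail.example.attacker.test",  # trusted name as a subdomain
    "vendor@unrelated.test",               # unrelated, should not be flagged
]

if __name__ == "__main__":
    for addr, why in scan_senders(SAMPLE_SENDERS):
        print(f"SUSPECT {addr}: {why}")
```

The check is deliberately conservative: an exact match on a trusted domain is never flagged, and the edit-distance threshold is small so that ordinary vendor domains do not trip it. In a real gateway the trusted list would come from an allow-list of partner and government domains, and a hit would route the message to quarantine or add a banner rather than block outright.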
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Apr 2025 11:15:11 +0000