- What: Transparent Tribe (APT36), a Pakistan-attributed threat actor, is targeting Indian government and defense organizations with multiple espionage campaigns.
- Impact: Windows and Linux systems are being targeted with GETA, ARES, and Desk RATs for economic cyber espionage.
RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India

Transparent Tribe (APT36) is targeting Indian defense and government sectors with GETA, ARES, and Desk RATs in a new wave of economic cyber espionage.

By Kevin Townsend | February 10, 2026 (11:00 AM ET)

Indian government and defense organizations are being targeted by multiple espionage campaigns delivered by the Pakistan-attributed Transparent Tribe (aka APT36), according to a newly released threat report. These campaigns target both Windows and Linux.

One active campaign employs GETA RAT (often specifically attributed to the SideCopy subgroup of Transparent Tribe). It is a .NET RAT that abuses legitimate Windows components (including mshta.exe, XAML deserialization, and in-memory payload execution) to evade signature-based detection. Persistence is achieved through layered startup mechanisms that ensure continued access. “The result,” writes Aditya Sood, VP of security engineering and AI strategy at Aryaka, in a blog accompanying the report, “is a lightweight but durable foothold, well-suited for extended reconnaissance and intelligence gathering.”

A separate campaign targets Linux environments with ARES RAT and system-level persistence. ARES, a Python-based tool long associated with Transparent Tribe, uses a Go-based downloader. When deployed, it performs system profiling, recursive file enumeration, and structured data exfiltration. “Persistence was achieved through systemd user services, allowing the malware to survive reboots while blending into normal system operations,” writes Sood.

Aryaka has also detected Transparent Tribe campaigns using a newer, emerging tool: Desk RAT. This is Go-based and distributed via a malicious PowerPoint Add-In. It collects detailed system diagnostics and communicates with its operators using WebSocket-based command-and-control.
“This design enables continuous situational awareness on compromised hosts, reinforcing APT36’s long-term surveillance objectives,” writes Sood. (Earlier Go-based malware includes BlackCat/ALPHV ransomware and the Vampire Bot job-seeker scam.)

Aryaka provides a detailed examination of these three malware families and their infection methods in a separate report. The key elements are persistence and stealth. “Initial access in the observed campaigns relies on phishing emails delivering weaponized attachments or embedded download links that lead to malicious LNK files, ELF binaries, HTA scripts, and PowerPoint add-ins,” notes the analysis report. “Execution and loader activity abuses living-off-the-land binaries such as mshta.exe, PowerShell, and scripting engines to retrieve and execute payloads in memory,” it continues. “For command-and-control, the observed malware families – GETA RAT, ARES RAT, and Desk RAT – use encrypted TCP or WebSocket-based communication with periodic heartbeat patterns to maintain persistence.”

Sood, however, is keen to stress that such state-sponsored attacks are indicative of a global increase in state espionage. This is no longer adversarial nations pre-positioning themselves in critical industries in case of, or ahead of, a potential kinetic war, but economic intelligence gathering in the face of an escalating global trade and tariff war. “Sometimes,” explains Sood, “unexpected trade deals happen between nations, involving billions and billions of dollars in import or export. There’s a lot of money to be made for a nation’s economy through trade. India, for example, is raising its defense budget by 4% this year, and there are many nations that would like to know what they intend to do with the money.”

Aryaka’s analysis of the Transparent Tribe campaigns serves two purposes.
Firstly, it provides deep analytical insight into the type of tools used in this new global trade war; secondly, it highlights that politically adversarial nation states are no longer the primary ‘enemy’. Friendly nations will increasingly target other friendly countries and their potential rival companies, seeking nothing more (nor less) than economic advantage in trade and tariff wars. The combination of nation state attacks driven by continuing geopolitical tensions and growing economic attacks from elite groups such as Transparent Tribe suggests we can expect more nation state attacks in the future. And the analyses of the GETA, ARES, and Desk RATs, with their focus on persistence and stealth, highlight the difficulties cybersecurity practitioners will face.
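As an added example (not from the article or from Aryaka's report): a small Python audit that scans systemd user service units, the persistence mechanism described above for ARES RAT, for traits a defender would want to triage: an ExecStart in a world-writable or hidden directory, a download piped into an interpreter, and Restart=always wired to default.target so the unit survives reboots. The two sample unit texts are constructed, and the hidden path in the suspect sample is a placeholder, not an indicator from the report.

```python
"""Audit systemd user service units for the persistence traits the report
describes for ARES RAT (survives reboots, blends in). Added example."""
import re
from pathlib import Path

WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")

def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values]}}; keys may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section:
            key, value = line.split("=", 1)
            unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit

def audit_unit(text):
    """Return findings for one unit file's text (empty list = nothing flagged)."""
    unit = parse_unit(text)
    service, install = unit.get("Service", {}), unit.get("Install", {})
    findings = []
    for cmd in service.get("ExecStart", []):
        words = cmd.split()
        exe = words[0].lstrip("-@+!:") if words else ""  # drop systemd prefixes
        if exe.startswith(WORLD_WRITABLE):
            findings.append(f"ExecStart in world-writable dir: {exe}")
        if any(p.startswith(".") for p in Path(exe).parts[1:]):
            findings.append(f"ExecStart in hidden path: {exe}")
        if re.search(r"\b(curl|wget)\b.*\|\s*(sh|bash|python3?)\b", cmd):
            findings.append("ExecStart pipes a download into an interpreter")
    if "always" in service.get("Restart", []) and \
       "default.target" in install.get("WantedBy", []):
        findings.append("Restart=always + WantedBy=default.target (reboot-persistent)")
    return findings

def audit_user_units(user_dir=None):
    # Default location of per-user units; pass another path to audit a copy.
    user_dir = Path(user_dir) if user_dir else Path.home() / ".config/systemd/user"
    return {u.name: audit_unit(u.read_text()) for u in user_dir.glob("*.service")}

# Constructed sample units (not from the report): one benign, one suspect.
BENIGN = "[Service]\nExecStart=/usr/bin/mbsync -a\n[Install]\nWantedBy=default.target\n"
SUSPECT = ("[Service]\nExecStart=/home/user/.cache/.sysupd/agent\nRestart=always\n"
           "RestartSec=30\n[Install]\nWantedBy=default.target\n")
```

Run `audit_user_units()` on a live host to get a per-unit findings map; an empty list for every unit means nothing matched these heuristics, not that the host is clean.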