Published on April 16, 2025.
A Pakistan-affiliated hacking group has escalated its cyber operations against Indian entities, introducing advanced malware tools such as CurlBack RAT and Spark RAT. These attacks, identified by SEQRITE in December 2024, have targeted India’s railway, oil and gas, and external affairs ministries, indicating a broader focus beyond previous targets like defense and maritime sectors.
The group has moved from HTML Application (HTA) files to Microsoft Installer (MSI) packages for malware deployment. The change matters to defenders because an MSI is processed by the signed Windows Installer binary (msiexec.exe) rather than by mshta.exe, a script host that many environments now monitor or block, so the payload gains a more legitimate-looking execution path. Phishing emails carrying deceptive documents, such as holiday lists for railway staff or cybersecurity guidelines purportedly from Hindustan Petroleum Corporation Limited (HPCL), serve as the lures.

Once executed, CurlBack RAT can collect system information, download files, execute arbitrary commands, elevate privileges, and list user accounts. Spark RAT is cross-platform and runs on both Windows and Linux hosts. Security researchers attribute the activity to SideCopy, a subgroup of the Transparent Tribe (APT36) threat actor that is known for its focus on Windows systems and its continually evolving malware arsenal.
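The HTA-to-MSI shift described above suggests a straightforward process-creation check: flag mshta.exe or msiexec.exe when a mail client, browser or archiver launches it against a file in a user-writable folder, with a silent-install switch, or from a URL. The Python below is an added example written for this page, not code from Seqrite or from the malware; the event records, the user name and the lure file names are constructed, and the parent-process list is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Parent processes a phished user would launch an attachment or download from.
# Assumption: tune to the mail clients, browsers and archivers in your estate.
LURE_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe",
                "firefox.exe", "winrar.exe", "7zfm.exe", "explorer.exe"}

# Signed Windows binaries that execute the old (HTA) and new (MSI) lure formats.
DELIVERY_BINARIES = {"mshta.exe": "HTA", "msiexec.exe": "MSI"}

# Folders where mail attachments and browser downloads normally land.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp|"
    r"AppData\\Local\\Microsoft\\(?:Outlook|Windows\\INetCache))\\", re.I)
# msiexec silent/unattended switches (/q, /qn, /qb, /qr, /qf).
QUIET_FLAGS = re.compile(r"(?:^|\s)/q(?:n|b|r|f)?\b", re.I)
# msiexec can install straight from a URL; user-initiated installs rarely need that.
REMOTE_SOURCE = re.compile(r"https?://", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields as in Sysmon Event ID 1 / Windows 4688)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for a suspicious HTA/MSI launch, or None."""
    fmt = DELIVERY_BINARIES.get(basename(ev.image))
    if fmt is None:
        return None
    parent = basename(ev.parent_image)
    indicators = []
    if parent in LURE_PARENTS:
        indicators.append(f"launched from {parent}")
    if USER_WRITABLE.search(ev.command_line):
        indicators.append("payload in user-writable path")
    if fmt == "MSI" and QUIET_FLAGS.search(ev.command_line):
        indicators.append("silent install switch")
    if REMOTE_SOURCE.search(ev.command_line):
        indicators.append("payload fetched from URL")
    # A lure-capable parent alone is noisy (explorer.exe installs legitimate
    # software all day), so require at least one content indicator as well.
    if parent not in LURE_PARENTS or len(indicators) < 2:
        return None
    return {"format": fmt, "parent": parent, "indicators": indicators}


def scan(events) -> list:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events; the user name and file names are invented for this example.
SAMPLE_EVENTS = [
    # MSI attachment opened straight from the mail client with a silent-install switch.
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\ravi\AppData\Local\Microsoft\Windows'
              r'\INetCache\Content.Outlook\AB12CD34\Holiday_List_2025.msi" /qn'),
    # Software rollout by a management agent: same binary and switch, no lure parent.
    ProcEvent(r"C:\Windows\CCM\CcmExec.exe",
              r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Windows\ccmcache\a1\agent.msi" /qn'),
    # Older HTA-style delivery, opened from the browser's download folder.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\ravi\Downloads\Security_Guidelines.hta"'),
    # Unrelated child process, ignored entirely.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule stays silent when a management agent runs the very same msiexec command line, and it needs both a lure-capable parent and a content indicator before it fires, so a routine explorer.exe-parented install from Downloads produces triage material rather than a standalone alert. In practice pair it with the signer or hash of the .msi and with the outbound connections the installed process makes afterwards.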