Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customized open-source tools such as Xeno RAT and Spark RAT, and deploying a new CurlBack RAT. The attackers use compromised domains and fake sites for credential phishing and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and multi-platform attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.
OPENCTI LABELS :
apt,rat,phishing,xeno rat,msi,dll side-loading,multi-platform,spark rat,curlback rat