Pakistan-Linked Cyber Operations Under Scrutiny as Indian Sectors Accuse Pakistani Hackers

By Tech Desk ⏐ 1 month ago ⏐ 2 min read

Indian cybersecurity circles are voicing strong accusations against Pakistan-linked cyber operatives after a series of high-profile attacks allegedly targeted key government sectors. Cybersecurity firm SEQRITE reported that a campaign under way since December 2024 hit critical areas including railways, oil and gas, and external affairs. Researchers attribute the attacks to a sub-cluster known as SideCopy, which is treated as an offshoot of the APT36 group (also tracked as Transparent Tribe). SideCopy has been active in cyber espionage since at least 2019 and takes its name from its habit of copying the infection chains of the SideWinder group.

What makes this episode particularly concerning is the reported shift in tactics. Rather than the HTML Application (HTA) files it once relied on, the group now delivers its malware through Microsoft Installer (MSI) packages, a change aimed at improving infection rates, since MSI files are a routine software-installation format and attract less suspicion than HTA scripts. Among the tools deployed are several remote access trojans (RATs), including Xeno RAT, Spark RAT, and a newly identified one named CurlBack RAT. CurlBack RAT can retrieve system information, escalate privileges, list user accounts, and steal sensitive files.

The delivery techniques have also grown more sophisticated. Phishing emails carry decoy documents disguised as official files, such as railway holiday lists and cybersecurity guidelines, to lure victims into opening the malicious installer. Some campaigns were built to compromise both Windows and Linux systems, a further sign of the group's widening reach. The operators also use evasion methods that complicate detection: DLL side-loading (a legitimate, often signed, executable is tricked into loading a malicious DLL placed alongside it), reflective loading (code is mapped and executed in memory rather than written to disk as a file), and AES decryption performed by PowerShell (the payload stays encrypted on disk and is only decrypted at run time). Each of these keeps the actual malicious code out of the places where file-based scanning looks.
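The behaviours described in the two paragraphs above (MSI-based delivery, PowerShell-driven AES decryption, reflective loading and DLL side-loading) leave process-creation and image-load traces that a SOC can hunt for. The following Python is an added example written for this page, not code from SEQRITE or from the reported campaign. It runs a few detection rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 7 image load, using Sysmon's real field names); the sample events, file names and paths are invented for illustration and do not come from any incident.

```python
"""Hunting rules over constructed Sysmon-style events for the tradecraft
discussed above: msiexec spawning a script host, PowerShell AES decryption,
reflective assembly loading, and DLL side-loading from user-writable paths.
All sample events below are constructed for this example."""
import re

# Constructed events. EventID 1 = process create, EventID 7 = image load.
# File names (HolidayList.msi, tool.exe, version.dll) are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\HolidayList.msi /qn"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": ("powershell.exe -w hidden -c "
                     "$a=New-Object System.Security.Cryptography.AesManaged;"
                     "$d=$a.CreateDecryptor($k,$iv).TransformFinalBlock($b,0,$b.Length);"
                     "[System.Reflection.Assembly]::Load($d)")},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\"},
]

# Interpreters that an MSI custom action has no business launching in most estates.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories any user can write to; DLLs loaded from here deserve a look.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# .NET AES class and method names that show up when PowerShell decrypts a payload.
AES_MARKERS = ("AesManaged", "AesCryptoServiceProvider", "CreateDecryptor",
               "[System.Security.Cryptography.Aes]")
# Loading a byte array as an assembly is the usual PowerShell reflective-load idiom.
REFLECTIVE_MARKERS = ("[System.Reflection.Assembly]::Load",
                      "[Reflection.Assembly]::Load")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names that fire on a single event."""
    hits = []
    if event.get("EventID") == 1:
        image = basename(event["Image"])
        if basename(event["ParentImage"]) == "msiexec.exe" and image in SCRIPT_HOSTS:
            hits.append("msi_spawns_script_host")
        if image in ("powershell.exe", "pwsh.exe"):
            cmd = event.get("CommandLine", "")
            if any(m in cmd for m in AES_MARKERS):
                hits.append("powershell_aes_decrypt")
            if any(m in cmd for m in REFLECTIVE_MARKERS):
                hits.append("powershell_reflective_load")
    elif event.get("EventID") == 7:
        # Side-loading indicator: an unsigned DLL pulled from a user-writable
        # folder. Noisy on developer machines, so treat it as a triage lead.
        if (USER_WRITABLE.search(event["ImageLoaded"])
                and event.get("Signed", "false").lower() != "true"):
            hits.append("unsigned_dll_from_user_writable_path")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := detect(e))]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), rules)
```

Note that the first event, the msiexec install itself, fires nothing: installing an MSI from Downloads is what users do all day. The signal is in the parent-child relationship of the second event, where the installer hands off to a hidden PowerShell that decrypts and loads a payload in memory. Correlating Event ID 1 with Event ID 7 from the same process would tighten the side-loading rule further.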

While Indian cybersecurity researchers have accused Pakistan-linked hackers of carrying out these attacks, there has been no official response from the alleged actors, who have neither acknowledged nor denied involvement. As investigations unfold, that silence underlines the murky dynamics of cyber conflict, where technical attribution rests on overlaps in tooling and infrastructure rather than confessions, and geopolitical tension continues to blur the lines of responsibility.
