Twitter Feed - nextronresearch - 17-06-2026

June 18, 2026, 8:05 p.m.

Description

SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel, using a fake 'Minutes Of Meeting' document as a lure. The attack follows the same playbook as previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components show low detection rates at initial delivery: the decoy document scores 0/66 and the stager 1/61, and only the final executable reaches 35/71 detections.

Date

  • Created: June 18, 2026, 3:19 a.m.
  • Published: June 18, 2026, 3:19 a.m.
  • Modified: June 18, 2026, 8:05 p.m.

Indicators

  • ad7e4f47f9ddb2f97c8818d89374a82278922bac1bc41209ecd0b5ad027dcb45
  • b3007c3b0f140df374a6756215bde55409124822203d309dcc82e10aa8115a91
  • e9f8a7e6275c263d2a1c9c5c9725addbf484c77c1aa8387093c16f50ebdc11ab
  • db1cb4aaee4ad2f1b2907b2c2d3393544a6a05f9a4d8819eb0078606402c416c

Attack Patterns

Additional Information

  • Defense
  • India
  • British Indian Ocean Territory