APT36 Exploits ISO Attachments to Deploy Crimson RAT in Indian Startups

Pakistan-aligned APT36 has shifted its focus to India's fast-growing startup ecosystem. The group is delivering spear-phishing emails that carry ISO image attachments. When the recipient opens the ISO, Windows mounts it and exposes a malicious Windows shortcut (LNK); launching the shortcut runs a payload that installs the Crimson Remote Access Tool (Crimson RAT). Crimson RAT gives the attackers full control of the system, enabling credential theft, keylogging, screenshot capture, and exfiltration of sensitive business data.

The campaign threatens the confidentiality of proprietary technology, financial information, and intellectual property held by these young companies, and a compromised startup could serve as a foothold for broader supply-chain intrusion. Defenders should prioritize detection of ISO-based delivery, block execution of shortcut files, and monitor endpoints and network traffic for known Crimson RAT indicators. Stronger email filtering, user awareness training, and rapid incident response are essential to mitigate this emerging threat.
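The delivery chain described above (ISO attachment written by a mail client, mounted by the user, then a process started from the mounted drive) is easy to correlate in endpoint telemetry. The following is an added example, not code from the article or from any vendor product: a small Python detector that runs over constructed Sysmon/EDR-style event records and raises an alert when a process references a drive letter that was mounted from an ISO within the previous ten minutes. Event field names, hostnames, paths and the list of "attachment writer" processes are assumptions chosen for the sample; the severity rule (high when the ISO came from a mail client or browser, medium otherwise) is a starting point a SOC would tune.

```python
import re
from datetime import datetime, timedelta

# Processes that commonly write attachments or downloads to disk (assumed list).
# An ISO created by one of these and mounted shortly afterwards matches the
# phishing delivery pattern described in the article.
ATTACHMENT_WRITERS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(minutes=10)  # how long after a mount we correlate process starts

# Constructed sample telemetry (not from the article). Field names imitate
# Sysmon/EDR-style events: file creation, ISO volume mount, process creation.
EVENTS = [
    {"ts": "2024-05-02T09:14:03", "type": "file_create", "host": "ws01", "user": "asha",
     "path": r"C:\Users\asha\Downloads\Invoice_Q2.iso", "process": "outlook.exe"},
    {"ts": "2024-05-02T09:14:10", "type": "volume_mount", "host": "ws01", "user": "asha",
     "path": r"C:\Users\asha\Downloads\Invoice_Q2.iso", "mount": "E:"},
    # User double-clicks the shortcut on the mounted image (LNK launched via explorer).
    {"ts": "2024-05-02T09:14:25", "type": "process_create", "host": "ws01", "user": "asha",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c start "" "E:\Invoice_Q2.lnk"'},
    {"ts": "2024-05-02T09:14:26", "type": "process_create", "host": "ws01", "user": "asha",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -NoProfile -File "E:\setup\helper.ps1"'},
    # Unrelated activity on the same host: no mounted-drive reference, no alert.
    {"ts": "2024-05-02T09:20:00", "type": "process_create", "host": "ws01", "user": "asha",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\notes.txt"},
    # Benign-looking case on another host: ISO written by an installer tool, not a mail client.
    {"ts": "2024-05-02T10:00:00", "type": "file_create", "host": "ws02", "user": "ravi",
     "path": r"D:\images\Win11.iso", "process": "mediacreationtool.exe"},
    {"ts": "2024-05-02T10:00:05", "type": "volume_mount", "host": "ws02", "user": "ravi",
     "path": r"D:\images\Win11.iso", "mount": "F:"},
    {"ts": "2024-05-02T10:00:30", "type": "process_create", "host": "ws02", "user": "ravi",
     "image": r"F:\setup.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": r'"F:\setup.exe"'},
    # Same drive letter, but 30 minutes later: outside the correlation window, no alert.
    {"ts": "2024-05-02T10:30:00", "type": "process_create", "host": "ws02", "user": "ravi",
     "image": r"F:\sources\setupprep.exe", "parent": r"F:\setup.exe", "cmdline": r"F:\sources\setupprep.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_iso_mount_execution(events, window=WINDOW):
    """Correlate 'ISO written -> ISO mounted -> process referencing the mounted drive'
    within `window` and return one alert per suspicious process start."""
    dropped = {}   # (host, lower-cased iso path) -> process that wrote the file
    mounts = []    # mount records, each carrying whether the ISO came from an attachment writer
    alerts = []
    for e in sorted(events, key=lambda ev: _ts(ev["ts"])):
        ts = _ts(e["ts"])
        if e["type"] == "file_create" and e["path"].lower().endswith(".iso"):
            dropped[(e["host"], e["path"].lower())] = e["process"].lower()
        elif e["type"] == "volume_mount":
            writer = dropped.get((e["host"], e["path"].lower()))
            mounts.append({
                "ts": ts, "host": e["host"], "user": e["user"], "iso": e["path"],
                "drive": e["mount"].upper(),
                "from_attachment": writer in ATTACHMENT_WRITERS,
            })
        elif e["type"] == "process_create":
            text = " ".join((e.get("image", ""), e.get("cmdline", ""))).upper()
            for m in mounts:
                if m["host"] != e["host"] or not (m["ts"] <= ts <= m["ts"] + window):
                    continue
                # Match the drive only as a path root ("E:\"), never a letter inside a word.
                if re.search(r"(?<![A-Z])" + re.escape(m["drive"]) + r"\\", text):
                    alerts.append({
                        "ts": e["ts"], "host": m["host"], "user": m["user"],
                        "iso": m["iso"], "drive": m["drive"],
                        "image": e["image"], "cmdline": e.get("cmdline", ""),
                        "severity": "high" if m["from_attachment"] else "medium",
                    })
                    break  # one alert per process start is enough
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_iso_mount_execution(EVENTS):
        print(f'{a["ts"]} {a["severity"]:6} {a["host"]}/{a["user"]} '
              f'mounted {a["iso"]} as {a["drive"]} -> {a["cmdline"]}')
    print(severity_counts(find_iso_mount_execution(EVENTS)))
```

In production the same logic would consume real Sysmon file-create, process-create and VHDMP/mount events rather than the inline list; the value of the rule is the sequence and the short time window, which ordinary ISO use (installer images mounted long after download) rarely reproduces. Pair it with mail-gateway blocking of `.iso` and `.lnk` attachments and with endpoint policy that prevents shortcut execution from removable and virtual volumes.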

Categories: Threat Intelligence, Vulnerabilities & Exploits, Compliance & Regulation