A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that’s used by Indian government officials.
Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks.
“.LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT),” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report.
SideCopy, a hacking crew believed to be of Pakistani origin and active since at least 2019, is said to share ties with another actor called Transparent Tribe (aka APT36 or Mythic Leopard).
It’s also known to impersonate attack chains leveraged by SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based military entities, to deploy its own toolset.
That said, this is not the first time Kavach has emerged as a target for the actor. In July 2021, Cisco Talos detailed an espionage operation that was undertaken to steal credentials from Indian government employees.
Kavach-themed decoy apps have since been co-opted by Transparent Tribe in its attacks targeting India since the start of the year.