Desk RAT
Desk RAT is a Go-based remote access trojan observed in campaigns attributed to the Transparent Tribe (APT36) espionage ecosystem and the closely aligned SideCopy cluster. It has been delivered via malicious PowerPoint Add-In (PPAM) files. Reported functionality includes collecting detailed host telemetry and system diagnostics from compromised machines and communicating with operators over WebSocket-based command-and-control, including structured heartbeat and client-information exchanges. The malware was reported alongside other RATs used in campaigns targeting Indian defense and government-aligned organizations, reflecting a broader emphasis on stealthy, persistent, long-term intelligence collection and cross-platform surveillance. The delivery and behavioral details stated directly in the underlying reporting, and therefore held with high confidence, are the PPAM infection vector, host telemetry collection, system diagnostics gathering, and WebSocket C2 communications.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The report analyzes three RATs recently used by the group in attacks, namely Geta, Ares, and Desk RAT.
Aryaka Threat Research Labs also observed campaigns delivering Desk RAT, a Go-based remote access trojan distributed via a malicious PowerPoint Add-In (PPAM).
Additionally, an emerging tool named Desk RAT, distributed via malicious PowerPoint Add-Ins, highlights the group’s ongoing innovation in surveillance.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 1 technique
Discovery: 1 technique
Command and Control: 1 technique
Cross-platform payloads, memory-resident execution, and increasingly covert command-and-control channels now form the backbone of an ecosystem designed for patience rather than speed... It collects detailed system diagnostics and communicates with its operators using WebSocket-based command-and-control, exchanging structured heartbeat and client information messages.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Remote access trojan referenced as used in recent Transparent Tribe (APT36) activity.
Emerging remote access tool distributed through malicious PowerPoint add-ins, used for surveillance/espionage operations.
Go-based remote access trojan emphasizing host telemetry and real-time monitoring. It collects detailed system diagnostics and uses WebSocket-based command-and-control with structured heartbeat and client information messages.