What are we tracking here?
In this blog post, we track the evolution of APT36 ("Transparent Tribe") across campaigns from 2020 to 2026 and the malware arsenal the threat actor used to run those campaigns.
Understanding Adversary: APT36 (Transparent Tribe)
Transparent Tribe, also known as APT36, has established itself as a persistent cyber espionage group with a primary focus on Indian governmental, defense, and strategic sectors. Over the observed period from 2020 to 2026, the group has consistently relied on social engineering, while steadily evolving its malware ecosystem, delivery mechanisms, and command-and-control (C2) infrastructure. The analysis of MITRE ATT&CK tactics, techniques, and sub-techniques across campaigns reveals a clear progression from relatively straightforward phishing operations to highly modular, multi-platform, and stealth-driven attack chains.
Origin: Pakistan-based threat group, active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.
MITRE Group ID: G0134
Aliases: COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM, Earth Karkaddan, Operation C-Major, Transparent Tribe, Green Havildar, TMP.Lapis, APT-C-56, Storm-0156, Gorgon Group, Pasty Draco
Motivation: Espionage, information theft
Industries targeted: Indian diplomatic, military, defence, and aerospace sectors
Countries targeted: Mainly India, along with other South Asian countries
Evolution Tracking: Transparent Tribe Operational Patterns & TTP Analysis
Transparent Tribe has shown its ability to refine the tactics, techniques, and procedures (TTPs) in response to defensive advancements, making it a case study in modern APT evolution.
Time Period: 2020–2021
During 2020–2021, the group relied heavily on spear-phishing campaigns delivering malicious documents and remote access trojans such as Crimson RAT. These attacks primarily leveraged Phishing and User Execution, with macro-enabled documents acting as initial payloads. Persistence was commonly achieved through T1547.001 (Registry Run Keys), while basic defense evasion relied on T1036 (Masquerading), typically disguising malicious files as government-related documents. These early campaigns established a repeatable infection chain centered on human interaction and the exploitation of trust.
Time Period: 2022
By 2022, APT36 had significantly expanded its operational sophistication, as observed in campaigns leveraging the Limepad malware. The group incorporated a broader set of tactics, including Reconnaissance (Gather Victim Organization Information) and Resource Development (T1583.001: Acquire Infrastructure: Domains), registering domains such as kavach-app[.]com and nic-updates[.]in to impersonate Indian government services. The use of Web Services, specifically abusing Google Ads to promote malicious sites, demonstrated an innovative approach to traffic manipulation. Initial access relied on both T1189 (Drive-by Compromise) and T1566.002 (Spearphishing Link), where victims were redirected to credential harvesting portals. Execution techniques evolved to include Python through PyInstaller-packaged Limepad binaries, often delivered within VHDX containers. Persistence mechanisms such as Shortcut Modification ensured execution via startup folders (e.g., %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Limepad.dll). At the same time, Defense Evasion became more targeted with Environmental Keying, restricting execution to systems within the Indian Standard Time (IST) zone. Credential harvesting through spoofed authentication portals and continuous data exfiltration marked a shift towards more structured intelligence collection operations.
Time Period: 2023–2024
In 2023, APT36 diversified its operational landscape by introducing multi-platform malware, including Linux-based Poseidon and Android spyware such as CapraRAT. The Poseidon campaign, targeting Linux users in Indian government environments, leveraged spearphishing attachments via malicious archives that required the execution of ELF binaries. Execution through Unix shell and persistent cron jobs highlighted adaptation to non-Windows environments. Credential access expanded to include Private Keys targeting SSH credentials and OS Credential Dumping from system files like /etc/shadow. Simultaneously, CapraRAT campaigns demonstrated APT36’s growing mobile surveillance capabilities; techniques such as T1426 (System Information Discovery), T1513 (Screen Capture), T1429 (Audio Capture), and T1636.004 (SMS Messages Access) enabled extensive monitoring of infected devices. The use of Event-Triggered Execution via Broadcast Receivers ensured persistence and activation based on system events. Communication over non-standard ports further emphasized the need for stealth in mobile environments.
Later in 2023, the introduction of ElizaRAT and its variants marked a major leap in sophistication. Distributed via Control Panel files, these campaigns heavily leveraged legitimate services such as Slack, Telegram, and Google Drive for C2. Defense evasion included Binary Padding and hidden data storage using SQLite databases. Credential harvesting via Keylogging and automated data collection reinforced APT36’s focus on long-term espionage. This trend continued into 2024, where campaigns such as the “Circle Campaign” maintained a consistent attack framework built around ElizaRAT variants. The group demonstrated operational stability, reusing proven techniques like phishing, user execution, and scheduled task persistence. However, the increasing reliance on cloud-based services for both C2 and exfiltration highlighted a strategic shift toward blending malicious activity with legitimate infrastructure. Environmental targeting and advanced obfuscation ensured that only intended victims were affected, reducing exposure and detection risk.
Time Period: 2025
In 2025, APT36 significantly intensified its operations, launching multiple campaigns across Windows, Linux, and mobile platforms. Phishing remained the dominant initial access vector, particularly through macro-enabled documents and spearphishing links. The Pahalgam-themed campaign is a notable example, where attackers used emotionally charged decoys to deliver Crimson RAT. Embedded links in PDFs redirected victims to credential harvesting portals, while persistence was maintained via registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Defense evasion techniques became more layered, incorporating Hidden Files/Directories, Obfuscation, and Mshta Execution to execute payloads through trusted binaries. Discovery activities expanded with commands such as whoami, systeminfo, and tasklist. Data collection techniques like T1113 (Screen Capture) and file enumeration commands (listf, fldr) enabled targeted intelligence gathering. Additionally, campaigns such as ClickFix demonstrated innovative execution chains using mshta.exe to run remote scripts, while Linux-focused attacks leveraged shell scripts and cron-based persistence. Mobile campaigns using DeskRAT further extended surveillance capabilities, incorporating “Capture SMS Messages”, “Capture Contacts”, and “Exfiltration Over C2 Channel”, highlighting APT36’s multi-platform espionage strategy.
Time Period: 2026
By 2026, APT36 had evolved into a highly modular and multi-vector threat actor. Campaigns observed during this period utilized complex delivery mechanisms involving ZIP archives containing LNK shortcut files and macro-enabled PowerPoint add-ins. Execution chains combined User Execution with Windows Command Shell and VBA Macros, enabling the deployment of a multi-stage payload. Persistence mechanisms expanded to include T1546 (Event Triggered Execution) and T1543 (Create or Modify System Process), indicating deeper system integration. Defense evasion reached a high level of sophistication, with Obfuscated/Encrypted Payloads, multi-stage payload reconstruction, and extensive use of legitimate system binaries to bypass security controls. Discovery capabilities became comprehensive, spanning registry queries, network share discovery, and software enumeration. Command-and-control mechanisms incorporated both application-layer protocols and raw TCP communication, often secured through encrypted channels. Data exfiltration remained consistent, ensuring continuous intelligence extraction.
Detection Opportunities
1. Initial Access: Phishing
Detection summary: flag attachments with .docm, .xlsm, .zip, and .vhdx extensions, and apply URL filtering for lookalike (typosquatted) domains.
Across all observed years, the group used spear-phishing emails containing macro-enabled documents (such as .docm, .xlsm) and embedded links that redirected victims to malicious payloads or credential harvesting pages. Campaigns included impersonation of government-related services through domains resembling legitimate entities (e.g., nic- and kavach-themed domains), and PDFs embedding phishing URLs. Organizations should monitor for suspicious attachments, particularly those requiring macro execution, and flag domains exhibiting typosquatting or recently registered infrastructure.
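To make the lookalike-domain point concrete, here is an added Python example (not code from the original post or from any vendor report it draws on) that triages candidate domains against protected government-service brands. The allow-list of legitimate domains, the brand keyword patterns and the tiny suffix list are assumptions made for the illustration; the defanged candidate domains are the ones quoted in this post, with a couple of constructed benign and typo names added.

```python
import re
from typing import Optional, Tuple

# Assumed allow-list of legitimate domains per protected brand (illustrative, not authoritative).
LEGITIMATE = {
    "kavach": ("kavach.mail.gov.in",),
    "nic": ("nic.in", "nic.gov.in"),
}
# Whole-token patterns, so that "nic" does not fire on "electronics".
BRAND_PATTERNS = {
    "kavach": re.compile(r"(?<![a-z])kavach"),
    "nic": re.compile(r"(?<![a-z])nic(?![a-z])"),
}
# Tiny suffix list standing in for a real public-suffix list (toy parser).
SUFFIXES = ("gov.in", "co.in", "rf.gd", "blogspot.com", "in", "com", "net", "org")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as kavach-app[.]com into kavach-app.com."""
    return indicator.lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def split_registrable(domain: str) -> Tuple[str, str]:
    """Return (owner_labels, suffix), e.g. ('kavach-app', 'com'); the longest suffix wins."""
    labels = domain.split(".")
    for suffix in sorted(SUFFIXES, key=lambda s: -s.count(".")):
        n = suffix.count(".") + 1
        if len(labels) > n and labels[-n:] == suffix.split("."):
            return ".".join(labels[:-n]), suffix
    return domain, ""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(domain: str, brand: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE[brand])


def classify(indicator: str) -> Optional[str]:
    """Return the brand a domain impersonates, or None if it is legitimate or unrelated."""
    domain = refang(indicator)
    owner, _suffix = split_registrable(domain)
    tokens = [t for t in re.split(r"[^a-z0-9]+", owner) if t]
    for brand, pattern in BRAND_PATTERNS.items():
        if is_legitimate(domain, brand):
            return None
        if pattern.search(owner):
            return brand
        # One-character typo of the brand in any label token (e.g. kavch -> kavach).
        if any(abs(len(t) - len(brand)) <= 1 and levenshtein(t, brand) == 1 for t in tokens):
            return brand
    return None


def triage(indicators) -> dict:
    """Map each candidate domain to the brand it impersonates (None = not flagged)."""
    return {ind: classify(ind) for ind in indicators}


# Candidates: defanged domains quoted in the post plus constructed benign/typo names.
CANDIDATES = [
    "kavach-app[.]com", "nic-updates[.]in", "kavachmail-govin[.]rf[.]gd",
    "kavachauthentication.blogspot[.]com",
    "kavch-login[.]in",           # constructed one-letter typo
    "kavach.mail.gov.in",         # assumed legitimate service
    "electronics-shop[.]com",     # constructed benign name that contains "nic"
]

if __name__ == "__main__":
    for domain, brand in triage(CANDIDATES).items():
        print(f"{domain:40} -> {brand or 'ok'}")
```

In production the suffix parsing would use a public-suffix list, and the "recently registered" signal mentioned above comes from WHOIS/RDAP data that this offline example does not query.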
2. Execution: User Execution and Script-Based Execution
APT36 relies heavily on user-triggered execution mechanisms. The group consistently uses VBA macros (T1059.005) embedded in malicious documents, which execute payloads upon user interaction; these macros often spawn child processes such as cmd.exe or powershell.exe. In some campaigns, execution expanded to Python-based payloads (Limepad), Unix shell scripts on Linux systems, and Windows command shell execution (T1059.003). An abnormal parent-child relationship between an office application and a scripting engine is a high-confidence indicator of compromise. On Linux systems, monitor shell processes spawning unfamiliar binaries (for example, /bin/bash launching an unknown executable).
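As an added illustration of the parent-child rule described above (example code written for this post, not the threat actor's tooling or a vendor detection), the following Python scores process-creation events: an Office parent spawning a scripting engine, mshta.exe launched with a remote URL (the mshta pattern noted in the 2025 section), and a Linux shell starting a binary from outside the trusted system directories. The trusted-directory list and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LINUX_SHELLS = {"bash", "sh", "dash", "zsh"}
# Directories a shell may launch programs from without comment (assumption for this toy rule).
TRUSTED_LINUX_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/local/bin/")
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / auditd execve style)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return an alert string for one event, or None when the lineage looks normal."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        return f"office-to-script: {parent} -> {child}"
    if child == "mshta.exe" and REMOTE_URL_RE.search(ev.command_line):
        return f"mshta-remote-script: {parent} -> {child}"
    if parent in LINUX_SHELLS and not ev.image.startswith(TRUSTED_LINUX_PREFIXES):
        return f"shell-to-untrusted-binary: {parent} -> {ev.image}"
    return None


def detect(events: List[ProcessEvent]) -> List[str]:
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample telemetry; paths and command lines are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\dev\AppData\Roaming\update.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\dev\Downloads\meeting_agenda.docm'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://verify.example.invalid/check.hta"),
    ProcessEvent("/bin/bash", "/tmp/.cache/pickle-help", "/tmp/.cache/pickle-help"),
    ProcessEvent("/bin/bash", "/usr/bin/ls", "ls -la /home/dev"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Word launched by explorer.exe and ls launched by bash pass through untouched; only the three anomalous lineages produce alerts, which is the signal-to-noise property this rule is meant to have.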
3. Persistence: Registry, Scheduled Tasks, and Cron Jobs
APT36 achieves persistence through Windows Registry Run keys, specifically under paths such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, to ensure malware execution at system startup. Additionally, scheduled tasks (T1053.005) and Linux cron jobs (T1053.003) are used to maintain persistence across reboots. In some campaigns, shortcut modification (T1547.009) and event-triggered execution (T1546) were also observed. On Windows, look for Sysmon Event ID 13 (registry value set) on Run-key paths and for scheduled-task creation logs; on Linux, monitor /etc/crontab and /var/spool/cron for new or modified entries.
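The registry, Startup-folder and cron checks described above, as an added Python example (not code from the original post): it reads Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) records plus crontab lines, and flags autostart entries that point at user-writable paths or temp/hidden directories. The sample records, SIDs and paths are constructed; which paths count as "user-writable" is an assumption of this rule.

```python
import re
from typing import Dict, List, Optional

# Run / RunOnce keys under HKCU or HKLM (Sysmon writes HKU\<SID>\... for per-user hives).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a normal installer rarely points an autostart at (assumption for this toy rule).
USER_WRITABLE_RE = re.compile(r"(\\AppData\\|%APPDATA%|\\Temp\\|%TEMP%|\\Downloads\\|\\Public\\)", re.IGNORECASE)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Cron commands that run from temp directories or hidden dot-directories under a home.
CRON_SUSPICIOUS_RE = re.compile(r"(?:^|[\s=])(?:/tmp/|/var/tmp/|/dev/shm/|(?:~|/home/[^/\s]+|/root)/\.[^/\s]+/)")


def check_sysmon_event(event: Dict[str, str]) -> Optional[str]:
    """Event ID 13 on a Run key with a user-writable target, or Event ID 11 dropping into a Startup folder."""
    if event.get("EventID") == "13":
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            return f"run-key autostart from user-writable path: {target} -> {details}"
    elif event.get("EventID") == "11":
        name = event.get("TargetFilename", "")
        if STARTUP_FOLDER_RE.search(name):
            return f"startup-folder drop by {event.get('Image', '?')}: {name}"
    return None


def check_cron_line(line: str) -> Optional[str]:
    """Accepts /etc/crontab lines (with user field) and per-user /var/spool/cron lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return None  # blank, comment, or VAR=value line
    if line.startswith("@"):  # @reboot, @daily, ...
        fields = line.split(None, 1)
        command = fields[1] if len(fields) == 2 else ""
    else:  # five schedule fields, then (user and) command
        fields = line.split(None, 5)
        command = fields[5] if len(fields) == 6 else ""
    if CRON_SUSPICIOUS_RE.search(command):
        return f"cron job from temp/hidden location: {line}"
    return None


def scan(sysmon_events: List[Dict[str, str]], crontab_text: str) -> List[str]:
    alerts = [a for a in map(check_sysmon_event, sysmon_events) if a]
    alerts += [a for a in map(check_cron_line, crontab_text.splitlines()) if a]
    return alerts


# Constructed sample records; SIDs, paths and names are invented for the example.
SAMPLE_SYSMON = [
    {"EventID": "13", "Image": r"C:\Users\dev\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\dev\AppData\Roaming\svchost.exe"},
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Limepad.dll"},
]
SAMPLE_CRONTAB = """# constructed /etc/crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * dev /home/dev/.cache/pickle-help >/dev/null 2>&1
@reboot dev /tmp/.X11-unix/update.sh
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_SYSMON, SAMPLE_CRONTAB):
        print(alert)
```

The vendor tray application registered from Program Files and the stock run-parts job are left alone; the rule keys on where the autostart target lives, not on the fact that an autostart was written, which keeps it quiet on ordinary software installs.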
4. Defense Evasion: Masquerading, Obfuscation, and Environmental Awareness
APT36 uses defense evasion techniques that blend malicious activity with legitimate system behavior. Masquerading disguises malicious executables as government documents or legitimate files, often through deceptive naming conventions such as double extensions (e.g., .pdf.exe). Obfuscation (T1027), including encrypted or encoded payloads, is used to bypass static detection. Environmental keying (T1480.001) was observed, where the malware executes only on systems configured for specific conditions, such as Indian Standard Time (IST). Additionally, hidden files and directories (T1564.001) conceal artifacts. Detection therefore rests on identifying mismatches between file extensions and actual file types (double extensions such as .pdf.exe), noticing execution failures in sandbox environments (payloads that fail outside IST), and monitoring hidden or unusual file locations (unexpected files in %APPDATA% or /tmp).
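An added Python example (not code from the post) for the extension-versus-content check: it spots double extensions, compares a file's leading bytes against the format its extension claims, and notes dot-prefixed (hidden) or temp/profile locations. The signature table, the decoy/executable extension lists and the sample file names are assumptions constructed for the illustration; the headers are format signatures only, not real files.

```python
import os
from typing import List, Set, Tuple

# (leading bytes, format name, extensions that legitimately carry that format)
SIGNATURES: List[Tuple[bytes, str, Set[str]]] = [
    (b"MZ", "pe", {".exe", ".dll", ".scr", ".cpl", ".sys"}),
    (b"\x7fELF", "elf", set()),
    (b"%PDF", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".ppam", ".jar", ".apk"}),
    (b"\xd0\xcf\x11\xe0", "ole", {".doc", ".xls", ".ppt", ".msi"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"BM", "bmp", {".bmp"}),
]
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".cpl", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".jpeg", ".png", ".bmp"}
# Staging directories worth a second look when they hold executable content (assumption for this rule).
UNUSUAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/appdata/", "/temp/", "/downloads/", "/public/")


def sniff(header: bytes) -> str:
    """Name the real format from the leading bytes; 'unknown' when no signature matches."""
    for magic, fmt, _ in SIGNATURES:
        if header.startswith(magic):
            return fmt
    return "unknown"


def allowed_exts(fmt: str) -> Set[str]:
    return next((exts for _, f, exts in SIGNATURES if f == fmt), set())


def assess(path: str, header: bytes) -> List[str]:
    """Findings for one file: double extension, extension/content mismatch, hidden or unusual location."""
    findings = []
    norm = path.replace("\\", "/").lower()   # Windows and POSIX paths handled alike
    parts = norm.split("/")
    root, ext = os.path.splitext(parts[-1])
    _, decoy = os.path.splitext(root)
    fmt = sniff(header)

    if decoy in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double-extension: looks like {decoy} but runs as {ext}")
    if ext and fmt != "unknown" and ext not in allowed_exts(fmt):
        findings.append(f"content-mismatch: named {ext} but content is {fmt}")
    # Dot-prefixed components are hidden on Linux; the Windows hidden attribute lives in file
    # metadata, which this name-only check does not see.
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        findings.append("hidden-path: dot-prefixed path component")
    if fmt in ("pe", "elf") and any(d in norm for d in UNUSUAL_DIRS):
        findings.append("unusual-location: executable content in a temp or profile directory")
    return findings


# Constructed samples: the headers are just format signatures, not real files.
SAMPLES = [
    (r"C:\Users\dev\Downloads\Invitation.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    (r"C:\Users\dev\AppData\Roaming\confirmation_id.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("/home/dev/Documents/Dinner Invitation.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("/tmp/.cache/pickle-help", b"\x7fELF\x02\x01\x01\x00"),
]


def scan_samples():
    return {path: assess(path, header) for path, header in SAMPLES}


if __name__ == "__main__":
    for path, findings in scan_samples().items():
        print(path, "->", findings or ["ok"])
```

The genuine OLE document in the user's Documents folder yields no findings; a PE body renamed to .pdf and a double-extension executable in Downloads are each caught by a different rule, and the ELF in a dot-directory under /tmp trips both location checks. The IST-only execution guardrail mentioned above is a sandbox-configuration matter (run the sample under an IST clock as well as a default one) rather than something a file check can see.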
5. Credential Access: Keylogging and Credential Store Access
Malware such as Crimson RAT and ElizaRAT uses keylogging (T1056.001) to continuously capture user input. In Linux-focused campaigns, attackers accessed sensitive credential files, including /etc/shadow and SSH private keys (~/.ssh/id_rsa), aligning with T1552.004 (Unsecured Credentials: Private Keys). Additionally, access to browser-stored credentials (T1555) was observed. These actions can be detected by monitoring processes that interact with credential storage locations or invoke APIs associated with keyboard input capture. Any non-administrative process attempting to access sensitive credential files should be treated as highly suspicious.
6. Discovery: System and Network Enumeration
Once inside a system, APT36 conducts extensive reconnaissance to understand the environment, using native commands such as whoami, systeminfo, tasklist, and ipconfig to gather system, process, and network information. Additional discovery activities include registry queries (T1012), account enumeration (T1087), and network share discovery (T1135). Monitor command-line activity and alert when several of these reconnaissance commands execute within a short timeframe.
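To show the "several discovery commands within a short timeframe" rule in working form, here is an added Python example (not from the original post) that maps command lines to discovery techniques and alerts when three or more distinct techniques appear on one host inside a two-minute window. The window, threshold and sample events are constructed assumptions; ipconfig is tagged with T1016 (System Network Configuration Discovery), which this post's matrix does not list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command-line patterns mapped to the discovery technique they indicate.
RECON_PATTERNS = [
    (re.compile(r"\bwhoami\b", re.I), "T1082 System Information Discovery"),
    (re.compile(r"\bsysteminfo\b", re.I), "T1082 System Information Discovery"),
    (re.compile(r"\bhostname\b", re.I), "T1082 System Information Discovery"),
    (re.compile(r"\btasklist\b", re.I), "T1057 Process Discovery"),
    (re.compile(r"\bipconfig\b", re.I), "T1016 System Network Configuration Discovery"),
    (re.compile(r"\breg(\.exe)?\s+query\b", re.I), "T1012 Query Registry"),
    (re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup|group)\b", re.I), "T1087 Account Discovery"),
    (re.compile(r"\bnet1?(\.exe)?\s+(view|share)\b", re.I), "T1135 Network Share Discovery"),
]
WINDOW = timedelta(seconds=120)   # assumption: two minutes
MIN_DISTINCT = 3                  # assumption: three different techniques


def classify(command_line: str) -> Optional[str]:
    """Return the discovery technique a command line indicates, or None."""
    for pattern, label in RECON_PATTERNS:
        if pattern.search(command_line):
            return label
    return None


def detect_bursts(events: List[Dict[str, str]], window=WINDOW, min_distinct=MIN_DISTINCT) -> List[Dict]:
    """Alert once per host when >= min_distinct distinct techniques appear within `window`."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, technique, command)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev["cmd"])
        if label is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["host"]]
        q.append((ts, label, ev["cmd"]))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        techniques = {lbl for _, lbl, _ in q}
        if len(techniques) >= min_distinct:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "start": q[0][0].isoformat(), "end": ts.isoformat(),
                           "techniques": sorted(techniques),
                           "commands": [c for _, _, c in q]})
            q.clear()   # one alert per burst, then start counting afresh
    return alerts


# Constructed sample command-line telemetry (Sysmon Event ID 1 style), not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:14:02", "host": "WS-07", "user": "dev", "cmd": "cmd.exe /c whoami"},
    {"ts": "2025-06-03T09:14:05", "host": "WS-07", "user": "dev", "cmd": "systeminfo"},
    {"ts": "2025-06-03T09:14:11", "host": "WS-07", "user": "dev", "cmd": "tasklist /v"},
    {"ts": "2025-06-03T09:14:30", "host": "WS-07", "user": "dev",
     "cmd": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2025-06-03T09:14:41", "host": "WS-07", "user": "dev", "cmd": "net view"},
    {"ts": "2025-06-03T09:00:00", "host": "WS-12", "user": "ops", "cmd": "ipconfig /all"},
    {"ts": "2025-06-03T09:15:00", "host": "WS-12", "user": "ops", "cmd": "notepad.exe notes.txt"},
    {"ts": "2025-06-03T10:30:00", "host": "WS-12", "user": "ops", "cmd": "whoami"},
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

WS-12 runs two discovery commands ninety minutes apart and never alerts, which is the point of counting distinct techniques inside a window rather than matching single commands: administrators type whoami and ipconfig all day, but rarely four different enumeration commands in thirty seconds.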
7. Collection: File Aggregation, Screenshots, and Mobile Surveillance
File collection (T1005) includes commands such as "listf" and "fldr" to enumerate and gather files. Screen capture (T1113) obtains visual information from compromised systems, while automated collection (T1119) enables systematic data harvesting. In mobile campaigns, spyware such as CapraRAT and DeskRAT captured SMS messages, contacts, and audio recordings. These activities can be detected by monitoring unusual file access patterns, repeated invocation of screenshot-related APIs, and applications requesting excessive permissions on mobile devices.
8. Command and Control: Web, Cloud, and Raw TCP Communication
APT36 communicates over HTTP/HTTPS (T1071.001) and abuses legitimate cloud platforms such as Slack, Telegram, and Google Drive (T1102.002) for command and control. In some cases, non-application layer protocols (T1095) and non-standard ports were used for direct communication with attacker-controlled infrastructure. These techniques are designed to blend malicious traffic with normal network activity. Detection should focus on anomalous outbound connections, particularly to cloud services not typically accessed by endpoints, and on API traffic originating outside the expected applications (e.g., Slack API calls from a non-browser process).
9. Exfiltration: Data Transfer via C2 and Cloud Services
The final stage of APT36 operations is data exfiltration, either through established C2 channels (T1041) or via cloud storage services such as Google Drive (T1567.002). This activity often involves compressing and uploading sensitive files, sometimes using legitimate tools. Detection relies on network traffic analysis and monitoring for unusually large outbound data transfers, and on uploads to unfamiliar domains or cloud services, especially when initiated by non-standard processes.
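An added Python example covering sections 8 and 9 together (not code from the original post): it flags cloud-API destinations reached by processes other than the expected clients, connections on non-standard ports to public IPs, hits against the two ElizaRAT C2 indicators published in the IOC section of this post, and per-process outbound volume above a threshold. The expected-client list, port list, threshold and sample events are assumptions; the process names and byte counts are invented.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Cloud platforms the post names as C2/exfiltration carriers; the clients expected to talk to them are assumptions.
CLOUD_API_HOSTS = ("slack.com", "api.telegram.org", "googleapis.com", "drive.google.com")
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe", "telegram.exe", "googledrivefs.exe"}
COMMON_PORTS = {80, 443, 53, 123, 25, 587, 993}
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024   # assumption: 50 MiB per process/destination pair
# ElizaRAT C2 indicators exactly as published (defanged) in this post's IOC section.
KNOWN_C2 = {"108.61.163[.]195:7443", "64.176.40[.]100:7443"}


@dataclass
class NetEvent:
    """One outbound connection with process attribution (EDR / Sysmon ID 3 style) plus a byte count (flow style)."""
    image: str
    dest: str        # hostname or IP literal
    port: int
    bytes_out: int


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("[:]", ":")


def is_cloud_api(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in CLOUD_API_HOSTS)


def is_public_ip(dest: str) -> bool:
    try:
        return ipaddress.ip_address(dest).is_global
    except ValueError:
        return False   # a hostname, not an IP literal


def detect(events: List[NetEvent]) -> List[str]:
    known = {refang(i) for i in KNOWN_C2}
    alerts, seen, totals = [], set(), defaultdict(int)
    for ev in events:
        img = basename(ev.image)
        totals[(img, ev.dest)] += ev.bytes_out
        key = (img, ev.dest, ev.port)
        if key in seen:
            continue   # report each process/destination pair once
        seen.add(key)
        if f"{ev.dest}:{ev.port}" in known:
            alerts.append(f"known-c2-indicator: {img} -> {ev.dest}:{ev.port}")
        if is_cloud_api(ev.dest) and img not in EXPECTED_CLIENTS:
            alerts.append(f"cloud-api-from-unexpected-process: {img} -> {ev.dest}:{ev.port}")
        if is_public_ip(ev.dest) and ev.port not in COMMON_PORTS:
            alerts.append(f"non-standard-port-to-public-ip: {img} -> {ev.dest}:{ev.port}")
    for (img, dest), total in totals.items():
        if total > UPLOAD_THRESHOLD_BYTES:
            alerts.append(f"large-outbound-transfer: {img} -> {dest} ({total // 2**20} MiB)")
    return alerts


MiB = 1024 * 1024
# Constructed sample events; process names and volumes are invented for the example.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "slack.com", 443, 20_000),
    NetEvent(r"C:\Windows\System32\rundll32.exe", "slack.com", 443, 4_000),
    NetEvent(r"C:\Windows\System32\rundll32.exe", "slack.com", 443, 6_000),
    *[NetEvent(r"C:\Users\dev\AppData\Roaming\updater.exe", "www.googleapis.com", 443, 8 * MiB) for _ in range(8)],
    NetEvent(r"C:\Users\dev\AppData\Local\Temp\python.exe", "108.61.163.195", 7443, 1_500),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "outlook.office365.com", 443, 3 * MiB),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Chrome talking to Slack and Outlook talking to Office 365 stay silent; the same Slack destination reached from rundll32.exe, a profile-directory binary pushing 64 MiB to the Drive API, and a raw connection to a published C2 address on port 7443 each surface through a different rule.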
ATT&CK Matrix
Tactic: Technique (ATT&CK ID)
Reconnaissance: Gather Victim Organization Information (T1591)
Resource Development: Acquire Infrastructure: Domains (T1583.001)
Resource Development: Acquire Infrastructure: Web Services (T1583.006)
Initial Access: Phishing: Spearphishing Attachment (T1566.001)
Initial Access: Phishing: Spearphishing Link (T1566.002)
Initial Access: Drive-by Compromise (T1189)
Execution: User Execution: Malicious File (T1204.002)
Execution: Command and Scripting Interpreter: Visual Basic (T1059.005)
Execution: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Execution: Command and Scripting Interpreter: Unix Shell (T1059.004)
Execution: Command and Scripting Interpreter: Python (T1059.006)
Execution: System Binary Proxy Execution: Control Panel (T1218.002)
Execution: System Binary Proxy Execution: Mshta (T1218.005)
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Persistence: Scheduled Task/Job: Scheduled Task (T1053.005)
Persistence: Scheduled Task/Job: Cron (T1053.003)
Persistence: Event Triggered Execution (T1546)
Persistence: Boot or Logon Autostart Execution: Shortcut Modification (T1547.009)
Defense Evasion: Masquerading: Match Legitimate Name or Location (T1036.005)
Defense Evasion: Obfuscated Files or Information: Obfuscated/Encrypted Payloads (T1027.005)
Defense Evasion: Hide Artifacts: Hidden Files and Directories (T1564.001)
Defense Evasion: Execution Guardrails: Environmental Keying (T1480.001)
Credential Access: Input Capture: Keylogging (T1056.001)
Credential Access: Unsecured Credentials: Private Keys (T1552.004)
Credential Access: Credentials from Password Stores (T1555)
Discovery: System Information Discovery (T1082)
Discovery: Process Discovery (T1057)
Discovery: File and Directory Discovery (T1083)
Discovery: Account Discovery (T1087)
Discovery: Query Registry (T1012)
Discovery: Network Share Discovery (T1135)
Collection: Data from Local System (T1005)
Collection: Screen Capture (T1113)
Collection: Audio Capture (T1429)
Collection: Automated Collection (T1119)
Command and Control: Application Layer Protocol: Web Protocols (T1071.001)
Command and Control: Web Service: Bidirectional Communication (T1102.002)
Command and Control: Non-Application Layer Protocol (T1095)
Exfiltration: Exfiltration Over C2 Channel (T1041)
Exfiltration: Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Conclusion
The group's integration of cloud infrastructure, cross-platform malware variants, and advanced obfuscation underscores a deliberate focus on stealth, scalability, and the maintenance of long-term persistence within target environments. For defensive teams, this evolution necessitates a shift toward behavior-based detection, rigorous monitoring of legitimate service exploitation, and comprehensive visibility across endpoint, network, and cloud ecosystems to mitigate such adaptive and persistent threats.
IOCs
ElizaRAT Malware
Campaign: Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT (Slack campaign, Circle campaign, Google Drive campaign)
108.61.163[.]195:7443
64.176.40[.]100:7443
Linux desktop entry file retrieves the malicious Linux payloads from the servers at:
64.227.138[.]127
134.209.159[.]9
Metadata of Linux payloads:
MD5 hash: 98279047a7db080129e5ec84533822ef, filename: pickle-help
MD5 hash: 248d4e6bb0f32afd7a1cfb975910235a, filename: ziputils-help
Files
"ElizaRAT Dropper BaseFilter.dll (amended copy.cpl)" MD5 730f708f2788fc83e15e93edd89f8c59 SHA1 549d80d0d2c3e2cf3ea530f37bfc0b9fe0cbd5f4 SHA256 06d9662572a47d31a51adf1e0085278e0233e4299e0d7477e5e4a3a328dea9d1
"ElizaRAT BaseFilteringEngine.dll" MD5 0cd16d0a2768b9ec0d980ccf875b2724 SHA1 88fd8d71d879257b6cbf2bc12b6493771b26d8a0 SHA256 a7fd97177186aff9f442beb9da6b1ab3aff47e611b94609404e755dd2f97dce8
"ElizaRAT Dropper BaseFilter.dll (Tarang Shakti)" MD5 0673341ccceeace3f0b268488f05db80 SHA1 bc62b98437abd81a1471633afb9cff5dd898cdf8 SHA256 70bafcf666e8e821212f55ea302285bb860d2b7c18089592a4a093825adbaa71
"ElizaRAT SlackAPI.dll" MD5 2b1101f9078646482eb1ae497d44104c SHA1 6ac91c9e6beeacd74c56dfde9025e54e221b016c SHA256 60b0b6755cf03ea8f6748a1e8b74a80a3d7637c986df64ee292f5ffefcd610a2
"ElizaRAT Dropper circledrop.cpl" MD5 795d1be0915ec60c764b7a7aa6c54334 SHA1 86afc3e8046dfff3ec06bd50ae38f1da7797c3e2 SHA256 7e04e62f337c5059757956594b703fc1a995d436c48efa17c45eb0f80af8a890
"ElizaRAT Circle.cpl" MD5 8703b910ece27b578f231ce5eb1afd8f SHA1 f7424286b6b5f8dbad86856ef178745e34c8e83a SHA256 2b6a273eae0fb1835393aea6c30521d9bf5e27421c2933bfb3beee8c5b27847e
"ApoloStealer SlackFiles.dll" MD5 009cb6da5c4426403b82c79adf67021c SHA1 f98019e637a2ae58d54ff903770b35eefb106432 SHA256 d66ba4ee97a2f42d85ca383f3f61a2fac4f0b374aad1337f5f29245242f2d990
"ApoloStealer SpotifyAB.dll" MD5 3a2c701408d94bbcdcf954793f6749bc SHA1 0db24c0a4dd12e5fa412434222d81de8e2de4b3c SHA256 dca78e069bfd9ca4638b4f9cb21dff721530d16924e502c03d8c9aa334b7ca0d
"ApoloStealer Spotify-News.dll" MD5 1bac7ea5a9558d937eaf0682523e6a06 SHA1 b7814d9f6f2096f5a9573ade52547a447eff33bb SHA256 348c0980c61d7c682cce7521aaad13a20732f7115cb5559729b86ca255f1af7f
"ApoloStealer Spotify-Desk.dll" MD5 d3fe72a3b9cb5055662e6a0e19b8f010 SHA1 c4c9aaeb74782cd9b5b8701d46e55cf299277215 SHA256 6f839ded49ebf1dad014d79fbab396e2067c487685556a8402f3acdeb1600d98
"USB Stealer EmergencyBackup.dll" MD5 b54512bf0ed75a9f2dee26a4166461a2 SHA1 b09d059e8d6b87f3a6165e4d71901187d0aa99d5 SHA256 0a52c0ac04251ac1a8bc193af47f33136ae502b0c237de5236d1136acc3b1140
"USB Stealer ConnectX.dll" MD5 ab127d76a40f1cb0cfd81ba1e786d983 SHA1 115e612a4e653cd915d5fc07246a00369fe38cde SHA256 b41e1d6340388b08694ae649a54fa09372f92f4038fd84259a06716fa706b967
"ElizaRAT Dropper Award Verification to Air Cmde GS Matharu.cpl" MD5 b9d9e75a2e6b81277f2052a1f0b14e45 SHA1 1fc28b9e902dd2a8b771b1dc7ec3a62ad04fb02b SHA256 6296fb22d94d1956fda2a6a48b36e37ddd15cf196c434ab409c787bf8aa47ac3
"ElizaRAT WordDocument.cpl" MD5 58643299e340ae7b01efc67ef09ed369 SHA1 e5377172ee4bae1508405370ee41bee646837c04 SHA256 263f9e965f4f0d042537034e33699cf6d852fb8a52ac320a0e964ce96c48f5e5
"Persistence tool Aboutus.dll" MD5 16ea7ce77c875a17049e9607323d1be4 SHA1 0c9400e6b8c9244fd187a9f021d0da0b70b6f6fd SHA256 8d552547fe045f6006f113527eb5dd4a8d5918c989bf11090c7cb44806d595be
"USB Stealer DonateUS.dll" MD5 47990d1df44767ee3a6c4a6673ee76e9 SHA1 43ac372b9cd05eefae3f50a0e487562759f3b0d9 SHA256 308c84c68c18af8458ae61afe1f2eec78f229e188724e271bd192a144fd582fc
"ElizaRAT Dropper Profile Verificition for Award.cpl WordDocument.dll" MD5 7ecaa3c5a647d671a9aa4369d4a43b83 SHA1 ee3162e649183490038da015e51750f23ae18d0f SHA256 b9e10e83a270e1995acaceb88ce684fb97df6156a744565b20b6ec3bc08c2728
"ElizaRAT WordDocument.cpl" MD5 af2ec3dcfdbb7771b0a7a3d2035e7e99 SHA1 2e8139275a48cd048c21e1942b673ae0781dd0b8 SHA256 b30a9e31b0897bfe6ab80aebcd0982eecf68e9d3d3353c1e146f72195cef0ef5
Network
C2 server – Google Drive campaign 84.247.135[.]235 143.110.179[.]176 64.227.134[.]248
C2 server – Circle campaign 38.54.84[.]83 83.171.248[.]67
CrimsonRAT Malware
Campaign: Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector
https://github.com/Cisco-Talos/IOCs/blob/main/2022/07/transparent-tribe-targets-education.txt
SHA1 Description
738d31ceca78ffd053403d3b2bc15847682899a0 Malicious document
9ed39c6a3faab057e6c962f0b2aaab07728c5555 Malicious document
af6608755e2708335dc80961a9e634f870aecf3c Malicious document
e000596ad65b2427d7af3313e5748c2e7f37fba7 Malicious document
fd46411b315beb36926877e4b021721fcd111d7a Malicious document
516db7998e3bf46858352697c1f103ef456f2e8e Crimson RAT
842f55579db786e46b20f7a7053861170e1c0c5e Crimson RAT
87e0ea08713a746d53bef7fb04632bfcd6717fa9 Crimson RAT
911226d78918b303df5110704a8c8bb599bcd403 Crimson RAT
973cb3afc7eb47801ff5d2487d2734ada6b4056f Crimson RAT
Domains
C2 server: richa-sharma.ddns[.]net
Malware hosting locations: cloud-drive[.]store, drive-phone[.]online, s1.fileditch[.]ch
ObliqueRAT Malware
Campaign: ObliqueRAT: New RAT hits victims' endpoints via malicious documents
Maldocs
057da080ae0983585ae21195bee60d82664355a7fd78c25f21791b165c250212
dfad2a80dac91e7703266197ebbf5d67ef77467ab341dd491ad25d92d8118cac
Dropper (for Variant #0)
4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6
2nd Stage Malicious EXEs
ObliqueRAT: 37c7500ed49671fe78bd88afa583bfb59f33d3ee135a577908d633b4e9aa4035
Variant #0: 9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c
Persistence Component
ad17ada0171b9e619000902e62b26b949afb01b974a65258e4a7ecd59c248dba
Mutexes Created by 2nd Stage EXEs: “Oblique”
C2 IP Addresses and URLs: 185[dot]117.73.222:3344
CrimsonRAT Maldocs
965b90d435c1676fa78cdce1eee2ec70e3194c0e4f0d993bc36bfd9f77697969
Next Stage Malicious ZIPs & EXEs
3671b7ed9f67098d2a534673ed9ff46e90c03269c0bdd9b6f39ae462915ecdcb [ZIP]
2911a3da2299817533ca27a0d44c8234fdf9ecd0a285358041da245581673d6f [ZIP]
98894973a86aa01c4f7496ae339dc73b5e6da2f1dbcd5fe1215f70ea7b889b85 [exe]
e436be68cdbdb7ea20e5640ad5fa5eca1da71edb9943c3bde446b4c75dacfbd0 [exe]
Campaign: ObliqueRAT returns with new campaign using hijacked websites
Maldocs
2ad362e25989b0b1911310345da90473df9053190737c456494b0c26613c8d1f
0196bc9ac3db6f02cfa97323c8fce6cc7318b8f8fadb3e73bdf7971b3c541964
b85536589c79648a10868b58075d7896ec09bbde43f9c4bad95ed82a200652bc
Image files
553502bfe265a7e75a1d2202776fd816cabccfcdb200cc180dc507f4d45668d2
ec85e270c5cb159255a3178117197d275a6a90295fd31248b397dc03bcc4f3e4
84aa777badab889d066e3a57c6a3d2096bc978c01499ea3dd8dd65fe44a3c98f
ObliqueRAT payloads
5a425372fac8e62d4b5d5be8054967eabe1e41894bcb8c10e431dd2e06203ca0
bdb184f4c8416c271ad2490c1165ee4d6e2efcf82a1834ba828393c74e190705
926d3f258fe2278bd1d220fafb33f246f9db9014204337f05a25d072bb644b6d
0ade4e834f34ed7693ebbe0354c668a6cb9821de581beaf1f3faae08150bd60d
Malicious domains
larsentobro[.]com
URLs
hxxp://iiaonline[.]in/DefenceLogo/theta.bmp
hxxp://iiaonline[.]in/timon.jpeg
hxxp://iiaonline[.]in/9999.jpg
hxxp://iiaonline[.]in/merj.bmp
hxxp://iiaonline[.]in/111.jpg
hxxp://iiaonline[.]in/sasha.jpg
hxxp://iiaonline[.]in/111.png
hxxp://iiaonline[.]in/camela.bmp
hxxp://larsentobro[.]com/mbda/goliath1.bmp
hxxp://larsentobro[.]com/mbda/mundkol
hxxp://drivestransfer[.]com/myfiles/Dinner%20Invitation.doc/win10/Dinner%20Invitation.doc
ObliqueRAT CnCs
micrsoft[.]ddns.net
185[.]183.98.182:4701
Related RevengeRAT payloads
47bed59051a727911b050c2922874ae817e05860e4eee83b323f9feab710bf5c
23577ceb59f606ae17d9bdabaccefcb53dc2bac19619ce8a2d3d18ecb84bcacd
a9d9d7f6dd297af2bb3165ad0bfe3bbb88969393a3534bd33ef9aad062aefd05
RevengeRAT CnC
micrsoft[.]ddns.net:4313
yepp[.]ddns.net:4315
CapraRAT Malware
Campaign: CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts
SHA1 Name
28bc3b3d8878be4267ee08f20b7816a6ba23623e TikTok signed.apk
c307f523a1d1aa928fe3db2c6c3ede6902f1084b Crazy Game signed.apk
dba9f88ba548cebfa389972cddf2bec55b71168b Sexy Videos signed.apk
fff24e9f11651e0bdbee7c5cd1034269f40fc424 Weapons signed.apk
Network Indicators
Domain/IP Description
shareboxs[.]net C2 domain
173[.]212[.]206[.]227 Resolved C2 IP address, hosts shareboxs.net
173[.]249[.]50[.]243 Hardcoded failover C2 IP address
Limepad Malware
Campaign: APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations
Update Portal.vhdx: 123b180ed44531bfbac27c6eb0bbe01d
Student online update.exe: 3817590cf8bec4a768bb84405590272f
NvidiaUpdate (2).scr: 0ed6451ffe34217e44355706f4900ecc
Student detail.vhdx: 94daa776792429d1cb65edc1d525e2fc
Confirmation_ID.vhdx: c195d6bb06c93b94d39e5c1a2dfc6792
details.exe: 889c5c98e88c4889220617f57f5480f7
Confirmation_ID.exe: ac3f2c8563846134bb42cb050813eac8
Limepad C2 domains
ncloudup[.]com
gcloudsvc[.]com
Credential harvesting sites
nic-updates[.]in
kavachmail-govin[.]rf[.]gd
Attacker-registered domains spoofing the Kavach site
kavach-app[.]com
kavachguide[.]com
kavach-app[.]in
get-kavach[.]in
getkavach[.]com
kavachsupport[.]com
kavachdownload[.]in
kavachauthentication.blogspot[.]com
Post-infection IOCs
139.59.79[.]86
139.59.79[.]86/song.mp3
139.59.79[.]86/OneDriveHandler45_bf.zip
139.59.79[.]86/OneDriveHandler45.zip
139.59.79[.]86/C2L!Dem0&PeN/A@llPack3Ts/Cert.php
wzxdao[.]com
wzxdao[.]com/onedrivehandlerx86.zip
wzxdao[.]com/OnrDriveHandlerx86.zip
Decoy file URLs
hxxp://139.59.23[.]88/confirmation_id.pdf
hxxps://ncloudup[.]com/trendmic/details.pdf
hxxp://wzxdao[.]com/resultupdate.jpg
http://139.59.79[.]86/Pictures.jpg
DeskRAT Malware
Campaign: TransparentTribe targets Indian military organisations with DeskRAT
ZIP file details
ZIP filename: 4th_SOM_Meeting_Dated_24_September_2025.zip
ZIP MD5 hash: 4c56fedd177108a8849cec423f020625
ZIP SHA1 hash: 8c1638bfd93071eeb6b1244e4a9552866a688b19
ZIP SHA256 hash: 43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136
Linux desktop entry file details
Filename: 4th_SOM_Meeting_Dated_24_September_2025.desktop
MD5 hash: 0d0a8e0ea9186e04e58d8fd850b6982a
SHA1 hash: 98bb6ac8efea006ac7e8f05c7f17428417db48a4
SHA256 hash: a82b9aa03503f5c347d8932f509c37ff9872e51b9376c7d314e7bd7e453668fe
Dropped ELF file
MD5 hash: 3563518ef8389c7c7ac2a80984a2c4cd
SHA1 hash: 6dda9056917355b487bc591a828cf85a7e7d577c
SHA256 hash: 567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33
Domains & URLs
modgovindia[.]com
hxxps[://]modgovindia[.]com/download[.]php?file=Gimpfile[.]txt
hxxps[://]modgovindia[.]com/CDS_Directive_Armed_Forces[.]pdf
Poseidon Malware
Campaign: Deciphering APT-36's Latest Linux Malware Campaign: Unveiling Cyber Espionage in India
Kavach: c82bf2c50900b89b66e9f62d68c415ab
confirmationId_ksb: 382285738bae358060011ad847e845d2
confirmationId_rodra: 02796a813b79928c95b2475798a14688
Bosshelp: aeb3ad3426794d4e90de4d139e92ee4d
Bossstart: 21316422f8c7f0f3ab2b9a282cdacd03
Bosstype: 7b163e400e481519d74e06c1116a5200
Kavachelf: 9b64528352dd683e55eb308919a596fa
URLs & IPs
sharing1[.]filesharetalk.com/bosshelp
ksboard[.]in
rodra[.]in
tt1[.]apktrial[.]com
70[.]34[.]214[.]252