Acronis TRU tracked Transparent Tribe (APT36) expanding from its usual government and defense targets to India’s startup ecosystem, delivering Crimson RAT via startup-themed ISO container files and malicious LNK shortcuts. The campaign reused established APT36 tooling, infrastructure and tradecraft, including spear-phishing ISO attachments, a batch runner that doubles as the persistence mechanism, and the C2 servers 93.127.133.9 and sharmaxme11.org, which reinforces the attribution overlap and the deliberate targeting of OSINT/cybersecurity startups.
Keypoints
- Transparent Tribe (APT36) expanded targeting beyond government and education to include India’s startup ecosystem, particularly OSINT/cybersecurity firms.
- The initial access vector was a spear-phishing email delivering an ISO container (MeetBisht.iso) that contained a malicious LNK, a decoy XLSX, a batch runner, and the Crimson RAT payload.
- Crimson RAT was delivered disguised as an executable named “Excel” and executed via a runner batch script (mycsd.bat) that also acted as a persistence mechanism.
- Decoy material referenced a real startup (Voldebug) and OSINT-focused content to increase lure credibility and exploit proximity to law enforcement or government projects.
- Analysis showed overlap with previous Transparent Tribe campaigns through reused malware families, filenames and infrastructure, supporting high-confidence attribution.
- Acronis EDR/XDR detects and blocks the Crimson RAT activity associated with this campaign.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access delivered via a spear-phishing email carrying a malicious ISO attachment (‘a spear-phishing email delivering a container-based ISO file named MeetBisht.iso’)
- [T1204.002] User Execution: Malicious File – Execution relied on user interaction with a malicious LNK shortcut inside the ISO (‘the ISO contains a malicious shortcut file named Meet Bisht.xlsx.lnk’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – A batch script was used as the execution runner to launch the payload (‘a batch script that acts as the execution runner and persistence mechanism’)
- [T1547.001] Boot or Logon Autostart Execution – The runner batch script also functioned to establish persistence on the victim system; the report does not state which autostart location it uses (‘a batch script that acts as the execution runner and persistence mechanism’)
- [T1071.001] Application Layer Protocol – Crimson RAT communicated with remote command-and-control servers to exfiltrate data and receive commands (‘Crimson RAT’s C&C server 93.127.133.9’ and ‘sharmaxme11.org’)
Indicators of Compromise
- [File name] Malicious delivery and payload names observed in the campaign – MeetBisht.iso, Meet Bisht.xlsx.lnk
- [File hash (MD5)] Hashes for container, shortcut, payload and runner – 5c4488b4eda72d245dac5382f3587f09, 4976ef0054b0283c0d013be2f442e17b, and 3 more hashes
- [Filename (payload)] Deployed malware and supporting files – Excel (Crimson RAT), mycsd.bat
- [IP address] Command-and-control infrastructure – 93.127.133.9 (Crimson RAT C2)
- [Domain] Command-and-control infrastructure – sharmaxme11.org (Crimson RAT C2)
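The technique chain and the IOC list above are what a SOC would turn into a hunt. The script below is an added example (not Acronis TRU code) that matches endpoint telemetry against the published atomic IOCs and, separately, against IOC-agnostic behaviours that describe the same tradecraft: a double-extension shortcut, explorer.exe spawning cmd.exe to run a .bat from the root of a drive letter (where a mounted ISO's contents appear), and a process named "Excel" running outside an Office install directory. It then correlates hits per host so a machine showing lure, runner, payload and C2 together is flagged as a full chain. The event schema, the sample events, the Office install paths and the behavioural rules are assumptions of this example; the page only gives the atomic indicators, and only two of the five MD5s it mentions are listed, so only those two are included.

```python
"""Match constructed endpoint telemetry against the Transparent Tribe / Crimson RAT
chain: ISO -> LNK -> batch runner (mycsd.bat) -> "Excel" payload -> C2.
Added example, not Acronis TRU code. Event schema and sample events are constructed."""
import re
from dataclasses import dataclass

# Atomic IOCs copied from the report. The report names five MD5s but lists only two.
IOC_FILENAMES = {"meetbisht.iso", "meet bisht.xlsx.lnk", "mycsd.bat"}
IOC_MD5 = {"5c4488b4eda72d245dac5382f3587f09", "4976ef0054b0283c0d013be2f442e17b"}
IOC_C2 = {"93.127.133.9", "sharmaxme11.org"}

# Assumption: a genuine Excel binary lives under one of these directories.
OFFICE_DIRS = ("c:\\program files\\microsoft office",
               "c:\\program files (x86)\\microsoft office")

# A .bat sitting directly in the root of a drive letter (no sub-directory), e.g. D:\mycsd.bat
BAT_AT_DRIVE_ROOT = re.compile(r'\b[a-z]:\\[^\\"]+\.bat\b', re.I)


@dataclass
class Event:
    host: str
    kind: str            # "file", "process" or "network"
    image: str = ""      # full path of the file or process image
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""
    md5: str = ""
    dst: str = ""        # destination IP or hostname (network events)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ioc_hits(ev):
    """Exact-match checks against the published indicators."""
    hits = []
    if basename(ev.image) in IOC_FILENAMES:
        hits.append("ioc:filename:" + basename(ev.image))
    for tok in IOC_FILENAMES:  # the runner/LNK may appear only on a command line
        if tok in ev.cmdline.lower() and "ioc:filename:" + tok not in hits:
            hits.append("ioc:filename:" + tok)
    if ev.md5.lower() in IOC_MD5:
        hits.append("ioc:md5:" + ev.md5.lower())
    if ev.dst.lower() in IOC_C2:
        hits.append("ioc:c2:" + ev.dst.lower())
    return hits


def behaviour_hits(ev):
    """IOC-agnostic checks for the same tradecraft, so renamed artefacts still trip them."""
    hits = []
    if ev.kind != "process":
        return hits
    name, low = basename(ev.image), ev.cmdline.lower()
    if re.search(r"\.(xlsx|docx|pdf)\.lnk", low):
        hits.append("behaviour:double-extension-lnk")
    if name == "cmd.exe" and basename(ev.parent) == "explorer.exe" and BAT_AT_DRIVE_ROOT.search(low):
        hits.append("behaviour:cmd-bat-from-drive-root")
    if name in ("excel", "excel.exe") and not ev.image.lower().startswith(OFFICE_DIRS):
        hits.append("behaviour:excel-outside-office-dir")
    return hits


def triage(events):
    """Group hits per host and mark hosts that show every stage of the chain."""
    per_host = {}
    for ev in events:
        hits = ioc_hits(ev) + behaviour_hits(ev)
        if hits:
            per_host.setdefault(ev.host, []).extend(hits)
    report = {}
    for host, hits in per_host.items():
        stages = {
            "lure": any("lnk" in h for h in hits),
            "runner": any(".bat" in h or "cmd-bat" in h for h in hits),
            "payload": any("excel" in h or h.startswith("ioc:md5") for h in hits),
            "c2": any(h.startswith("ioc:c2") for h in hits),
        }
        report[host] = {"hits": sorted(set(hits)), "stages": stages,
                        "full_chain": all(stages.values())}
    return report


# Constructed telemetry, not taken from the report. ws-07 replays the whole chain from a
# mounted ISO on D:; ws-12 shows a genuine Excel launch plus a renamed file matching a hash.
SAMPLE_EVENTS = [
    Event("ws-07", "file", image=r"D:\Meet Bisht.xlsx.lnk"),
    Event("ws-07", "process", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe", cmdline=r'cmd.exe /c "D:\mycsd.bat"'),
    Event("ws-07", "process", image=r"D:\Excel", parent=r"C:\Windows\System32\cmd.exe",
          cmdline="Excel"),
    Event("ws-07", "network", dst="93.127.133.9"),
    Event("ws-12", "process", image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          parent=r"C:\Windows\explorer.exe", cmdline='"EXCEL.EXE" report.xlsx'),
    Event("ws-12", "process", image=r"C:\Users\a\Downloads\invoice.exe",
          parent=r"C:\Windows\explorer.exe", md5="5c4488b4eda72d245dac5382f3587f09"),
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, "FULL CHAIN" if r["full_chain"] else "partial", r["hits"])
```

The behavioural rules are deliberately broader than the campaign: they will fire on the next lure even if the ISO, LNK and batch file are renamed, while the atomic IOCs catch exact reuse of this infrastructure. Tune OFFICE_DIRS and the drive-root rule to your estate before deploying; the sample hash match on invoice.exe only illustrates that a hash hit alone gives a "payload" stage, not a full chain.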