CYFIRMA researchers exposed a sophisticated campaign by the Pakistan-aligned Transparent Tribe (APT36) targeting Indian government and defense organizations with social-engineered ZIP archives and a multi-stage infection chain built for long-term espionage. The operation uses deceptive LNK shortcuts and a PowerPoint add-in (PPAM) whose macros reconstruct the payload and deploy a RAT (hsuzoiaisaacrhy.exe) that connects to a hardcoded C2 for covert data exfiltration.
Key points
- Transparent Tribe (APT36) targets Indian government-associated and defense organizations for long-term espionage.
- The initial lure is a ZIP archive containing a deceptive shortcut file named “Approved Documents 2026.pdf.lnk”.
- A PowerPoint add-in (Brief.ppam) with Auto_Open VBA macros performs macro-based payload reconstruction and OS-specific deployment.
- The malware establishes persistence, removes the Mark-of-the-Web, uses junk code for evasion, and self-deletes via fimsrwvar.exe.
- The final RAT, hsuzoiaisaacrhy.exe, connects to a hardcoded C2 (93.127.130.89) to enable remote monitoring and staged data exfiltration.
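As an added defensive example that is not part of the CYFIRMA summary, the following Python triages a ZIP attachment for the two lure traits described above: a document-looking double-extension shortcut such as "Approved Documents 2026.pdf.lnk" and an Office add-in (.ppam) that can carry Auto_Open macros. The sample archive is constructed inline with dummy contents, and the extension lists are my own assumptions.

```python
# Added example (not CYFIRMA's code): triage a ZIP lure for the traits
# described in the summary. The extension sets below are assumptions.
import io
import zipfile

# Final extensions a document-looking name should never end in.
RISKY_FINAL_EXT = {".lnk", ".exe", ".scr", ".ppam", ".xlam", ".hta", ".js", ".vbs"}
# Inner extensions used to make a file look like a harmless document.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Every Windows Shell Link starts with its header size, 0x4C, as a 4-byte LE int.
LNK_MAGIC = b"\x4c\x00\x00\x00"


def triage_zip(data: bytes) -> list[str]:
    """Return findings for the archive bytes; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            if len(parts) < 2:
                continue  # no extension at all
            final_ext = "." + parts[-1]
            inner_ext = "." + parts[-2] if len(parts) >= 3 else ""
            if inner_ext in DOCUMENT_EXT and final_ext in RISKY_FINAL_EXT:
                findings.append(f"double extension: {info.filename}")
            if final_ext == ".lnk" and zf.open(info).read(4) == LNK_MAGIC:
                findings.append(f"shell link: {info.filename}")
            if final_ext in {".ppam", ".xlam"}:
                findings.append(f"office add-in (may carry Auto_Open macros): {info.filename}")
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample archive mirroring the lure layout; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Approved Documents 2026.pdf.lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("Brief.ppam", b"PK\x03\x04 dummy add-in bytes")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_lure()):
        print(finding)
```

On the constructed sample the shortcut is flagged twice (double extension and Shell Link magic) and the add-in once; a mail gateway or sandbox pre-filter can quarantine on either signal before the chain reaches a user.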