BlackBerry researchers link ongoing Transparent Tribe (APT36) activity targeting India’s government, defense, and aerospace sectors, observed from late 2023 through April 2024, to a shift toward cross-platform tooling and the use of popular web services for C2 and data exfiltration. The campaigns feature cross-language tooling (Python, Go, Rust), ISO-based delivery, and new “all-in-one” espionage capabilities, with infrastructure spanning numerous Indian (.in) domains and file-sharing services. #TransparentTribe #APT36 #GLOBSHELL #PYSHELLFOX #DiscordC2 #Telegram #GoLang #ShamelessISO
Key points
- Transparent Tribe (APT36) has targeted Indian government, defense, and aerospace sectors, with activity spanning late 2023 to April 2024 and likely to continue.
- The group is increasingly using cross‑platform languages (Python, Go, Rust) and widely used services (Telegram, Discord, Slack, Google Drive) for C2 and data exfiltration.
- A new Golang-compiled “all-in-one” espionage tool was discovered, alongside updated Linux/Windows tools such as Poseidon, GLOBSHELL, and PYSHELLFOX.
- ISO images emerged as an attack vector (first seen Oct 2023), including Pay statement.iso and other ISO-based lures targeting Indian defense entities.
- File exfiltration and credential theft extend across multiple delivery chains (ELF binaries, Python downloaders, Windows executables), with extensive use of Discord and Slack for C2/exfil.
- The threat group has built a broad network infrastructure with many Indian (.in) domains and exfil points (e.g., oshi.at) to support campaigns and data theft.
- Attribution is supported by multiple artifacts (time zone set to Asia/Karachi, geolocated samples, Pakistan-linked infrastructure), yielding moderate-to-high confidence in a Pakistani nexus linking the activity to Transparent Tribe.
MITRE Techniques
- [T1588.002] Acquire Capabilities – Transparent Tribe has obtained numerous open-source tools and adapted them to their own needs, such as Go-Stealer and HackBrowserData.
- [T1566.001] Initial Access – Phishing: Spearphishing Attachment – Transparent Tribe utilizes spear-phishing attachments to deliver payloads. “Spearphishing Attachment”
- [T1566.002] Initial Access – Phishing: Spearphishing Link – Transparent Tribe uses spearphishing links to compromise victims. “Spearphishing Link”
- [T1059.004] Execution – Unix Shell – The threat group used obfuscated Shell scripts. “Command and Scripting Interpreter: Unix Shell”
- [T1059.006] Execution – Python – Python-based downloader scripts and ELF/PE payloads. “Command and Scripting Interpreter: Python”
- [T1053.003] Persistence – Cron – Scripts/tools are installed as cron jobs to persist. “Cron T1053.003”
- [T1547.013] Persistence – XDG Autostart Entries – The downloader creates autostart entries to run at login. “XDG Autostart Entries T1547.013”
- [T1547.001] Persistence – Registry Run Keys / Startup Folder – Run keys to start Win_service.exe and win_hta.exe. “Registry Run Keys / Startup Folder T1547.001”
- [T1027.010] Defense Evasion – Obfuscated Files or Information – Commands obfuscated (Base64). “Obfuscated Files or Information: Command Obfuscation”
- [T1564.001] Defense Evasion – Hidden Files and Directories – Hidden autostart desktop entries. “Hidden Files and Directories”
- [T1140] Defense Evasion – Deobfuscate/Decode Files or Information – Decompression of Firefox data via python-lz4. “Deobfuscate/Decode Files or Information”
- [T1071.001] Command and Control – Application Layer Protocol: Web Protocols – HTTP-based C2 communications. “Application Layer Protocol: Web Protocols”
- [T1113] Collection – Screen Capture – Capability to take screenshots. “Screen Capture”
- [T1082] Discovery – System Information Discovery – Gathers basic system information for exfiltration/targeting. “System Information Discovery”
- [T1217] Discovery – Browser Information Discovery – Firefox profile data exfiltration via Discord-C2; PyShellFox looks for Firefox tab data. “Browser Information Discovery”
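The Linux persistence and obfuscation techniques listed above (XDG autostart entries, hidden autostart files, cron jobs, Base64-obfuscated commands) are the ones a defender can triage cheaply on an endpoint. The following is an added example, not code from the BlackBerry report or from the tooling it describes: a small Python triage script that parses XDG `.desktop` entries and crontab lines, flags hidden autostart files and executables launched from temp or hidden directories, and decodes long Base64 tokens in command lines so the analyst sees the real command. The sample autostart entries and crontab are constructed for the demonstration; the heuristics (path patterns, token length) are assumptions, not rules from the report.

```python
"""Triage of XDG autostart entries and crontab lines for the persistence and
obfuscation patterns summarised above (T1547.013, T1564.001, T1053.003, T1027.010).
Added example with constructed sample inputs; not the report's own tooling."""
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, List

# Assumption: a run of 32+ base64-alphabet characters is a payload, not a word or short path.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Assumption: autostart/cron commands launched from temp or hidden ("dot") directories are unusual.
SUSPICIOUS_PATH = re.compile(r"(/tmp/|/dev/shm/|/\.[^/\s]+/)")


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Desktop Entry] group of an XDG .desktop file."""
    fields: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_base64_tokens(command: str) -> List[str]:
    """Decode every long, valid, printable base64 token found in a command line."""
    decoded: List[str] = []
    for match in B64_TOKEN.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # long alphanumeric run that is not really base64 (e.g. a path)
        if text.isprintable():
            decoded.append(text)
    return decoded


def assess_command(command: str, depth: int = 0) -> List[str]:
    """Findings shared by autostart Exec= lines and cron commands; one level of decoding."""
    findings: List[str] = []
    prefix = "decoded payload " if depth else ""
    if SUSPICIOUS_PATH.search(command):
        findings.append(prefix + "runs from temp or hidden directory")
    if depth == 0:
        for payload in decode_base64_tokens(command):
            findings.append(f"base64-encoded command (T1027.010): {payload}")
            findings.extend(assess_command(payload, depth=1))
    return findings


def assess_autostart_entry(filename: str, text: str) -> List[str]:
    """Findings for one ~/.config/autostart entry (T1547.013 / T1564.001)."""
    findings: List[str] = []
    if filename.startswith("."):
        findings.append("hidden autostart file (T1564.001)")
    findings.extend(assess_command(parse_desktop_entry(text).get("Exec", "")))
    return findings


def assess_cron_line(line: str) -> List[str]:
    """Findings for one crontab line (T1053.003); comments and blank lines yield []."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if line.startswith("@"):                      # @reboot, @hourly, ...
        command = line.partition(" ")[2]
    else:                                         # m h dom mon dow command
        parts = line.split(None, 5)
        command = parts[5] if len(parts) == 6 else ""
    return assess_command(command)


def scan_autostart_dir(directory: Path) -> Dict[str, List[str]]:
    """Scan a real autostart directory (pathlib's glob does include dot-files)."""
    return {p.name: assess_autostart_entry(p.name, p.read_text(errors="replace"))
            for p in sorted(directory.glob("*.desktop")) if p.is_file()}


# Constructed sample inputs (not indicators from the report).
_ENCODED = base64.b64encode(b"python3 $HOME/.cache/.upd.py --daemon").decode()
SAMPLE_AUTOSTART = {
    "gnome-keyring-ssh.desktop": "[Desktop Entry]\nType=Application\nName=SSH Key Agent\n"
                                 "Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh\n",
    ".sysupdate.desktop": "[Desktop Entry]\nType=Application\nName=System Update\n"
                          f"Exec=/bin/sh -c \"echo {_ENCODED} | base64 -d | sh\"\n",
}
SAMPLE_CRONTAB = "# m h dom mon dow command\n0 3 * * * /usr/bin/certbot renew\n@reboot /home/user/.local/.x/svc\n"


def run_samples() -> Dict[str, List[str]]:
    """Run the checks over the constructed samples and return findings per source."""
    report = {name: assess_autostart_entry(name, text) for name, text in SAMPLE_AUTOSTART.items()}
    report["crontab"] = [f for line in SAMPLE_CRONTAB.splitlines() for f in assess_cron_line(line)]
    return report


if __name__ == "__main__":
    for source, findings in run_samples().items():
        print(f"{source}: {findings or 'no findings'}")
```

On a live host, `scan_autostart_dir(Path.home() / ".config" / "autostart")` applies the same checks to the real directory; the findings are triage leads for an analyst, not verdicts, since a legitimate packager may also ship a `.desktop` entry with a long argument string.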
Indicators of Compromise
- [Hash] Hashes – d9f29a626857fa251393f056e454dfc02de53288ebe89a282bad38d03f614529, 44c8d8590197cf47adfd59571a64cd8ccce69ca71e2033abb2f7cf5323e59b85
- [File Name] – Revised_NIC_Application, afd.exe
- [Domain] – files[.]tpt123[.]com, twff247[.]cloud
- [IP] – 223.123.17.36, 149.248.51.25:80, 149.248.51.25:7443