{ "id": "5d5e096d-b3c2-40d4-8d7e-ad3c6001caf7", "created_at": "2026-04-06T00:13:39.52234Z", "updated_at": "2026-04-10T13:11:24.716345Z", "deleted_at": null, "sha1_hash": "03e076b165440aa72692d2494eecb62ba5f4ac9c", "title": "ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1279740, "plain_text": "ProjectM: Link Found Between Pakistani Actor and Operation\r\nTransparent Tribe\r\nBy Robert Falcone, Simon Conant\r\nPublished: 2016-03-25 · Archived: 2026-04-02 11:06:16 UTC\r\nBe the first to receive the latest news, cyber threat intelligence and research from Unit 42. Subscribe Now. \r\nUnit 42 is currently researching an attack campaign that targets government and military personnel of India. This\r\nattack appears to overlap with the Operation Transparent Tribe and Operation C-Major campaigns that targeted\r\nIndian embassies in Saudi Arabia and Kazakhstan, as well as the Indian military.\r\nWe are tracking the group of actors involved in this campaign as ‘ProjectM.’ During our research, we found a\r\nlinkage between the infrastructure used by ProjectM and an individual from Pakistan. We cannot definitively\r\nconfirm this individual is involved with this attack campaign, but the evidence that we will discuss in this blog\r\npost suggests that it is highly likely that this individual has some involvement with the threat group.\r\nThis blog post highlights the trail of evidence individuals leave on the Internet when they are not careful about\r\ndisguising their identity. All of the information collected about this actor is public and accessible through open\r\nsource research.\r\nOverview of Transparent Tribe\r\nThe ProjectM actors rely on both spear-phishing emails and watering hole sites to deliver a variety of different\r\ntools to target the Indian government and military. ProjectM actors used a blog with a theme related to the Indian\r\nmilitary titled “India News Tribe” (intribune.blogspot.com) as a watering hole to deliver their payloads. This\r\ngroup also used spear-phishing emails with malicious RTF files exploiting CVE-2010-3333 or CVE-2012-0158, in\r\naddition to Excel files that contained malicious macros to download and install their payloads as well.\r\nThe actors have access to a sizeable toolset of Trojans that they use in their attack campaigns, including custom\r\ndeveloped tools called Crimson and Peppy, along with off-the-shelf remote administration tools (RATs) and\r\ndownloaders, such as DarkComet and Bozok. Another interesting part of this campaign is the use of techniques\r\nand Trojans often seen in cybercrime attacks, such as the use of the Andromeda Trojan as an initial payload in\r\ntheir attacks to download and execute other tools in their toolset. The Operation Transparent Tribe report by\r\nDarien Huss of Proofpoint provides an excellent analysis of the various tools used by this group, including\r\nCrimson and Peppy and their associated infrastructure.\r\nRegistration Slip Up\r\nDuring our research, we analyzed the registration information of the Andromeda, Crimson and Peppy Trojan\r\ncommand and control domains used by ProjectM. A majority of the infrastructure associated with ProjectM was\r\nregistered using WHOIS protection services, which conceals the actual registrant’s information (name, email, etc.)\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 1 of 11\n\nused to register the domain name. However, we discovered that the actors had in all likelihood, inadvertently\r\nneglected to use WHOIS protection on two domains in their infrastructure that they used to host C2 servers for the\r\nAndromeda Trojan.\r\nThe two undisguised domains were “winupdater[.]info” and “ordering-checks[.]com”, which were registered\r\nusing the email address “mshoaib.yaseen [at] gmail.com”, as seen in Figure 1. The Andromeda samples used these\r\nundisguised domains to deliver Peppy Trojans that used the previously observed ProjectM domain\r\n“bbmdroid.com” as a C2 server. The email address and information used to register these domains appears to be\r\nreal and associated with the actor, which differs from most infrastructure used in targeted attacks that use fake\r\ninformation and a disposable email account during registration. On August 5, 2014, the actor seemingly\r\ndiscovered his mistake as the “ordering-checks[.]com” domain was updated with WHOIS protection.\r\nDomain Name: winupdater.info\r\nRegistrant ID: CR144993459\r\nRegistrant Name: Xtex Studios\r\nRegistrant Organization: Xtex Studios\r\nRegistrant Street: R-240 Sector 15A\r\nRegistrant City: Karachi\r\nRegistrant State/Province: Sindh\r\nRegistrant Postal Code: 74200\r\nRegistrant Country: PK\r\nRegistrant Phone: +92.3452183117\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: mshoaib.yaseen@gmail.com\r\nDomain Name: ordering-checks.com\r\nCreated On: 2014-02-11\r\nExpiration Date: 2015-02-11\r\nRegistrant Name: Muhammad Kamran\r\nRegistrant Street1: R02323 Karachi\r\nRegistrant City: Karachi\r\nRegistrant State/Province: Sindh\r\nRegistrant Postal Code: 74200\r\nRegistrant Country: PK\r\nRegistrant Phone: +92 3452183117\r\nRegistrant Fax: +92 3452183117\r\nRegistrant Email: mshoaib.yaseen@gmail.com\r\nFigure 1 WHOIS Information for Two Command and Control Domains without Whois Protection\r\nWho is in ProjectM?\r\nThe Gmail address seen in Figure 1 is directly linked to Facebook, LinkedIn, Google+, and Skype accounts. All of\r\nthe accounts have corroborative biographical content, giving us a possible identity of a potential actor, who\r\nappears to be a 26-year-old individual from Karachi, Pakistan. At this time, we cannot absolutely confirm this\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 2 of 11\n\nindividual’s involvement with ProjectM, Operation Transparent Tribe or Operation C-Major campaigns; however,\r\nstrong evidence was discovered linking this individual’s online presence to entities related to the threat group,\r\nwhich can be seen in the chart in Figure 2. Additionally, content posted to the social networking accounts suggest\r\nthat the actor has an anti-Indian sentiment, which may be a motivating factor for the actor to participate in such\r\nattack campaigns.\r\nFigure 2 Diagram of links between the actor and ProjectM\r\nWeb Designer by Trade\r\nWe believe the individual associated with the email address “mshoaib.yaseen [at] gmail.com” was at one time and\r\npossibly still involved in web design services, as well as revenue generating efforts using Google AdSense.\r\nInterestingly, it appears that the individual reused servers and domains set up during web design efforts to host\r\nmalicious content used in attack campaigns as well.\r\nThe web design and technology services company hosted at “apnits[.]4t[.]com” listed the phone number \"0345-\r\n2183117\" for its chief executive and as its support number. This phone number is the same as seen in the\r\nregistration information in Figure 1 without the country code “+92”. We did not find any malicious content on this\r\nsite; however, we did find content that suggests it was last revised in November 2006.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 3 of 11\n\nAnother web design company created by the individual was discovered at “xtexhosts.com”. The phone number\r\n“+92.3452183117” was also found in the WHOIS information and was registered using the email “spid3rsoft [at]\r\ngmail.com”. We do not have any indication of malicious content hosted on xtexhosts.com, but it appears that the\r\nactor created it for Xtex Studios, which appears to be another web design company started by the actor.\r\nWe found a third domain, “easternkingsology[.]com,” that contained registration information with the name “Xtex\r\nStudios” and the registration email of “mshoaib.yaseen [at] gmail.com” until the domain expired in December\r\n2015. The “easternkingsology[.]com” domain hosted a Bozok RAT sample at\r\nhxxp://easternkingsology[.]com/det/dllbb.exe (SHA256:\r\ne4dfcf3db512260e1a4ff414907610d5d5279143fa9ade9219d8691be02e512f), which suggests the threat actor\r\nhosted this Trojan on an Xtex Studios related domain for use in a ProjectM campaign. Figure 3 shows an\r\nadvertisement of the services provided by Xtex Studios using “mshoaib.yaseen [at] gmail.com” and\r\n“karachian.gem [at] hotmail.com” for contact purposes.\r\nFigure 3 Website Advertising Xtex Studios Services Linking Two Email Addresses\r\nWe found the registration phone number and email address for xtexhosts[.]com on an advertisement for another\r\nweb design company called SPID3R[.]SOFT. The advertisement seen in Figure 4 was hosted on\r\n“sahirlodhi[.]com”, which was a domain also used by ProjectM as the download location for a sample of the\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 4 of 11\n\nCrimson tool. At first we hypothesized that sahirlodhi[.]com may have been a compromised site, as it appeared to\r\nbe the official site for the Pakistani television actor Sahir Lodhi. On May 10, 2008, the domain registration\r\ninformation was updated to include the registrant email of “mshoaib.yaseen[at]gmail.com”, suggesting the threat\r\nactor was involved in the creation of this website. The registration information for this domain remained the same\r\nuntil May 21, 2014 when it was updated to include WHOIS privacy protection. We believe that the threat actor\r\nstill had access to the sahirlodhi[.]com webserver and used it to host the payload for ProjectM, further suggesting\r\nthat the actor reuses domains and servers to host content and payloads unrelated to its original purpose.\r\nFigure 4 Advertisement of SPID3R.SOFT Web Design\r\nIn addition to xtexhosts[.]com, the domain “thefriendsmedia[.]com” was also registered using the email\r\n“spid3rsoft[at]gmail.com”. This domain hosts a multimedia website that claims it is “Asia’s Biggest Entertainment\r\nPortal”. Unit 42 saw this domain hosting several ProjectM tools, including the exact same Andromeda and Peppy\r\nsamples as those previously observed using bbmdroid[.]com as a C2, which were hosted at “/est/estma.exe” and\r\n“/est/controller.exe” respectively.\r\nThe “thefriendsmedia[.]com” site makes references to “thefriendsfm[.]com”, which was originally registered in\r\nOctober 2010 using the email “mshoaib.yaseen[at]gmail.com”. On March 24, 2014, the actor shared a link on his\r\nFacebook (figure 5) and Google+ accounts to an article hosted on “thefriendsfm[.]com” titled “MOD Assistant\r\nDirector and Staff Grade NTS Results 2014”, which is currently still present on the “thefriendsmedia[.]com”\r\ndomain. The post discusses applying for positions at the Pakistani Ministry of Defense (MOD), but we do not\r\nhave any conclusive evidence that the actor applied to or is connected in anyway with the MOD.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 5 of 11\n\nFigure 5 Actor's Facebook post to an article regarding jobs in Pakistan's Ministry of Defense\r\nSocial Media Activity\r\nThe email address “karachian.gem[at]hotmail.com” seen in the advertisement of Xtex Studios led to the discovery\r\nof the possible identity of an individual that is likely involved with ProjectM. Unit 42 found the individual’s\r\nGoogle+ profile, seen in Figure 6 and noticed that the profile had several posts that included domains that had\r\nhosted payloads or were C2 servers associated with ProjectM, such as:\r\nbbmdroid[.]com (Peppy, Bozok)\r\nshobitech[.]com (Peppy, DarkComet, Andromeda)\r\nmustache-styles[.]com (Andromeda)\r\nmessagerieneuf[.]com (Crimson)\r\nsahirlodhi[.]com (Crimson)\r\nFigure 6 Possible Actor Involved with ProjectM\r\nAlso, Facebook and Google+ posts include \"Bind an exe in excel file | Microsoft Excel Exploit | ShobiTech\"\r\n(Figure 7), which is interesting as ProjectM has used malicious Excel delivery documents with macros to\r\ndownload and install payloads in its attack campaign.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 6 of 11\n\nFigure 7 - Actor discusses technique seen in campaigns\r\nThe “shobitech[.]com” domain also appeared in one of the actor’s Facebook accounts. This Facebook account\r\nprovided a great deal of information about the actor, specifically in the photos section. The actor used the\r\nshobitech[.]com domain in 2013 to host details of a training course (Figure 8) that he was conducting on how to\r\nmonetize YouTube using Google AdSense.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 7 of 11\n\nFigure 8 Advertisement Associated with a Training Conducted by Actor\r\nThe photos also show the actor obtained a certificate for completing the “Windows Exploit Development\r\nMegaprimer” online course hosted on udemy.com and screenshots of the actor using various offensive security\r\ntools, such as Metasploit on Kali Linux (Figure 9). The Operation Transparent Tribe report suggested that\r\nMeterpreter samples were used as payloads in the campaign, which is interesting as Meterpreter is part of the\r\nMetasploit Framework that the individual has had experience with according to the photos uploaded to his\r\nFacebook account.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 8 of 11\n\nFigure 9 Photo Uploaded to Facebook Account of Individual Using Metasploit\r\nFurthermore, another Facebook account belonging to this actor points to “shoaibyaseen[.]com”, which appears to\r\nhost this individual’s personal blog. The blog has a total of twelve posts between February 29, 2016, and March 2,\r\n2016. The topics posted to this blog include network port scanning and data gathering techniques, as well as\r\ncommands to run using Metasploit and Meterpreter to accomplish various tasks to exploit systems and carry out\r\npost-exploitation activities. While the use of Meterpreter in Figure 9 and the topics in the “shoaibyaseen[.]com”\r\nblog in Figure 10 do not directly implicate this individual, it does strongly suggest that he possesses skills that\r\nwould be valuable to offensive campaigns like those conducted by ProjectM.\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 9 of 11\n\nFigure 10 Recent posts on the actor's blog with topics including Metasploit and post exploitation activities\r\nAnother interesting observation about this actor is that his name shows up in the debug symbol path of several\r\nCrimson tools. The actor’s name appears in the debug symbol path of samples of the Crimson downloader and the\r\nremote administration tool, suggesting the actor may have been involved with the development of this Trojan. For\r\ninstance, the following shows an example of the actor's name in the debug symbol path of a Crimson downloader\r\n(SHA256: dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c):\r\nE:\\Projects\\m_project\\main\\mj shoaib\\Thin Client\\secure_scan\\secure_scan\\obj\\x86\\Debug\\secure_scan.pdb\r\nActor's Early Blogging\r\nThe email address “karachian.gem[at]hotmail.com” also led us to the individual’s blogger account, which was\r\ncreated in April 2008. The “About Me” section of this blogger account states that this individual lives in Karachi,\r\nPakistan and studied computer science. This account also created several other blogs as well, most of which had\r\nlittle content of interest with the following exceptions:\r\nbbmdroid[.]blogspot[.]com\r\nindian-attack[.]blogspot[.]com\r\nFreeowlsofminerva[.]blogspot[.]com\r\nFigure 11 Picture of Individual Associated with Blogger Accounts\r\nThe first related blog of interest is bbmdroid[.]blogspot[.]com that contains a link to “bbmdroid[.]com”, which\r\nhosted C2 services for various ProjectM tools. The indian-attack[.]blogspot[.]com does not contain any malicious\r\nexploit code or payloads, but has a theme of terrorism in India. A blog with a theme related to India closely\r\nresembles the India News Tribe (intribune[.]blogspot[.]com) blog that ProjectM used in Operation Transparent\r\nTribe to deliver Crimson payloads.\r\nThe “freeowlsofminerva[.]blogspot[.]com” blog was created on August 24, 2013, to offer a service for players of\r\nthe MapleStory MMORPG. The links on the blog point to Excel spreadsheets hosted on “microsoftexcel[.]united-host[.]us”, such as:\r\nhxxp://microsoftexcel[.]united-host[.]us/Downloads/(Bera)%20FM%20Price%20List.xls\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 10 of 11\n\nThe blog also includes a link at the bottom of the page to a VirusTotal scan of a file named “(Bera) FM Price\r\nList.xlsx” that showed that no antivirus vendors detected the file as malicious. We do not have access to the\r\nspreadsheets hosted “microsoftexcel[.]united-host[.]us” to confirm if they were malicious or not; however, we did\r\nobserve a DarkComet payload (SHA256:\r\ncc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157) hosted on this server at\r\n“microsoftexcel[.]united-host[.]us/update.exe”. The fact that a payload was hosted on this server leads us to\r\nbelieve the inclusion of the link to a VirusTotal analysis is a social engineering attempt to increase the likelihood a\r\nvictim would click the links.\r\nFigure 12 Use of VirusTotal Report to Increase Likelihood of Victim Clicking Links\r\nConclusion\r\nProjectM is a threat group conducting targeted attacks on government and military personnel of India. Unit 42 has\r\nlinked several different domains within ProjectM’s infrastructure to an individual residing in Pakistan. This\r\ncorresponds with the suspicions of David Sancho and Feike Hacquebord at Trend Micro, who documented a likely\r\nPakistani link to the activity in their Operation C-Major report.\r\nAt this time, we cannot elaborate on the extent of this individual’s involvement with the targeted attacks; however,\r\nit does appear that the individual was involved with setting up some portion of the infrastructure used by the\r\nvarious payloads delivered in the attack campaign. According to the individual’s social media pages and blogs, it\r\nstrongly suggests he possesses skills to carry out offensive activities in ProjectM campaigns. Also, the individual’s\r\nname appearing within Crimson Trojan samples suggests that he may have been involved with the creation of the\r\nmalware as well.\r\nTrend Micro reported finding gigabytes of personal identifiable information (PII) in open directories on C2 servers\r\nrelated to ProjectM, mostly belonging to Indian Army personnel. Although such PII might be used for financial\r\ngain, we find multiple instances in social media and blogs where this actor states anti-Indian sentiments,\r\nsuggesting he is potentially politically motivated.\r\nWhile knowing the identity and motivations of a possible actor is not necessarily actionable from a defensive\r\nperspective, it does provide a good reminder that people are always behind an attack, as it is easy to become\r\nfixated solely on the technical aspects of malware and infrastructure.\r\nSource: https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe" ], "report_names": [ "unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434419, "ts_updated_at": 1775826684, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/03e076b165440aa72692d2494eecb62ba5f4ac9c.pdf", "text": "https://archive.orkl.eu/03e076b165440aa72692d2494eecb62ba5f4ac9c.txt", "img": "https://archive.orkl.eu/03e076b165440aa72692d2494eecb62ba5f4ac9c.jpg" } }