{
	"id": "278305d9-84b4-438c-b0d7-4ca503591826",
	"created_at": "2026-04-06T00:09:05.086237Z",
	"updated_at": "2026-04-10T13:11:34.828597Z",
	"deleted_at": null,
	"sha1_hash": "0b98986989abf8c6c1b1e83f40f545a6d92e9f14",
	"title": "Stealth in the Cloud: How APT36's ElizaRAT is Redefining Cyber Espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2106554,
	"plain_text": "Stealth in the Cloud: How APT36's ElizaRAT is Redefining Cyber\r\nEspionage\r\nPublished: 2024-11-26 · Archived: 2026-04-05 17:05:33 UTC\r\nAPT36, also known as Transparent Tribe, has consistently aimed its cyber-espionage arsenal at Indian government\r\nagencies, diplomatic personnel, and military installations. This well-known Pakistani threat actor group has shown\r\nit can widen the attack surface by targeting Windows, Linux, and Android systems, making it a persistent and\r\nevolving threat.\r\nAccording to the Check Point research team, APT36 has made significant changes with a more sophisticated\r\nWindows Remote Access Trojan (RAT) known as ElizaRAT. Initially discovered in 2023, ElizaRAT has evolved,\r\ndemonstrating new evasion techniques and enhanced command-and-control (C2) capabilities. This article explores\r\nthe latest developments of ElizaRAT, focusing on the deployment tactics, payloads, and infrastructure used by\r\nAPT36.\r\nIntroduction to APT36\r\nAPT36, also known as Transparent Tribe, is a notorious advanced persistent threat (APT) group believed to\r\noriginate from Pakistan.\r\nCybersecurity experts have been closely monitoring the activities of Transparent Tribe and have identified\r\ntheir primary objectives as data theft and espionage. 
The group's operations are characterized by frequent and\r\ntargeted attacks, often focusing on valuable targets in Afghanistan and India.\r\nAPT36 uses various tactics to conduct cyber espionage, including:\r\n Credential harvesting and malware distribution attacks\r\n Custom-built tools for remote administration on Windows\r\n Lightweight Python-compiled tools for Windows and Linux\r\n Weaponized open-source frameworks like Mythic\r\n Trojanized installers of Indian government applications, including KAVACH\r\n Trojanized Android multi-factor authentication apps\r\n Credential phishing sites targeting Indian government officials\r\nhttps://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage\r\nPage 1 of 11\n\nTo get the list of all the reported tools and TTPs the APT group has used, check the MITRE ATT\u0026CK framework.\r\nDifferent Names of APT36\r\nIntroduction to ElizaRAT\r\nFirst made public in September 2023, ElizaRAT is a powerful weapon in the Transparent Tribe toolbox that the\r\ngroup uses to launch accurate and persistent strikes.\r\nElizaRAT initially used a Telegram bot for C2 (Command \u0026 Control) communication, executing attacks through\r\nCPL files. Since its launch, it has evolved significantly in how it operates, hides, and communicates, as seen in\r\nthree major campaigns from late 2023 to early 2024. Each campaign comes with a modified version of the\r\nmalware that downloads customizable payloads designed to collect specific information from infected systems. 
\r\nThe following are the characteristics of ElizaRAT:\r\nWritten in .NET, with embedded .NET and assembly modules via Costura.\r\nExecution through .CPL files to evade direct detection.\r\nCloud services, such as Google, Telegram, and Slack, for distribution and C2 communication.\r\nDeployment of decoy documents or videos to mislead victims.\r\nUse of IWSHshell in most samples to create persistent shortcuts on infected systems.\r\nReliance on SQLite to temporarily store files on the victim's device before exfiltration.\r\nGeneration and storage of a unique victim ID in a separate file on the compromised machine.\r\nThe Story of the Slack Campaign\r\nOne of the key elements of ElizaRAT is a file called SlackAPI.dll. The DLL file (Dynamic Link Library) contains\r\nsome of the main code that makes ElizaRAT work. To uniquely identify the file, the SlackAPI.dll sample analyzed\r\nhere has an MD5 hash (or fingerprint) of 2b1101f9078646482eb1ae497d44104.\r\nSo why the name SlackAPI.dll? ElizaRAT uses Slack, the popular workplace communication app, to hide its\r\ncommunications! The hackers set up private Slack channels to act as their command center, which means they can\r\nsend commands to the infected computer directly through Slack messages.\r\nTo spread the campaign, the hackers use a type of file called a CPL file, which stands for a 'Control Panel' file.\r\nCPL files are usually linked to Windows settings and are used to open specific tools within the Control Panel. But\r\nin this case, they’re used to deliver malware. Since CPL files can run by themselves when you double-click them,\r\nthey’re a handy way for hackers to trick people into opening them, thinking it's a normal file.\r\nThe malware reads the contents of a file called Userinfo.dll and sends it to the hacker server. This file likely\r\ncontains information about the infected computer, such as the user's name, email, or other details. 
The malware\r\nchecks the hacker server every 60 seconds for any new instructions or commands. This allows the hacker to\r\ncontrol the infected computer remotely.\r\nThe ElizaRAT malware uses Slack's API (Application Programming Interface) to communicate with the hacker's\r\nserver. Here's how it works:\r\n1. Polling the channel: The malware uses a function called ReceiveMsgsInList() to continuously check a\r\nspecific Slack channel (C06BM9XTVAS) for new messages.\r\n2. Using the Slack API: The malware sends a request to Slack's API at https://slack.com/api/conversations.history\r\nto check for new messages in the channel.\r\n3. Using a bot token and victim ID: The malware uses a special token (like a password) and the victim's ID\r\nto authenticate the request and identify the infected computer.\r\nThe ElizaRAT malware uses the following functions to handle messages and files:\r\n1. Send messages: The SendMsg() function sends messages to the hacker's server by posting to Slack's API at\r\nhttps://slack.com/api/chat.postMessage with the message content and channel ID C06BWCMSF1S.\r\n2. Upload files: The SendFile() function uploads files to the same channel using Slack's API at\r\nhttps://slack.com/api/files.upload.\r\n3. Download files: The DownloadFile() function retrieves files from a provided URL and saves them to the\r\ninfected computer using HttpClient and the bot token for authenticated access.\r\nAnalysis of the SlackAPI.dll\r\nThe DLL file has been flagged as malicious by eight different security vendors (at the time of writing this article).\r\nSlackAPI.dll (VirusTotal detection)\r\nThe detailed analysis through VirusTotal yields interesting findings, which are listed below:\r\n1. 
Contacted IP addresses\r\n13.107.21.237 (AS 8068) - Flagged as malicious.\r\n204.79.197.203 (AS 8068) - Flagged as malicious.\r\n204.79.197.237 (AS 8068) - Multiple malicious communicating files detected through this IP\r\naddress.\r\nSlackAPI.dll communicating IP addresses.\r\n2. Sandbox reports\r\nThe dynamic analysis shows 8 different MITRE ATT\u0026CK tactics and techniques.\r\nThe rundll32.exe.log file (full path:\r\nC:\\Users\\user\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\rundll32.exe.log) is dropped during\r\nthe execution of SlackAPI.dll.\r\nThe hackers behind the ElizaRAT malware have deployed another piece of malware, which the Check Point\r\nresearch team called ApoloStealer. This new malware was deployed to specific targets, and it was compiled\r\n(created) one month after the ElizaRAT malware.\r\nThe Story of the Circle Campaign\r\nThe ElizaRAT malware has a new version called Circle ElizaRAT, which was created in January 2024. The latest\r\nversion is hard to detect because it uses a dropper component.\r\nThe Circle campaign uses the %appdata%\\SlackAPI folder as its working directory. A working directory is a\r\nfolder on the computer where the malware stores its files. \r\nThe Circle campaign's use of a VPS (Virtual Private Server) instead of a cloud service makes the malware difficult\r\nto detect and track. VPSs are more challenging to monitor and analyze, offering attackers increased control and\r\nflexibility.\r\nCircle Chain Infection\r\nThe Circle infection chain performs the following actions:\r\n1. Checks the time zone: The malware checks if the computer's time zone is set to India Standard Time.\r\n2. Registers the victim's information: The malware stores the victim's information in files called\r\nApplicationid.dll and Applicationinfo.dll in the %appdata%\\CircleCpl folder.\r\n3. 
Sends the information to the hacker: The malware sends the victim's information to the hacker's server at\r\nhttp://38.54.84.83/MiddleWare/NewClient.\r\n4. Retrieves the victim's IP address: The malware accesses the URL https://check.torproject.org/api/ip to\r\nget the victim's IP address.\r\nHTTP stream example (Check Point Research team)\r\nThe malware is designed to download the SlackFiles.dll payload and to use the same working directory as the\r\nSlack campaign, which suggests that these two activity clusters are likely part of a single, coordinated campaign. This\r\nshared directory and overlapping payload point to a unified strategy, indicating that the Slack and Circle clusters\r\nare connected rather than isolated incidents.\r\nAnalysis of the Circledrop.dll\r\nThe initial examination of the DLL file shows that it is flagged by 25 different security vendors (at the time\r\nof writing this article).\r\nCircledrop.dll (VirusTotal)\r\nUpon closely examining the DLL through VirusTotal, we found three contacted IP addresses. The IP\r\n192.229.221.95 is detected by two security vendors and marked as malicious.\r\nThe Story of the Google Drive Campaign\r\nThe ElizaRAT malware uses Google Cloud as its C2 (Command and Control) channel to communicate with the\r\nhacker's server. The hacker sends commands to the malware to download the next-stage payload from three different\r\nvirtual private servers (VPS).\r\nThe Check Point research team has analyzed two payloads used in this campaign called 'extensionhelper_64.dll'\r\nand 'ConnectX.dll'. These payloads are categorized as infostealers and specifically crafted for the purpose.\r\nThe extensionhelper_64.dll file changes its name to SpotifyAB.dll or Spotify-news.dll when downloaded to the\r\nvictim's machine. 
The file is executed by the scheduled task, which runs the Main function via rundll32.exe.\r\nIOC Analysis - Network\r\nNow, we will analyze the IP addresses that are part of the IOCs. Below are the curated lists of the IPs and their\r\ndescriptions.\r\nIOC-IP Graph\r\n84.247.135[.]235\r\nWe scanned the IP address 84.247.135.235 using VirusTotal, and the initial results show that it has been\r\nflagged as malicious by four different security vendors. This indicates that the IP is associated with\r\npotentially harmful activity, underscoring its likely involvement in malicious campaigns.\r\nDuring our analysis of the IP address 84.247.135.235, we identified 10 active ports running various\r\nservices. Notably, the service on port 22, which is commonly used for SSH, is vulnerable to multiple known CVEs, with\r\ntwo of them having a rating of 9.8.\r\n84.247.135.235 (SSH - CVE details)\r\nWhile examining activity from IP 84.247.135.235, we observed heightened aggression on October 24th,\r\n26th, and 28th. During these dates, the IP displayed significantly increased activity, suggesting targeted or\r\nescalated attack attempts. This pattern indicates that these days may have been pivotal points for the\r\ncampaign, possibly correlating with specific attack phases or objectives.\r\n84.247.135.235 (IP activity report)\r\n143.110.179[.]176\r\nOur analysis of IP 143.110.179.176 via VirusTotal reveals that it has been flagged as malicious by four security\r\nvendors, with two additional vendors marking it as suspicious. 
This mixed designation suggests a high likelihood\r\nof the IP being involved in potentially harmful or suspicious activities.\r\n143.110.179.176 (VirusTotal detection)\r\n64.227.134[.]248\r\nOur analysis of IP 64.227.134.248 on VirusTotal shows it has been flagged as malicious by seven security\r\nvendors, indicating a high risk of involvement in malicious activities.\r\nFurther investigation reveals that this IP is associated with a file named WordDocumentIndexer.dll, which is\r\na malicious DLL. This file’s true identity is extensionhelper_64.dll, but within this campaign, it has been\r\nrenamed to SpotifyAB.dll and Spotify-news.dll to evade detection.\r\n64.227.134.248 (file referring)\r\n38.54.84.83\r\nOur analysis of IP 38.54.84.83 through VirusTotal reveals that it has been flagged as malicious by nine\r\nsecurity vendors, with an additional two vendors marking it as suspicious. A deeper examination shows\r\nthat this IP is associated with a file named Circle.dll.\r\n38.54.84.83 (Circle.dll)\r\nThe IP address 38.54.84.83 has also been reported on AbuseIPDB a total of 55 times, with reports coming\r\nfrom 42 different sources. Most of these reports indicate instances of brute-forcing attempts, further\r\ncorroborating its role in malicious activities.\r\n83.171.248.67\r\nOur analysis of IP 83.171.248.67 via VirusTotal shows it has been flagged as malicious by five security vendors,\r\nwith an additional two vendors marking it as suspicious. Further examination on Netlas reveals that the services\r\nrunning on this IP are vulnerable to multiple known CVEs.\r\n83.171.248.67 (Netlas)\r\nConclusion\r\nAPT36, a highly adaptable threat actor, has been refining its ElizaRAT malware to improve detection evasion and\r\nenhance its effectiveness against Indian targets. 
By integrating widely used cloud platforms such as Google Drive,\r\nTelegram, and Slack within their command-and-control (C2) structure, APT36 seamlessly blends malicious traffic\r\nwith normal network activity, making detection significantly more challenging.\r\nThe introduction of new payloads, such as ApoloStealer, indicates a shift towards a more flexible and modular\r\napproach to malware deployment, with a primary focus on collecting and stealing sensitive data.\r\nSource: https://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.reco.ai/blog/how-apt36-elizarat-redefines-cyber-espionage"
	],
	"report_names": [
		"how-apt36-elizarat-redefines-cyber-espionage"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b98986989abf8c6c1b1e83f40f545a6d92e9f14.pdf",
		"text": "https://archive.orkl.eu/0b98986989abf8c6c1b1e83f40f545a6d92e9f14.txt",
		"img": "https://archive.orkl.eu/0b98986989abf8c6c1b1e83f40f545a6d92e9f14.jpg"
	}
}