{
	"id": "76039d30-32f1-40b9-97b9-94074a001a2b",
	"created_at": "2026-04-06T00:07:59.304112Z",
	"updated_at": "2026-04-10T13:11:54.828861Z",
	"deleted_at": null,
	"sha1_hash": "169c3986071a937e80d538bde94bd661f7acd45a",
	"title": "Trouble in Asia and the Middle East. Tracking the TransparentTribe threat actor.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3149436,
	"plain_text": "Trouble in Asia and the Middle East. Tracking the\r\nTransparentTribe threat actor.\r\nBy RJM\r\nPublished: 2022-02-12 · Archived: 2026-04-05 23:40:32 UTC\r\nCover: Chabahar Port Iran, photo credit: www.tehrantimes.com\r\nDisclaimer: The views, methods, and opinions expressed at Anchored Narratives are the author’s and do not\r\nnecessarily reflect my employer’s official policy or position.\r\nWelcome to the new subscribers of the Anchored Narratives mailing list. For those new to the list, I regularly pick\r\nan exciting tweet that matched my intelligence requirements and generate anchored stories on geopolitical\r\n(cyber) threats, digital forensics, and crime from it. Usually, I pick a story that I have no real in-depth or prior\r\nknowledge about. The goal is to understand a particular topic better, improve my investigation or writing skills,\r\nand generate a reliable story anchored with evidence that can be verified or challenged.\r\nI have not been writing any stories lately as I started a great new job in September. I’m also working in incident\r\nresponse (IR) again with a lot of memory forensics! It is awesome how Volexity has taken that field to the next level\r\nwith a robust memory acquisition capability called Surge and a memory analysis platform called Volcano. I\r\nparticipated with the great George Garner Jr.¹, who unfortunately passed away in 2017, in a memory forensics\r\nchallenge in 2005 when no software existed to analyze memory dumps.\r\nIt is unbelievable how Volexity improved the acquisition and analysis piece with their products. However, they are\r\ncommercial tools. I can only recommend them as they will provide you valuable insights into the state of a\r\nmachine (integrity) in a certain period and decrease your root cause analysis time for breaches. 
The amount of\r\nforensic reconstruction from a collected memory sample the software can do is just something I have not\r\nhttps://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east\r\nPage 1 of 13\n\nexperienced before. We are even able to recover entire exploit chains and backdoors executed by threat actors\r\nfrom memory. Just awesome.\r\nBut now, back to a new anchored narrative about a threat actor covered in the earlier monthly threat actor\r\noverviews of June and September, namely TransparentTribe.\r\nWith the revival of the Taliban in Afghanistan, geopolitical tensions in the neighboring countries also changed\r\ndrastically. What does this revival mean for China, India, and Pakistan? This article covers the nation-state actor\r\nTransparentTribe, which matched my Twitter threat intelligence requirements 71 times since the beginning of this year.\r\nThe threat actor likely originates from Pakistan and is also linked to attacks on the critical infrastructure of India.\r\nHere we go!\r\nIn 2016 Proofpoint released a report “Operation Transparent Tribe” on a nation-state threat actor targeting India’s\r\nembassy staff in Saudi Arabia and Kazakhstan via phishing attacks. Their research also unraveled attacks against\r\nIndian diplomatic and military resources via so-called watering hole attacks. A watering hole attack is a technique\r\nin which attackers compromise a popular website and infect its visitors with malware once they visit that\r\ninfected website. Proofpoint then dubbed their malware “MSIL/Crimson”, which later became known as\r\nCrimsonRat.\r\nBy 2017 CysInfo shared an in-depth story about a threat actor who was impersonating the identity of an Indian\r\nthink tank to target the Central Bureau of Investigation (CBI) and possibly Indian Army officials. The\r\nregistration information of the domains was traced back to a Pakistani telephone number and an IP address from\r\nPakistan. 
The story’s author, known malware researcher Monnappa K A, did not attribute it to TransparentTribe.\r\nHowever, his analysis was referenced in the Threat Actor Encyclopedia and attributed to the same group there.\r\nIn 2020 Kaspersky shared interesting research about the CrimsonRat server component they detected, and that the\r\nactor group targeted victims in Afghanistan and India.\r\nFigure 1: .Net server component of CrimsonRat, reported by Kaspersky\r\nCrimsonRat provides the espionage group with the following capabilities on the infected systems:\r\nmanage remote filesystems\r\nupload or download files\r\ncapture screenshots\r\nperform audio surveillance using microphones\r\nrecord video streams from webcam devices\r\nsteal files from removable media\r\nexecute arbitrary commands\r\nrecord keystrokes\r\nsteal passwords saved in browsers\r\nspread across systems by infecting removable media\r\nFigure 2: Collection of relevant files on infected systems via USB worm\r\nKaspersky detected hundreds of victims, and infection also occurred through a USB worm component of\r\nCrimsonRat. In the second part of their research, Kaspersky found a piece of Android malware used to spy on mobile phones and a link between\r\nObliqueRAT and Transparent Tribe. The group mimicked a known COVID tracking app.\r\nIn April 2021 and July 2021, Team Cymru released part 1 and part 2 of their analysis that focused on the\r\ninfrastructure leveraged by the TransparentTribe group. It highlighted the following findings:\r\n1. C2s are hosted with several VPS providers – most commonly Contabo, ColoCrossing, Pi Net, and\r\nQuadraNet.\r\n2. Port 3389 was observed open on 83% of the CrimsonRAT C2 servers.\r\n3. 
An RDP certificate serves as a key indicator for CrimsonRAT and has been observed on 17 C2 servers in\r\ntotal.\r\n4. Analysis of C2 servers showed beaconing from victims who were primarily located in the Kashmir region.\r\nFigure 3: Clustering victims from a known TransparentTribe C2 server\r\nIn July 2021, The Hindu media outlet reported that TransparentTribe was targeting critical Indian infrastructure of\r\npublic enterprises, according to a report by Seqrite. In their report, Seqrite mentions the group was “targeting\r\ncritical Indian organizations”. The report explains that TransparentTribe mimicked the behavior of an Indian\r\nnation-state actor group named Sidewinder. Their analysis demonstrates that VPS provider Contabo in Germany\r\nhosts the CrimsonRat infrastructure. In addition, some of the domains used for their operations were registered to\r\nsomeone in Pakistan with the e-mail address “kingsmanfisher@gmail.com”.\r\nIn September 2021, Cyble shared research on TransparentTribe malware that targeted Indian Armed\r\nForces staff. Additionally, they found an icon loaded by the malicious app, which is the logo of the Canteen Stores\r\nDepartment (CSD).\r\nFigure 4: Icon of the CSD of the Indian Armed Forces\r\nLastly, in September 2021, Weibu Online shared their insights in a threat intelligence report with relevant\r\nindicators of compromise, called (translated) “Trilateral operations: years of cyber espionage against many\r\ncountries in South Asia and the Middle East”. They captured several APT attacks against Iran, Afghanistan, and\r\nIndia, all parties that signed the “Chabahar Port Agreement”. In the report, Weibu lists a malicious document\r\ncalled “Chabahar Port Agreement (Trilateral) in Iran.doc”, which they observed in the attack, uploaded to\r\nVirusTotal in March 2021. 
The victims were targeted via phishing, watering holes, backdoored software, or\r\nmalicious Android packages.\r\nWeibu further explains the geopolitical significance of the Chabahar port: “Chabahar Port is the global oil and\r\ngas center on the coast of the Persian Gulf to the west, and leads to the oil-rich Central Asian countries to the\r\nnorth. It is right at the intersection of West Asia, South Asia, Central Asia and the Indian Ocean. Geographical\r\ntransportation is extremely important.”\r\nThe agreement is crucial to India as it will provide them strategic access to Iran, and it can bypass Pakistan in\r\ntransporting goods to Afghanistan. It is also vital to counter the Chinese (naval) presence in the Arabian Sea,\r\nwhere China supports Pakistan in developing the Gwadar Port, which is nearby, namely 100 kilometers by sea.\r\nThe city of Chabahar is also an important military site for Iran’s navy and air force. In addition, Iran has many\r\nlarge iron mines, giant copper mines, and rich oil and gas resources. The threat actor responsible for the attack\r\noverlaps to a certain degree with the TransparentTribe group, and they likely have a Pakistani background, as\r\nWeibu claims.\r\nOn the 24th of September 2021, Jazi (@h2jazi), malware researcher at Malwarebytes, shared the following\r\nTransparentTribe intelligence. 
Interestingly, the actors mimicked the original Iranian website\r\n“https://www.tasnimnews.com” for their C2 server.\r\nJazi@h2jazi\r\n#TransparentTribe #APT maldoc: 59ed41388826fed419cc3b18d28707491a4fa51309935c4fa016e53c6f2f94bc\r\nNakul Kumar.doc #Crimson Rat: afd21ef5712ffcbe4e338a5eb347f742d3c786f985ba003434568146adedb290 C2:\r\ntasnimnewstehran[.]club\r\n1:35 PM · Sep 24, 2021\r\nI will briefly assess the malicious document and the CrimsonRat backdoor to determine if new developments can be\r\nspotted. Let’s start with the malicious document.\r\nNakul Kumar.doc 59ed41388826fed419cc3b18d28707491a4fa51309935c4fa016e53c6f2f94bc\r\nFirst, the file type was determined with the file command. This revealed the following information:\r\n59ed41388826fed419cc3b18d28707491a4fa51309935c4fa016e53c6f2f94bc: Composite Document File V2 Document, Little E\r\nThe file command revealed some interesting metadata. The next step was to inspect the document for the\r\npresence of malicious macros. 
With the famous oletools, it was possible to retrieve all the Visual Basic for\r\nApplications (VBA) macros in the document.\r\naskfjlskdjflkjsdrkljskd = Split(UserForm1.TextBox1.Text \u0026 UserForm1.TextBox2.Text \u0026 UserForm1.TextBox3.Text \u0026 U\r\nDim lskjfjiogjnvdfgljwlfjfsf As Double\r\nlskjfjiogjnvdfgljwlfjfsf = 0\r\nFor Each tiogjvelrrkjf In askfjlskdjflkjsdrkljskd\r\n ReDim Preserve alksdjweoijgskljsl_____(lskjfjiogjnvdfgljwlfjfsf)\r\n alksdjweoijgskljsl_____(lskjfjiogjnvdfgljwlfjfsf) = CByte(tiogjvelrrkjf)\r\n lskjfjiogjnvdfgljwlfjfsf = lskjfjiogjnvdfgljwlfjfsf + 1\r\nVBA FORM STRING IN '59ed41388826fed419cc3b18d28707491a4fa51309935c4fa016e53c6f2f94bc' - OLE stream: 'Macros/Use\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n20!163!163!232!71!161!103!90!143!154!72!231!144!84!104!72!25!253!146!69!107!219!79!95!58!0\r\nBeing familiar with their malicious documents, it appears that the actor is starting to use random names for\r\nvariables and functions, but take note that the actor is still using Split(UserForm1.TextBox1), where the decimal\r\ncontent is separated by “!”. The same technique was observed in the analysis of Monnappa K A in 2017 and is\r\ndisplayed in the screenshot below.\r\nFigure 5: Similar methods observed in research from 2017\r\nBy extracting the decimal content from the malicious document and storing it in a text file, the CrimsonRat\r\nbackdoor named “winword.exe” could be extracted with the following Python program. 
I could not enter the\r\nprogram in the code section of Substack as this produced an error, hence the screenshot.\r\nFigure 6: Sample program to convert the decimal content into binary\r\nTo determine if the data has been converted correctly, the SHA-256 hash of the executable is calculated with sha256sum.\r\n$ sha256sum winword.exe\r\nafd21ef5712ffcbe4e338a5eb347f742d3c786f985ba003434568146adedb290\r\nThe value corresponds with the data that Jazi, the malware researcher, shared. The file command was used again\r\nto determine if the executable is indeed a .Net piece of malware.\r\n$ file winword.exe\r\nwinword.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nThe file command shows that the malware is a .Net executable, which loads in dnSpy, but first, the\r\nexecutable was investigated with ClamAV, the open-source anti-virus scanner. I’m a massive fan of that project as\r\nit is fast, and you can build your custom signatures with it. I have used it in the past to detect malicious backdoors\r\non forensic images of multiple servers that were part of a significant forensic investigation.\r\n$ clamscan winword.exe\r\nwinword.exe: Win.Trojan.CrimsonRAT-7591455-0 FOUND\r\n----------- SCAN SUMMARY -----------\r\nKnown viruses: 17106785\r\nEngine version: 0.103.2\r\nScanned directories: 0\r\nScanned files: 1\r\nInfected files: 1\r\nData scanned: 1.66 MB\r\nData read: 1.56 MB (ratio 1.07:1)\r\nTime: 559.328 sec (9 m 19 s)\r\nStart Date: 2021:10:10 11:15:17\r\nEnd Date: 2021:10:10 11:24:37\r\nClamAV still detects this latest CrimsonRat. If you want to understand on which patterns the malware was detected,\r\nyou can leverage the power of sigtool. With sigtool, you can display the signatures and decode the decimal\r\nand compressed values stored in the ClamAV databases. 
This method also gives better insight into how actors\r\ndevelop their malware and helps obtain better intelligence on them.\r\n$ sigtool --find-sigs Win.Trojan.CrimsonRAT-7591455-0\r\n[daily.ldb] Win.Trojan.CrimsonRAT-7591455-0;Engine:51-255,Target:1;(0|((1|2|3|4|5|6)\u003e3,3));74686e61766977615c746\r\nThe --decode-sigs argument can decode the signatures of ClamAV.\r\n$ sigtool --find-sigs Win.Trojan.CrimsonRAT-7591455-0 |sigtool --decode-sigs\r\nVIRUS NAME: Win.Trojan.CrimsonRAT-7591455-0\r\n\u003ccut for brevity\u003e\r\nthnaviwa\\thnaviwa\\obj\\Debug\\thnaviwa.pdb\r\npull_data\r\ndo_process\r\nIPSConfig\r\n_responce\u003eb__\r\nsee_responce\r\nfunStarter\r\n\u003ccut for brevity\u003e\r\nI have removed other information for readability, but ClamAV detected the CrimsonRat sample as it encountered\r\nmore than 3 of the strings like “pull_data” or “do_process” in the sample. This can be verified by running\r\nstrings and grep on the “winword.exe” sample.\r\n$ strings -a winword.exe |grep -iE \"(pull_data|do_process|_responce\u003eb__|see_responce|funStarter|thnaviwa.pdb)\"\r\ngitfunStarter\r\ngitsee_responce\r\ngitpull_data\r\ngitdo_process\r\nThe sample contained four matches with the signatures stored in the ClamAV database ‘daily.ldb’. By loading the\r\nCrimsonRat (winword.exe) in dnSpy, you can view the code of the CrimsonRat, but also see some of the matching\r\nstrings on the left. From this sample it also appears that the author of the CrimsonRat is obfuscating the code\r\nbetter than observed in earlier samples.\r\nFigure 6: dnSpy displays randomized functions and routines in the latest CrimsonRat\r\nThe TransparentTribe actor seems very busy, is not stealthy, and anti-virus solutions have proper detections. The\r\nactor is observed in different regions in Asia and attacks multiple countries in the area, but primarily India and\r\nAfghanistan. 
The main attack vectors that the group employs are still phishing, watering hole attacks, or\r\nbackdoored downloads. There appears to be a broad consensus among malware security researchers that the\r\nnation-state actor originates from Pakistan. The latest samples demonstrate that the actor is trying to obfuscate the\r\nmalware by applying random names to functions and variables in the malicious documents and the CrimsonRat,\r\nthus far not with a lot of success. The actor also has capabilities to target victims on the Android platform.\r\nAlthough mentioned in some research, I could not observe that TransparentTribe was attacking critical\r\ninfrastructure in India. Still, from a nation-state perspective, you likely want to gain a strategic foothold in the\r\ncrucial infrastructure networks of your enemy.\r\nMany security companies have shared research on TransparentTribe. Still, Weibu shared the fascinating\r\ngeopolitical angle that I was unfamiliar with, namely one of significant strategic importance to India in countering\r\nChina’s Belt and Road Initiative in the Middle East and Asia. They reported an attack on Iran, India, and\r\nAfghanistan with a theme of the trilateral agreement of the port of Chabahar in Iran. Until next time, when the\r\nindicators will direct me in writing the subsequent anchored narrative, likely on another nation-state operating in\r\nthe South Asia region.\r\nThe following IOCs were shared on Twitter by many malware researchers since the beginning of January 2021.\r\nSharing is caring. Keep doing that! The list below matched my intelligence requirements multiple times but is not\r\ncomplete. 
The format of sharing that is the most used by security researchers is the following:\r\n#APT #APTGroupname\r\nMD5 Maldoc:MD5 Value\r\nFilename:Filename\r\nBackdoor Name:MD5 value\r\nITW:MD5 value\r\nFilename:Filename\r\nDownload from:Second stage payload location\r\nC2: IP-address\r\nDomain name: DNS name\r\nAny other interesting artifacts: DBG path\r\nBased upon the above information, the data listed below matched the search criteria. Of course, I have not\r\nreviewed all samples or confirmed them to belong to that the TransparentTribe group definitely, but it is very\r\nlikely.\r\nGeorge M. Garner Jr. was the author of kntdd and kntlist. Kntdd was used to acquire memory on Windows\r\nsystems, and kntlist was used to interpret structures in memory to detect rootkits. George, unfortunately, passed\r\naway in 2017.\r\nSource: https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east"
	],
	"report_names": [
		"trouble-in-asia-and-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434079,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/169c3986071a937e80d538bde94bd661f7acd45a.pdf",
		"text": "https://archive.orkl.eu/169c3986071a937e80d538bde94bd661f7acd45a.txt",
		"img": "https://archive.orkl.eu/169c3986071a937e80d538bde94bd661f7acd45a.jpg"
	}
}