{
	"id": "c6f796e1-f024-408c-95a8-0ba68da840c3",
	"created_at": "2026-04-25T02:18:17.53833Z",
	"updated_at": "2026-04-25T02:19:49.906111Z",
	"deleted_at": null,
	"sha1_hash": "19535fa81c6a3ca586195a43d832a537476347e7",
	"title": "The Evolution of Transparent Tribe’s New Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45422,
	"plain_text": "The Evolution of Transparent Tribe’s New Malware\r\nBy gmcdouga\r\nPublished: 2024-11-04 · Archived: 2026-04-25 02:13:02 UTC\r\nExecutive Summary:\r\nIn recent cyber attacks, Transparent Tribe, or APT36, has utilized an increasingly sophisticated malware\r\ncalled ElizaRAT.\r\nCheck Point Research tracked ElizaRAT’s evolution, uncovering its improved execution methods,\r\ndetection evasion, and Command and Control communication since its public disclosure in September\r\n2023.\r\nThe ElizaRAT campaigns first executed the same function to verify that the system was set to India\r\nStandard Time, indicating that the campaigns targeted Indian systems.\r\nTransparent Tribe, otherwise known as APT36, is a Pakistan-affiliated threat actor that notoriously targets Indian-associated entities. The threat group’s main objective is cyber espionage, which has previously targeted\r\ngovernmental organizations, diplomatic personnel, and military facilities. Most recently, Transparent Tribe\r\ntargeted Indian entities with a new malware called ElizaRAT in several successful campaigns. Since it was first\r\ndetected, Check Point Research has tracked the malware, identifying increased sophistication throughout its\r\ntenure. Specifically, ElizaRAT enhanced its evasive methods and command and control capabilities.\r\nHere, we will unravel the evolution of ElizaRAT and explain how Transparent Tribe used the increasingly\r\nadvanced malware to target victims.\r\nBackground and Evolution of ElizaRAT\r\nElizaRAT, a Windows Remote Access Tool disclosed in September 2023, is employed by Transparent Tribe in\r\ntargeted attacks. Infections typically start via executable files shared through Google Storage links, likely due to\r\nphishing efforts. Earlier variants relied on Telegram for Command and Control (C2) communication. 
Since its\r\ninitial detection, ElizaRAT has evolved in execution methods, detection evasion, and C2 communication, as\r\ndemonstrated in three distinct campaigns from late 2023 to early 2024. Each campaign utilized a different variant\r\nof ElizaRAT to deploy specific payloads for automated information gathering.\r\nhttps://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/\r\nPage 1 of 3\n\nCampaign timeline, according to the malware compilation timestamps\r\nElizaRAT’s defining characteristics include using cloud services like Google, Telegram, and Slack for distribution\r\nand C2 communication, often executed through CPL files. It employs tactics such as dropping decoy documents,\r\ncreating shortcuts to the malware, and using SQLite to store victim data locally before exfiltration.\r\nElizaRAT Uses Slack for C2 Communication\r\nIn the first of three campaigns, a variant of ElizaRAT called Slack API used Slack channels for its C2\r\ncommunication. Created at the end of 2023, the malware is delivered as a CPL file, making it easy to run through\r\nphishing attacks. It collects user information, logs actions, checks the local time zone, and drops a fake mp4 file.\r\nThe malware sends victim details to the C2 server and checks for new commands every minute. The C2\r\ncommunications in the malware use Slack’s API to interact with the attacker.\r\nApoloStealer: The New Payload\r\nIn the same campaign, Transparent Tribe deployed a new payload for specific targets, which Check Point dubbed\r\nApoloStealer. The malware was compiled one month after the ElizaRAT Slack API variant. ApoloStealer first\r\ncreates a database file and then a table to store data on each file. The malware then collects its victims’ desktop\r\nfiles. Once all relevant files are stored, ApoloStealer sends them to the C2 server.\r\nThe Circle Campaign\r\nIn January 2024, the second variant of the ElizaRAT malware called Circle was released. 
This version features an\r\nenhanced dropper component, significantly lowering detection rates. The Circle campaign employs a payload similar to\r\nthe Slack API variant’s payload; however, unlike the other ElizaRAT variants, Circle avoids using\r\ncloud services for command and control (C2) and relies instead on a primary virtual private server (VPS) for its C2\r\ncommunications.\r\nThe dropper’s primary function is to prepare for ElizaRAT’s execution. It extracts a zip file containing the\r\nmalware and creates a working directory in which it places a decoy PDF and an MP4 file. Like every other\r\nElizaRAT variant, the malware creates an LNK file pointing to the malware, even though none of the variants actually uses the file. The\r\ndescription of the LNK is “Slack API,” which suggests a connection to the Slack campaign.\r\nThe Google Drive Campaign\r\nLike previous versions of ElizaRAT, the third detected campaign drops the malware files, including the decoy\r\nPDF and the main ElizaRAT variant. This variant leverages Google Cloud for its C2 communication and sends\r\ncommands to download the next stage payload from different virtual private servers (VPS). Check Point Research\r\nidentified two payloads used in this campaign, both of which function as info stealers, each designed for a specific\r\npurpose.\r\nInterest in India-related Targets\r\nAll ElizaRAT variants deployed the same initial function of verifying that the system’s time zone was set to India\r\nStandard Time, suggesting that the campaigns targeted Indian systems.\r\nAn example of the time zone check is in the SlackFiles.dll payload. This function occurs in all samples.\r\nAs Malware Evolves, so Does Detection\r\nThe evolution of ElizaRAT demonstrates APT36’s strategic efforts to refine its malware for better detection\r\nevasion and more effective targeting of Indian entities. 
By incorporating cloud services like Google Drive,\r\nTelegram, and Slack into its command-and-control systems, it relies on widely adopted platforms to conceal its activities\r\nwithin everyday network traffic. Adding new payloads like ApoloStealer represents a significant growth in\r\nAPT36’s malware capabilities, indicating a shift towards a more flexible, modular approach to payload\r\ndeployment. These techniques primarily focus on data collection and exfiltration, reinforcing the group’s ongoing focus\r\non intelligence gathering and espionage.\r\nElizaRAT’s evolution represents threat actors’ increasingly advanced tactics. Attackers become more specific and\r\ntargeted, improving their campaigns’ success rates and effectiveness, while enhanced evasion techniques allow for\r\npersistent activities.\r\nTo combat evolving threats, Check Point’s Threat Emulation inspects all files to identify any malicious behavior\r\nbefore they can enter an end user’s network. It recognizes unknown threats and zero-day vulnerabilities by\r\nexecuting files in various virtual, controlled environments, where they are monitored for harmful activity, such as\r\nunauthorized changes to the system. When integrated with Check Point Harmony Endpoint, which works in real\r\ntime to analyze all files, Threat Emulation evaluates each file. This process allows users to access a safe file\r\nversion almost immediately while the original undergoes a more thorough inspection. This proactive approach not\r\nonly enhances security by providing quick access to safe content but also ensures that potential threats are\r\nsystematically identified and mitigated, thereby safeguarding the integrity of the network.\r\nTo learn more about ElizaRAT’s evolution, read Check Point Research’s full report.\r\nSource: https://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/"
	],
	"report_names": [
		"the-evolution-of-transparent-tribes-new-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1777083497,
	"ts_updated_at": 1777083589,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19535fa81c6a3ca586195a43d832a537476347e7.pdf",
		"text": "https://archive.orkl.eu/19535fa81c6a3ca586195a43d832a537476347e7.txt",
		"img": "https://archive.orkl.eu/19535fa81c6a3ca586195a43d832a537476347e7.jpg"
	}
}