{
	"id": "126705dd-3b58-4462-ad31-7eb74dd09d03",
	"created_at": "2026-04-06T00:17:27.45529Z",
	"updated_at": "2026-04-10T13:12:17.308398Z",
	"deleted_at": null,
	"sha1_hash": "1dd4848b12f4f81fcca92499c759589199c45247",
	"title": "Another Case of a Pakistani APT Spying on Indian Military Personnel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76137,
	"plain_text": "Another Case of a Pakistani APT Spying on Indian Military\r\nPersonnel\r\nBy Catalin Cimpanu\r\nPublished: 2016-03-23 · Archived: 2026-04-05 23:37:41 UTC\r\nPakistani-linked threat actors have once again targeted Indian military personnel in a cyber-espionage\r\ncampaign, for the third time this month alone.\r\nThe first time this happened was at the beginning of the month, when Proofpoint researchers blew the lid off a\r\ncyber-espionage campaign named Operation Transparent Tribe, which targeted the Indian embassies in Saudi\r\nArabia and Kazakhstan.\r\nThe second incident came to light last week and involved the SmeshApp Android app, which was logging details\r\nabout Indian army personnel and sending it to a server in Germany, bought by a person from Karachi, Pakistan.\r\nGoogle eventually removed the app.\r\nNow, Trend Micro is reporting on a third campaign, which they've named Operation C-Major. According to the\r\nsecurity firm, this campaign targeted Indian military officials via spear-phishing emails, distributing spyware to its\r\nvictims via an Adobe Reader vulnerability.\r\nOperation C-Major was the work of a novice\r\nSecurity experts who analyzed this campaign say that the spyware was sending all stolen data to a C\u0026C server in\r\nPakistan. They could not confirm that this server or the person managing it was under the control of the Pakistani\r\ngovernment or intelligence agency.\r\n\"This operation has the information theft capabilities that could be expected of the typical targeted attack - albeit\r\nnot one that was particularly well-executed,\" Trend Micro reveals. \"The attackers were unable to keep their\r\nserver’s whereabouts completely hidden, leading to the discovery of information concerning the targets involved.\"\r\nTrend Micro noticed that the threat actors behind this campaign had no experience in writing malware, mainly\r\nbecause they coded their malware in Visual Basic .NET and C#. 
Binaries written in these languages can be easily\r\ndecompiled, and the researchers had full access to the malware's source code.\r\nThis code revealed the C\u0026C server's IP address, where researchers discovered that the hackers left data storage\r\ndirectories open to public access.\r\nThe group targeted only military personnel\r\nResearchers were able to sift through all the stolen data and easily identify what the group stole and from what\r\ntargets. As initially suspected, researchers found only data related to Indian military targets.\r\nInside the C\u0026C server's folders, Trend Micro found ID scans, passport scans, salary-related information, military\r\npersonnel taxation details, personal photos, military training materials, and documents with data about the Indian\r\narmy's strategies and tactical movements.\r\nOn the same server, researchers also discovered clues of another attack targeting Indian military officials via\r\nAndroid malware, with a possible connection to the SmeshApp campaign.\r\nAs the security firm concludes, it appears that even if the group lacked experience in running a cyber-espionage\r\ncampaign, they compensated for their poor coding skills by using highly efficient social engineering tricks.\r\nSome of the ID scans found on the C\u0026C server\r\nSource: https://news.softpedia.com/news/another-case-of-a-pakistani-apt-spying-on-indian-military-personnel-502093.shtml",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.softpedia.com/news/another-case-of-a-pakistani-apt-spying-on-indian-military-personnel-502093.shtml"
	],
	"report_names": [
		"another-case-of-a-pakistani-apt-spying-on-indian-military-personnel-502093.shtml"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dd4848b12f4f81fcca92499c759589199c45247.pdf",
		"text": "https://archive.orkl.eu/1dd4848b12f4f81fcca92499c759589199c45247.txt",
		"img": "https://archive.orkl.eu/1dd4848b12f4f81fcca92499c759589199c45247.jpg"
	}
}