{
	"id": "aed9b06c-c59c-4e69-ad74-c6085571e048",
	"created_at": "2026-04-06T00:11:21.164235Z",
	"updated_at": "2026-04-10T03:36:50.155272Z",
	"deleted_at": null,
	"sha1_hash": "2023729dde1d3aae2fb063fff05144f9f6a5024e",
	"title": "Operation ‘Honey Trap’: APT36 Targets Defence Organizations in India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 628626,
	"plain_text": "Operation ‘Honey Trap’: APT36 Targets Defence Organizations in India\r\nBy Kalpesh Mantri\r\nPublished: 2020-07-08 · Archived: 2026-04-05 19:25:53 UTC\r\n08 July 2020\r\nSummary\r\nIn the last 3 months, we have noticed increased activity from APT36, a Pakistan-linked cyber threat actor. The targets this time are personnel belonging to defence organizations \u0026 other Government organizations in India.\r\nIn the recent wave of attacks, APT36 is using the honey trapping technique to lure its targets. The “honey trap” operations use fake profiles of attractive women to entice targets into opening their emails or chatting over messaging platforms, ultimately leading them into downloading malware.\r\nSome of the attachment names that we found in the current themed attack:\r\nhttps://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/\r\nPage 1 of 8\r\nWhen the target opens such an attachment, it drops the MSIL-based Crimson RAT, which has been used by APT36 in many of their past attacks. This RAT is used for data-stealing activities and for sending the stolen data to a CnC server.\r\nOperation ‘Honey Trap’\r\nThe Indian Army has described ‘honey trap’ cases as a weapon of hybrid warfare being waged by the enemy across the borders. The same theme is now being used by APT36 to lure its targets.\r\nImage: News feeds showing the use of ‘honey trap’ cases\r\nCampaign Overview\r\nThis campaign continues to use two separate infection chains. These two infection techniques of APT36 have remained the same in the past couple of years.\r\nIn the first chain, a spear-phishing email carries a macro-laden document as an attachment. This document is responsible for executing a dropper module that starts the Crimson RAT tool to perform malicious activity.\r\nImage: Infection Chain – Scenario 1\r\nIn the second chain, the spear-phishing email attachment directly contains a dropper module within a zip file. This dropper component opens a decoy document for the victim and runs the Crimson RAT tool in the background to perform malicious activity.\r\nImage: Infection Chain – Scenario 2\r\nThe second infection chain is not so successful against organizations, as their firewalls usually block the ‘EXE’ filetype within an email. This is the main reason it is targeting the personal accounts of individuals related to the Indian Defence sector.\r\nCrimson RAT\r\nCrimson RAT remains a popular tool in the APT36 group’s arsenal. We had published details of another APT36 attack last month; the working of the malware remains the same.\r\nSummarized behaviour of this RAT:\r\nProcess:\r\nList processes\r\nKill process\r\nExecute commands\r\nFile:\r\nDrives, files and directory traversal\r\nDelete files\r\nExecute files\r\nSearch for file extensions\r\nMetadata extraction\r\nCapture Screen:\r\nSingle and continuous screenshots\r\nGet thumbnails, screen size\r\nData Exfiltration:\r\nDownload from C2\r\nUpload to C2\r\nShown here are some functionality implementations in the Crimson RAT code:\r\nImage: Functionality to list all running processes\r\nImage: Functionality to check and add a startup entry in the registry\r\nImage: Functionality to search files of a given extension\r\nImage: Functionality to capture a screenshot\r\nConclusion\r\nIt is a well-established fact that APT36 targets defence and other critical sector organizations. Usually, their targets are individuals and organizations which are of strategic interest to India’s western neighbour. However, in this campaign, interestingly, some of the targeted entities belong to organizations based in the eastern states in India! In the last one year, this is the second instance where we saw APT36 targeting organizations of interest to India’s eastern neighbour.\r\nIOCs associated with the honeytrap campaign:\r\nSubject matter experts:\r\nPavankumar Chaudhari\r\nKalpesh Mantri\r\nKalpesh Mantri is currently working as a Principal Security Researcher with Quick Heal Labs. He is currently working on hunting APTs and telemetry...\r\nSource: https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/"
	],
	"report_names": [
		"operation-honey-trap-apt36-targets-defense-organizations-in-india"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2023729dde1d3aae2fb063fff05144f9f6a5024e.pdf",
		"text": "https://archive.orkl.eu/2023729dde1d3aae2fb063fff05144f9f6a5024e.txt",
		"img": "https://archive.orkl.eu/2023729dde1d3aae2fb063fff05144f9f6a5024e.jpg"
	}
}