{
	"id": "97ed9595-0100-4f03-8365-402d3bedc034",
	"created_at": "2026-04-06T00:19:05.138961Z",
	"updated_at": "2026-04-10T03:36:50.32335Z",
	"deleted_at": null,
	"sha1_hash": "22815d252e7fc43c1ef914fcb6bb5d7d9bd2bd6e",
	"title": "CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3339502,
	"plain_text": "CapraTube Remix | Transparent Tribe’s Android Spyware\r\nTargeting Gamers, Weapons Enthusiasts\r\nBy Alex Delamotte\r\nPublished: 2024-07-01 · Archived: 2026-04-05 17:31:25 UTC\r\nExecutive Summary\r\nSentinelLABS has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned\r\nactor Transparent Tribe.\r\nThese APKs continue the group’s trend of embedding spyware into curated video browsing applications,\r\nwith a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans.\r\nThe overall functionality remains the same, with the underlying code updated to better suit modern\r\nAndroid devices.\r\nOverview\r\nTransparent Tribe (aka APT 36, Operation C-Major) has been active since at least 2016 with attacks against Indian\r\ngovernment and military personnel. The group relies heavily on social engineering attacks to deliver a variety of\r\nWindows and Android spyware, including spear-phishing and watering hole attacks.\r\nIn September 2023, SentinelLABS outlined the CapraTube campaign, which used weaponized Android\r\napplications (APK) designed to mimic YouTube, often in a suspected dating context due to the nature of the\r\nvideos served. 
The activity highlighted in this report shows the continuation of this technique with updates to the\r\nsocial engineering pretexts as well as efforts to maximize the spyware’s compatibility with older versions of the\r\nAndroid operating system while expanding the attack surface to include modern versions of Android.\r\nNew CapraRAT APKs\r\nSHA-1 c307f523a1d1aa928fe3db2c6c3ede6902f1084b\r\nApp Name Crazy Game signed.apk\r\nPackage Name com.maeps.crygms.tktols\r\nSHA-1 dba9f88ba548cebfa389972cddf2bec55b71168b\r\nApp Name Sexy Videos signed.apk\r\nPackage Name com.nobra.crygms.tktols\r\nSHA-1 28bc3b3d8878be4267ee08f20b7816a6ba23623e\r\nhttps://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/\r\nPage 1 of 9\n\nApp Name TikTok signed.apk\r\nPackage Name com.maeps.vdosa.tktols\r\nSHA-1 fff24e9f11651e0bdbee7c5cd1034269f40fc424\r\nApp Name Weapons signed.apk\r\nPackage Name com.maeps.vdosa.tktols\r\nNew CapraRAT app logos\r\nThe new versions of CapraRAT each use WebView to launch a URL to either YouTube or a mobile gaming site,\r\nCrazyGames[.]com. There is no indication that an app with the same name, Crazy Games, is weaponized as it\r\ndoes not require several key CapraRAT permissions, such as sending SMS, making calls, accessing contacts, or\r\nrecording audio and video. The URL query in the CapraRAT code is obfuscated as\r\nhtUUtps://www.youUUtube.com/resulUUts?seUUarch_quUUery=TiUUk+ToUUks, which is cleaned to remove\r\noccurrences of UU, resulting in https[:]//www.youtube[.]com/results?search_query=Tik+Toks.\r\nURL deobfuscation and loading performed by CapraRAT’s load_web method\r\nDecompiled view of load_web method\r\nThe previous CapraTube campaign had one APK called Piya Sharma that was likely used in a romance-themed\r\nsocial engineering pretext. 
The new campaign continues that trend with the Sexy Videos app. While two of the\r\npreviously reported apps launched only YouTube with no query, the YouTube apps from this campaign are each\r\npreloaded with a query related to the application’s theme. The TikTok app launches YouTube with the query “Tik\r\nToks,” and the Weapons app launches the Forgotten Weapons YouTube channel, which reviews a variety of classic\r\narms and has 2.7 Million subscribers.\r\nTikTok and Weapons-themed CapraRAT YouTube WebView\r\nThe Crazy Games app launches WebView to load CrazyGames[.]com, a site containing in-browser mini games.\r\nThis particularly resource-intensive site did not work well on older versions of Android during our testing.\r\nCrazy Games CapraRAT WebView\r\nWhen the app first launches, the user is prompted to grant several risky permissions, including:\r\nAccess GPS location\r\nManage network state\r\nRead and send SMS\r\nRead contacts\r\nRecord audio and screen, take screenshots\r\nStorage read and write access\r\nUse camera\r\nView call history and make calls\r\nIn contrast with the previous CapraRAT campaign, the following Android permissions are no longer requested or\r\nused:\r\nREAD_INSTALL_SESSIONS\r\nGET_ACCOUNTS\r\nAUTHENTICATE_ACCOUNTS\r\nREQUEST_INSTALL_PACKAGES\r\nThe reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool\r\nmore than a fully featured backdoor.\r\nApp Compatibility\r\nThe most significant changes between this campaign and the September 2023 campaign are to app 
compatibility.\r\nThe newest CapraRAT APKs we identified now contain references to Android’s Oreo version (Android 8.0),\r\nwhich was released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was\r\nreleased in 2015 and is less likely to be compatible with modern Android devices.\r\nWe tested the APKs from this campaign and the September 2023 campaign on an Android device running Android\r\nTiramisu aka Android 13 (2022) and Android 14 (2023). The new campaign’s apps ran smoothly on this modern\r\nversion of Android. The September 2023 campaign apps prompted a compatibility warning dialog, which could\r\nraise suspicion among victims that the app is abnormal. When running on the newest released version of Android\r\n14, the September 2023 campaign’s Piya Sharma app fails to install. Each of the newer versions ran successfully.\r\nIn all cases, the app still requests gratuitous permissions from the user that hint at the tool’s capabilities. Even if\r\nthe user declines permissions, the app still runs, meaning the group has not overcome this hurdle to successfully\r\nimplementing their spyware.\r\nPiya Sharma app install failure dialog on Android 14\r\nThe new CapraRAT packages also contain a very minimal new class called WebView, which is responsible for\r\nmaintaining compatibility with older versions of Android via the Android Support Library, which developers can\r\nchoose to include in a project to enhance compatibility.\r\nSpyware Activities and C2\r\nThe app’s MainActivity initiates requests for permissions. 
The app still runs even if permissions are not granted.\r\nMainActivity calls the TCHPClient class, which contains the malicious capabilities leveraged by CapraRAT.\r\nThis class drives several spyware classes and methods, including:\r\naudioStreamer (aStreamer)\r\nCallLogLister\r\nCallReceiver\r\nContactsLister\r\nDirLister (file browsing)\r\ndownloadFile\r\nkillFile (file deletion)\r\nkillProcess\r\nPhotoTaker\r\nSMSLister\r\nSMSReceiver\r\nThese give the spyware fine-grained control over what the user does on the device.\r\nThe sendData method is responsible for constructing the data collected by other methods and classes and\r\nsending it to the C2. The mRun method constructs the socket and sends the data to the C2 server using the\r\nvariables specified in the Settings class. Each of the current campaign’s APKs uses the same C2 server\r\nhostname, IP address and TCP port number 18582. The Settings class also shows the same CapraRAT version\r\nidentifier for each APK, A.D.0.2.\r\nmRun performs a connectivity check to decide whether to connect to the C2 using the hostname\r\nshareboxs[.]net or the hardcoded IP address 173[.]249[.]50[.]243. This IP address has been tied to\r\nTransparent Tribe’s CrimsonRAT and AhMyth Android RAT C2 activity since at least 2022. As of this writing,\r\nshareboxs[.]net resolves to 173[.]212[.]206[.]227.\r\nConclusion\r\nThe updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal,\r\nbut suggest the developers are focused on making the tool more reliable and stable. 
The decision to move to newer\r\nversions of the Android OS is logical, and likely aligns with the group’s sustained targeting of individuals in the\r\nIndian government or military space, who are unlikely to use devices running older versions of Android, such as\r\nLollipop, which was released 8 years ago.\r\nThe APK theme updates show the group continues to lean into its social engineering prowess to gain a wider\r\naudience of targets who would be interested in the new app lures, such as mobile gamers or weapons enthusiasts.\r\nTo help prevent compromise by CapraRAT and similar malware, users should always evaluate the permissions\r\nrequested by an app to determine if they are necessary. For example, an app that only displays TikTok videos does\r\nnot need the ability to send SMS messages, make calls, or record the screen. In incident response scenarios, treat\r\nthe related network indicators of compromise as suspect, including the use of port 18582, and search suspect apps\r\nfor the presence of strings using the unique method names outlined in the Spyware Activities \u0026 C2 section of this\r\nreport.\r\nIndicators of Compromise\r\nFiles\r\nSHA1 Name\r\n28bc3b3d8878be4267ee08f20b7816a6ba23623e TikTok signed.apk\r\nc307f523a1d1aa928fe3db2c6c3ede6902f1084b Crazy Game signed.apk\r\ndba9f88ba548cebfa389972cddf2bec55b71168b Sexy Videos signed.apk\r\nfff24e9f11651e0bdbee7c5cd1034269f40fc424 Weapons signed.apk\r\nNetwork Indicators\r\nDomain/IP Description\r\nshareboxs[.]net C2 domain\r\n173[.]212[.]206[.]227 Resolved C2 IP address, hosts shareboxs.net\r\n173[.]249[.]50[.]243 Hardcoded failover C2 IP address\r\nSource: 
https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/"
	],
	"report_names": [
		"capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22815d252e7fc43c1ef914fcb6bb5d7d9bd2bd6e.pdf",
		"text": "https://archive.orkl.eu/22815d252e7fc43c1ef914fcb6bb5d7d9bd2bd6e.txt",
		"img": "https://archive.orkl.eu/22815d252e7fc43c1ef914fcb6bb5d7d9bd2bd6e.jpg"
	}
}