{
	"id": "2eefd82c-c304-4f21-b40e-c7323ecfb41e",
	"created_at": "2026-04-06T00:12:41.898494Z",
	"updated_at": "2026-04-10T03:36:50.318516Z",
	"deleted_at": null,
	"sha1_hash": "289559edf6349d7bd672d860d76483825ecc7bee",
	"title": "Transparent Tribe: Evolution analysis, part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 191805,
	"plain_text": "Transparent Tribe: Evolution analysis, part 2\r\nBy Giampaolo Dedola\r\nPublished: 2020-08-26 · Archived: 2026-04-05 18:48:14 UTC\r\nBackground + Key findings\r\nTransparent Tribe, also known as PROJECTM or MYTHIC LEOPARD, is a highly prolific group whose activities\r\ncan be traced as far back as 2013. In the last four years, this APT group has never taken time off. They continue to\r\nhit their targets, which typically are Indian military and government personnel.\r\nThis is the second of two articles written to share the results of our recent investigations into Transparent Tribe. In\r\nthe previous article, we described the various Crimson RAT components and provided an overview of impacted\r\nusers. Here are some of the key insights that will be described in this part:\r\nWe found a new Android implant used by Transparent Tribe for spying on mobile devices. It was\r\ndistributed in India disguised as a porn-related app and a fake national COVID-19 tracking app.\r\nNew evidence confirms a link between ObliqueRAT and Transparent Tribe.\r\nAndroid implant\r\nDuring our analysis, we found an interesting sample, which follows a variant of the previously described attack\r\nscheme. Specifically, the attack starts with a simple document, which is not malicious by itself, does not contain\r\nany macro and does not try to download other malicious components, but it uses social engineering tricks to lure\r\nthe victim into downloading other documents from the following external URLs:\r\nhxxp://sharingmymedia[.]com/files/Criteria-of-Army-Officers.doc\r\nhxxp://sharingmymedia[.]com/files/7All-Selected-list.xls\r\nhttps://securelist.com/transparent-tribe-part-2/98233/\r\nPage 1 of 11\n\n15DA10765B7BECFCCA3325A91D90DB37 – Special Benefits.docx\r\nThe remote files are two Microsoft Office documents with an embedded malicious VBA, which behaves similarly\r\nto those described in the previous article and drops the Crimson “Thin Client”. 
The domain\r\nsharingmymedia[.]com was even more interesting: it resolved to the IP 89.45.67[.]160 and was registered on 2020-01-10 through Namesilo with the following information:\r\nRegistrant Name: bluff hunnter\r\nRegistrant Organization:\r\nRegistrant Street: India Dehli\r\nRegistrant City: Dehli\r\nRegistrant State/Province: Delhi\r\nRegistrant Postal Code: 110001\r\nRegistrant Country: IN\r\nRegistrant Phone: +91.4214521212\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: hunterbluff007@gmail.com\r\nThe same information was used to register another domain, sharemydrives[.]com, seven days earlier, on 2020-01-03, also through Namesilo. DNS resolution points to the same IP address: 89.45.67[.]160.\r\nUsing our Kaspersky Threat Intelligence Portal, we found the following related URL on that domain (hxxp://sharemydrives[.]com/files/Mobile/Desi-Porn.apk, also listed in the IoC section):\r\nInformation in Kaspersky Threat Intelligence Portal\r\nThe file is a modified version of MxVideoPlayer, a simple open-source video player for Android, downloadable from GitHub and used by Transparent Tribe to drop and execute their Android RAT.\r\nDesi-porn.apk screenshot\r\nThe dropper checks whether the following legitimate packages are present on the system:\r\nimo.android.imoim\r\nsnapchat.android\r\nviber.voip\r\nfacebook.lite\r\nIf the device was produced by Xiaomi, it also checks whether the com.truecaller package is present.\r\nThe code used to check if legitimate packages are installed\r\nThe first application on the list that is not installed on the device is selected as the target application, i.e. the legitimate app whose identity the dropped RAT will borrow. The malware embeds multiple APK files, which are stored in a directory named “assets”. 
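Enumerating what such a dropper carries, as an added example that is not from the original article or from Kaspersky: a Python triage helper that opens an APK as the ZIP it is, lists every entry under assets/ that is itself an APK, hashes it against the MD5s in the IoC list of this report, and mirrors the dropper's choice of target package from a given set of installed packages. The dropper and the inner APK it runs on are constructed inline (so their hashes are not the real IoCs); the package-name strings are the ones reported above.

```python
# Added example: offline triage of an Android dropper that carries its payload APKs
# under assets/, as the Desi-porn.apk dropper described above does. Illustrative code
# written for this page, not Kaspersky's tooling; the sample APK is constructed
# inline, so the hashes it yields are not the real IoCs.
import hashlib
import io
import zipfile

ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])  # 'PK' local file header, start of every APK

# Lure package names the dropper probes for; the first one NOT installed becomes the
# identity the dropped RAT borrows (list taken from the analysis above).
LURE_PACKAGES = ['imo.android.imoim', 'snapchat.android', 'viber.voip', 'facebook.lite']

# Known payload hashes from the IoC list of this report (both droppers).
KNOWN_MD5 = {
    'a20fc273a49c3b882845ac8d6cc5beac', '53cd72147b0ef6bf6e64d266bf3ccafe',
    'bae69f2ce9f002a11238dcf29101c14f', 'b8006e986453a6f25fd94db6b7114ac2',
    '4556ccecbf24b2e3e07d3856f42c7072', '6c3308cd8a060327d841626a677a0549',
    'cf71ba878434605a3506203829c63b9d', '627aa2f8a8fc2787b783e64c8c57b0ed',
    '62fad3ac69db0e8e541efa2f479618ce', 'a912e5967261656457fd076986bb327c',
    '3eb36a9853c9c68524dbe8c44734ec35', '931435cb8a5b2542f8e5f29fd369e010',
}

def md5hex(data):
    return hashlib.md5(data).hexdigest()

def embedded_apks(apk_bytes):
    # Return (name, md5, size) for every assets/ entry that is itself a ZIP/APK.
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith('assets/') or info.is_dir():
                continue
            data = z.read(info)
            if data[:4] == ZIP_MAGIC:
                found.append((info.filename, md5hex(data), len(data)))
    return found

def triage(apk_bytes, known_md5=KNOWN_MD5):
    # Flag embedded APKs whose hash is on the known list. Any embedded APK is worth a
    # look: benign apps rarely ship other installable APKs inside assets/.
    report = {'embedded': [], 'known': []}
    for name, digest, size in embedded_apks(apk_bytes):
        report['embedded'].append(name)
        if digest in known_md5:
            report['known'].append((name, digest))
    return report

def select_target(installed):
    # Mirror of the dropper's choice: first lure package absent from the device.
    for pkg in LURE_PACKAGES:
        if pkg not in installed:
            return pkg
    return None

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample (not a real malware file): an inner 'APK' with a dummy manifest,
# wrapped in an outer dropper that also carries a non-APK asset that must be ignored.
INNER_APK = make_zip([('AndroidManifest.xml', b'<manifest package=com.example.payload/>')])
SAMPLE_DROPPER = make_zip([
    ('AndroidManifest.xml', b'<manifest package=com.mxtech.videoplayer/>'),
    ('classes.dex', b'dex' + bytes(32)),
    ('assets/face.apk', INNER_APK),
    ('assets/banner.png', bytes([0x89, 0x50, 0x4E, 0x47])),
])

if __name__ == '__main__':
    print(triage(SAMPLE_DROPPER, KNOWN_MD5 | {md5hex(INNER_APK)}))
    print(select_target({'imo.android.imoim', 'snapchat.android'}))
```

Run it on a real sample by passing the file bytes to triage(); a non-empty embedded list is itself a lead even when the hash is unknown, since the hash set only covers the two droppers in this report.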
The analyzed sample\r\nincludes the following packages:\r\napk a20fc273a49c3b882845ac8d6cc5beac\r\napk 53cd72147b0ef6bf6e64d266bf3ccafe\r\napk bae69f2ce9f002a11238dcf29101c14f\r\napk b8006e986453a6f25fd94db6b7114ac2\r\napk 4556ccecbf24b2e3e07d3856f42c7072\r\napk 6c3308cd8a060327d841626a677a0549\r\nThe selected APK is copied to /.System/APK/. By default, the application tries to save the file to external storage; otherwise it saves it to the data directory.\r\nFinally, the application tries to install the copied APK. The final malware is a modified version of the AhMyth Android RAT, open-source malware downloadable from GitHub, which is built by binding the malicious payload inside other legitimate applications.\r\nThe original AhMyth RAT includes support for the following commands:\r\nCommand | Additional fields | Value | Description\r\nx0000ca | extra | camlist | get a camera list\r\nx0000ca | extra | 1 | get a photo from the camera with the id 1\r\nx0000ca | extra | 0 | get a photo from the camera with the id 0\r\nx0000fm | extra, path | ls, %dirpath% | get a list of files in the directory specified in the “path” variable\r\nx0000fm | extra, path | dl, %filepath% | upload the specified file to the C2\r\nx0000sm | extra | ls | get a list of text messages\r\nx0000sm | extra, to, sms | sendSMS, %number%, %message% | send a new text to another number\r\nx0000cl | - | - | get the call log\r\nx0000cn | - | - | get contacts\r\nx0000mc | sec | %seconds% | record audio from the microphone for the specified number of seconds and upload the resulting file to the C2\r\nx0000lm | - | - | get the device location\r\nBasically, it provides the following features:\r\ncamera manager (list cameras and take photos)\r\nfile manager (enumerate files and upload these to the C2)\r\nSMS manager (get a list of text messages or send a text)\r\nget the call log\r\nget the contact list\r\nmicrophone manager\r\nlocation manager (track the device location)\r\nThe RAT that we analyzed is slightly different from the original. It includes new features added by the attackers to improve data exfiltration, whereas some of the core features, such as the ability to take pictures with the camera, are missing.\r\nThe operators added the following commands:\r\nx000upd – download a new APK from the URL specified in the “path” field.\r\nx000adm – autodownloader: not implemented in the version we analyzed, but available in other samples.\r\nMoreover, the creators of the RAT also improved its audio surveillance capabilities and included a command to delete text messages with specific contents.\r\nCommand | Additional fields | Value | Description\r\nx000upd | path | %url% | download a new APK from the URL specified in the “path” field\r\nx000adm | - | - | not implemented in the analyzed version; other samples use this to start a class named “autodownloader”\r\nx0000mc | extra, sec | au, %seconds% | record audio for the number of seconds given in “sec” and upload the resulting file to the C2\r\nx0000mc | extra | mu | stop recording and upload the resulting file to the C2\r\nx0000mc | extra | muS | start recording continuously; this generates MP3 files stored in the “/.System/Records/” directory\r\nx0000fm | extra, path | ls, %dirpath% | get a list of files in the directory specified in the “path” variable\r\nx0000fm | extra, path | dl, %filepath% | upload the specified file to hxxp://212.8.240[.]221:80/server/upload.php\r\nx0000sm | extra | ls | get a list of text messages\r\nx0000sm | extra, to, sms | sendSMS, %number%, %message% | send a new text to another number\r\nx0000sm | extra, to, sms | deleteSMS, %message% | delete a text that contains the string specified in the “sms” value; the “to” value is ignored\r\nx0000cl | - | - | get the call log\r\nx0000cn | - | - | get contacts\r\nx0000lm | - | - | get the device location\r\nThe “autodownloader” is a method used for performing the following actions:\r\nupload a contact list\r\nupload a text message list\r\nupload files stored in the following directories:\r\n/.System/Records/\r\n/Download/\r\n/DCIM/Camera/\r\n/Documents/\r\n/WhatsApp/Media/WhatsApp Images/\r\n/WhatsApp/Media/WhatsApp Documents/\r\nThe attacker uses the method to collect contacts and text messages automatically. In addition, the method collects the following: audio files created with the “x0000mc” command and stored in /.System/Records/, downloaded files, photos, images and documents shared via WhatsApp, and other documents stored on the device.\r\nAnother interesting difference between the original AhMyth and the one modified by Transparent Tribe is the technique used for getting the C2 address. The original version stores the C2 server as a string directly embedded in the code, whereas the modified version uses a different approach. 
The modified version instead embeds another URL, encoded with Base64, that is used to fetch a configuration file containing the real C2 address.\r\nIn our sample, the URL was as follows:\r\nhxxp://tryanotherhorse[.]com/config.txt\r\nIt provided the following content:\r\n212.8.240.221:5987\r\nhttp://www.tryanotherhorse.com\r\nThe first value is the real C2, which seems to be a server hosted in the Netherlands.\r\nThe modified version also communicates via a different URL scheme, which includes more information about the device:\r\nOriginal URL scheme: http://%server%:%port?model=%val%\u0026manf=%val%\u0026release=%val%\u0026id=%val%\r\nModified URL scheme: http://%server%:%port?mac=%val%\u0026battery=%val%\u0026model=%val%\u0026manf=%val%\u0026release=%val%\u0026id=%val%\r\nCovid-19 tracking app\r\nWe found evidence of Transparent Tribe taking advantage of pandemic-tracking applications to distribute trojanized code. Specifically, we found an APK file imitating Aarogya Setu, a COVID-19 tracking mobile application developed by the National Informatics Centre under the Ministry of Electronics and Information Technology, Government of India. 
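The two-stage C2 lookup and the beacon query string described above, as an added example that is not part of the original article or of the RAT's code: a Python triage helper that decodes the embedded Base64 config URL, parses the config.txt layout shown (first line host:port of the real C2, second line a secondary URL), and classifies beacon URLs in a proxy log by their exact query-key set, so the stock AhMyth check-in and the Transparent Tribe build are told apart. The log lines are constructed for this page; treating the embedded URL as plain standard-alphabet Base64 and taking the last field of each log line as the URL are assumptions of this example. The Aarogya Setu lookalike discussed in this section reuses the same config URL and the same beacon scheme, so the same checks apply to it.

```python
# Added example for this page: resolve the modified AhMyth two-stage C2 lookup and
# pick its beacons out of a proxy log by query-string shape. Illustrative code, not
# the RAT's or Kaspersky's; the log lines are constructed, and treating the embedded
# config URL as plain standard-alphabet Base64 is an assumption of this example.
import base64
from urllib.parse import parse_qs, urlsplit

# Query keys of the stock AhMyth check-in and of the Transparent Tribe build (see the
# two URL schemes above); the modified build adds mac and battery.
ORIGINAL_KEYS = {'model', 'manf', 'release', 'id'}
MODIFIED_KEYS = ORIGINAL_KEYS | {'mac', 'battery'}

def decode_config_url(b64_text):
    # The modified RAT embeds the config URL Base64-encoded instead of the C2 itself.
    return base64.b64decode(b64_text).decode('ascii').strip()

def parse_config(config_text):
    # config.txt layout from the sample: line 1 is host:port of the real C2,
    # line 2 a secondary URL. Blank lines and surrounding whitespace are tolerated.
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError('empty config')
    host, sep, port = lines[0].rpartition(':')
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError('bad C2 line: ' + lines[0])
    return {'c2_host': host, 'c2_port': int(port),
            'secondary': lines[1] if len(lines) > 1 else None}

def classify_beacon(url):
    # Exact key-set match, so a URL that merely shares a parameter name (id=, model=)
    # with a legitimate API is not flagged.
    keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if keys == MODIFIED_KEYS:
        return 'ahmyth-modified'
    if keys == ORIGINAL_KEYS:
        return 'ahmyth-original'
    return None

def scan_log(lines, c2):
    # Return (line number, beacon verdict, talks-to-C2) for every suspicious line.
    # Constructed log format: the URL is the last whitespace-separated field.
    hits = []
    for n, line in enumerate(lines, 1):
        url = line.split()[-1]
        parts = urlsplit(url)
        verdict = classify_beacon(url)
        to_c2 = parts.hostname == c2['c2_host'] and parts.port == c2['c2_port']
        if verdict or to_c2:
            hits.append((n, verdict, to_c2))
    return hits

# Constructed inputs modelled on the values reported above.
CONFIG_URL = 'http://tryanotherhorse.com/config.txt'
EMBEDDED_B64 = base64.b64encode(CONFIG_URL.encode('ascii')).decode('ascii')
CONFIG_TXT = chr(10).join(['212.8.240.221:5987', 'http://www.tryanotherhorse.com', ''])
SAMPLE_LOG = [
    '10:01:02 10.0.0.5 GET http://tryanotherhorse.com/config.txt',
    '10:01:05 10.0.0.5 GET http://212.8.240.221:5987?mac=02:00:00:00:00:00&battery=87&model=M2004J19C&manf=Xiaomi&release=10&id=a1b2c3',
    '10:02:11 10.0.0.6 GET http://203.0.113.9:8080?model=SM-G960F&manf=samsung&release=9&id=ff00',
    '10:03:00 10.0.0.7 GET http://example.org/api?id=42&model=x',
]

if __name__ == '__main__':
    c2 = parse_config(CONFIG_TXT)
    print(decode_config_url(EMBEDDED_B64), c2)
    for hit in scan_log(SAMPLE_LOG, c2):
        print(hit)
```

The key-set match is deliberately exact rather than a substring search for mac= or battery=, because those names are common in legitimate telemetry; the C2 host:port check is what catches traffic once the operators change the beacon format, so both signals are reported separately.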
Aarogya Setu allows users to connect to essential health services in India.\r\nThe discovered application tries to connect to the same malicious URL to get the C2 IP address:\r\nhxxp://tryanotherhorse[.]com/config.txt\r\nIt uses the same URL scheme described earlier and embeds the following APK packages:\r\napk CF71BA878434605A3506203829C63B9D\r\napk 627AA2F8A8FC2787B783E64C8C57B0ED\r\napk 62FAD3AC69DB0E8E541EFA2F479618CE\r\napk A912E5967261656457FD076986BB327C\r\napk 3EB36A9853C9C68524DBE8C44734EC35\r\napk 931435CB8A5B2542F8E5F29FD369E010\r\nInterestingly enough, at the end of April, the Indian Army issued a warning to its personnel against Pakistani agencies’ nefarious designs to hack the phones of Indian military personnel through a malicious application similar to Aarogya Setu.\r\nAccording to some Indian online news sites, these applications were found to be sent by Pakistani intelligence operatives to WhatsApp groups of Indian Army personnel. The same reports mentioned that these applications later deployed additional packages:\r\nface.apk\r\nimo.apk\r\nnormal.apk\r\ntrueC.apk\r\nsnap.apk\r\nviber.apk\r\nThese names match those of the RAT builds embedded in the droppers we analyzed (see the IoC section).\r\nBased on public information, the application may have been distributed by sending a malicious link via WhatsApp, SMS, phishing email or social media.\r\nObliqueRAT connection\r\nObliqueRAT is another malicious program, described by Cisco Talos in an interesting article published in\r\nFebruary. 
It was attributed to Transparent Tribe because some samples were distributed through malicious documents forged with macros that resembled those used for distributing Crimson RAT.\r\nThe report described two ObliqueRAT variants: one distributed via a malicious document as the infection vector, and another one, named “Variant #0”, distributed with a dropper:\r\n4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6\r\nUnfortunately, as reported by Talos, “The initial distribution vector of this dropper is currently unknown”.\r\nAt this time, we do not have the full infection chain, but we can add another piece to the puzzle, because sharemydrives[.]com also hosted another file (hxxp://sharemydrives[.]com/files/Laptop/wifeexchange.exe, listed in the IoC section):\r\nInformation in Kaspersky Threat Intelligence Portal\r\nThe wifeexchange.exe sample is another dropper, which disguises itself as a porn clip. Specifically, the executable uses the same icon that Windows uses for multimedia files.\r\nDropper icon\r\nOnce executed, the process searches its own file image for a specific marker (“*#@”), then drops and opens the following files:\r\nframe.exe – 4a25e48b8cf515f4cdd6711a69ccc875429dcc32007adb133fb25d63e53e2ac6\r\nmovie.mp4\r\nFrame.exe is the Variant #0 dropper described by Talos (same SHA-256 as above), while movie.mp4 is a small porn clip.\r\nConclusions\r\nTransparent Tribe members are trying to add new tools to extend their operations and infect mobile devices. They are also developing new custom .NET tools like ObliqueRAT, and as observed in the first report, we do not expect this group to slow down any time soon. We will keep monitoring their activities.\r\nIoC\r\nThe following IoC list is not complete. If you want more information about the APT discussed here, a full IoC list and YARA rules are available to customers of Kaspersky Threat Intelligence Reports. 
Contact:\r\nintelreports@kaspersky.com\r\n15DA10765B7BECFCCA3325A91D90DB37 – Special Benefits.docx\r\n48476DA4403243B342A166D8A6BE7A3F – 7All_Selected_list.xls\r\nB3F8EEE133AE385D9C7655AAE033CA3E – Criteria of Army Officers.doc\r\nD7D6889BFA96724F7B3F951BC06E8C02 – wifeexchange.exe\r\n0294F46D0E8CB5377F97B49EA3593C25 – Android Dropper – Desi-porn.apk\r\n5F563A38E3B98A7BC6C65555D0AD5CFD – Android Dropper – Aarogya Setu.apk\r\nA20FC273A49C3B882845AC8D6CC5BEAC – Android RAT – face.apk\r\n53CD72147B0EF6BF6E64D266BF3CCAFE – Android RAT – imo.apk\r\nBAE69F2CE9F002A11238DCF29101C14F – Android RAT – normal.apk\r\nB8006E986453A6F25FD94DB6B7114AC2 – Android RAT – snap.apk\r\n4556CCECBF24B2E3E07D3856F42C7072 – Android RAT – trueC.apk\r\n6C3308CD8A060327D841626A677A0549 – Android RAT – viber.apk\r\nCF71BA878434605A3506203829C63B9D – Android RAT – face.apk\r\n627AA2F8A8FC2787B783E64C8C57B0ED – Android RAT – imo.apk\r\n62FAD3AC69DB0E8E541EFA2F479618CE – Android RAT – normal.apk\r\nA912E5967261656457FD076986BB327C – Android RAT – snap.apk\r\n3EB36A9853C9C68524DBE8C44734EC35 – Android RAT – trueC.apk\r\n931435CB8A5B2542F8E5F29FD369E010 – Android RAT – viber.apk\r\nhxxp://sharingmymedia[.]com/files/Criteria-of-Army-Officers.doc\r\nhxxp://sharingmymedia[.]com/files/7All-Selected-list.xls\r\nhxxp://sharemydrives[.]com/files/Laptop/wifeexchange.exe\r\nhxxp://sharemydrives[.]com/files/Mobile/Desi-Porn.apk\r\nhxxp://tryanotherhorse[.]com/config.txt – config URL used by the Android RAT to obtain the C2 address\r\n212.8.240[.]221:5987 – Android RAT C2\r\nhxxp://212.8.240[.]221:80/server/upload.php – URL used by Android RAT to upload files\r\nSource: https://securelist.com/transparent-tribe-part-2/98233/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/transparent-tribe-part-2/98233/"
	],
	"report_names": [
		"98233"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/289559edf6349d7bd672d860d76483825ecc7bee.pdf",
		"text": "https://archive.orkl.eu/289559edf6349d7bd672d860d76483825ecc7bee.txt",
		"img": "https://archive.orkl.eu/289559edf6349d7bd672d860d76483825ecc7bee.jpg"
	}
}