{
	"id": "2f96c05c-8206-4be2-b8be-0a2e5df1e325",
	"created_at": "2026-04-06T00:11:28.766575Z",
	"updated_at": "2026-04-10T03:36:50.375444Z",
	"deleted_at": null,
	"sha1_hash": "2b7c8f22e72c25f66f5e98c7c6c5b192bd8ae35a",
	"title": "Transparent Tribe Targets Educational Institution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377218,
	"plain_text": "Transparent Tribe Targets Educational Institution\r\nPublished: 2022-05-11 · Archived: 2026-04-05 18:34:41 UTC\r\nRecently we came across a Twitter feed describing a Transparent Tribe malware sample targeting the Indian Institute of Technology (IIT), Hyderabad. The sample was fairly new and had few detections at the time of writing this blog, which attracted our interest in diving deeper into it.\r\nTransparent Tribe, aka APT36 or Mythic Leopard, is suspected to be of Pakistani origin and primarily targets Indian government and military entities, as per public reports. Transparent Tribe has been active since 2013 and has targeted government organizations in around 30 countries. Their usual attack sequence is to create fake domains mimicking the targeted government organization and then deliver the payload. It frequently uses Crimson RAT, a Windows-based Remote Admin Tool which provides unauthorized access to a victim’s device over a network.\r\nIn 2019, we at K7 Labs published an article about Transparent Tribe targeting CLAWS, a security think tank affiliated with the Indian Army. Recently, similar attacks have been happening more frequently, targeting state governments and other government institutions. Transparent Tribe recently targeted West Bengal government employees by sending a spoofed document (mimicking a legitimate government document) which delivers a Crimson RAT payload. Our sample of interest also delivers a document pretending to be a legitimate survey form from IIT Hyderabad. Once the document is opened, it asks the user to enable macros, through which it can run its VBA script.\r\nhttps://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/\r\nPage 1 of 6\r\nFigure 1: Survey form with macro\r\nWe used oletools to extract the VBA script from the macro, and found that this was the same method that had been used before. The malicious macro contained one Form Object whose first two values are “80” and “75”, which when converted to ASCII give “PK”, indicating Pakistan and adding to the suspicion that this attack could be of Pakistani origin (“PK”, bytes 0x50 0x4B, is also the standard signature at the start of every ZIP archive, consistent with the array being written out as a .zip file).\r\nFigure 2: VBA script\r\nWhen the document is opened, it runs the VBA script. Like the other Transparent Tribe variants, this VBA script creates a new directory E0d1 under C:\\ProgramData\\ and writes the array of values from the VBA into a file Chairtabkjh.zip in that directory. The zip file contains the executable Chairtabkjh8.exe, which is extracted to the same path. The extracted file adds a startup entry and runs in the background as a child process of the Word document.\r\nFigure 3: Dropped zip\r\nAnalysis\r\nWe identified that the binary Chairtabkjh8.exe is .NET compiled and protected by Crypto-Obfuscator. We used Crypto-Deobfuscator to de-obfuscate the binary for analysis.\r\nFigure 4: Compiler details\r\nIt uses an AMSI (Antimalware Scan Interface) bypass technique to evade scanning by the AMSI API.\r\nFigure 5: AMSI bypass\r\nIt also uses Base64 encoding to obscure its strings, and the most common persistence technique of adding a Run registry entry for Chairtabkjh8.exe. The registry path is stored Base64-encoded; at runtime it is decoded and the Run entry is added.\r\nFigure 6: Base64 encoding\r\nAfter adding the Run entry, the next function executed implements a delayed execution technique: it reads the current system time and holds execution for 3 minutes before continuing.\r\nFigure 7: Delayed execution technique\r\nSince we already know Transparent Tribe uses RATs, the sample being analyzed may also exhibit some of the common malicious behaviors of a RAT, such as:\r\n1. List all of the victim’s files and folders in a C2-specified directory path\r\n2. Run specific processes (e.g. a keylogger) at the endpoint\r\n3. Get information about image files, such as image name, size and creation time, as specified by C2\r\n4. Take screenshots of the current display and send them to C2\r\n5. Forward keylogger logs to the C2\r\n6. Send system information, including computer name, username etc., to C2\r\nIn this scenario, we found only two such behaviors related to Crimson RAT: first, Chairtabkjh8.exe sends system information to the C2, including computer name and username; second, it gets information about image files, such as image name, size and creation time, as specified by C2.\r\nFigure 8: Gets system information\r\nFigure 9: Gets image information\r\nAfter collecting the data from the victim’s system, it tries to make a TCP connection to send the data to the C2 server sunnyleone[.]hopto[.]org, using a different customized port on each connection attempt. Since the C2 was down at the time of analysis, the sample was not able to make a successful connection.\r\nPorts used\r\n10101\r\n4401\r\n3203\r\n4866\r\n8832\r\nFigure 10: TCP connection to C2\r\nIt is always advisable to verify that files or documents are from reputable sources and to exercise caution while using them. Also protect your system by using a reputable security product such as “K7 Total Security” and keep it updated to stay safe from threats.\r\nIndicators of Compromise (IOCs)\r\nFile Name | Hash | Detection Name\r\nAssignment-88.docm | 64C20687676B7A96987D0F9C4F8777B9 | Trojan ( 0001140e1 )\r\nChairtabkjh8.exe | E3A45FFFAB35F9E0331963A1F1D793DD | Trojan ( 005393351 )\r\nC2\r\nhxxps://sunnyleone[.]hopto[.]org\r\nReferences\r\nhttps://twitter.com/h2jazi/status/1518382259228844033\r\nSource: https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/"
	],
	"report_names": [
		"transparent-tribe-targets-educational-institution"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b7c8f22e72c25f66f5e98c7c6c5b192bd8ae35a.pdf",
		"text": "https://archive.orkl.eu/2b7c8f22e72c25f66f5e98c7c6c5b192bd8ae35a.txt",
		"img": "https://archive.orkl.eu/2b7c8f22e72c25f66f5e98c7c6c5b192bd8ae35a.jpg"
	}
}