{
	"id": "65076cc1-7470-4d06-a9c8-0a0ba68ced64",
	"created_at": "2026-04-06T00:07:15.957313Z",
	"updated_at": "2026-04-10T13:12:08.546846Z",
	"deleted_at": null,
	"sha1_hash": "3d7e9a4645e36354dc2291546e219c4364de8552",
	"title": "Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational Institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 764296,
	"plain_text": "Transparent Tribe APT actively lures Indian Army amidst\r\nincreased targeting of Educational Institutions\r\nBy Sathwik Ram Prakki\r\nPublished: 2023-05-02 · Archived: 2026-04-05 18:20:02 UTC\r\nHome  /  Malware  /  Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational\r\nInstitutions\r\n02 May 2023\r\nOverview\r\nAPT Transparent Tribe (APT36) is luring the Indian Army into opening the malicious file themed ‘Revision of\r\nOfficers posting policy.’ Quick Heal’s APT Team has been constantly tracking this persistent threat group and has\r\nencountered a new attack campaign targeting India.\r\nAt the same time, we have also observed increased targeting of the education sector by the same threat actor. This\r\nis in continuation of targeting IITs since last year.\r\nFurthermore, the sub-division of this group, SideCopy, has been observed recently targeting an Indian Defense\r\nOrganization where the domain hosting malicious files was probably being tested to act as a phishing page.\r\nhttps://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions\r\nPage 1 of 3\n\nKey Findings\r\nAPT36 is targeting Indian Army with malicious PPAM files with ‘Officers posting policy reviseed final’ as\r\nthe theme.\r\nThese macro-enabled PowerPoint add-on files (PPAM) are utilized to wrap malicious payloads by\r\nembedding archive files as OLE objects.\r\nThe infection chain leads to the execution of a .NET-based Crimson RAT payload that can receive and\r\nexecute 22 commands along with the persistence mechanism.\r\nOverview of Attack Chain\r\nC2 used by APT36 uses the same Common Name, which is usually found in this threat group’s C2\r\ninfrastructure.\r\nFrom targeting IITs to NITs and Business schools now, we have observed an increased targeting in the first\r\nquarter of 2023, peaking in February.\r\nSummary\r\nTransparent Tribe is a Pakistani threat group, 
active since 2013. It is a persistent threat actor targeting the Indian\r\ngovernment and military entities. The group continuously uses payloads such as Crimson RAT and Capra RAT in\r\nits campaigns, constantly upgrading them.\r\nSince May 2022, Transparent Tribe has been targeting the education sector, and that targeting surged in 2023. An\r\nin-depth analysis of the latest infection chain targeting the Indian Army and details of the education sector\r\ntargeting can be found in our whitepaper.\r\n Previous PostUnseen Threats Lurking: Protect Your Small Business from Cyberatt...\r\nNext Post  Supercharge your security operations with end-to-end visibility, ...\r\nhttps://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions\r\nPage 2 of 3\n\nSathwik Ram Prakki is working as a Security Researcher in Security Labs at Quick Heal. His focus areas are\r\nThreat Intelligence, Threat Hunting, and writing about...\r\nArticles by Sathwik Ram Prakki »\r\nRelated Posts\r\nSource: https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions\r\nhttps://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions"
	],
	"report_names": [
		"transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d7e9a4645e36354dc2291546e219c4364de8552.pdf",
		"text": "https://archive.orkl.eu/3d7e9a4645e36354dc2291546e219c4364de8552.txt",
		"img": "https://archive.orkl.eu/3d7e9a4645e36354dc2291546e219c4364de8552.jpg"
	}
}