{
	"id": "c681dba3-7766-499d-b194-123aa15a2fa6",
	"created_at": "2026-04-06T00:11:54.440445Z",
	"updated_at": "2026-04-10T03:36:50.329675Z",
	"deleted_at": null,
	"sha1_hash": "400c9ef723aca4b409cac2182177990616332ed0",
	"title": "[Research Summary]: APT 36 Campaign - Poseidon Malware - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2491614,
	"plain_text": "[Research Summary]: APT 36 Campaign - Poseidon Malware -\r\nBrandefense\r\nBy Brandefense\r\nPublished: 2023-07-13 · Archived: 2026-04-05 21:38:00 UTC\r\nThis is the open version of APT 36 Campaign – Poseidon Malware Technical Analysis.\r\nIntroduction\r\nTransparent Tribe (a.k.a. APT36, Earth Karkaddan, TEMP.Lapis, Mythic Leopard…) is an advanced threat actor\r\ngroup that is politically motivated and has suspected Pakistani origins. They have mainly targeted government,\r\ndiplomatic, defense, military, education, energy, and research organizations in India, Afghanistan, and Iran since\r\n2012.\r\nNOTE: The same threat actor group has different names because of the different naming conventions of threat\r\nintelligence companies.\r\nThe suspected origin rests mainly on a direct link, suggested by the Unit42 analyst, between individuals\r\nfrom Pakistan and the infrastructure. This link stems from an individual’s OPSEC failure: the use of a real name and\r\nmail address during infrastructure domain registration.\r\nNOTE: Other than this link, no public resource or research supports this claim. Although a revealed individual\r\nhas Pakistani origins, this finding alone does not allow the group to be attributed to the Pakistani government or even to a homogeneous group of\r\nPakistani individuals. However, this interpretation does not mean Transparent Tribe has no\r\nPakistan-related affiliations. It only means there is not enough data and research to back this verdict at this point.\r\nThe group primarily focuses on Indian government institutions and employees. Phishing domain names squatted\r\nby the group are based on payment service authorities and India’s military and government personnel websites.\r\nTheir contents are copies of the mimicked sites, made with tools such as httrack. 
Aside from this, domain names similar to\r\nfile-sharing services are used to trick the general audience into downloading malicious XLS files with macros that\r\ndownload malware samples of the CrimsonRAT, ObliqueRAT, and Poseidon families. Targeted malspam campaigns\r\ncontained malicious XLS files with VBA macros, which later dropped CrimsonRAT and ObliqueRAT. For\r\ninstance, this report explains the usage of Poseidon malware, which targets government employees who use UNIX-based systems for their jobs by mimicking the Kavach service that is used for automation in train protection and\r\ncollision avoidance systems in India by locomotive pilots and rail-station workers.\r\nMalicious documents crafted for generic campaigns include resumes, CVs, or honeytraps (pictures of women).\r\nMalicious documents are disguised as conference agendas, invitations, and diplomatic reports if diplomatic\r\nentities are targeted. Malspam campaigns that target government officials and military entities masquerade as\r\nguidelines, policies, and activity plans for defense organizations’ personnel, advisories, or top secret briefings.\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 1 of 15\n\nFigure 1: APT36 infection chain\r\nPoseidon is one of many agents of the open-source Mythic C2 Framework. Since this framework is open-sourced,\r\nthe Poseidon agent can be used by any other actor with internet access. Therefore, it is impossible to say every\r\nPoseidon build seen in the wild can be attributed to Transparent Tribe. The same is not true of\r\nCrimsonRAT and ObliqueRAT. These two families are not available to everyone, are not sold in forums with the\r\nMaaS model, and their previous activities are attributed to the Transparent Tribe group with high\r\nconfidence.\r\nAPT 36 Poseidon Malware Technical Analysis\r\nThis section presents the technical analysis of the first-stage downloader malware that APT 36 was detected using in a\r\ncyber espionage campaign against the Indian government, and of the second-stage Poseidon malware used as all-in-one\r\nbackdoor software.\r\nFirst Stage Malware Analysis\r\nThe first ELF file detected in the attack campaign is a Python script wrapped in ELF format, and the file’s\r\nheader information shows the presence of the .pydata section.\r\nFigure 2: First-stage malware section headers\r\nOnce the compiled Python file (Kavach.pyc) is extracted from the pydata section of the ELF file and converted to\r\nsource code, the purpose of the 1st stage file becomes clear.\r\nFigure 3: Decompiled malicious Python code\r\nIn the Python code we extracted, we first see the URL of the official website of the Indian government. The threat\r\nactor displays the official website’s login panel to the user in the browser.\r\nFigure 4: Legitimate Kavach login page\r\nThe script creates a scheduled task of two command lines in /dev/shm/mycron for the currently logged-in user. The threat actor\r\nhas set the scheduled task to run the specified files every time the system is rebooted.\r\n@reboot ~/.local/share/bosshelp\r\n@reboot ~/.local/share/usbdriver\r\nAfter setting the crontab, it deletes the /dev/shm/mycron file containing the above commands from the system.\r\nAnother vital function of the 1st stage file is downloading additional files from the remote server. 
Notice that the\r\nfile to download (bosshelp) matches the filename in the scheduled task set earlier.\r\nSecond Stage Malware Analysis\r\nThe 2nd stage file is a payload named Poseidon, written in the Go programming language and included in\r\nthe MythicAgents project on GitHub. The first time the Poseidon malware is run on the target system, a new\r\nprofile is created for C2 communication. This operation is defined in the main.init function, which runs before main.main.\r\nFigure 5: Creation of new C2 profile per victim\r\nThe image below shows the new profile, which is kept as a structure containing this\r\ninformation. Important information such as the C2 IP address (hard-coded), port number, RSA key, and KillDate is\r\nfound in the C2 profile created in main.init. The RSA key in the profile is generated by the GenerateRSAKeyPair\r\nfunction in the C2 Check-in action, which we describe later.\r\nFigure 6: RSA key generation\r\nWhich functionality the program runs is decided by the switch-case structure in the\r\nmain_handleNewTask routine.\r\nFigure 7: Poseidon main functions\r\nThe listed functions are wrappers for the routines that provide the functionality. For example, the wrapper\r\nfunction of the shell command execution functionality corresponding to task number 4 is labeled as\r\nmain_handleNewTask_dwrap_4. 
The code snippet of the function it calls internally is shown below; the other wrapper functions have a\r\nsimilar structure.\r\nFigure 8: Internal call wrapper function example\r\nEach task can be associated with the number at the end of the function name, but remember that this number has\r\nno equivalent in the switch-case statement.\r\nFigure 9: Switch-case control flow\r\nWe will consider the numbers at the end of the function names as references for better understanding.\r\nfunc handleNewTask() {\r\n    for {\r\n        select {\r\n        case task := \u003c-newTaskChannel:\r\n            //fmt.Printf(\"Handling new task: %v\\n\", task)\r\n            switch tasktypes[task.Command] {\r\n            case EXIT_CODE:\r\n                os.Exit(0)\r\n                break\r\n            case 1:\r\n                go shell.Run(task)\r\n                break\r\n            case 2:\r\n                go screencapture.Run(task)\r\n                break\r\n            case 3:\r\n                go keylog.Run(task)\r\n                break\r\n            case 4:\r\n                go download.Run(task)\r\n                break\r\n            case 5:\r\n                go upload.Run(task)\r\n                break\r\n            case 6:\r\n                go libinject.Run(task)\r\n                break\r\n            case 8:\r\n                go ps.Run(task)\r\n                break\r\n            case 9:\r\n                // Sleep\r\n                go sleep.Run(task)\r\n                break\r\n            case 10:\r\n                //Cat a file\r\n                go cat.Run(task)\r\n                break\r\n            case 11:\r\n                //Change cwd\r\n                go cd.Run(task)\r\n                break\r\n            case 12:\r\n                //List directory 
contents\r\n                go ls.Run(task)\r\n                break\r\n            case 14:\r\n                //Execute jxa code in memory\r\n                go jxa.Run(task)\r\n                break\r\n            case 15:\r\n                // Enumerate keyring data for linux or\r\n                //the keychain for macos\r\n                go keys.Run(task)\r\n                break\r\n            case 16:\r\n                // Triage a directory and organize files by type\r\n                go triagedirectory.Run(task)\r\n                break\r\n            case 17:\r\n                // Test credentials against remote hosts\r\n                go sshauth.Run(task)\r\n                break\r\n            case 18:\r\n                // Scan ports on remote hosts.\r\n                go portscan.Run(task)\r\n                break\r\n            case 21:\r\n                // Return the list of jobs.\r\n                go getJobListing(task)\r\n                break\r\n            case 22:\r\n                // Kill the job\r\n                go killJob(task)\r\n                break\r\n            case 23:\r\n                go cp.Run(task)\r\n                break\r\n            case 24:\r\n                // List drives on a machine\r\n                go drives.Run(task)\r\n                break\r\n            case 25:\r\n                // Retrieve information about the current user.\r\n                go getuser.Run(task)\r\n                break\r\n            case 26:\r\n                // Make a directory\r\n                go mkdir.Run(task)\r\n                break\r\n            case 27:\r\n                // Move files\r\n                go mv.Run(task)\r\n                break\r\n            case 28:\r\n                // Print working directory\r\n                go pwd.Run(task)\r\n                break\r\n            case 29:\r\n                go 
rm.Run(task)\r\n                break\r\n            case 30:\r\n                go getenv.Run(task)\r\n                break\r\n            case 31:\r\n                go setenv.Run(task)\r\n                break\r\n            case 32:\r\n                go unsetenv.Run(task)\r\n                break\r\n            case 33:\r\n                go kill.Run(task)\r\n                break\r\n            case 34:\r\n                go curl.Run(task)\r\n                break\r\n            case 35:\r\n                go xpc.Run(task)\r\n                break\r\n            case 36:\r\n                go socks.Run(task)\r\n                break\r\n            case 37:\r\n                go listtasks.Run(task)\r\n                break\r\n            case 38:\r\n                go list_entitlements.Run(task)\r\n                break\r\n            case 39:\r\n                go execute_memory.Run(task)\r\n                break\r\n            case 40:\r\n                go jsimport.Run(task)\r\n                break\r\n            case 41:\r\n                //Execute jxa code in memory from\r\n                //the script imported by jsimport\r\n                go jsimport_call.Run(task)\r\n                break\r\n            case 42:\r\n                //Execute persist_launch command to install launchd\r\n                //persistence\r\n                go persist_launchd.Run(task)\r\n                break\r\n            case 43:\r\n                // Execute persist_loginitem command to install\r\n                //login item persistence\r\n                go persist_loginitem.Run(task)\r\n                break\r\n            case 44:\r\n                // Execute spawn_libinject command to spawn a\r\n                //target application/binary with the\r\n                //DYLD_INSERT_LIBRARIES 
variable set to\r\n                //an arbitrary dylib\r\n                go dyldinject.Run(task)\r\n                break\r\n            case 45:\r\n                go link_tcp.Run(task)\r\n                break\r\n            case 46:\r\n                go unlink_tcp.Run(task)\r\n                break\r\n            case 47:\r\n                go run.Run(task)\r\n                break\r\n            case 48:\r\n                go clipboard_monitor.Run(task)\r\n                break\r\n            case 49:\r\n                go execute_macho.Run(task)\r\n                break\r\n            case 50:\r\n                go rpfwd.Run(task)\r\n                break\r\n            case NONE_CODE:\r\n                // No tasks, do nothing\r\n                break\r\n            }\r\n            break\r\n        }\r\n    }\r\n}\r\nPoseidon Malware Capabilities\r\nThe Poseidon malware agent installed on the target system can receive commands from the threat actor, as\r\nindicated in the table below.\r\nTable 1: Poseidon capabilities – 1\r\nTable 2: Poseidon capabilities – 2\r\nNetwork Activities\r\nTo initiate communication with C2, Poseidon first executes an action that the Poseidon project calls Check-in. The\r\ninformation collected by the CreateCheckinMessage function indicates that the malware is intended to gather\r\ninformation about the system it is running on before communicating with C2. Below we have listed the types of
Below we have listed the types of\r\ninformation included in the Check-in message.\r\n“checkin” string \r\nHostname \r\nIP Address \r\nPID\r\nOS \r\nProcess Name \r\n“amd64aring” string \r\nURI to send data to \r\n3b54bd24-92a5-4b91-ad15-de771a497372\r\nThis value is used as the UUID (HTTP, WEBSOCKET, or TCP) value found in the configuration\r\ndata while the threat actor prepares a new Poseidon instance and is specific to the detected file.\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 11 of 15\n\nFigure 10: C2 start check-in message\r\nThe image below shows the configuration data used by Poseidon.\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 12 of 15\n\nFigure 11: Poseidon configuration data\r\nThe malware used in the campaign is trying to send data to the remote server with a POST request by establishing\r\na TCP connection with the IP address 70.34.214[.]252, but we cannot obtain details because the server is inactive\r\nwhen the file is analyzed.\r\nIndicator of Compromises\r\nPoseidon Payload SHA-256 Hashes\r\n78480e7c9273a66498d0514ca4e959a2c002f8f5578c8ec9153bb83cbcc2b206\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 13 of 
15\n\n3285032b8e1cd080ce5df8839db03a1eb9e4d16db252fd64d4c0c5a66d8b0ff8\r\n3164c7d572bd3f59f31a3bb6ac8a7f0769f2cbdddea7cadf843b99076a952b81\r\n8affdfea794bc04340a453160237e7b6ae77bd909146321daf2ed50401928827\r\n4fac5b0618348de1e6e4843bb4560320eea175ecc4ba807beadd56e2e6a66e32\r\n58eedd3277014bb45a294f4c299bbfcdfc38a212fa0cda7a781dda132e8928a5\r\n3d180606a60e0a25b78fde6b3cb52afc8443105e672cdcc420be781e9ec32488\r\n9bb990a54460437c14be4cdd25ab5f8027a49c4e8e8b83445bd57f06ad1e1512\r\ncc53c74a8be261fab1f231e20d127cb815787ff3437daff8162855130f8ff271\r\ndcfb42328840a3524ceda176f5fe5041e1dd5c86e126dc6e4fc47826a1bbcc96\r\n40a42f392fc58c047cfbbda566d70ebd2654f2919f8ee8e6b5d76e5bc11ec5cc\r\n51ff7043b2bc87f52e71a265080acd0a1b3d5d2a07ef541ebf3af5c6d44b3761\r\nfe843154f38202f17379dd2bed25306e8357e9e1bf56bd89565e81a67a286d6e\r\n95ed0e02c6bbfe065ad79d595b7a607de64156c368cf1e85323ce829bffb3d0b\r\n67a0d54e73ab0f76634e80b2723c3ac7d4df73b55aea5323856a42bbc19859a6\r\ndc1ec8aa04a71f595454dba88473fba2a970533eceee2d155a3956d8dc9ecda0\r\n91e08c6ee0d6b6f472a5df371318d56d2442c3487caad0a093754f57142ece6f\r\nec93724a82f487f960acd51f427e660793f6e868a25f666e4cf5babb3bdcfe54\r\naa53cfadd21956ea50e1a504ac6b4287076c64056e4b57a877b2f564ea315eb9\r\n8f19a4b6a3fe19d577e71c458c3c0565599b57863f0efbdf4e109b4e92c0bbeb\r\n7328240b03a5992537f7b3371bab7fd4e3b631d31b3919596daa8265886a07ae\r\ne45909e6a7c50b34deba248c7e1b419706c3d6e9c638980099d6860db9e5c53b\r\nf688280c7cc7523989809472594c36f97d7e2cc5e3ef5721ca67ab1f8b458104\r\n185254efe497aed539fe0d95ca40451985b8fa60a54a707760bfe5c53cce56d9\r\n489703daffea94c11319c74f2a43d4ca3198baa9081a42f047f029a39c335981\r\n0416006b9043b8f45f343fedcef9bfdb8e1c8cafc30951755c0d7eb60e409c78\r\n3b8b06eb6e30296e74fc7c6a039c1a05d6785bce9745b85851fe686306abbf35\r\n34059561b4adc524128c61e886177f8e87674ebe90f227acc8828b9d566f3e5c\r\n293e51eecb94da90d4237b219584efd6afc805b0da2792ffa53fc132cf1d32b3\r\n7f6b1ed3549fc58ade807898bd458fff0bbfd7aaddbc75a2710ddfc580f5248a\r\n897bd48be8fc5b10603e10
d262035282024d0c092ef8dbde796568d627aa1c60\r\n8626a35ce2b1211fad630909165b67ae1391da02529da20e0c1fa05ba989bcf4\r\n5b41f55410f835a0fc2702dffe74b32ab1eebdd22437585ca5349729329a89d8\r\nca3f34dfd9540e59bc0cdb36bbe6fe77cbb9eb44d682add9e38123281a3f4e55\r\n37ffaccba0469d9125dd072241ec7d99652e2e46897f7c6d3db98a19d92b20e6\r\n70[.]34[.]214[.]252\r\nsharing1[.]filesharetalk[.]com/bosshelp\r\nYARA Rule\r\nrule poseidon_elf{\r\n    strings:\r\n        $main_func = {E8 ?? 2? D4 FF 31 C0 48 8D 1D ?? 0B 00}\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 14 of 15\n\n$command_call = {48 8B 42 08 48 8B 5A 10 48 8B 4A 18 48 8B 7A 20 F2\r\n        0F 10 42 28  48 8B 72 30 4C 8B 42 38 4C 8B 4A 40 66 90  E8 ?B ?? F?\r\n        FF 48 8B 6C 24 40  48 83 C4 48 C3}\r\n        $s1 = “poseidon_tcp”\r\n    condition:\r\n        $main_func or $command_call or $s1\r\n} \r\nReferences:\r\nhttps://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/\r\nYou can fin also these indicator of compromises on our GitHub repo.\r\nSource: https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nhttps://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/\r\nPage 15 of 15\n\n https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/  \nFigure 10: C2 start check-in message \nThe image below shows the configuration data used by Poseidon.\n   Page 12 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/"
	],
	"report_names": [
		"apt-36-campaign-poseidon-malware-technical-analysis"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/400c9ef723aca4b409cac2182177990616332ed0.pdf",
		"text": "https://archive.orkl.eu/400c9ef723aca4b409cac2182177990616332ed0.txt",
		"img": "https://archive.orkl.eu/400c9ef723aca4b409cac2182177990616332ed0.jpg"
	}
}