{
	"id": "019d9d42-20ba-474e-ba8b-7623c1f19a51",
	"created_at": "2026-04-06T00:13:58.111345Z",
	"updated_at": "2026-04-10T03:36:50.232337Z",
	"deleted_at": null,
	"sha1_hash": "6134dbab7bff5c38600f9e5d7a1fc4cf50a02dcc",
	"title": "A look into APT36's (Transparent Tribe) tradecraft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 789614,
	"plain_text": "A look into APT36's (Transparent Tribe) tradecraft\r\nBy admin\r\nPublished: 2020-11-01 · Archived: 2026-04-05 18:34:26 UTC\r\nAPT36 (a.k.a. Transparent Tribe / Mythic Leopard / PROJECTM / TEMP) is a prominent group believed to be operating on behalf of the Pakistani state and conducting espionage with great interest in a very specific set of countries, especially India, widely since 2013.\r\nMost frequent target sectors include:\r\nMilitary organizations\r\nGovernment entities\r\nExample honey trap lure template\r\nCyberstanc's very own threat research team has been tracking APT36's activities and we would like to provide you an insight into their tradecraft, especially their main malware dubbed \"Crimson RAT\".\r\nAnalysis:\r\nWe won't be laying emphasis on individual samples; rather, we will be randomly covering samples and variants to provide better insights.\r\nPayload Delivery:\r\nTransparent Tribe employs a multitude of tactics from the old books of espionage 101 for dummies, for example honey-trapping army personnel; however, the frequent payload delivery methods usually consist of the following:\r\nMalicious Documents / Excel sheets\r\nCompressed archived files\r\nWaterholing attack\r\nhttps://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/\r\nPage 1 of 10\r\nBasic static analysis consists of examining the sample without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.\r\nFilename : Kashmir_conflict_actions.docx\r\nFile Type : MS Word Document\r\nFile size : 300.00 KB (300000 bytes)\r\nStage 1 (Macro enabled document dropper) :\r\nKashmir_conflict_actions.docx\r\nKashmir_conflict_actions.docx contains a macro which in turn makes a remote SQL query to the C2 server (Datroapp[.]mssql.somee.com), writes the second stage payload to \"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Trayicos.exe\" and launches the payload.\r\n1st stage macro payload\r\nStage 2 (Dropper) :\r\nFilename : TrayIcos.exe\r\nFile Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nFile size : 2.4 MB (2519552 bytes)\r\nMD5 : 18ACD5EBED316061F885F54F82F00017\r\nSignature : Microsoft Visual C++ 8\r\nAn initial look at the PE file suggests a payload loader of some sort: looking at the resource section of the file, we can see a data blob of bigger size than usual and with an exceptionally high entropy value.\r\nPestudio resource viewer\r\nFurther analysis indicates the same, with an import chain of:\r\nFindResource -> LoadResource -> LockResource -> SizeofResource -> FreeResource\r\nGetting 3rd stage payload from resource\r\nWe can clearly conclude that the encrypted data block located in the resource section is the 3rd stage payload.\r\nAfter some dynamic analysis we are able to decrypt the 3rd stage payload. However, we are not finished yet!\r\nOnce the 3rd stage payload is decrypted, it is revealed to be a .NET assembly, which is loaded into the memory space of the same unmanaged process \"TrayIcos.exe\".\r\nPayload decryption\r\nManaged payload method called from unmanaged parent dropper\r\nStage 3 (Third stage dropper):\r\nFilename : Random.dll\r\nFile Type : C# dynamic link library / .Net Assembly\r\nFile size : 2.3 MB (2441216 bytes)\r\nMD5 : 4A22A43CCAB88B1CA50FA183E6FFB6FA\r\nSignature : Microsoft Visual C# v7.0 / Basic .NET\r\nWe get an unpacked / obfuscated C# assembly which we dumped during the dynamic analysis of the 2nd stage dropper.\r\nThe functionality of the dropper is pretty straightforward: extract the payload from the resource and then execute the entry point of the payload.\r\n3rd stage dropper\r\nStage 4 (Crimson RAT):\r\nThe final stage includes execution of our crown king, the Crimson Remote Access Trojan.\r\nFilename : TrayIcos.exe\r\nFile Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly\r\nFile size : 2.2 MB (2295808 bytes)\r\nMD5 : 5A27D092E4A87554206F677B4EADC6F5\r\nSignature : Microsoft Visual C# v7.0 / Basic .NET\r\nPacker : .Net Reactor\r\nCrimson RAT supports the basic functionalities a remote access trojan should have, like screen capture, screen size enumeration, command execution, process listing, process killing, etc.\r\nHowever, the functionalities differ from variant to variant and are stripped in many samples; the complete list of all functionalities supported by the framework is given below:\r\nFunctionalities\r\nCommand parser and functionalities of crimson rat\r\nThe persistence mechanism is the least notable and extremely basic in nature.\r\nHKCU Run key persistence\r\nC2 communication is implemented using a simple TCP protocol with no added encryption, or even encoding, which is highly disappointing.\r\nC2 connection using TCP\r\nVerdict:\r\nOverall, Transparent Tribe's tradecraft might seem lackluster, but since their inception in 2013 they have, according to statistics, been quite successful in executing their plans and conducting espionage campaigns on a daily basis. However, our customers are protected against this threat. Additionally, Scrutiny Anti Malware properly flags files used by Transparent Tribe as malicious.\r\nSource: https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/"
	],
	"report_names": [
		"a-look-into-apt36-transparent-tribe"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6134dbab7bff5c38600f9e5d7a1fc4cf50a02dcc.pdf",
		"text": "https://archive.orkl.eu/6134dbab7bff5c38600f9e5d7a1fc4cf50a02dcc.txt",
		"img": "https://archive.orkl.eu/6134dbab7bff5c38600f9e5d7a1fc4cf50a02dcc.jpg"
	}
}