{
	"id": "bd85fc0b-260d-465f-9d64-6bfc251bc155",
	"created_at": "2026-04-06T00:20:52.289297Z",
	"updated_at": "2026-04-10T13:12:06.457428Z",
	"deleted_at": null,
	"sha1_hash": "6676a82aace6b6d735f61be2255f05bf770e1b31",
	"title": "Hackers use modified MFA tool against Indian govt employees",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2517121,
	"plain_text": "Hackers use modified MFA tool against Indian govt employees\r\nBy Bill Toulas\r\nPublished: 2022-03-29 · Archived: 2026-04-05 23:10:28 UTC\r\nA new campaign from the hacking group tracked as APT36, aka 'Transparent Tribe' or 'Mythic Leopard,' has been discovered using new custom malware and entry vectors in attacks against the Indian government.\r\nThe particular threat actor has been active since at least 2016, is based in Pakistan, and its targets have historically been almost exclusively Indian defense and government entities.\r\nThe group's goal is to collect intelligence through cyber-espionage, so APT36 is considered to be a Pakistan-aligned, state-sponsored threat actor.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/\r\nPage 1 of 6\r\nResearchers at Cisco Talos have published a report today detailing their recent findings on the activity of APT36 and underline some interesting new shifts in the threat actor's tactics.\r\nNew infection vector\r\nThe most interesting aspect of the new campaign is the use of laced Kavach authentication apps targeting employees of the Indian government.\r\nKavach Authentication is an OTP application authored by the Indian National Informatics Center for secure multi-factor authentication on critical IT systems.\r\nReal Kavach app on the Google Play Store\r\nThe app is used extensively by military personnel or employees of the Indian government that need to access IT resources like email services or databases.\r\nThe distribution of the fake Kavach installers is done via counterfeit websites that are clones of legitimate Indian government sites, like that of the Defense Service Officers' Institute.\r\nThe downloader of the Kavach app and the malicious payload (Cisco)\r\nThe victims receive a copy of a legitimate Kavach installer and also a malicious payload that automatically initiates the infection process with the threat actor's malware of choice.\r\nBoth cloned websites and the use of malware masquerading as legitimate and known apps are common and previously observed tactics of APT36.\r\nNew custom malware\r\nThe threat actor is still using CrimsonRAT, first spotted in 2020 campaigns, but the malware has evolved to offer more capabilities to its operators.\r\nCrimsonRAT is the primary spearhead tool of APT36, able to steal credentials from the browser, list running processes, retrieve additional payloads from the C2, and capture screenshots.\r\nIn its 2022 version, CrimsonRAT also employs a keylogger, supports the execution of arbitrary commands on the compromised system, can read the contents of files, delete files, and more.\r\nCrimsonRAT's new command handler (Cisco)\r\nAnother tool used in the recent campaigns is a lightweight .NET remote access trojan that is more basic compared to CrimsonRAT but still offers powerful functions such as:\r\nList all running processes on the endpoint.\r\nDownload and execute a file from the C2.\r\nDownload and execute a file specified by the C2 from another remote location.\r\nClose the connection with the C2 until the next run.\r\nGather system information from the endpoint such as computer name, username, public and local IPs, operating system name, list of running AVs, and device type (desktop or laptop).\r\nAPT36 likely uses that second implant for redundancy, or it may be just the early development version of a new custom RAT that will be improved with more features in the future.\r\nIn 2021, APT36 also used ObliqueRAT in very narrowly targeted attacks against government personnel, while the infection vector then was emails with VBS-laced documents.\r\n'Transparent Tribe' is still evolving and remains highly active, improving its implants and regularly refreshing its infection vectors to stay elusive and undetectable.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/"
	],
	"report_names": [
		"hackers-use-modified-mfa-tool-against-indian-govt-employees"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6676a82aace6b6d735f61be2255f05bf770e1b31.pdf",
		"text": "https://archive.orkl.eu/6676a82aace6b6d735f61be2255f05bf770e1b31.txt",
		"img": "https://archive.orkl.eu/6676a82aace6b6d735f61be2255f05bf770e1b31.jpg"
	}
}