{
	"id": "fd172b64-9e83-4023-8c5b-56bfe271e848",
	"created_at": "2026-04-06T00:14:35.261488Z",
	"updated_at": "2026-04-10T13:11:24.978884Z",
	"deleted_at": null,
	"sha1_hash": "88fa999c41569776d8dc0de5061f696ad60d83ad",
	"title": "Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1875394,
	"plain_text": "Love scam or espionage? Transparent Tribe lures Indian and Pakistani\r\nofficials\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 19:36:18 UTC\r\nESET researchers have identified an active Transparent Tribe campaign, targeting mostly Indian and Pakistani Android\r\nusers – presumably with a military or political orientation. Victims were probably targeted through a honey-trap romance\r\nscam, where they were initially contacted on another platform and then convinced to use supposedly “more secure” apps,\r\nwhich they were then lured into installing. Most likely active since July 2022, the campaign has distributed CapraRAT\r\nbackdoors through at least two similar websites, while representing them as untainted versions of those secure messaging\r\napps.\r\nKey points of the blogpost:\r\nThis Transparent Tribe campaign mainly targets Indian and Pakistani citizens, possibly those with a military or\r\npolitical background.\r\nIt distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as\r\nMeetsApp and MeetUp; the backdoor can exfiltrate any sensitive information from its victims’ devices.\r\nThese trojanized apps were available to download from websites posing as official distribution centers. We believe\r\na romance scam was used to lure targets to these websites.\r\nPoor operational security around these apps exposed user PII, allowing us to geolocate 150 victims.\r\nCapraRAT was hosted on a domain that resolved to an IP address previously used by Transparent Tribe.\r\nCampaign overview\r\nBesides the inherent working chat functionality of the original legitimate app, the trojanized versions include malicious\r\ncode that we have identified as that of the CapraRAT backdoor. Transparent Tribe, also known as APT36, is a\r\ncyberespionage group known to use CapraRAT; we have also seen similar baits deployed against its targets in the past. 
The\r\nbackdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any\r\nother sensitive information. The backdoor can also receive commands to download files, make calls, and send SMS\r\nmessages. The campaign is narrowly targeted, and nothing suggests these apps were ever available on Google Play.\r\nWe identified this campaign when analyzing a sample posted on Twitter that was of interest due to matching Snort rules\r\nfor both CrimsonRAT and AndroRAT. Snort rules identify and alert on malicious network traffic and can be written to\r\ndetect a specific type of attack or malware.\r\nCrimsonRAT is Windows malware, known to be used only by Transparent Tribe. In 2021, the group started to target the\r\nAndroid platform, using a modified version of an open-source RAT named AndroRAT. It bears similarities to\r\nCrimsonRAT, and has been named CapraRAT by Trend Micro in its research.\r\nMeetsApp\r\nhttps://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/\r\nPage 1 of 11\n\nBased on the Android Package Kit (APK) name, the first malicious application is branded MeetsApp and claims to provide\r\nsecure chat communications. We were able to find a website from which this sample could have been downloaded\r\n(meetsapp[.]org); see Figure 1.\r\nFigure 1. Distribution website of CapraRAT posing as MeetsApp\r\nThat page’s download button leads to an Android app with the same name; unfortunately, the download link is not alive\r\nanymore (https://phone-drive[.]online/download.php?file=MeetsApp.apk). 
At the time of this research, phone-drive[.]online resolved to 198.37.123[.]126, the same IP address to which phone-drive.online.geo-news[.]tv resolved, a domain that was\r\nused in the past by Transparent Tribe to host its spyware.\r\nMeetUp\r\nAnalysis of the MeetsApp distribution website showed that some of its resources were hosted on another server with a\r\nsimilar domain name – meetup-chat[.]com – using a similar service name. That site also provided an Android messaging\r\napp, MeetUp, to download with the same package name (com.meetup.app) as for MeetsApp, and having the same website\r\nlogo, as can be seen in Figure 2.\r\nFigure 2. Distribution website of CapraRAT posing as MeetUp\r\nAttribution to Transparent Tribe\r\nBoth apps – from the tweet and from the sample downloaded from meetup-chat[.]com – include the same CapraRAT code,\r\ncommunicate with the same C\u0026C server (66.235.175[.]91:4098), and their APK files are signed using the same developer\r\ncertificate.\r\nHence, we strongly believe that both websites were created by the same threat actor; both domains were registered around\r\nthe same time – July 9th and July 25th, 2022.\r\nBoth apps are based on the same legitimate code trojanized with CapraRAT backdoor code. The messaging functionality seems\r\neither to have been developed by the threat actor or found (maybe purchased) online, since we couldn’t identify its origin. Before\r\nusing the app, victims need to create accounts that are linked to their phone numbers and require SMS verification. 
Once\r\nthis account is created, the app requests further permissions that allow the backdoor’s full functionality to work, such as\r\naccessing contacts, call logs, SMS messages, external storage, and recording audio.\r\nThe domain phone-drive[.]online on which the malicious MeetsApp APK was placed started to resolve to the same IP\r\naddress around the same time as the domain phone-drive.online.geo-news[.]tv that was used in the past campaign\r\ncontrolled by Transparent Tribe, as reported by Cisco. Besides that, the malicious code of the analyzed samples was seen\r\nin the previous campaign reported by Trend Micro where CapraRAT was used. In Figure 3 you can see a comparison of\r\nmalicious class names from CapraRAT available from 2022-01 on the left side, and its more recent variant having the same\r\nclass names and functionality on the right.\r\nFigure 3. Malicious class name comparison of older CapraRAT (left) and more recent version (right)\r\nVictimology\r\nDuring our investigation, weak operational security resulted in the exposure of some victim data. This information allowed\r\nus to geolocate over 150 victims in India, Pakistan, Russia, Oman, and Egypt, as seen in Figure 4.\r\nFigure 4. Victim distribution\r\nBased on our research, potential victims were lured to install the app by a honey-trap romance scam operation, where most\r\nlikely they were first contacted on a different platform and then persuaded to use the “more secure” MeetsApp or MeetUp\r\napp. We have previously seen such baits being used by Transparent Tribe operators against their targets. 
Finding a mobile\r\nnumber or an email address they can use to make first contact is usually not difficult.\r\nTechnical analysis\r\nInitial access\r\nAs described above, the malicious MeetUp app has been available at meetup-chat[.]com, and we believe with high\r\nconfidence that the malicious MeetsApp was available at meetsapp[.]org. Neither app would be automatically installed\r\nfrom these locations; the victims had to choose to download and install the apps manually. Considering that only a handful of\r\nindividuals were compromised, we believe that potential victims were highly targeted and lured using romance schemes,\r\nwith Transparent Tribe operators most likely establishing first contact via another messaging platform. After gaining the\r\nvictims’ trust, they suggested moving to another – allegedly more secure – chat app that was available on one of the\r\nmalicious distribution websites.\r\nThere was no subterfuge suggesting the app was available in Google Play.\r\nToolset\r\nAfter the victim signs into the app, CapraRAT starts to interact with its C\u0026C server by sending basic device info and\r\nwaits to receive commands to execute. 
Based on these commands, CapraRAT is capable of exfiltrating:\r\ncall logs,\r\nthe contacts list,\r\nSMS messages,\r\nrecorded phone calls,\r\nrecorded surrounding audio,\r\nCapraRAT-taken screenshots,\r\nCapraRAT-taken photos,\r\na list of files on the device,\r\nany particular file from the device,\r\ndevice location,\r\na list of running apps, and\r\ntext of all notifications from other apps.\r\nIt can also receive commands to download a file, launch any installed app, kill any running app, make a call, send SMS\r\nmessages, intercept received SMS messages, and download an update and request the victim to install it.\r\nConclusion\r\nThe mobile campaign operated by Transparent Tribe is still active, representing itself as two messaging applications, used\r\nas a cover to distribute its Android CapraRAT backdoor. Both apps are distributed through two similar websites that, based\r\non their descriptions, provide secure messaging and calling services.\r\nTransparent Tribe probably uses romance scam baits to lure victims into installing the app and continues to communicate\r\nwith them using the malicious app to keep them on the platform and make their devices accessible to the attacker.\r\nCapraRAT is remotely controlled and based on the commands from the C\u0026C server, it can exfiltrate any sensitive\r\ninformation from its victims’ devices.\r\nOperators of these apps had poor operational security, resulting in victim PII being exposed to our researchers, across the\r\nopen internet. Because of that, it was possible to obtain some information about the victims.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET\r\nThreat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Package name | ESET detection name | Description\r\n4C6741660AFED4A0E68EF622AA1598D903C10A01 | com.meetup.chat | Android/Spy.CapraRAT.A | CapraRAT backdoor.\r\n542A2BC469E617252F60925AE1F3D3AB0C1F53B6 | com.meetup.chat | Android/Spy.CapraRAT.A | CapraRAT backdoor.\r\nNetwork\r\nIP | Provider | First seen | Details\r\n66.235.175[.]91 | N/A | 2022-09-23 | C\u0026C.\r\n34.102.136[.]180 | GoDaddy | 2022-07-27 | meetsapp[.]org – distribution website.\r\n194.233.70[.]54 | 123-Reg Limited | 2022-07-19 | meetup-chat[.]com – distribution website.\r\n198.37.123[.]126 | Go Daddy | 2022-01-20 | phone-drive[.]online – APK file hosting website.\r\n194.233.70[.]54 | Mesh Digital Limited | 2022-09-23 | share-lienk[.]info – APK file hosting website.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | CapraRAT receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | CapraRAT functionality is triggered if one of these events occurs: PHONE_STATE, NEW_OUTGOING_CALL, BATTERY_CHANGED, or CONNECTIVITY_CHANGE.\r\nDiscovery | T1420 | File and Directory Discovery | CapraRAT can list available files on external storage.\r\nDiscovery | T1424 | Process Discovery | CapraRAT can obtain a list of running applications.\r\nDiscovery | T1422 | System Network Configuration Discovery | CapraRAT can extract IMEI, IMSI, IP address, phone number, and country.\r\nDiscovery | T1426 | System Information Discovery | CapraRAT can extract information about the device including SIM serial number, device ID, and common 
system information.\r\nCollection | T1533 | Data from Local System | CapraRAT can exfiltrate files from a device.\r\nCollection | T1517 | Access Notifications | CapraRAT can collect notification messages from other apps.\r\nCollection | T1512 | Video Capture | CapraRAT can take photos and exfiltrate them.\r\nCollection | T1430 | Location Tracking | CapraRAT tracks device location.\r\nCollection | T1429 | Audio Capture | CapraRAT can record phone calls and surrounding audio.\r\nCollection | T1513 | Screen Capture | CapraRAT can record the device’s screen using the MediaProjectionManager API.\r\nCollection | T1636.002 | Protected User Data: Call Logs | CapraRAT can extract call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | CapraRAT can extract the device’s contact list.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | CapraRAT can extract SMS messages.\r\nCommand and Control | T1616 | Call Control | CapraRAT can make phone calls.\r\nCommand and Control | T1509 | Non-Standard Port | CapraRAT communicates with its C\u0026C over TCP port 4098.\r\nImpact | T1582 | SMS Control | CapraRAT can send SMS messages.\r\nSource: https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/"
	],
	"report_names": [
		"love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88fa999c41569776d8dc0de5061f696ad60d83ad.pdf",
		"text": "https://archive.orkl.eu/88fa999c41569776d8dc0de5061f696ad60d83ad.txt",
		"img": "https://archive.orkl.eu/88fa999c41569776d8dc0de5061f696ad60d83ad.jpg"
	}
}