{
	"id": "95dd36c5-005a-4e15-a562-d3f002a03ad8",
	"created_at": "2026-04-06T00:06:51.100296Z",
	"updated_at": "2026-04-10T03:36:50.387367Z",
	"deleted_at": null,
	"sha1_hash": "9679af1dfce4e2caf682cb71ef79835b604ef14c",
	"title": "CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2260550,
	"plain_text": "CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to\r\nHijack Android Phones\r\nBy Alex Delamotte\r\nPublished: 2023-09-18 · Archived: 2026-04-05 14:45:03 UTC\r\nExecutive Summary\r\nSentinelLABS identified three Android application packages (APK) linked to Transparent Tribe’s\r\nCapraRAT mobile remote access trojan (RAT).\r\nThese apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native\r\nAndroid YouTube application.\r\nCapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android\r\ndevices that it infects.\r\nBackground\r\nTransparent Tribe is a suspected Pakistani actor known for targeting military and diplomatic personnel in both\r\nIndia and Pakistan, with a more recent expansion to the Indian Education sector. Since 2018, reports have detailed\r\nthe group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside of another\r\napplication. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the\r\ndisputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.\r\nTransparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and\r\nsocial engineering to entice users to install a weaponized application. Earlier in 2023, the group distributed\r\nCapraRAT Android apps disguised as a dating service that conducted spyware activity.\r\nOne of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several\r\nshort clips of a woman in various locales. This APK also borrows the individual’s name and likeness. 
This theme\r\nsuggests that the actor continues to use romance-based social engineering techniques to convince targets to install\r\nthe applications, and that Piya Sharma is a related persona.\r\nCapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and\r\nexfiltrate it. Notable features include:\r\nRecording with the microphone, front \u0026 rear cameras\r\nCollecting SMS and multimedia message contents, call logs\r\nSending SMS messages, blocking incoming SMS\r\nInitiating phone calls\r\nTaking screen captures\r\nOverriding system settings such as GPS \u0026 Network\r\nModifying files on the phone’s filesystem\r\nhttps://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/\r\nPage 1 of 10\n\nApp Analysis\r\nCapraRAT is distributed as an Android APK. When the tool was initially named by Trend Micro, their research\r\nteam noted that CapraRAT may be loosely based on the AndroRAT source code.\r\nWe performed static analysis on two YouTube-themed CapraRAT APKs:\r\n8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk, uploaded to VirusTotal in July 2023.\r\n83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk, uploaded to VirusTotal in August 2023.\r\nWe also identified a third APK called Piya Sharma, the YouTube channel persona described earlier:\r\n14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk, uploaded to VirusTotal in April 2023.\r\nThe yt and YouTube APKs are disguised as YouTube, borrowing the YouTube icon.\r\nApplication icons on an Android device, including YouTube_052647.apk\r\nApplication icons, including the Piya Sharma app\r\nYouTube_052647.apk displays the YouTube website when launched\r\nThe app requests several permissions. 
YouTube is an interesting choice of disguise for the app: some\r\npermissions, like microphone access, make sense for recording or search features. Other permissions – like the\r\nability to send and view SMS – are less relevant to the expected app behaviors.\r\nPermission prompts during install of the weaponized YouTube app\r\nInstallation permissions requested by the Piya Sharma APK\r\nWhen the app is launched, MainActivity’s load_web method launches a WebView object to load YouTube’s\r\nwebsite. Because this loads within the trojanized CapraRAT app’s window, the user experience is different from\r\nthe native YouTube app for Android and akin to viewing the YouTube page in a mobile web browser.\r\nSmali snippet of the load_web method in MainActivity\r\nKey Components\r\nBecause CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious\r\nactivity are often named and arranged differently depending on the app. 
The CapraRAT APKs we analyzed\r\ncontain the following files:\r\nName: yt.apk\r\nConfiguration: com/media/gallery/service/settings\r\nVersion: MSK-2023\r\nMain: com/media/gallery/service/MainActivity\r\nMalicious Activity: com/media/gallery/service/TPSClient\r\nName: YouTube_052647.apk\r\nConfiguration: com/Base/media/service/setting\r\nVersion: A.F.U.3\r\nMain: com/Base/media/service/MainActivity\r\nMalicious Activity: com/Base/media/service/TCHPClient\r\nName: Piya Sharma.apk\r\nConfiguration: com/videos/watchs/share/setting\r\nVersion: V.U.H.3\r\nMain: com/videos/watchs/share/MainActivity\r\nMalicious Activity: com/videos/watchs/share/TCPClient\r\nCapraRAT’s configuration file, which is named interchangeably setting or settings, holds the default\r\nconfiguration information, as well as metadata like versioning. The CapraRAT version syntax seen in\r\nYouTube_052647.apk and Piya Sharma.apk – A.F.U.3 and V.U.H.3, respectively – matches the convention used\r\nto track Transparent Tribe’s Windows tool, CrimsonRAT. However, there is no tangible relationship between these\r\nversion numbers and the C2 domains as we saw in CrimsonRAT.\r\nThanks to creative spelling and naming conventions, the RAT’s configuration provides consistent static detection\r\nopportunities, with each of the following present in the samples from earlier in 2023 as well:\r\nis_phical\r\nisCancl\r\nisRealNotif\r\nSERVERIP\r\nsmsMoniter\r\nsmsWhere\r\nverion\r\nMainActivity is responsible for driving the application’s key features. This activity sets persistence through the\r\nonCreate method, which uses Autostarter, an open-source project with code that lets developers automatically\r\nlaunch an Android application. 
The TPSClient class is initialized as an object called mTCPService; then, this\r\nmethod calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s\r\ntimeForAlarm variable. In this example, the value 0xea60 is equal to 60,000 milliseconds, meaning the alarm\r\nand persistence launcher run once per minute.\r\nThe RAT’s core functionality is in an activity similar to the Extra_Class activity from the March 2023 samples\r\nreported by ESET. Henceforth, we call this activity TPSClient for simplicity. These files are rather large,\r\ndecompiling to over 10,000 lines of Smali code. By comparison, the March versions’ equivalents have only about\r\n8,000 lines.\r\nTPSClient contains CapraRAT’s commands, which are invoked through the run method via a series of switch\r\nstatements that map the string command to a related method.\r\nThe smsmons command logic inside the run method of TPSClient\r\nMany of these commands have been documented in previous research, though there are several changes in these\r\nnew versions. The hideApp method now checks if the system is running Android version 9 or earlier and if the\r\nmehiden variable in the setting(s) config file was set to False; if applicable, the app will be hidden from the\r\nuser’s view. While similarities between CapraRAT and AndroRAT are seemingly minimal at this point in\r\nCapraRAT’s development, the AndroRAT source code documentation notes that the tool becomes unstable after\r\nAndroid version 9, so there are likely underlying changes to the OS that make this method behave differently\r\ndepending on the OS version.\r\nTPSClient has a method check_permissions() that is not in Extra_Class. 
This method checks the following\r\nseries of Android permissions and generates a string with a True or False result for each:\r\nREAD_EXTERNAL_STORAGE\r\nREAD_CALL_LOG\r\nCAMERA\r\nREAD_CONTACTS\r\nACCESS_FINE_LOCATION\r\nRECORD_AUDIO\r\nREAD_PHONE_STATE\r\nInterestingly, some other older versions contain this method, suggesting that the samples may be tailored for\r\ntargets or are potentially developed from different branches.\r\nC2 \u0026 Infrastructure\r\nIn CapraRAT’s configuration file, the SERVERIP variable contains the command-and-control (C2) server address,\r\nwhich can be a domain, IP address, or both. The C2 port is stored in hexadecimal big-endian format; the human-readable\r\nport can be obtained by converting it to decimal, resulting in port 14862 for yt.apk, port 18892 for\r\nYouTube_052647.apk, and port 10284 for Piya Sharma.apk.\r\nC2 configuration from yt.apk (left) and YouTube_052647.apk (right)\r\nThe shareboxs[.]net domain used by YouTube_052647.apk has been associated with Transparent Tribe since at\r\nleast 2019. Interestingly, the ptzbubble[.]shop domain was registered the same week as ESET’s report outlining\r\nthe group’s Android apps that leveraged other C2 domains.\r\nThe IP addresses associated with C2 from the two YouTube samples have Remote Desktop Protocol port 3389\r\nopen with the service identified as Windows Remote Desktop, indicating the group uses Windows Server\r\ninfrastructure to host the CapraRAT C2 application. The Piya Sharma app’s C2 IP, 209[.]127.19.241, has a\r\ncertificate with common name value WIN-P9NRMH5G6M8, a longstanding indicator associated with Transparent\r\nTribe’s CrimsonRAT C2 servers.\r\n84[.]46.251.145 – the IP address hosting the ptzbubble[.]shop domain – shows historical resolutions associated\r\nwith Decoy Dog Pupy RAT DNS tunneling lookups. 
Any connection between these campaigns is unclear; it is\r\nplausible that a service hosted on this IP was infected by that campaign. Based on the query dates, the\r\nclaudfront[.]net lookup was during the time the CapraRAT actor was using this IP address to host\r\nptzbubble[.]shop, while a lookup to allowlisted[.]net was in December 2022, which was potentially before\r\nthis actor started using the IP.\r\nResolution history for IP hosting ptzbubble[.]shop, 84[.]46.251.145\r\nConclusion\r\nTransparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift\r\nidentification of their tools.\r\nThe group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing\r\nAndroid applications with spyware and distributing them to targets through social media.\r\nIndividuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan\r\nregions should evaluate defense against this actor and threat.\r\nDefensive and preventative measures should include:\r\nDo not install Android applications outside of the Google Play store.\r\nBe wary of new social media applications advertised within social media communities.\r\nEvaluate the permissions requested by an application, especially an application you are not\r\nfamiliar with. 
Do these permissions expose you to more risk than the potential benefit of the app?\r\nDo not install a third-party version of an application already on your device.\r\nCapraRAT malware is fully detected by SentinelOne’s Singularity Mobile solution.\r\nIndicators of Compromise (IOC)\r\nFile Hashes – SHA1\r\n14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma APK\r\n83412f9d757937f2719ebd7e5f509956ab43c3ce – CapraRAT, YouTube_052647.apk\r\n8beab9e454b5283e892aeca6bca9afb608fa8718 – CapraRAT, yt.apk\r\nC2 Network Communications\r\nnewsbizshow.net\r\nptzbubble.shop\r\nshareboxs.net\r\n95[.]111.247.73\r\n209[.]127.19.241\r\nSource: https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
	],
	"report_names": [
		"capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9679af1dfce4e2caf682cb71ef79835b604ef14c.pdf",
		"text": "https://archive.orkl.eu/9679af1dfce4e2caf682cb71ef79835b604ef14c.txt",
		"img": "https://archive.orkl.eu/9679af1dfce4e2caf682cb71ef79835b604ef14c.jpg"
	}
}