{
	"id": "f6bed8eb-26d6-42a0-92a7-19420c29921d",
	"created_at": "2026-04-06T00:08:35.000975Z",
	"updated_at": "2026-04-10T03:36:50.40627Z",
	"deleted_at": null,
	"sha1_hash": "a65c72b739b261f350e7a22d499b7f19eada5744",
	"title": "Transparent Tribe begins targeting education sector in latest campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1534160,
	"plain_text": "Transparent Tribe begins targeting education sector in latest\r\ncampaign\r\nBy Asheer Malhotra\r\nPublished: 2022-07-13 · Archived: 2026-04-05 19:12:29 UTC\r\nCisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group.\r\nThis campaign involves the targeting of educational institutions and students in the Indian subcontinent, a\r\ndeviation from the adversary's typical focus on government entities.\r\nThe attacks result in the deployment of CrimsonRAT, Transparent Tribe's malware of choice for\r\nestablishing long-term access into victim networks.\r\nWe assess with high confidence that a Pakistani web hosting services provider \"Zain Hosting\" was used for\r\ndeploying and operating components of Transparent Tribe's infrastructure. This is likely one of many third\r\nparties Transparent Tribe employs to prepare, stage and/or deploy components of their operation.\r\nOverview\r\nCisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against\r\nstudents at various educational institutions in India. This campaign was partially covered by another security firm,\r\nbut our findings reveal more details regarding the adversary's operations.\r\nTypically, this APT group focuses on targeting government (government employees, military personnel) and\r\npseudo-government entities (think tanks, conferences, etc.) using remote access trojans (RATs) such as\r\nCrimsonRAT and ObliqueRAT. However, in this new campaign dating back to December 2021, the adversary is\r\ntargeting students of universities and colleges in India. 
This new campaign also suggests that the APT is actively\r\nexpanding its network of victims to include civilian users.\r\nWe also assess with high confidence that a Pakistani web hosting services provider, \"ZainHosting\", was employed\r\nby the APT for deploying and operating parts of Transparent Tribe's infrastructure used in this campaign.\r\nThreat actor profile\r\nTransparent Tribe is a suspected Pakistan-linked threat actor. This group typically targets individuals and entities\r\nassociated with governments and military personnel in the Indian subcontinent, specifically Afghanistan and India.\r\nTransparent Tribe has also been known to use their CrimsonRAT implant against human rights activists in\r\nPakistan.\r\nThe group primarily uses three Windows-based malware families to carry out espionage activities against their\r\ntargets.\r\nCrimsonRAT is a .NET-based implant that has been the group's malware of choice since at least 2020. Transparent\r\nTribe's multiple campaigns leveraging CrimsonRAT over the years indicate a steady evolution in the\r\nhttps://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html\r\nPage 1 of 10\n\nimplant's capabilities.\r\nObliqueRAT is a C/C++-based implant discovered by Talos in early 2020. ObliqueRAT is primarily\r\nreserved for hyper-targeted attacks on government personnel and in operations where stealth is a prime\r\nfocus of the attackers' infection chain. This implant has also seen a constant evolution in deployment tactics\r\nand malicious functionalities over time.\r\nCustom malware used by Transparent Tribe consists of easily and quickly deployable downloaders,\r\ndroppers and lightweight RATs with limited capabilities compared to CrimsonRAT and\r\nObliqueRAT.\r\nTransparent Tribe also maintains a suite of mobile implants in their arsenal. Implants such as CapraRAT are\r\nconstantly modified to be deployed against targets. These implants contain a plethora of malicious capabilities\r\nmeant to steal data from mobile devices.\r\n
Attack details: Infection chain\r\nThe attack consists of a maldoc delivered to the target as an attachment or a link to a remote location via a spear-phishing email. The maldocs consist of malicious VBA macros commonly observed in previous Transparent Tribe\r\ncampaigns. The macros extract an embedded archive file from the maldoc and unzip it to execute a copy of the\r\nmalware in the archive file. The malware in the archive files is CrimsonRAT.\r\nMalicious macro dropping embedded zip to disk.\r\nCrimsonRAT\r\nThe CrimsonRAT payloads deployed in this campaign are very similar to those from past Transparent Tribe\r\ncampaigns. It is the staple implant of choice for Transparent Tribe to establish long-term access into victim\r\nnetworks. This RAT is actively updated, adding new capabilities and obfuscating the implant.\r\nThe latest version of CrimsonRAT seen in this campaign contains a number of capabilities, including:\r\nList files and folders in a directory path specified by the command and control (C2).\r\nRun specific processes on the endpoint, such as keylogger and USB modules.\r\nList process IDs and names running on the endpoint.\r\nGet information, such as name, creation times and size of image files (pictures such as BMP, JPG, etc.)\r\nspecified by the C2.\r\nTake screenshots of the current screen and send them to the C2.\r\nUpload keylogger logs from a file on disk to the C2.\r\nSend system information to the C2, including:\r\nComputer name, username, operating system name, the file path of implant and parent folder path.\r\nIndicator of whether the keylogger module is in the endpoint and running and its version.\r\nIndicator of whether the USB module is in the endpoint and running and its version.\r\n
Run arbitrary commands on the system.\r\nWrite data sent by the C2 to a file on disk.\r\nRead contents of a file on disk and exfiltrate to the C2.\r\nList all drives on the system.\r\nList all files in a directory.\r\nDownload the USB worm and keylogger modules from the C2 and write them to disk.\r\nSend a file's name, creation time and size to the C2 for a file path specified by the C2.\r\nDelete files specified by the C2 from the endpoint.\r\nGet names, creation times and size of all files with the file extension specified by the C2.\r\nInfrastructure and attribution\r\nCampaign Infrastructure\r\nA number of these maldocs and archives containing these maldocs were hosted on the domains registered by the\r\nattackers, with the earliest domain registered in June 2021. These domains were named so that they would appear\r\nrelevant to students and educational entities in India. Some examples of domains registered by the threat actor are:\r\nstudentsportal[.]live\r\nstudentsportal[.]website\r\nstudentsportal[.]co\r\nHowever, we've also discovered the use of additional media-themed domains that the attackers are preparing to\r\nuse in parallel campaigns against their targets. These domains are in line with Transparent Tribe's tactic of using\r\nmalicious file-sharing domains we've observed in previous attacks and campaigns.\r\ncloud-drive[.]store\r\nuser-onedrive[.]live\r\ndrive-phone[.]online\r\nDuring the course of our research, we discovered SSL certificate overlaps with another domain registered by the\r\nattackers in June 2021, geo-news[.]tv, using the email address immikhan034[@]gmail[.]com. This domain is a\r\ntypo-squatted version of geo[.]tv, a legitimate Pakistani news website. Subdomains on the malicious typo-squatted\r\ndomain include those that hosted SSL certificates for the student and media-themed malicious domains:\r\n
cloud-drive.geo-news.tv\r\ndrive-phone.geo-news.tv\r\nstudentsportal.geo-news.tv\r\nuser-onedrive.geo-news.tv\r\nAll the malicious domains have recently resolved to the same IP address: 198[.]37[.]123[.]126. This strongly\r\nsuggests shared infrastructure among all the malicious domains.\r\nSSL certificate for geo-news[.]tv.\r\nHoneytraps\r\nMany of the domains registered by the attackers for this campaign consisted of rudimentary websites with front\r\npages containing embedded Google Drive folders. All of these folders contained pictures of women. It is highly\r\nlikely that these front pages will be used as stagers for honeytrap-based attacks in the future, another tactic typical\r\nof the Transparent Tribe APT.\r\nGoogle Drive folder embedded in the fake website operated by Transparent Tribe.\r\nInfrastructure attribution\r\nThe DNS SOA records for all the malicious domains utilized in this APT campaign contain a common\r\nadministrator email address: rupees001[at]gmail[.]com. This email address has been used to register and\r\nadminister approximately 2,000 legitimate and malicious domains. However, there are a couple of domains in this\r\nlist that stand out:\r\nzainhosting[.]net\r\nvebhost[.]com\r\nOf the two domains, vebhost[.]com hosts a dummy website that advertises website-building services. The\r\nmalicious domains used in this campaign, such as studentsportal[.]live and others, use vebhost[.]com name\r\nservers, specifically:\r\nns1[.]vebhost[.]com\r\nns2[.]vebhost[.]com\r\nTherefore, it is highly likely that the operators registering and maintaining the malicious domains also operate\r\nweb-hosting services through vebhost[.]com.\r\n
The second domain, zainhosting[.]net, belongs to a seemingly legitimate web services and hosting provider called\r\n\"Zain Hosting\" based out of Lahore, Pakistan.\r\nApart from zainhosting[.]net, the hosting provider also operates zainhosting[.]com, which is this business' primary\r\nfront for their legitimate operations. Interestingly, vebhost[.]com uses zainhosting[.]com's name servers:\r\nns5.zainhosting.com\r\nns6.zainhosting.com\r\nZainHosting advertises their services heavily on Facebook and has been active since at least 2010. Their webpage\r\nfrom 2010 listed rupees001[at]gmail[.]com as a contact address for the business. This email has since been used to\r\nregister, renew and administer several malicious web pages over time, including the malicious domains used by\r\nthe Transparent Tribe APT in their most recent campaign.\r\nZainHosting webpage from 2010 listing rupees001[at]gmail[.]com as a contact address.\r\nAll three sets of domains -- the malicious Transparent Tribe infrastructure, vebhost[.]com and\r\nzainhosting[.]net/com -- are clearly related, with \"ZainHosting\" owning and operating the malicious\r\ninfrastructure. However, the entire scope of ZainHosting's role in the Transparent Tribe organization is still\r\nunknown. We believe with high confidence that ZainHosting is just one of the many infrastructure contractors\r\nhired by Transparent Tribe. Such contractors might be hired to simply prepare and stage the APT's infrastructure\r\nand possibly be given packages (archives, etc.) containing malicious artifacts to deploy, which are then distributed\r\nby the APT operators themselves to targets of interest.\r\n
Conclusion\r\nTransparent Tribe has been aggressively trying to widen its net of victims in the Indian subcontinent. Their\r\noperations date back to at least 2016 and have largely focused on infecting government and military\r\nofficials in Afghanistan and India. Over the past few years, we saw the APT begin targeting pseudo-government\r\nentities and individuals belonging to think tanks and defense contractors.\r\nHowever, their new campaign indicates that the threat actors' strategy is evolving to target civilian personnel,\r\nspecifically those connected to educational institutions. This might be in accordance with their nation-state's goal\r\nto establish long-term access and steal valuable and restricted research from premier research institutions\r\nassociated with the Indian government. Keeping tabs on an adversary nation's research endeavors is a strategic\r\ngoal adopted by many APT groups observed across the world.\r\nOrganizations must be diligent against such highly motivated adversaries that are rapidly evolving their strategies\r\nand expanding their network of targets. Defense-in-depth strategies based on a risk analysis approach can deliver\r\nthe best results in prevention. However, this should always be complemented by a good incident response plan\r\nthat has not only been tested with tabletop exercises but is also reviewed and improved every time it is put to the test in\r\nreal engagements.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\n
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here.\r\n
IOCs\r\nIOCs for this research can also be found at our Github repository here.\r\nIPs\r\n192[.]3[.]99[.]68\r\n198[.]37[.]123[.]126\r\nURLs\r\nhxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm\r\nhxxps[://]studentsportal[.]website/download[.]php?file=5-mar[.]zip\r\nSource: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html"
	],
	"report_names": [
		"transparent-tribe-targets-education.html"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a65c72b739b261f350e7a22d499b7f19eada5744.pdf",
		"text": "https://archive.orkl.eu/a65c72b739b261f350e7a22d499b7f19eada5744.txt",
		"img": "https://archive.orkl.eu/a65c72b739b261f350e7a22d499b7f19eada5744.jpg"
	}
}