{
	"id": "7c419052-a30a-4a7a-909f-0c712be309a9",
	"created_at": "2026-04-06T00:09:52.982297Z",
	"updated_at": "2026-04-10T03:36:50.298586Z",
	"deleted_at": null,
	"sha1_hash": "a9c60f6c27d6588d723acf905660f2317c1248ad",
	"title": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118953,
	"plain_text": "Transparent Tribe campaign uses new bespoke malware to target\r\nIndian government officials\r\nBy Asheer Malhotra\r\nPublished: 2022-03-29 · Archived: 2026-04-05 19:56:06 UTC\r\nBy Asheer Malhotra and Justin Thattil with contributions from Kendall McKay.\r\nCisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military\r\nentities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice,\r\nthey are also using new stagers and implants.\r\nThis campaign, which has been ongoing since at least June 2021, uses fake domains mimicking legitimate\r\ngovernment and related organizations to deliver malicious payloads, a common Transparent Tribe tactic.\r\nBased on our analysis of Transparent Tribe operations over the last year, the group has continued to change\r\nits initial entry mechanisms and incorporate new bespoke malware, indicating the actors are actively\r\ndiversifying their portfolio to compromise even more victims.\r\nNotably, the adversary has moved towards deploying small, bespoke stagers and downloaders that can be\r\neasily modified, likely to enable quick and agile operations.\r\nTransparent Tribe deploys new implants\r\nTransparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking\r\nlegitimate military and defense organizations as a core component of their operations. In the latest campaign\r\nconducted by the threat actor, Cisco Talos observed multiple delivery methods, such as executables masquerading\r\nas installers of legitimate applications, archive files and maldocs to target Indian entities and individuals. 
These\r\ninfection chains led to the deployment of three different types of implants, two of which we had not previously\r\nobserved:\r\nCrimsonRAT: A remote access trojan (RAT) family that Transparent Tribe frequently uses to conduct\r\nespionage operations against their targets.\r\nA previously unknown Python-based stager that leads to the deployment of .NET-based reconnaissance\r\ntools and RATs.\r\nA lightweight .NET-based implant to run arbitrary code on the infected system.\r\nThis campaign also uses fake domains mimicking legitimate government and pseudo-government organizations to\r\ndeliver malicious payloads, a typical Transparent Tribe tactic.\r\nThreat actor profile\r\nTransparent Tribe is a suspected Pakistan-linked threat actor. This group targets individuals and entities associated\r\nwith governments and military personnel in the Indian subcontinent, specifically Afghanistan and India.\r\nhttps://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html\r\nPage 1 of 21\n\nTransparent Tribe has also been known to use their CrimsonRAT implant against human rights activists in\r\nPakistan.\r\nThe group primarily uses three Windows-based malware families to carry out espionage activities against their\r\ntargets.\r\nCrimsonRAT is a .NET-based implant that has been the group’s malware of choice since at least 2020.\r\nTransparent Tribe’s multiple campaigns leveraging CrimsonRAT over the years indicate a steady evolution\r\nin the implant’s capabilities.\r\nObliqueRAT is a C/C++-based implant discovered by Talos in early 2020. ObliqueRAT is primarily\r\nreserved for highly targeted attacks on government personnel and in operations where stealth is a prime\r\nfocus of the attackers’ infection chain. 
This implant has also seen a constant evolution in deployment\r\ntactics and malicious functionalities over time.\r\nCustom malware used by Transparent Tribe consists of easily and quickly deployable downloaders,\r\ndroppers and lightweight RATs containing limited capabilities as opposed to CrimsonRAT and\r\nObliqueRAT.\r\nTransparent Tribe also maintains a suite of mobile implants in their arsenal. Implants such as CapraRAT are\r\nconstantly modified to be deployed against targets. These implants contain a plethora of malicious capabilities\r\nmeant to steal data from mobile devices.\r\nDownloader executables\r\nTalos observed the use of downloader executables containing different lures related to the Indian government.\r\nThemes included topics related to COVID-19, resumes and installers for government applications, such as the\r\nKavach multi-factor authentication (MFA) application.\r\nLatest variant\r\nThe latest downloaders primarily masquerade as Kavach installers and are used to deliver malicious\r\nartifacts to targets. Kavach is widely used by government personnel, as it allows employees (including military\r\npersonnel) to access the Indian government’s I.T. resources, such as email services.\r\nThese downloaders are .NET-based executables. 
They begin execution by checking if the timezone on the infected\r\nendpoint contains keywords such as “India.” A splash screen is displayed to the victim notifying them that the\r\nKavach application is being installed:\r\nFake installation splash screen\r\nThe downloaders will then reach out to a malicious website, masquerading as a legitimate Indian government or\r\npseudo-government entity, to download a malicious payload that is then activated on the endpoint.\r\nNext, the downloader fetches a legitimate copy of the Kavach application’s MSI installer from yet another\r\nattacker-controlled website and executes it to make the whole attack chain appear legitimate.\r\nDownloader fetching and executing malicious payload and legitimate installer for Kavach.\r\nAdditional variant\r\nAnother variation of the initial infection vector used in the campaign is a notably large downloader binary\r\n(141MB) that contains the entire legitimate installer (MSI) for the Kavach application in its resources. The zipped\r\ncopy of the MSI is extracted from the downloader’s resources and executed on the system as a decoy to appear\r\nlegitimate to the targets. The actual implant is then downloaded from a remote location, AES-decrypted using a\r\nhardcoded key, written to disk and executed on the infected endpoint.\r\nThe second variant of the downloader downloads and decrypts the payload from a remote location.\r\nA timeline of older variants\r\nAs early as June 2021, the attackers primarily used malicious documents (maldocs) as an initial infection vector to\r\ndeliver the malicious downloaders. This vector consisted of a malicious macro that would download and activate\r\nthe downloader on the infected endpoint. 
This practice continued into July 2021.\r\nHowever, beginning with June 2021, there was also a steady evolution in the distribution tactics used in this\r\ncampaign. Around this time, we began observing the use of non-traditional initial entry mechanisms throughout\r\nthe course of this campaign, suggesting a clear intention of aggressively infecting targets for espionage.\r\nFor instance, in June 2021, the attackers used IMG files for distribution, containing multiple infection artifacts —\r\nall COVID-19 themed — to trick targets into getting infected. Wrapping malware in IMG files is a tactic gaining\r\ntraction with crimeware operators and APTs as a way to deliver malware to victims since newer versions of\r\nWindows natively mount IMG files.\r\nMalicious IMG distributed by Transparent Tribe.\r\nThe malicious image consists of four files:\r\nMalicious Python-based stager.\r\nDecoy PDF document containing a COVID-19-themed lure.\r\nVBS file for executing the stager and displaying the decoy.\r\nMalicious LNK file for activating the VBS on the endpoint.\r\nIn September 2021, the actors switched up their initial infection artifact and used VHDX files delivering the\r\nmalicious droppers. Files inside a mounted VHDX do not inherit the Mark of the Web (MOTW) of the container, so\r\nartifacts such as maldocs delivered through these wrappers are not identified as originating from the internet by\r\nOffice applications such as Word and Excel 
- allowing the attackers to run malicious code on the endpoint without any Microsoft\r\nwarnings.\r\nThe variant of the downloaders used here, previously disclosed by Cyble, masqueraded as an app from the\r\nCanteen Stores Department (CSD) of the Government of India. On execution, this variant would open the\r\nlegitimate website for CSD on the target’s system. However, as seen previously with Transparent Tribe, the threat\r\nactors continued the development of similar infection chains consisting of various themes to distribute their\r\nmalware without regard for any previous public disclosures.\r\nThe threat actor then introduced the use of RAR archives to distribute malware in November 2021. The\r\nRAR archive consisted of the downloader, this time downloading a highly specific decoy PDF containing the\r\nwork history of an Indian government official. The RAR archives are typically password-protected and hosted on\r\npublic media sharing websites. Therefore, it is highly likely that Transparent Tribe used spearphishing emails to\r\ndeliver both the download URLs for the archives and the archive passwords to their targets.\r\nTimeline of the evolution of entry vectors:\r\nImplant analyses\r\nCrimsonRAT\r\nCrimsonRAT is a RAT implant with a wide variety of capabilities. It is the staple\r\nimplant of choice for Transparent Tribe to establish long-term access into victim networks. 
The APT group actively\r\nmaintains this RAT, and over the years it has received considerable updates, adding new capabilities as well as\r\nobfuscation to the implant.\r\nThe latest version of CrimsonRAT seen in this campaign in January and February 2022 contains a number of\r\ncapabilities, including:\r\nList files and folders in a directory path specified by the C2.\r\nRun specific processes on the endpoint — keylogger and USB modules.\r\nList process IDs and names running on the endpoint.\r\nGet information such as name, creation times and size of image files (pictures such as BMP, JPG etc.)\r\nspecified by the C2.\r\nTake screenshots of the current screen and send them to the C2.\r\nUpload keylogger logs from a file on disk to the C2.\r\nSend system information to the C2 including:\r\nComputer name, username, operating system name, file path of the implant, parent folder path.\r\nIndicator of whether the keylogger module is present on the endpoint and running, and its version.\r\nIndicator of whether the USB module is present on the endpoint and running, and its version.\r\nRun arbitrary commands on the system.\r\nWrite data sent by the C2 to a file on disk.\r\nRead contents of a file on disk and exfiltrate to the C2.\r\nList all drives on the system.\r\nList all files in a directory.\r\nDownload the USB worm and keylogger modules from the C2 and write them to disk.\r\nSend a file’s name, creation time and size to the C2 (the file path is specified by the C2).\r\nDelete files specified by the C2 from the endpoint.\r\nGet names, creation times and size of all files containing the file extension specified by the C2.\r\nCode Snippet: CrimsonRAT command handler.\r\nSeen in:\r\nJan-Feb 2022: Deployed by Kavach-themed downloaders.\r\nLightweight implant\r\nA new lightweight, .NET-based implant was 
also seen in this campaign in several infection chains. This implant\r\nhas limited capabilities when compared to CrimsonRAT but contains enough functionality to control and monitor\r\nthe infected system. Capabilities include:\r\nList all running processes on the endpoint.\r\nDownload and execute a file from the C2.\r\nDownload and execute a file specified by the C2 from another remote location.\r\nClose connection with the C2 until the next run.\r\nGather system information from the endpoint such as computer name, username, public and local IPs,\r\noperating system name, list of running AVs, device type (desktop or laptop).\r\nThe implant also persists via an InternetShortcut (.url file) in the current user’s Startup directory.\r\nImplant downloading and executing a file from a remote location.\r\nSeen in:\r\nJan-Feb 2022: Deployed by Kavach-themed downloaders.\r\nNovember 2021: Seen in infection chains using RAR archives hosted on CMS.\r\nSeptember 2021: Deployed by CSD-themed downloaders.\r\nPython-based stagers\r\nWe’ve also observed the use of Python-based stagers throughout this campaign. 
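Triaging a PyInstaller-built stager, as an added example that is not part of the Talos post and not the actors’ code. The stagers in this section are PyInstaller EXEs, so the first analysis step is to confirm the packaging and list what is bundled (the entry-point scripts, the PYZ module archive, the Python runtime DLL) before decompiling anything. The parser below reads the CArchive cookie and table of contents in the PyInstaller 2.1+ layout, the same fields pyinstxtractor relies on, and pulls out the embedded scripts. It runs against a small archive constructed inline; the entry names, the c2.example hostname in the fake settings script and the python38.dll name are invented for the demo, not indicators from this campaign.

```python
import struct
import zlib

# PyInstaller CArchive magic: the ASCII bytes MEI followed by 0c 0b 0a 0b 0e.
MAGIC = bytes([0x4D, 0x45, 0x49, 0x0C, 0x0B, 0x0A, 0x0B, 0x0E])
# Cookie (PyInstaller 2.1+ layout, big-endian): magic, package length, TOC offset,
# TOC length, Python version, 64-byte Python library name.
COOKIE_FMT = '!8sIIII64s'
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
# TOC entry header: entry length, data offset, compressed size, uncompressed size,
# compression flag, one-byte type code; the null-padded name follows.
ENTRY_FMT = '!IIIIBc'
ENTRY_HDR = struct.calcsize(ENTRY_FMT)
TYPE_NAMES = {'s': 'script', 'z': 'pyz', 'b': 'binary', 'x': 'data', 'm': 'module'}

def parse_pyinstaller_archive(blob):
    '''Return the cookie fields and TOC entries of a PyInstaller-built EXE, or None.'''
    cookie_pos = blob.rfind(MAGIC)   # search from the end: a signature may follow the cookie
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(blob):
        return None
    _magic, package_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    overlay_pos = cookie_pos + COOKIE_SIZE - package_len   # package length includes the cookie
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    entries = []
    pos = overlay_pos + toc_off
    end = pos + toc_len
    while pos + ENTRY_HDR <= end:
        entry_len, data_off, csize, usize, flag, typ = struct.unpack(
            ENTRY_FMT, blob[pos:pos + ENTRY_HDR])
        if entry_len < ENTRY_HDR:
            break   # corrupt TOC; stop rather than loop forever
        name = blob[pos + ENTRY_HDR:pos + entry_len].decode('utf-8').rstrip(chr(0))
        code = typ.decode('ascii')
        entries.append({'name': name, 'type': TYPE_NAMES.get(code, code), 'compressed': flag == 1,
                        'offset': overlay_pos + data_off, 'csize': csize, 'usize': usize})
        pos += entry_len
    return {'python': str(major) + '.' + str(minor),
            'pylib': pylib.rstrip(bytes(1)).decode('utf-8'), 'entries': entries}

def extract_entry(blob, entry):
    '''Return one entry's bytes, inflating with zlib when the compression flag is set.'''
    data = blob[entry['offset']:entry['offset'] + entry['csize']]
    return zlib.decompress(data) if entry['compressed'] else data

def triage(blob):
    '''Summarise a binary: PyInstaller-packed or not, what it bundles, and the text of its scripts.'''
    info = parse_pyinstaller_archive(blob)
    if info is None:
        return {'pyinstaller': False}
    scripts = {e['name']: extract_entry(blob, e).decode('utf-8', 'replace')
               for e in info['entries'] if e['type'] == 'script'}
    return {'pyinstaller': True, 'python': info['python'], 'pylib': info['pylib'],
            'entry_names': [e['name'] for e in info['entries']], 'scripts': scripts}

def build_sample_archive(entries, pylib=b'python38.dll', pyver=308):
    '''Constructed test input: an MZ stub standing in for the bootloader, then a CArchive
    laid out as PyInstaller writes it: [entry data][TOC][cookie].'''
    prefix = bytes([0x4D, 0x5A]) + bytes(62)
    data_blob = b''
    toc = b''
    for name, typ, payload, compress in entries:
        stored = zlib.compress(payload) if compress else payload
        raw_name = name.encode('utf-8') + bytes(1)
        raw_name += bytes((-(ENTRY_HDR + len(raw_name))) % 16)   # pad entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_HDR + len(raw_name), len(data_blob), len(stored),
                           len(payload), 1 if compress else 0, typ) + raw_name
        data_blob += stored
    package_len = len(data_blob) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, package_len, len(data_blob), len(toc), pyver, pylib)
    return prefix + data_blob + toc + cookie

# Constructed stand-in for a stager: the entry script imports its settings from a second
# bundled script, mirroring the split configuration the post describes. Names are invented.
SAMPLE = build_sample_archive([
    ('python38.dll', b'b', bytes(64), False),
    ('settings', b's', b'C2_HOST = c2.example', True),
    ('stager', b's', b'import settings, platform; print(platform.node(), settings.C2_HOST)', True),
])

if __name__ == '__main__':
    import sys
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE
    print(triage(blob))
```

Run it with a sample path as the only argument to list the entries of a real binary. The type-s entries are the scripts to decompile, and a separate settings script like the one the post describes is where the C2 URLs would sit; the version string from the cookie tells you which Python the embedded .pyc files need for decompilation. Searching for the magic from the end of the file tolerates trailing data such as an Authenticode signature.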
These stagers are PyInstaller-based EXEs and consist of the following functionalities:\r\nCollect system information from the endpoint consisting of all running process names, computer name and\r\nOS name and send it to a remote C2 URL.\r\nDrop one of two embedded files (selected based on whether the endpoint is Windows 7) into the current user’s\r\nStartup folder; the dropped file activates a malicious DLL, which is the actual recon tool.\r\nParse responses from the C2 to obtain data that is then written to a file on disk.\r\nAll configuration the stager needs to function is kept in a separate Python file.\r\nStager configuration information.\r\nSeen in:\r\nJune 2021: Maldocs.\r\nJune 2021: IMG files.\r\nEmbedded implant\r\nThe embedded implants deployed by the Python-based stager simply activate a malicious DLL existing on\r\ndisk by loading and running it in the embedded implant’s process. The DLL loaded is the actual malicious\r\nreconnaissance tool used by the attackers.\r\nRecon tool\r\nThe DLL implant will first send a beacon to the C2 server URL to indicate that it has been successfully deployed.\r\nThe C2 server must reply with a specific keyword such as “onlyparanoidsurvive” for the implant to start accepting\r\ncommands from another C2 URL. The implant will first send a list of all files in the current user’s Cookie\r\ndirectory to the C2. In response, the C2 may send the “senddevices” command to the implant. 
If this command is\r\nreceived, the implant will send the following data to a third C2 URL:\r\nOS Caption from CIM_OperatingSystem.\r\nAll local IP addresses of the infected endpoint.\r\nDevice type — desktop or laptop.\r\nProduct version of the executable in which the DLL has been loaded.\r\nImplant gathering system information for exfiltration to the C2.\r\nThe implant will then proceed to get executables from the remote C2 server that are then executed on the infected\r\nendpoint.\r\nHelper DLL used to execute binaries on the endpoint.\r\nTargeting and attribution\r\nThis campaign saw the use of multiple types of lures and decoys to target Indian government personnel. This is a\r\ntargeting tactic typical of groups operating under the Pakistani nexus of APT groups, such as Transparent Tribe\r\nand SideCopy.\r\nFor example, in July 2021, we saw the attackers use themes related to the 7th Indian Central Pay Commission (7th\r\nCPC) for government employees in maldocs to deliver the Python-based stager that deployed malware on the\r\ninfected endpoints. Transparent Tribe will frequently use the 7th CPC as a topic of interest to trick victims into\r\nopening maldocs and infecting themselves.\r\nMaldoc with 7th CPC themes.\r\nWe also saw the use of COVID-themed lures and decoys containing advisories primarily targeting employees of\r\nthe government of India. 
This is another tactic that Transparent Tribe has utilized in past operations.\r\nCOVID-19-themed decoy used against government employees.\r\nOver the past year, we have observed this threat actor heavily utilize women’s resumes to target individuals of\r\ninterest. This is in line with their tactic of honey trapping targets by using such malicious resumes and executables\r\nthat display alluring pictures. This campaign, however, used a similar yet distinct theme. Instead of resumes, we\r\nobserved the use of a decoy document in November 2021 that detailed a male Indian Ministry of Defence (MoD)\r\nemployee’s work experience.\r\nService history of an MoD official used as a lure/decoy.\r\nAnother TTP used by Transparent Tribe in their operations is the cloning of legitimate websites into fake ones\r\nowned and operated by the attackers. These fake websites are used along with typo-squatted or similarly spelled\r\ndomains to appear legitimate but serve malicious artifacts as part of the attackers’ infection chains. One such\r\nexample in this campaign is the malicious domain dsoi[.]info. This domain is a direct copy of the legitimate\r\nwebsite of the Defence Service Officers’ Institute (DSOI) of India, created by cloning content using HTTrack, a\r\nfree website copier program.\r\nWe’ve seen this tactic (cloning legitimate websites using HTTrack) used by Transparent Tribe in the past to\r\ndeliver ObliqueRAT malware payloads around mid-2021.\r\nTransparent Tribe commonly uses malicious artifacts against Indian targets, masquerading as legitimate\r\napplications maintained by the government of India. In September 2021, Talos disclosed Operation Armor Piercer,\r\nwhich consisted of the use of themes pertaining to the Kavach MFA application to spread commodity RATs. 
The\r\nSideCopy APT group also uses trojans such as MargulasRAT pretending to be a VPN application for India’s\r\nNational Informatics Centre (NIC). This new campaign from Transparent Tribe also saw fake installers for the\r\nKavach application being used to deploy CrimsonRAT and other malware.\r\nThe use of CrimsonRAT in operations such as these is expected of Transparent Tribe. It has been seen in the wild\r\nfor years and is the tool of choice for the threat actors in campaigns that cast a relatively wide net for targeting\r\ntheir victims. This is unlike ObliqueRAT, which is used in highly targeted operations by Transparent Tribe.\r\nThe use of new bespoke malware in addition to the RATs indicates the group is diversifying their malware\r\nportfolio to achieve an even greater degree of success. In another common trend, we have also observed\r\nTransparent Tribe quickly develop and deploy bespoke, small and lightweight stagers and downloaders that can be\r\nmodified with relative ease (and discarded if needed), leading to the deployment of their actual implants meant to\r\nprovide long-term access into their targets’ networks and systems.\r\nConclusion\r\nTransparent Tribe has been a highly active APT group in the Indian subcontinent. Their primary targets have been\r\ngovernment and military personnel in Afghanistan and India. This campaign furthers this targeting and their\r\ncentral goal of establishing long-term access for espionage. The use of multiple types of delivery vehicles and file\r\nformats indicates that the group is aggressively trying to infect their targets with their implants such as\r\nCrimsonRAT. They have continued the use of fake domains masquerading as government and quasi-government\r\nentities, as well as the use of generically themed content-hosting domains to host malware. 
Although not very\r\nsophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their\r\ntargets.\r\nOrganizations should remain vigilant against such threats, as they are likely to proliferate in the future. Defense-in-depth\r\nstrategies based on a risk analysis approach deliver the best results in prevention. However, they\r\nshould always be complemented by a good incident response plan that has not only been tested with tabletop\r\nexercises but is also reviewed and improved every time it is put to the test on a real engagement.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSnort SIDs: 59222-59223\r\nThe following ClamAV signatures are available for protection against this threat:\r\nVbs.Downloader.Agent-9940743-0\r\nWin.Downloader.TransparentTribe-9940744-0\r\nWin.Trojan.MargulasRAT-9940745-0\r\nWin.Downloader.Agent-9940746-0\r\nWin.Trojan.MSILAgent-9940762-1\r\nWin.Trojan.PythonAgent-9940791-0\r\nLnk.Trojan.Agent-9940793-0\r\nWin.Trojan.TransparentTribe-9940795-0\r\nWin.Trojan.TransparentTribe-9940801-0\r\nWin.Downloader.TransparentTribe-9940802-0\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. 
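Hunting the lightweight implant’s Startup persistence without Orbital, as an added example that is neither Talos’s OSquery nor any Cisco product code. The implant described above drops an InternetShortcut (.url) file into the user’s Startup folder; at logon Explorer opens every item in that folder, and for a .url file that means handing the URL= value to the shell, so a file: URL or a bare local path runs the target directly (a web URL ending in an executable extension is worth a look too). The script below parses every .url in the Startup folders, classifies the target and reports anything that is not a plain web bookmark. The folder it creates and the shortcut names and paths inside it are constructed for the demo and are not indicators from this campaign.

```python
import configparser
import os
import tempfile
from urllib.parse import urlparse

BACKSLASH = chr(92)   # a literal backslash, kept out of the string literals below
EXEC_EXTENSIONS = ('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.hta', '.ps1', '.msi', '.lnk')

def default_startup_folders():
    '''Per-user and all-users Startup folders on Windows; unset environment variables are skipped.'''
    folders = []
    if os.environ.get('APPDATA'):
        folders.append(os.path.join(os.environ['APPDATA'], 'Microsoft', 'Windows',
                                    'Start Menu', 'Programs', 'Startup'))
    if os.environ.get('ProgramData'):
        folders.append(os.path.join(os.environ['ProgramData'], 'Microsoft', 'Windows',
                                    'Start Menu', 'Programs', 'StartUp'))
    return folders

def parse_internet_shortcut(text):
    '''Parse the INI-style .url body; return the [InternetShortcut] keys, or None if malformed.'''
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str            # keep key case: URL, WorkingDirectory, IconFile
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section('InternetShortcut'):
        return None
    return dict(cp.items('InternetShortcut'))

def classify_target(url):
    '''Return why the shortcut target would run local code at logon, or None for a plain web bookmark.'''
    target = url.strip()
    parsed = urlparse(target)
    if parsed.scheme == 'file':
        return 'file: URL launches a local path'
    if len(target) > 2 and target[1] == ':' and target[2] in ('/', BACKSLASH):
        return 'bare drive-letter path'   # checked before the scheme test: urlparse reads C: as a scheme
    if target.startswith(BACKSLASH * 2) or target.startswith('//'):
        return 'UNC path'
    if parsed.scheme not in ('http', 'https'):
        return 'non-web scheme ' + (parsed.scheme or '(none)')
    if parsed.path.lower().endswith(EXEC_EXTENSIONS):
        return 'web URL pointing at an executable'
    return None

def scan_shortcut(path, text):
    '''Return a finding for one .url file, or None when it is a plain web bookmark.'''
    keys = parse_internet_shortcut(text)
    if keys is None or 'URL' not in keys:
        return {'file': path, 'reason': 'malformed .url or missing URL= key', 'target': None}
    reason = classify_target(keys['URL'])
    if reason is None:
        return None
    return {'file': path, 'reason': reason, 'target': keys['URL'],
            'working_dir': keys.get('WorkingDirectory')}

def hunt_startup(folders):
    '''Walk the given Startup folders and return a finding for every suspicious .url file.'''
    findings = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.lower().endswith('.url'):
                continue
            full = os.path.join(folder, name)
            with open(full, 'r', encoding='utf-8', errors='replace') as fh:
                finding = scan_shortcut(full, fh.read())
            if finding is not None:
                findings.append(finding)
    return findings

def demo_startup_dir():
    '''Constructed sample folder: a benign intranet bookmark and a hypothetical implant-style shortcut.'''
    folder = tempfile.mkdtemp(prefix='startup-demo-')
    samples = {
        'Intranet Portal.url': '''[InternetShortcut]
URL=https://intranet.example.test/
''',
        'Updater.url': '''[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/updater/update.exe
WorkingDirectory=C:/Users/victim/AppData/Roaming/updater
IconIndex=0
''',
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return folder

if __name__ == '__main__':
    import sys
    folders = sys.argv[1:] or default_startup_folders() or [demo_startup_dir()]
    for finding in hunt_startup(folders):
        print(finding)
```

On Windows, running it with no arguments scans the per-user and all-users Startup folders; elsewhere, or where APPDATA is unset, it falls back to the constructed sample folder. Hash whatever a hit points at and compare it with the lightweight implant hashes in the IOC list, and treat every hit as worth a look: a .url file in Startup is unusual on a managed endpoint even when its target turns out to be benign.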
For specific OSqueries on this threat, click below:\r\nDownloader\r\nMaldoc\r\nPython stagers\r\nIOCs\r\nMaldocs\r\n15b90d869b4bcc3cc4b886abbf61134e408088fdfbf48e9ab5598a4c80f6f4d8\r\nd2113b820db894f08c47aa905b6f643b1e6f38cce7adf7bf7b14d8308c3eaf6e\r\nDownloaders\r\nb0ecab678b02fa93cf07cef6e2714698d38329931e5d6598b98ce6ee4468c7df\r\n2ca028a2d7ae7ea0c55a1eeccd08a9386f595c66b7a0c6099c0e0d7c0ad8b6b8\r\n9d4e6da67d1b54178343e6607aa459fd4d711ce372de00a00ae5d81d12aa44be\r\n2b32aa56da0f309a6cd5d8cd8b3e125cb1b445b6400c3b22cf42969748557228\r\n1ba7cf0050343faf845553556b5516d96c7c79f9f39899839c1ca9149cf2d838\r\n84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34\r\ndd23162785ed4e42fc1abed4addcab2219f45c802cccd35b2329606d81f2db71\r\n4d14df9d5fa637dae03b08dda8fe6de909326d2a1d57221d73ab3938dfe69498\r\n2bb2a640376a52b1dc9c2b7560a027f07829ae9c5398506dc506063a3e334c3a\r\naadaa8d23cc2e49f9f3624038566c3ebb38f5d955b031d47b79dcfc94864ce40\r\nb3bc8f9353558b7a07293e13dddb104ed6c3f9e5e9ce2d4b7fd8f47b0e3cc3a5\r\n5911f5bd310e943774a0ca7ceb308d4e03c33829bcc02a5e7bdedfeb8c18f515\r\nLightweight implant\r\nf66c2e249931b4dfab9b79beb69b84b5c7c4a4e885da458bc10759c11a97108f\r\n011bcca8feebaed8a2aa0297051dfd59595c4c4e1ee001b11d8fc3d97395cc5c\r\n5c341d34827c361ba2034cb03dea665a873016574f3b4ff9d208a9760f61b552\r\nd9037f637566d20416c37bad76416328920997f22ffec9340610f2ea871522d8\r\n124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce\r\nCrimsonRAT\r\n67ad0b41255eca1bba7b0dc6c7bd5bd1d5d74640f65d7a290a8d18fba1372918\r\na0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a\r\nPython-based downloaders\r\nb9fea0edde271f3bf31135bdf1a36e58570b20ef4661f1ab19858a870f4119ba\r\ndc1a5e76f486268ca8b7f646505e73541e1dc8578a95593f198f93c9cd8a5c8d\r\n99e6e510722068031777c6470d06e31e020451aa86b3db995755d1af49cc5f9e\r\nIntermediate 
artifacts\r\n892a753f31dadf1c6e75f1b72ccef58d29454b9f4d28d73cf7e20d137ce6dd8d\r\nc828bccfc34f16983f624f00d45e54335804b77dd199139b80841ad63b42c1f3\r\n0d3f5ca81f62b8a68647a4bcc1c5777d3e865168ebb365cab4b452766efc5633\r\na0964a46212d50dbbbbd516a8a75c4764e33842e8764d420abe085d0552b5822\r\n4162eaeb5826f3f337859996fc7f22442dd9b47f8d4c7cf4f942f666b1016661\r\ne3e9bbdaa4be7ad758b0716ee11ec67bf20646bce620a86c1f223fd2c8d43744\r\n56f04a39103372acc0f5e9b01236059ab62ea3d5f8236280c112e473672332b1\r\nLNK\r\n08603759173157c2e563973890da60ab5dd758a02480477e5286fccef72ef1a2\r\nVBS\r\n2043e8b280ae016a983ecaea8e2d368f27a31fd90076cdca9cef163d685e1c83\r\nRAR\r\nadc8e40ecb2833fd39d856aa8d05669ac4815b02acd1861f2693de5400e34f72\r\nIMG\r\nadaf7b3a432438a04d09c718ffddc0a083a459686fd08f3955014e6cf3abeec1\r\nVHDX\r\n5e645eb1a828cef61f70ecbd651dba5433e250b4724e1408702ac13d2b6ab836\r\nIPs\r\n144[.]91.79.40\r\n194[.]163.129.89\r\n200[.]202.100.110\r\n206[.]215.155.105\r\n45[.]147.228.195\r\n5[.]189.170.84\r\nDomains\r\nzoneflare[.]com\r\nsecure256[.]net\r\ndirectfileshare[.]net\r\ndsoi[.]info\r\ndownload[.]kavach-app[.]in\r\nkavach-app[.]in\r\notbmail[.]com\r\nURLs\r\nhxxp://directfileshare[.]net/DA-Updated.xls\r\nhxxp://directfileshare[.]net/dd/m.exe\r\nhxxp://download[.]kavach-app[.]in/Kavach.msi\r\nhxxp://dsoi[.]info/downloads/chrmeziIIa.exe\r\nhxxp://iwestcloud[.]com/Pick@Whatsoever/Qu33nRocQCl!mbing.php\r\nhxxp://iwestcloud[.]com/Pick@Whatsoever/S3r\u0026eryvUed.php\r\nhxxp://zoneflare[.]com/C2L!Dem0\u0026PeN/A@llPack3Ts/Cert.php\r\nhxxp://zoneflare[.]com/C2L!Dem0\u0026PeN/A@llPack3Ts/Cor2PoRJSet!On.php\r\nhxxp://zoneflare[.]com/C2L!Dem0\u0026PeN/A@llPack3Ts/Dev3l2Nmpo7nt.php\r\nhxxp://zoneflare[.]com/C2L!Dem0\u0026PeN/A@llPack3Ts/f3dlPr00f.php\r\nhxxp://zoneflare[.]com/C2L!Dem0\u0026PeN/A@llPack3Ts/xwunThedic@t6.php\r\nhxxp://zonef
lare[.]com/R!bB0nBr3@k3r/FunBreaker.php\r\nhxxp://zoneflare[.]com/R!bB0nBr3@k3r/tallerthanhills.php\r\nhxxp://zoneflare[.]com/R!bB0nBr3@k3r/zoneblue/mscontainer.dll\r\nhxxps://drive[.]google[.]com/uc?export=download\u0026id=1kMeI1R-7sthlqWaPrp8xiNcQLjbKY9qf\r\nhxxps://kavach-app[.]in/auth/ver4.mp3\r\nhxxps://secure256[.]net/pdf/ServicedetailforDARevision.pdf\r\nhxxps://secure256[.]net/ver4.mp3\r\nhxxps://zoneflare[.]com/uipool.scr\r\nSource: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
	],
	"report_names": [
		"transparent-tribe-new-campaign.html"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b01b0683-5c7c-4070-ba0c-4fdede370995",
			"created_at": "2022-10-25T16:07:23.925692Z",
			"updated_at": "2026-04-10T02:00:04.79318Z",
			"deleted_at": null,
			"main_name": "Operation Armor Piercer",
			"aliases": [],
			"source_name": "ETDA:Operation Armor Piercer",
			"tools": [
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Recam",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9c60f6c27d6588d723acf905660f2317c1248ad.pdf",
		"text": "https://archive.orkl.eu/a9c60f6c27d6588d723acf905660f2317c1248ad.txt",
		"img": "https://archive.orkl.eu/a9c60f6c27d6588d723acf905660f2317c1248ad.jpg"
	}
}