{
	"id": "bb6db56c-f28d-48d9-807d-98d06acf8edc",
	"created_at": "2026-04-06T00:12:48.38389Z",
	"updated_at": "2026-04-10T03:36:50.256234Z",
	"deleted_at": null,
	"sha1_hash": "b3003cf32b1a05b5a9994d3d088dd05c50d7d85b",
	"title": "CapraRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40557,
	"plain_text": "CapraRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:56:44 UTC\r\napk.capra_rat (Back to overview)\r\nCapraRAT\r\nActor(s): Operation C-Major\r\nAccording to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified\r\nversion of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced\r\npersistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to\r\nperform certain actions on the infected Android device.\r\nReferences\r\n2023-09-18 ⋅ SentinelOne ⋅ Alex Delamotte\r\nCapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones\r\nCapraRAT Operation C-Major\r\n2023-03-07 ⋅ ESET Research ⋅ Lukáš Štefanko\r\nLove scam or espionage? Transparent Tribe lures Indian and Pakistani officials\r\nCapraRAT\r\n2022-01-24 ⋅ Trend Micro ⋅ Trend Micro\r\nInvestigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal\r\nCapraRAT Crimson RAT Oblique RAT Operation C-Major\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat"
	],
	"report_names": [
		"apk.capra_rat"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3003cf32b1a05b5a9994d3d088dd05c50d7d85b.pdf",
		"text": "https://archive.orkl.eu/b3003cf32b1a05b5a9994d3d088dd05c50d7d85b.txt",
		"img": "https://archive.orkl.eu/b3003cf32b1a05b5a9994d3d088dd05c50d7d85b.jpg"
	}
}