{
	"id": "f72c7a32-f62f-461b-a04d-81754208fa04",
	"created_at": "2026-04-06T01:30:42.366377Z",
	"updated_at": "2026-04-10T13:11:19.46345Z",
	"deleted_at": null,
	"sha1_hash": "b92aa2470100876c89fc951c7d9be6232724a9ad",
	"title": "Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1289670,
	"plain_text": "Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor\r\nExpands Interest in Indian Education Sector\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-04-13 · Archived: 2026-04-06 00:39:02 UTC\r\nExecutive Summary\r\nSentinelLABS has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by\r\nAPT36 (Transparent Tribe).\r\nWe assess that this activity is part of the group’s previously reported targeting of the education sector in the\r\nIndian subcontinent.\r\nWe observed APT36 introducing OLE embedding to its typically used techniques for staging malware from\r\nlure documents and versioned changes to the implementation of Crimson RAT, indicating the ongoing\r\nevolution of APT36’s tactics and malware arsenal.\r\nOverview\r\nSentinelLABS has been tracking a recently disclosed cluster of malicious Office documents that distribute\r\nCrimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector. This\r\npost summarizes our observations highlighting the group’s continuous change in used malware staging techniques\r\nand Crimson RAT implementations.\r\nTransparent Tribe is a suspected Pakistan-based threat group active since at least 2013. The group is not very\r\nsophisticated; however, it is a highly persistent threat actor that continuously adapts its operational strategy.\r\nTransparent Tribe has previously focused mainly on Indian military and government personnel, but it has recently\r\nexpanded its scope to include educational institutions and students in the Indian subcontinent. 
Crimson RAT is a\r\nconsistent staple of the group’s malware arsenal, used across its campaigns.\r\nThe names and content of the lure documents, the associated domains, and the use of Crimson RAT suggest that\r\nthe activities discussed in this post are part of a previously reported broader targeting of the education sector by\r\nTransparent Tribe.\r\nFurther, the PDB paths of some Crimson RAT samples we analyzed contain the word Wibemax, which is also\r\ncontained in the PDB paths of Crimson RAT payloads observed in a previous Transparent Tribe campaign.\r\nWibemax matches the name of a Pakistani software development company, but at this time we have not identified\r\na clear relationship to the adversary.\r\nIt is worth noting that there are high-confidence assessments of Transparent Tribe leveraging third parties to\r\nsupport their operation, such as the Pakistani web hosting provider Zain Hosting.\r\nhttps://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/\r\nPage 1 of 7\n\nOur analysis reinforces the assessment that closely monitoring the research endeavors of adversary nations has\r\nbecome an important objective for the adversary, underscoring the crucial role this activity plays in fulfilling the\r\ngoals and aspirations of the authorities whose interests Transparent Tribe represents.\r\nMalicious Documents\r\nThe documents that Transparent Tribe distributes have education-themed content and names such as assignment or\r\nAssignment-no-10, and indicate creation dates of July and August 2022. Based on known behavior of this group,\r\nwe suspect that the documents have been distributed to targets as attachments to phishing emails. 
Consistent with\r\nknown Transparent Tribe tactics, we observed that some of the documents have been hosted on file hosting\r\nservices and attacker-created domains, such as s1.fileditch[.]ch, cloud-drive[.]store, and drive-phone[.]online.\r\nIt is important to note that cloud-drive[.]store and drive-phone[.]online have been previously linked to\r\nTransparent Tribe activities targeting the education sector and assessed as domains prepared for future use.\r\nFurther, drive-phone[.]online closely resembles the phone-drive[.]online domain recently observed\r\nhosting Transparent Tribe malware targeting Indian and Pakistani Android users.\r\nThe malicious documents we analyzed stage Crimson RAT using Microsoft Office macros or OLE embedding.\r\nThe macro code executes when the documents are opened, and its functionality is consistent with known\r\nTransparent Tribe macro variants. The macros create and decompress an embedded archive file in the\r\n%ALLUSERSPROFILE% directory (C:\\ProgramData) and execute the Crimson RAT payload within. Some macros\r\ninsert text in the document, which is typically education-themed content relating to India.\r\nMacro implementation\r\nMacro-inserted document text\r\nIn addition to macros, we observed that Transparent Tribe has adopted OLE embedding as a technique to stage\r\nCrimson RAT. Malicious documents that implement this technique require users to double-click a document\r\nelement. The documents distributed by Transparent Tribe typically display an image (a “View Document”\r\ngraphic) indicating that the document content is locked. 
This lures users to double-click the graphic to view the\r\ncontent, which activates an OLE package that stores and executes Crimson RAT masquerading as an update\r\nprocess (MicrosoftUpdate.exe).\r\nThe “View Document” graphic\r\nOLE stream that stores Crimson RAT\r\nTransparent Tribe is known to experiment with different malware staging techniques, which include distributing\r\nexecutables with embedded documents or documents that execute designated Crimson RAT loaders. The adoption\r\nof OLE embedding further highlights the group’s continuous experimentation with malware staging techniques.\r\nCrimson RAT Implementations\r\nWe observed a variety of Crimson RAT .NET implementations, with compilation timestamps between July and\r\nSeptember 2022. The Crimson RAT payloads we analyzed use the richa-sharma.ddns[.]net domain for C2\r\npurposes and support either 40 or 65 commands, most of which have been documented in previous research.\r\nFeatures of Crimson RAT include exfiltrating system information, capturing screenshots, starting and stopping\r\nprocesses, and enumerating files and drives.\r\nA Crimson RAT command dispatch routine\r\nSome Crimson RAT variants are stripped of debug information, whereas others have PDB paths that contain a date\r\nstamp, the word Richa, which relates to the configured C2 domain, and the word Wibemax. 
Portions of these\r\nPDB paths overlap those of Crimson RAT payloads observed in a previous Transparent Tribe campaign, such as\r\nD:\\Projects\\Wibemax\\WinP\\WinP\\obj\\Debug\\WinP.pdb and D:\\Projects\\Wibemax\\Windows RAT\\1 Windows 10\r\nClient\\Win8P-Sunny\\2022-04-15-Win8P Sunny\\obj\\Debug\\FUJIKBattery.pdb.\r\nCrimson RAT PDB paths\r\nWe observed different Crimson RAT version identifiers: R.S.8.8., R.S.8.9, R.S.8.1, and R.S.8.6. We\r\nspeculate that the R.S. components of the identifiers may relate to the configured C2 domain (richa-sharma.ddns[.]net) and the numerical components may specify a version (build) number. This aligns with a\r\ndocumented Crimson RAT variant with the identifier S.L.2.2., which has used the sunnyleone.hopto[.]org\r\ndomain for C2 purposes.\r\nAs an anti-analysis measure, Crimson RAT variants delay their execution for a given time period, for example, 61,\r\n180, or 241 seconds. Most of the Crimson RAT variants we analyzed evaluate whether they execute on a machine\r\nnamed G551JW or DESKTOP-B83U7C5 and establish persistence by creating a registry key under\r\n\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run only if the victim’s machine name differs. G551JW or\r\nDESKTOP-B83U7C5 may be the names of the machines where Crimson RAT developers have been running test\r\nexecutions.\r\nCrimson RAT variants implement different obfuscation techniques of varying intensities, for example, simple\r\nfunction name malformation and dynamic string resolution. We observed the use of the Eazfuscator obfuscator in\r\na Crimson RAT sample named NewOrleans. 
Evidence suggests that the Crimson RAT developers have patched\r\nthe routine that evaluates the trial period of Eazfuscator to enable the execution of the malware after the trial\r\nperiod expires.\r\nEazfuscator trial period evaluation in NewOrleans\r\nEazfuscator trial expiry message\r\nWith previous variants of Crimson RAT obfuscated using Crypto Obfuscator, the addition of Eazfuscator to the\r\nobfuscation techniques used by Transparent Tribe highlights the continuous maintenance and development of the\r\nRAT.\r\nConclusion\r\nTransparent Tribe is a highly motivated and persistent threat actor that regularly updates its malware arsenal,\r\noperational playbook, and targets. Our analysis further demonstrates this characteristic of the group by\r\nspotlighting the adoption of OLE embedding as a technique for staging malware from lure documents and the\r\nEazfuscator obfuscator to protect Crimson RAT implementations. 
Transparent Tribe’s continually changing\r\noperational and targeting strategies require constant vigilance to mitigate the threat posed by the group.\r\nIndicators of Compromise\r\nDomain Description\r\nricha-sharma.ddns[.]net C2 server\r\ncloud-drive[.]store Malware hosting location\r\ndrive-phone[.]online Malware hosting location\r\ns1.fileditch[.]ch Malware hosting location\r\nSource: https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/"
	],
	"report_names": [
		"transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439042,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b92aa2470100876c89fc951c7d9be6232724a9ad.pdf",
		"text": "https://archive.orkl.eu/b92aa2470100876c89fc951c7d9be6232724a9ad.txt",
		"img": "https://archive.orkl.eu/b92aa2470100876c89fc951c7d9be6232724a9ad.jpg"
	}
}