{
	"id": "dc70fd7d-b09b-4053-b70f-d4ce9e8fe9f2",
	"created_at": "2026-04-06T00:15:26.238323Z",
	"updated_at": "2026-04-10T13:12:43.151021Z",
	"deleted_at": null,
	"sha1_hash": "cc96a2d3bcd049bd15566a0ed75d8d962817f847",
	"title": "Mythic Leopard APT Group - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152024,
	"plain_text": "Mythic Leopard APT Group - Brandefense\r\nPublished: 2022-08-12 · Archived: 2026-04-05 15:03:05 UTC\r\n\r\nThreat Actor ID\r\nKnown Names: Mythic Leopard (CrowdStrike), Transparent Tribe (Proofpoint), APT 36 (Mandiant), ProjectM (Palo Alto), TEMP.Lapis (FireEye), Copper Fieldstone (SecureWorks), Earth Karkaddan (Trend Micro)\r\nSuspected State Sponsor: Pakistan\r\nFirst Seen: 2013\r\nMotivation: Information theft and espionage\r\nTools Used: Amphibeon, beendoor, Bezigate, Bozok, BreachRAT, CapraRAT, Crimson RAT, DarkComet, Luminosity RAT, Mobzsar, MumbaiDown, njRAT, ObliqueRAT, Peppy RAT, QuasarRAT, SilentCMD, Stealth Mango, UPDATESEE, USBWorm, Waizsar RAT\r\nTarget Industries: Aviation, Government, Healthcare, Defense, Hospitality, Military, NGOs and Nonprofits, Oil and Gas\r\n\r\nIntroduction\r\nMythic Leopard is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India’s government and the Indian Army, or related assets in India and Afghanistan. Mythic Leopard has used several proprietary malware families for the Windows and Android operating systems. The group is primarily known for espionage activities.\r\nhttps://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/\r\nPage 1 of 6\r\n\r\nGroup’s Mission and Vision\r\nMythic Leopard, also known as PROJECTM and Transparent Tribe, is a highly prolific group whose activities can be traced as far back as 2013, to a series of espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan.\r\nWhen the IP addresses thought to belong to Mythic Leopard were traced, they were found to originate from Pakistan. The attacks were part of a broader multi-vector operation that included phishing email campaigns and watering-hole websites delivering specialized RATs called Crimson and Peppy. These RATs can exfiltrate information, take screenshots, and record webcam streams.\r\nMythic Leopard also creates fake domains that mimic legitimate military and defense organizations as a core component of its operations. The threat actor was found to use several delivery methods within a single campaign: executables masquerading as installers of legitimate applications, archive files, and malicious documents aimed at Indian entities and individuals. These infection chains were observed deploying types of implants not seen before.\r\nRussia sees European security organizations such as NATO and OSCE as a threat. For this reason, it targets both the member states of such organizations and the individuals affiliated with them.\r\n\r\nTargeted Countries and Industries\r\nMythic Leopard has been determined to carry out information theft and espionage and to organize malware campaigns against many different countries, with India as its main target.\r\nIn the attacks observed, the Mythic Leopard APT group targeted critical systems in the following countries:\r\n  • Afghanistan\r\n  • Australia\r\n  • Austria\r\n  • Azerbaijan\r\n  • Belgium\r\n  • Botswana\r\n  • Bulgaria\r\n  • Canada\r\n  • China\r\n  • Czech Republic\r\n  • Germany\r\n  • India\r\n  • Iran\r\n  • Japan\r\n  • Kazakhstan\r\n  • Kenya\r\n  • Malaysia\r\n  • Mongolia\r\n  • Nepal\r\n  • Netherlands\r\n  • Oman\r\n  • Pakistan\r\n  • Romania\r\n  • Saudi Arabia\r\n  • Spain\r\n  • Sweden\r\n  • Thailand\r\n  • Turkey\r\n  • UAE\r\n  • UK\r\n  • USA\r\n\r\nOperations by Year\r\nOperation “Transparent Tribe”\r\nIn 2012, two attacks took place within minutes of each other on officials at the Indian embassies in Saudi Arabia and Kazakhstan. Both emails contained a malware attachment and appeared to have been sent from an IP address belonging to Contabo, a hosting provider.\r\nSmeshApp Attack\r\nIn 2016, the Indian television channel CNN-IBN discovered that Pakistani authorities were collecting data on Indian troop movements using an Android app called SmeshApp.\r\nOperation “C-Major”\r\nIn 2016, researchers reported on a third phishing campaign, Operation C-Major, organized by Mythic Leopard. This campaign targeted Indian military officials through targeted phishing emails and distributed spyware to its victims through an Adobe Reader vulnerability.\r\nIn 2017, another campaign was detected in which the attackers impersonated the Indian think tank IDSA (Institute for Defense Studies and Analysis) and sent spear-phishing emails to Central Bureau of Investigation (CBI) officials and possibly Indian Army officials.\r\nIn 2019, Mythic Leopard was found to have evolved, accelerating its activities, launching major infection campaigns, developing new tools, and strengthening its focus on Afghanistan.\r\nIn 2020, Mythic Leopard returned with a new campaign after a few years of (apparent) inactivity. This campaign was found to be entirely new; its C2 server was active on January 29, 2020.\r\nAt the beginning of 2020, Mythic Leopard started using a new module named USBWorm and improved its custom .NET tool, CrimsonRAT.\r\nIn 2020, Mythic Leopard was also found to be conducting cyberattack campaigns by spreading fake coronavirus health advice.\r\nOperation “Honey Trap”\r\nIn 2020, Mythic Leopard was found to carry out targeted attacks on defense organizations in India.\r\nIn 2021, ObliqueRAT appeared to be back with a new campaign using compromised websites.\r\nIn 2021, Mythic Leopard was using new malware to target Indian government officials.\r\n\r\nCyber Attack Lifecycles and TTPs (MITRE ATT\u0026CK)\r\nMITRE ATT\u0026CK is an open knowledge base of threat actors’ tactics, techniques, and procedures. By observing attacks that occur in the real world, the behavior of threat actors is systematically categorized. MITRE ATT\u0026CK aims to assess the risks posed by the actions threat actors can take in pursuit of their targets and to guide the necessary improvements and planning.\r\nThe following MITRE ATT\u0026CK threat matrix has been created to provide information on the tactics, techniques, and procedures used by Mythic Leopard APT.\r\nTactic ID | Tactic | Technique ID | Technique\r\nTA0042 | Resource Development | T1608.004 | Drive-by Target\r\nTA0001 | Initial Access | T1189 | Drive-by Compromise\r\nTA0001 | Initial Access | T1566.001 | Spearphishing Attachment\r\nTA0001 | Initial Access | T1566.002 | Spearphishing Link\r\nTA0002 | Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic\r\nTA0002 | Execution | T1203 | Exploitation for Client Execution\r\nTA0002 | Execution | T1204.002 | User Execution: Malicious File\r\nTA0002 | Execution | T1204.001 | User Execution: Malicious Link\r\nTA0005 | Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories\r\nTA0005 | Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nTA0005 | Defense Evasion | T1027 | Obfuscated Files or Information\r\nTA0011 | Command and Control | T1568 | Dynamic Resolution\r\n\r\nGroup’s Toolset and Related Malwares\r\nSoftware: Description\r\nCrimson: Crimson is a remote access Trojan that has been used by Mythic Leopard since at least 2016.\r\nDarkComet: DarkComet is a Windows remote administration tool and backdoor that has been used by Mythic Leopard.\r\nnjRAT: njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by Mythic Leopard threat actors.\r\nObliqueRAT: ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Mythic Leopard since at least 2020.\r\nPeppy: Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.\r\n\r\nRecommendations/Mitigations\r\nExamination of the observed cases shows that the group mostly relies on phishing attacks to gain initial access and takes advantage of vulnerabilities in existing systems. Defenses against attacks that Mythic Leopard may carry out should therefore be planned around these attack vectors. Key recommendations for protecting assets and minimizing the risk of exploitation arising from security vulnerabilities and device misconfiguration are listed below.\r\n  • An integrated cyber defense platform should be used that shares threat data from email, web, cloud applications, and infrastructure.\r\n  • Make sure that multi-factor authentication is enabled for all accounts using your network.\r\n  • Internet dependency should be minimized for all critical systems, and control system devices should not be connected directly to the Internet.\r\n  • All unused legacy applications should be removed from all machines on the network to avoid abuse.\r\n  • Critical networks, such as control system networks behind firewalls, must be isolated from the external network.\r\n  • If remote access is required, secure methods such as VPN should be used.\r\n  • Unused system accounts should be removed, disabled, or renamed.\r\n  • To avoid exposure to known security vulnerabilities, updates that patch those vulnerabilities should be applied as soon as possible.\r\n  • Policies that require the use of strong passwords should be implemented.\r\n  • Organizations should keep backups of important data, systems, and configurations.\r\n  • Restore capacity should be tested, and the restore capabilities should be confirmed to support the needs of the business.\r\n  • Institution/organization personnel should be trained to understand cybersecurity principles and not engage in behavior that could compromise network security.\r\n\r\nConclusion\r\nThis analysis of the Mythic Leopard group and its findings can be used by information technology staff, members of cyber security teams, security researchers, and system administrators.\r\nImplementing cyberattack surface management for the critical infrastructures targeted by the Mythic Leopard APT group will contribute to an organization’s security maturity.\r\nSource: https://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/"
	],
	"report_names": [
		"mythic-leopard-apt-group"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc96a2d3bcd049bd15566a0ed75d8d962817f847.pdf",
		"text": "https://archive.orkl.eu/cc96a2d3bcd049bd15566a0ed75d8d962817f847.txt",
		"img": "https://archive.orkl.eu/cc96a2d3bcd049bd15566a0ed75d8d962817f847.jpg"
	}
}