{
	"id": "a5121a11-8e9b-4358-97f0-a3e006b80e5b",
	"created_at": "2026-04-06T00:07:24.716572Z",
	"updated_at": "2026-04-10T13:12:02.695539Z",
	"deleted_at": null,
	"sha1_hash": "cf21191d17675546af728fae2eb8a3a4a3c451cb",
	"title": "Investigating APT36 or Earth Karkaddans Attack Chain and Malware Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7556714,
	"plain_text": "Investigating APT36 or Earth Karkaddans Attack Chain and Malware Arsenal\r\nBy: Trend Micro Jan 24, 2022 Read time: 6 min (1687 words)\r\nPublished: 2022-01-24 · Archived: 2026-04-05 12:41:44 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT whose design closely resembles the group’s favored Windows malware, Crimson RAT.\r\nAPT36, also known as Earth Karkaddan, is a politically motivated advanced persistent threat (APT) group that has historically targeted Indian military and diplomatic resources. The group (also tracked as Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) is known to use social engineering and phishing lures as its entry point and then deploy the Crimson RAT malware to steal information from its victims.\r\nIn late 2021, we saw the group use CapraRAT, an Android RAT whose design closely resembles Crimson RAT. The degree of crossover in function names, commands, and capabilities between the two tools is notable; we cover it in more detail in our technical brief, “Earth Karkaddan APT.”\r\nOur investigation is based on Trend Micro Smart Protection Network (SPN) data gathered from January 2020 to September 2021.\r\nLooking into one of Earth Karkaddan’s recent campaigns\r\nEarth Karkaddan’s typical arrival methods are spear-phishing emails and a USB worm, either of which then drops and executes a remote access trojan (RAT).\r\nhttps://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html\r\nPage 1 of 14\r\nFigure 1. Earth Karkaddan’s attack chain\r\nThe malicious emails use a variety of lures to trick victims into downloading malware, including fraudulent government documents, honeytraps showing profiles of attractive women, and, more recently, coronavirus-themed information.\r\nFigure 2. An example of a fake government-related spear-phishing email\r\nFigure 3. An example of a coronavirus-related spear-phishing email attachment\r\nOnce the victim opens the attachment and enables its malicious macro, the macro decrypts an embedded executable dropper hidden inside a text box, saves it to a hardcoded path, and then executes it on the machine.\r\nFigure 4. Malicious macro that decrypts an executable hidden inside a text box\r\nFigure 5. Examples of encrypted Crimson RAT executables hidden inside text boxes\r\nWhen the dropper runs, it unzips a file named mdkhm.zip and then executes a Crimson RAT executable named dlrarhsiva.exe.\r\nFigure 6. The dlrarhsiva.exe Crimson RAT executable\r\nEarth Karkaddan actors are known to use Crimson RAT in their campaigns to communicate with a command-and-control (C\u0026C) server, download other malware, and exfiltrate data.\r\nOur analysis shows that Crimson RAT is compiled as a .NET binary with minimal obfuscation, which leaves its commands, function names, and variables readable in a decompiler. This could indicate that the group behind this campaign is not well-funded.\r\nFigure 7. A list of minimally obfuscated commands, function names, and variables from a Crimson RAT malware sample\r\nCrimson RAT can steal credentials from browsers, collect antivirus information, capture screenshots, and list victim drives, processes, and directories. We observed an infected host communicating with a Crimson RAT C\u0026C server to send exfiltrated information, including the PC name, operating system (OS) information, and the location of the Crimson RAT binary on the system.\r\nFigure 8. Network traffic from a Crimson RAT malware sample\r\nObliqueRAT Malware Analysis\r\nAside from Crimson RAT, the Earth Karkaddan APT group is also known to use the ObliqueRAT malware in its campaigns.\r\nObliqueRAT is also commonly distributed in spear-phishing campaigns that use social engineering to lure victims into downloading a second malicious document. In one of its most recent campaigns, the lure was that of the Centre for Land Warfare Studies (CLAWS) in New Delhi, India.\r\nFigure 9. Initial spear-phishing document with a link to another malicious document\r\nOnce the victim clicks the link, a document laced with a malicious macro is downloaded. When the macro is enabled, it downloads the ObliqueRAT malware, which is hidden inside an image file.\r\nFigure 10. The downloaded \"1More-details.doc\" contains malicious macros that download and execute the ObliqueRAT malware on a victim’s machine\r\nThe macros in the file download a bitmap image (BMP) file in which the ObliqueRAT malware is hidden, decode the downloaded BMP file, and then establish persistence by creating a URL shortcut in the Startup folder that automatically runs ObliqueRAT.\r\nFigure 11. Malicious macro code that downloads, decodes, and executes the ObliqueRAT malware\r\nFigure 12 shows a summary of the ObliqueRAT malware’s infection chain:\r\nFigure 12. ObliqueRAT attack chain\r\nBelow is a list of backdoor commands that this particular ObliqueRAT variant can perform:\r\nCommand (v5.2)   Info\r\n0   System information\r\n1   List drive and drive type\r\n3   Find certain files and file sizes\r\n4   Send back zip files (specified filename)\r\n4A/4E   Send back zip files\r\n5   Find certain files and file sizes\r\n6   Zip certain folder, send back to C\u0026C, then delete it\r\n7   Execute commands\r\n8   Receive file from C\u0026C\r\nBACKED   Back up the file lgb\r\nRNM   Rename file\r\nTSK   List running processes\r\nEXIT   Stop execution\r\nRESTART   Restart connection to C\u0026C\r\nKILL   Kill certain processes\r\nAUTO   Find certain files\r\nRHT   Delete files\r\nNote that in this specific campaign, the Crimson RAT downloader document and the ObliqueRAT downloader share the same download domain, sharingmymedia[.]com. This indicates that both malware families were in active use in Earth Karkaddan campaigns at the same time.\r\nFigure 13. Crimson RAT and ObliqueRAT spear-phishing email attachments that feature the same download domain\r\nCapraRAT, one of Earth Karkaddan’s custom Android RATs\r\nAside from using spear-phishing emails and a USB worm as arrival vectors, Earth Karkaddan also uses Android RATs, which can be delivered through malicious phishing links. This is not new for the group: in 2018, it used StealthAgent (detected by Trend Micro as AndroidOS_SMongo.HRX), an Android spyware that can intercept phone calls and messages, track victims’ locations, and steal photos. In 2020, Earth Karkaddan used an updated version of the AhMyth Android RAT to target Indian military and government personnel via a disguised porn app and a fraudulent national Covid-19 tracking app.\r\nWe observed the group using another Android RAT, which Trend Micro has named CapraRAT, and which is possibly a modified version of the open-source AndroRAT. While analyzing this Android RAT, we saw several capabilities similar to those of Crimson RAT, the malware the group usually uses to infect Windows systems.\r\nWe have been observing CapraRAT samples since 2017, and one of the first samples we analyzed (SHA-256: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42, detected by Trend Micro as AndroidOS_Androrat.HRXD) revealed some interesting details about that year: it used \"com.example.appcode.appcode\" as the APK package name and was signed with a certificate (fingerprint 74bd7b456d9e651fc84446f65041bef1207c408d) that appears to be publicly available, which suggests that the sample was a test build and that the group had only just started using the RAT in its campaigns.\r\nThe C\u0026C domain the malware connected to, android[.]viral91[.]xyz, also shows that the group very likely uses subdomains to host or control its Android malware. In previous years, some Crimson RAT samples were also found hosted on the viral91[.]xyz domain.\r\nFigure 14. Crimson RAT malware hosted on viral91[.]xyz\r\nWe were also able to source a phishing document, “csd_car_price_list_2017,” that is related to this domain and was seen in the wild in 2017. The file name is interesting because “csd” likely refers to the \"Canteen Stores Department\" in Pakistan, which is operated by the Pakistani Ministry of Defence. This is a plausible lure to get Indian targets to open the malicious attachment, and it was also used in a similar attack in 2021.\r\nUpon downloading this malicious app, which possibly arrived via a malicious link, the user must grant permissions at installation to give the RAT access to stored information; what the RAT can actually collect depends on which of these permissions are granted. The malware can do the following on a compromised device:\r\nAccess the phone number\r\nLaunch other apps’ installation packages\r\nOpen the camera\r\nAccess the microphone and record audio clips\r\nAccess the unique identification number\r\nAccess location information\r\nAccess phone call history\r\nAccess contact information\r\nOnce the Android RAT is executed, it attempts to establish a connection to its C\u0026C server, 209[.]127[.]19[.]241[:]10284. We observed that the hostname in this C\u0026C server’s Remote Desktop Protocol (RDP) certificate, “WIN-P9NRMH5G6M8,” is a string found on previously identified Earth Karkaddan C\u0026C servers, which makes it a useful pivot for identifying related infrastructure.\r\nFigure 15. Decompiled code from CapraRAT connecting to its C\u0026C server\r\nFigure 16. CapraRAT config showing its C\u0026C server and port information\r\nFigure 17. Backdoor commands found in CapraRAT\r\nThis APK file also has the ability to drop MP4 or APK files from its assets directory.\r\nFigure 18. CapraRAT APK file drops an MP4 file\r\nThe RAT also has a persistence mechanism that keeps the app active: every minute it checks whether its service is still running and, if it is not, launches the service again.\r\nFigure 19. CapraRAT’s persistence mechanism\r\nReducing risks: How to defend against APT attacks\r\nEarth Karkaddan has been stealing information since 2016 by means of creative social engineering lures and file-stealing malware. Users can adopt the following security best practices to thwart Earth Karkaddan attacks:\r\nBe careful when opening unsolicited and unexpected emails, especially those that call for urgency\r\nWatch out for malicious email red flags, which include atypical sender domains and grammatical and spelling lapses\r\nAvoid clicking on links or downloading attachments in emails, especially from unknown sources\r\nBlock threats that arrive via email, such as malicious links, using hosted email security and antispam protection\r\nDownload apps only from trusted sources\r\nBe wary of the scope of app permissions\r\nUse multilayered mobile security solutions that can protect devices against online threats, malicious applications, and data loss\r\nThe following security solutions can also protect users from email-based attacks:\r\nTrend Micro™ Cloud App Security – Enhances the security of Microsoft Office 365 and other cloud services via computer vision and real-time scanning. It also protects organizations from email-based threats.\r\nTrend Micro™ Deep Discovery™ Email Inspector – Defends users through a combination of real-time scanning and advanced analysis techniques for known and unknown attacks.\r\nTrend Micro™ Mobile Security for Enterprise suite – Provides device, compliance and application management, data protection, and configuration provisioning, and protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) – Covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nA list of indicators can be found in this text file.\r\nSource: https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
	],
	"report_names": [
		"investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36",
				"Earth Karkaddan",
				"Gorgon Group",
				"Green Havildar",
				"Mythic Leopard",
				"Operation C-Major",
				"Operation Transparent Tribe",
				"Pasty Draco",
				"ProjectM",
				"Storm-0156"
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf21191d17675546af728fae2eb8a3a4a3c451cb.pdf",
		"text": "https://archive.orkl.eu/cf21191d17675546af728fae2eb8a3a4a3c451cb.txt",
		"img": "https://archive.orkl.eu/cf21191d17675546af728fae2eb8a3a4a3c451cb.jpg"
	}
}