{
	"id": "138f8d84-ad5a-4901-98dd-83d363601502",
	"created_at": "2026-04-06T00:17:26.177415Z",
	"updated_at": "2026-04-10T03:36:50.278676Z",
	"deleted_at": null,
	"sha1_hash": "d80a1880b3e2cf9e12b9af8f0ec1377fe39576ba",
	"title": "APT Group Targets Indian Defense Officials with TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2354210,
	"plain_text": "APT Group Targets Indian Defense Officials with TTPs\r\nBy cybleinc\r\nPublished: 2021-09-14 · Archived: 2026-04-05 22:48:56 UTC\r\nAn Advanced Persistent Threat group is highly likely targeting Indian Defense officials via enhanced TTPs.\r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a malware sample posted on Twitter by a researcher who believes that the malware belongs to Transparent Tribe, an Advanced Persistent Threat (APT) group. Given the nature of the victim and the way they are targeted, we can draw some similarities to the SideCopy APT group.\r\nBoth APT groups are known to have mainly targeted India’s Defense and Government sectors in the past. Additionally, both groups have used various other RATs and malware to launch campaigns via multiple modes such as phishing, delivering the payload via mail, etc. The malware posted by the researcher on Twitter hides the actual malware inside a .vhdx file to evade antivirus detection. As per Wikipedia, .vhdx is the successor of VHD (Virtual Hard Disk).\r\nThe figure below shows the high-level execution flow of the malware. Upon execution, the malware checks the current time zone. If it verifies that the victim system’s time zone is IST, it connects to the attacker’s URL to download the second stager. 
Once downloaded, it executes the second stager payload and deletes itself.\r\nThe second stager payload checks that only one instance of the malware is running, and then it connects to the attacker’s Command and Control (C\u0026C) server to start receiving commands from the Threat Actor (TA).\r\nhttps://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/\r\nPage 1 of 11\n\nFigure 1 High-Level Execution Flow of Malware\r\nTechnical Analysis\r\nCyble Research started the analysis with the malware file named AFD CSD APP.vhdx; the sample had the extension .vhdx. After double-clicking on AFD CSD APP.vhdx, we observed it creating a mount in the Operating System (OS) with the name “CSD App”. After opening the mounted drive, we found the malicious file CSD_AppLaunch.exe.\r\nFigure 2 Actual Malware Present in CSD APP Mount\r\nWhile performing a static analysis of the CSD_AppLaunch.exe malicious file, we determined that the file is an x86 architecture Windows-based Graphical User Interface (GUI) application written in .NET, as shown in the figure below.\r\nFigure 3 Static Details of First Stager\r\nThe icon of the malicious app had the logo of the Canteen Stores Department (CSD) of the Indian Armed Forces, as shown in the figure below.\r\nFigure 4 Application Logo Used for First Stager\r\nCode Analysis (CSD_AppLaunch.exe)\r\nAs per the code below, once the malware has been executed, it checks whether the current OS time zone is India Standard Time (IST); if the OS time zone is not IST, the malware exits. 
This tells us that the malware has been created with the explicit purpose of targeting the Indian Defense establishment and service members.\r\nFigure 5 Malware Checks for Time Zone\r\nInitially, the code shown in the figure below uses the .NET WebBrowser() class to open the URL h[tt]ps:[//]afd.csdindia[.]gov[.]in and load the Form1_Load module to execute the malicious code.\r\nFigure 6 Malware Loading Indian CSD Website in Custom Browser and Executing Form1_Load\r\nOnce the Form1_Load method is called, the code shown in Figure 7 creates a directory named “Intel Wifi” in C:\\ProgramData. If this directory is not present, it is created. Once the directory is present, the malware proceeds to download the next stager payload from the URL https[:]//secure256[.]net/ver4.mp3. Then, the malware decrypts the ver4.mp3 content to create the IntelWifi.exe malicious binary in C:\\ProgramData\\Intel Wifi, as shown in the code below.\r\nFigure 7 Create Folder in ProgramData and Download Second Stager\r\nThe code below contains the decryption logic used by the malware to decrypt the content of the ver4.mp3 file.\r\nFigure 8 Decrypt Second Stager\r\nFinally, the first stager malware calls the Final method to create a new file named music.mp3 in the C:\\ProgramData directory, containing the decrypted data of ver4.mp3.\r\nAfter this step, it sleeps for 6 seconds and then uses the Move function to rename the music.mp3 file to IntelWifi.exe. 
It then sleeps for five more seconds, executes the IntelWifi.exe binary and deletes the CSD_AppLaunch.exe (first stager) binary, as shown in the figure below.\r\nFigure 9 Create Second Stager Binary IntelWifi.exe\r\nTechnical Analysis for IntelWifi.exe (Second Stager)\r\nStatic analysis of IntelWifi.exe shows that the binary is an x86 architecture Windows-based Graphical User Interface (GUI) application written in .NET, as shown in the figure below.\r\nFigure 10 Static Details of IntelWifi (Second Stager)\r\nAs per the code below, the malware initially checks that only a single instance of the malware process is running. Then, it checks whether the current time zone is India Standard Time. Further, it calls the CheckDirectory() method to create the \\Intel Wifi directory and the vmnx.dll file. Finally, it calls the Form1 module to execute the malicious code.\r\nFigure 11 Second Stager Malware Performing Various Checks\r\nThe Form1() module calls the InitializeComponent method, which in turn loads the Form1_Load method. Form1_Load then calls the Run() method to start the malware activity, as shown in the figure below.\r\nFigure 12 Execution Flow to Initiate the Malicious Activity\r\nThe Run code is shown in Figure 13. Once executed, it connects to the attacker’s C\u0026C at address 45[.]147[.]228[.]195[:]5434. After establishing contact with the C\u0026C server, it calls the Run method from the Grabber class to execute a series of methods that collect the victim’s environment details, e.g., OS, current username, etc. 
Once the victim’s environment details are extracted, the malware sends them to the attacker’s C\u0026C with the key “x999” and then waits for commands from the attacker.\r\nFigure 13 Malware Communicating to Attacker’s C\u0026C and Waiting to Receive the Command\r\nBelow we have listed the series of methods executed by the Run() method present in the Grabber class.\r\nFigure 14 Series of Methods Executed by Malware\r\nMethod Description\r\nCreateID() Create the vmvcx.dll file, generate a Victim ID from the processor details (P- followed by a random number) and write the ID to the vmvcx.dll file, e.g., PXXX-XXXXXXXXXXXX\r\nName() Get the Computer Name and Current Username\r\nPubIp() Get the Victim’s public IP using hxxp://icanhazip[.]com\r\nLocIp() Get the Victim’s Local IP\r\nOSType() Get the Victim’s Operating System (OS) details\r\nAv() Get the list of AV products present on the Victim’s machine\r\nMacType() Check whether the Victim is using a desktop or a laptop\r\nCreateNonStop() Add persistence in the Startup Folder\r\nTable 1 Description of the Methods Invoked by the Malware\r\nThe figure below shows that the cynetcloud shortcut file is created in the startup folder using the CreateNonStop() method. The value file:///C:\\ProgramData\\Intel Wifi\\IntelWifi.exe executes whenever the Windows machine starts. This is done to create and maintain persistence on the victim machine.\r\nFigure 15 Malware Created Persistence in Start-Up Folder\r\nOnce all the methods shown in Table 1 are executed, the malware sends the user data to the attacker’s C\u0026C. In the figure below, the malware has connected to our fake emulated C\u0026C.\r\nFigure 16 Malware Connected to Fake C\u0026C\r\nOnce connected, the malware sends the victim’s environment details. 
It then goes into a dormant stage, waiting for the next command from the attacker’s C\u0026C.\r\nFor example, in the figure below, we have sent “prc1” to the malware to get the process details of the victim.\r\nFigure 17 Output Received from Malware\r\nBelow is the code used by the malware to handle the commands received from the C\u0026C.\r\nFigure 18 Various Functionalities Which the Malware Supports Based on the Command Received from C\u0026C\r\nConclusion\r\nAPT groups are evolving their tools and techniques to stay ahead of security solutions such as AV \u0026 EDR. Based on the multiple artifacts in this malware, such as the logo and the URL used in the initial code, we can conclude that the malware has been created specifically to target Indian Defense or Government officials.\r\nCyble Research Labs will continuously monitor security threats, whether they are ongoing or emerging. We will continue to update our readers with our latest findings.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nUse a reputed anti-virus and internet security software package on your connected devices.\r\nUse the shared IoCs to monitor and block the malware infection.\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nExecution T1204 User Execution\r\nPersistence T1547 Boot or Logon Autostart Execution\r\nDiscovery T1057 Process Discovery\r\nDiscovery T1124 System Time Discovery\r\nDiscovery T1033 System Owner/User Discovery\r\nDiscovery T1082 System Information Discovery\r\nCommand and Control T1095 Non-Application Layer Protocol\r\nCommand and Control T1571 Non-Standard Port\r\nIndicators of Compromise (IoCs):\r\nIndicator Indicator Type Description\r\n124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce SHA-256 IntelWifi.exe\r\n84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34 SHA-256 CSD_AppLaunch.exe\r\n5e645eb1a828cef61f70ecbd651dba5433e250b4724e1408702ac13d2b6ab836 SHA-256 AFD CSD APP.vhdx\r\nhxxp://secure256[.]net/ URL Second Stager URL\r\n45.147.228.195:5434 IP:Port Attacker’s C\u0026C\r\nGeneric Signatures and Rules:\r\nYara Rules:\r\nrule win32_csdmalware\r\n{\r\n    meta:\r\n        author = \"Cyble Research\"\r\n        date = \"2021-09-14\"\r\n        description = \"Coverage for CSD_Application.exe \u0026 IntelWifi.exe\"\r\n        csd_application_hash = \"84841490ea2b637494257e9fe23922e5f827190ae3e4c32134cadb81319ebc34\"\r\n        intelwifi_hash = \"124023c0cf0524a73dabd6e5bb3f7d61d42dfd3867d699c59770846aae1231ce\"\r\n    strings:\r\n        $header = \"MZ\"\r\n        $sig1 = \"CreateNonStop\" wide ascii\r\n        $sig2 = \"LocIp\" wide ascii\r\n        $sig3 = \"MacType\" wide ascii\r\n        $sig4 = \"45.147.228.195\" wide ascii\r\n        $sig5 = \"qmquqsqiqcq.qmqpq3q\" wide ascii\r\n        $sig6 = \"secure256.net\" wide ascii\r\n        $sig7 = \"ver4.mp3\" wide ascii\r\n        $sig8 = \"x33117\" wide ascii\r\n    condition:\r\n        $header at 0 and (3 of ($sig*))\r\n}\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes 
and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/"
	],
	"report_names": [
		"apt-group-targets-indian-defense-officials-through-enhanced-ttps"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d80a1880b3e2cf9e12b9af8f0ec1377fe39576ba.pdf",
		"text": "https://archive.orkl.eu/d80a1880b3e2cf9e12b9af8f0ec1377fe39576ba.txt",
		"img": "https://archive.orkl.eu/d80a1880b3e2cf9e12b9af8f0ec1377fe39576ba.jpg"
	}
}