{
	"id": "2c8022a6-7661-471e-9f1d-5f5081cc3068",
	"created_at": "2026-04-23T02:55:23.462512Z",
	"updated_at": "2026-04-25T02:18:43.307128Z",
	"deleted_at": null,
	"sha1_hash": "e0b443656535cef3c187a0b643ca3f60a73f1f9d",
	"title": "Threat actors target recent Election Results",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1519345,
	"plain_text": "Threat actors target recent Election Results\r\nPublished: 2024-07-23 · Archived: 2026-04-23 02:23:32 UTC\r\nRecently, we saw a tweet about a document claiming to report on the recent “Indian Election Results”. On analysis, we found that it was dropping a “Crimson RAT” payload. This RAT, mostly used by the Transparent Tribe APT, is capable of stealing credentials and other sensitive information. While checking the IOCs related to this Crimson RAT, we also noticed another Excel file disguised as the “Syllabus of a University in Delhi”.\r\nThis blog gets into the technical details of the document carrying the Crimson RAT payload.\r\nFigure 1: Tweet\r\nTransparent Tribe APT\r\nTransparent Tribe, a group believed to operate out of Pakistan, has been active since 2013. Their primary focus is on infiltrating diplomatic, defence, and research entities located in India and Afghanistan. This time, election results were used as bait to target Indian netizens.\r\nTechnical Details\r\nThe initial vector was a .docm file, i.e. a macro-enabled Word document. This document contains embedded files, which include the “Crimson RAT” payload and the election results document.\r\nFigure 2: Embedded files\r\nhttps://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/\r\nPage 1 of 8\r\nAfter extracting the macro contents from the document using olevba, we saw that the macro copies the files into a folder named Data(sec)(min).\r\nFigure 3: Copies the files to appdata\r\nHere, it checks for the Office version and decodes the embedded files using oleobject7, oleobject10 and oleobject11. All three files contain a base64-encoded zip file holding the “Crimson RAT” payload.\r\nFigure 4: Checks for Office version\r\nIn the revdbndfile function, it reads the contents of one of the oleobject .bin files and converts it into a string. The Decabav6f function (seen in Fig 5) converts the base64-encoded string into a byte array by setting its datatype as base64. The BirvTrving function (seen in Fig 5) is later used to convert it back into a string by iterating through each byte.\r\nFigure 5: Base64 decoding\r\nAfter decoding the base64 string, it is written to the Appdata folder. It then copies and decompresses it into the Documents folder as a screensaver file “hacrvidth vibev.scr” and executes it.\r\nFigure 6: Payload (Crimson RAT)\r\nSimultaneously, it executes another embedded doc file (oleobject3.bin), which is actually the decoy file containing the election results of Uttarakhand.\r\nFigure 7: Loading embedded decoy\r\nFigure 8: Decoy file content\r\nAs said, another Excel file disguised as the syllabus of a university also drops the same Crimson RAT. Here is the content of the decoy file.\r\nFigure 9: Syllabus decoy\r\nCrimson RAT\r\nThe payload, on execution, sleeps for about 25 minutes so as to hinder sandboxing. It then adds a Run registry entry for the current user with a random hardcoded name for persistence.\r\nFigure 10: Sleep call\r\nFigure 11: Run registry persistence\r\nOnce again, it sleeps for about 20 minutes before it tries to connect to its C2 using the hardcoded domain and IP. If the payload does not connect to the attacker, the process exits.\r\nFigure 12: Second sleep call\r\nFigure 13: Hardcoded C2\r\nOn connecting to the C2 server, the command and data for the process (getsEtype Func) are sent. The malware then modifies each command by inserting the integer value 5 before the 4th character and executes the corresponding code after comparing it with the received command. If the attacker sends a null command, the process exits.\r\nFigure 14: Modified C2 commands\r\nThe following C2 commands can be executed:\r\nthy5umb – Sends the picture back to the C2 in GIF format\r\ngey5tavs, pry5ocl – Gets the list of all running processes\r\nscy5uren, scy5ren, scyr5en, scyu5ren, cdy5crgn, csy5crgn, csy5dcrgn – Takes a screenshot and sends it back in JPEG format\r\npuy5tsrt – Creates a Run registry key\r\ndoy5wf – Writes data into a file at the given path\r\ndiy5rs – Retrieves the list of drives in the system\r\nfiy5lsz – Gets info about a file on the system\r\niny5fo – Gets the OS info, user domain and username\r\nliy5stf – Gets the file path and file info from all subdirectories of the given path for files with the given extension\r\nfly5es – Checks for the files in the given directory\r\nruy5nf – Ability to run commands\r\nudy5lt – Writes data into the file (itaivsasidr.exe) in the same folder as this file (Documents folder)\r\nfiy5le, afy5ile – Sends the contents of the file whose path was given\r\ndey5lt – Deletes a file at the given path\r\ndoy5wr – Writes data into a file at the given path\r\nfly5dr – Checks for the subdirectories of the given directory\r\nBy using these commands, the attackers can access all the files, pictures, system info and running processes on the system. The RAT also has the capability to delete files on the system and to download additional payloads and execute them.\r\nThe discovery of malware disguised as a “Lok Sabha Election Results” document from India underscores the tricky strategies employed by cyber attackers. As cyber threats continue to evolve, staying informed and proactive is essential to protect against such deceptive and potentially disruptive attacks. At K7 Labs, we provide robust detection for these RATs and other day-to-day threats. We recommend using a dependable security solution like “K7 Total Security” and keeping it up-to-date to safeguard your devices effectively.\r\nIOCs\r\nMalware Type | Hash | Detection name\r\nElection Lure | 4473b78e67067a9299227cc02b8e28e2 | Trojan ( 0001140e1 )\r\nSyllabus Lure | ad90e16ea4a9fe11525da7669cb4b8ee | Trojan ( 0001140e1 )\r\nCrimson RAT | e6f4bb8ed235f43cb738447fbf1757c3 | Trojan ( 005b635b1 )\r\nCrimson RAT | da2331ac3e073164d54bcc5323cf0250 | Trojan ( 005b67de1 )\r\nCrimson RAT | a54c435bdbc17608fa0b8826bbe9936d | Trojan ( 005b67de1 )\r\nCrimson RAT | 7a18b1bf9b07726327ba50e549764731 | Trojan ( 005b635b1 )\r\nCrimson RAT | d6b38a2272876d039d48b46aa874e7b9 | Trojan ( 005b67de1 )\r\nCrimson RAT | f49375748b279565b5aed83d9ee01eb2 | Trojan ( 005b635b1 )\r\nC2\r\nDomain: waqers[.duckdns[.com\r\nIP: 94.72.105.227\r\nDecoy\r\nElection Decoy – 24fc6cacfbf0f87d2a24be7361c78c76\r\nSyllabus Decoy – 4166a122e5eac964ba9f4b22e2881052\r\nSource: https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/"
	],
	"report_names": [
		"threat-actors-target-recent-election-results"
	],
	"threat_actors": [
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-25T02:00:04.08475Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-25T02:00:04.77412Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-25T02:00:02.851188Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"C-Major",
				"Transparent Tribe",
				"ProjectM",
				"TMP.Lapis",
				"Green Havildar",
				"COPPER FIELDSTONE",
				"Mythic Leopard",
				"APT36",
				"APT 36",
				"Earth Karkaddan",
				"Storm-0156"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776912923,
	"ts_updated_at": 1777083523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0b443656535cef3c187a0b643ca3f60a73f1f9d.pdf",
		"text": "https://archive.orkl.eu/e0b443656535cef3c187a0b643ca3f60a73f1f9d.txt",
		"img": "https://archive.orkl.eu/e0b443656535cef3c187a0b643ca3f60a73f1f9d.jpg"
	}
}