Threat actors target recent Election Results
Published: 2024-07-23 · Archived: 2026-04-23 02:23:32 UTC

Recently, we saw a tweet about a document claiming to report the recent "Indian Election Results". On analysis, we found that it drops a "Crimson RAT" payload. This RAT, used mostly by the Transparent Tribe APT, is capable of stealing credentials and other sensitive information. While checking the IOCs related to this Crimson RAT sample, we also noticed another Excel file, disguised as the "Syllabus of a University in Delhi", that delivers the same payload. This blog covers the technical details of the document carrying the Crimson RAT payload.

Figure 1: Tweet

Transparent Tribe APT

Transparent Tribe, a group believed to operate out of Pakistan, has been active since 2013. Its primary focus is infiltrating diplomatic, defence and research entities located in India and Afghanistan. This time, election results were used as bait to target Indian netizens.

Technical Details

The initial vector is a .docm file, the macro-enabled Word document format. The document contains embedded files, including the "Crimson RAT" payload and the election results decoy document.

Figure 2: Embedded files

https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/ Page 1 of 8

Extracting the macro from the document with olevba shows that it first copies the embedded files into a folder named Data(sec)(min) under AppData.

Figure 3: Copies the files to AppData

It then checks the installed Office version and, depending on the result, decodes one of the embedded objects oleobject7, oleobject10 or oleobject11. All three contain a base64-encoded zip archive holding the "Crimson RAT" payload.

Figure 4: Checks for Office version

In the revdbndfile function, the macro reads the contents of the selected oleobject*.bin and converts it into a string. The Decabav6f function (seen in Fig 5) converts the base64-encoded string into a byte array by setting the data type of the holding object to base64.
The BirvTrving function (also seen in Fig 5) then converts the byte array back into a string by iterating over each byte.

Figure 5: Base64 decoding

The decoded data is written to the AppData folder. The macro then copies and decompresses it into the Documents folder as a screensaver file, "hacrvidth vibev.scr", and executes it.

Figure 6: Payload (Crimson RAT)

At the same time, it opens another embedded document, oleobject3.bin, which is the decoy file containing the election results of Uttarakhand.

Figure 7: Loading embedded decoy

Figure 8: Decoy file content

As mentioned earlier, another Excel file disguised as a university syllabus drops the same Crimson RAT. Here is the content of that decoy file.

Figure 9: Syllabus decoy

Crimson RAT

On execution, the payload sleeps for about 25 minutes to outlast automated sandbox analysis. It then adds a Run key under the current user's registry hive, with a hardcoded random-looking value name, for persistence.

Figure 10: Sleep call

Figure 11: Run registry persistence

It sleeps again, for about 20 minutes, before attempting to connect to its C2 using a hardcoded domain and IP address. If the connection to the attacker's server fails, the process exits.

Figure 12: Second sleep call

Figure 13: Hardcoded C2

Once connected, the C2 server sends commands and their data, which are handled by the getsEtype function. Before comparing a received command against its hardcoded list, the malware inserts the digit 5 before the 4th character of the command, so only the modified form appears in the binary; the code for the matching command is then executed. If the attacker sends an empty command, the process exits.
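The decode chain of Figures 3 to 6 (read the raw embedded object, pull out the base64 text, decode it, unpack the zip holding the .scr) can be reproduced offline for triage. The following is an added example, not code from the K7 Labs post or from the dropper itself. It assumes the embedded objects live under word/embeddings/ inside the .docm and that the base64 text sits in each .bin as one contiguous ASCII run; the sample document, the stand-in .scr content and the decoy object are constructed here for the demonstration.

```python
"""Offline re-implementation of the macro's decode chain for triage.

Added example, not the post's or the dropper's code. Assumptions (not
stated on the page): OLE objects sit under word/embeddings/ and the
base64 text is one contiguous run inside the raw .bin bytes.
"""
import base64
import io
import re
import zipfile

# A run of 64+ base64-alphabet bytes with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def embedded_objects(docm_bytes):
    """Return {basename: raw bytes} for every word/embeddings/*.bin in the .docm."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        return {
            name.rsplit("/", 1)[-1]: z.read(name)
            for name in z.namelist()
            if name.startswith("word/embeddings/") and name.endswith(".bin")
        }


def decode_embedded_zip(blob):
    """Mirror revdbndfile -> Decabav6f: take the longest base64 run in the raw
    object bytes, decode it and return the inner zip as {name: bytes}.
    Raises ValueError when the object is not a base64-wrapped zip (e.g. a decoy)."""
    runs = B64_RUN.findall(blob)
    if not runs:
        raise ValueError("no base64 run found")
    try:
        payload = base64.b64decode(max(runs, key=len), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}") from None
    if not payload.startswith(b"PK\x03\x04"):
        raise ValueError("decoded data is not a zip archive")
    with zipfile.ZipFile(io.BytesIO(payload)) as inner:
        return {info.filename: inner.read(info) for info in inner.infolist()}


def triage(docm_bytes):
    """For each embedded object: inner file names if it decodes, else the reason."""
    report = {}
    for name, blob in embedded_objects(docm_bytes).items():
        try:
            report[name] = sorted(decode_embedded_zip(blob))
        except ValueError as exc:
            report[name] = f"not a base64 zip ({exc})"
    return report


def build_sample_docm(scr_bytes):
    """Constructed stand-in for the lure: the inner zip holding the .scr is
    base64-encoded and surrounded by non-base64 bytes inside oleObject7.bin,
    next to a decoy object that carries no base64 payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("hacrvidth vibev.scr", scr_bytes)
    b64 = base64.b64encode(inner.getvalue())
    ole7 = b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + b64 + b"\x00" * 16
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")
        z.writestr("word/embeddings/oleObject7.bin", ole7)
        z.writestr("word/embeddings/oleObject3.bin", b"\xd0\xcf\x11\xe0" + b"decoy")
    return outer.getvalue()


# Constructed stand-in content; not the real RAT binary.
SAMPLE_SCR = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the RAT"
SAMPLE_DOCM = build_sample_docm(SAMPLE_SCR)

if __name__ == "__main__":
    for name, result in sorted(triage(SAMPLE_DOCM).items()):
        print(f"{name}: {result}")
```

Real oleObject*.bin files are OLE compound documents; the regex approach avoids parsing that container and is enough when the base64 text is stored in one piece, as the macro's own string-based reading suggests. If a sample splits the text across streams, parse the container with olefile (or oletools' oleobj) first and run the same decode on the stream contents.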
Figure 14: Modified C2 commands

The following C2 commands can be executed (listed in the modified form the malware compares against):

| Command | Action |
| --- | --- |
| thy5umb | Sends the picture back to the C2 in GIF format |
| gey5tavs, pry5ocl | Gets the list of all running processes |
| scy5uren, scy5ren, scyr5en, scyu5ren, cdy5crgn, csy5crgn, csy5dcrgn | Takes a screenshot and sends it back as a JPEG |
| puy5tsrt | Creates a Run registry key |
| doy5wf | Writes data to a file at the given path |
| diy5rs | Retrieves the list of drives on the system |
| fiy5lsz | Gets information about a file on the system |
| iny5fo | Gets the OS information, user domain and username |
| liy5stf | Gets the file path and file information, for files with the given extension, from all subdirectories of the given path |
| fly5es | Lists the files in the given directory |
| ruy5nf | Runs commands |
| udy5lt | Writes data to the file itaivsasidr.exe in the same folder as the RAT (the Documents folder) |
| fiy5le, afy5ile | Sends the contents of the file at the given path |
| dey5lt | Deletes the file at the given path |
| doy5wr | Writes data to a file at the given path |
| fly5dr | Lists the subdirectories of the given directory |

Using these commands, the operators can access files, pictures, system information and the running processes on the victim's system. The RAT can also delete files and download and execute additional payloads.

The discovery of malware disguised as a "Lok Sabha Election Results" document from India underscores the deceptive strategies employed by these attackers. As cyber threats continue to evolve, staying informed and proactive is essential to protect against such deceptive and potentially disruptive attacks. At K7 Labs, we provide robust detection for these RATs and other day-to-day threats. We recommend using a dependable security solution like "K7 Total Security" and keeping it up to date to safeguard your devices effectively.
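The command mangling described above (a 5 inserted before the 4th character of each received command, and an empty command ending the session) is small enough to model directly, and inverting it gives the on-wire command names an analyst would look for in captured traffic. The following is an added example, not code from the post or from the malware. It applies the stated rule to the table above, flags the entries the rule cannot have produced (two of the screenshot variants, scyr5en and scyu5ren, carry the 5 in the 5th position), and replays a constructed command sequence through the comparison loop. The action labels are shortened from the table; the sample session is constructed.

```python
"""Model Crimson RAT's command comparison and recover on-wire command names.

Added example, not the post's or the malware's code. Rule per the post:
the received command gets the digit 5 inserted before its 4th character
and is then compared against the hardcoded strings below.
"""

# Hardcoded (already-mangled) command strings from the post's table and
# a short label for what the post says each one does.
COMMAND_TABLE = {
    "thy5umb": "send picture as gif",
    "gey5tavs": "list running processes",
    "pry5ocl": "list running processes",
    "scy5uren": "screenshot as jpeg",
    "scy5ren": "screenshot as jpeg",
    "scyr5en": "screenshot as jpeg",
    "scyu5ren": "screenshot as jpeg",
    "cdy5crgn": "screenshot as jpeg",
    "csy5crgn": "screenshot as jpeg",
    "csy5dcrgn": "screenshot as jpeg",
    "puy5tsrt": "create run registry key",
    "doy5wf": "write data to file at given path",
    "diy5rs": "list drives",
    "fiy5lsz": "get file info",
    "iny5fo": "get os, user domain and username",
    "liy5stf": "list files by extension under path",
    "fly5es": "list files in directory",
    "ruy5nf": "run command",
    "udy5lt": "write itaivsasidr.exe to documents folder",
    "fiy5le": "send file contents",
    "afy5ile": "send file contents",
    "dey5lt": "delete file",
    "doy5wr": "write data to file at given path",
    "fly5dr": "list subdirectories",
}


def mangle(received):
    """What the RAT does before comparing: insert '5' before the 4th character."""
    return received[:3] + "5" + received[3:]


def unmangle(hardcoded):
    """Inverse of mangle(); raises if the string does not carry '5' at index 3."""
    if len(hardcoded) < 4 or hardcoded[3] != "5":
        raise ValueError(f"{hardcoded!r} does not follow the index-3 rule")
    return hardcoded[:3] + hardcoded[4:]


def nonconforming(table=COMMAND_TABLE):
    """Table entries that the stated rule cannot have produced from any input."""
    bad = []
    for cmd in table:
        try:
            unmangle(cmd)
        except ValueError:
            bad.append(cmd)
    return bad


def wire_commands(table=COMMAND_TABLE):
    """On-wire command names (pre-mangling) to look for in captured C2 traffic."""
    skip = set(nonconforming(table))
    return sorted(unmangle(cmd) for cmd in table if cmd not in skip)


def dispatch(received):
    """One pass of the command loop: empty command -> exit, unknown -> ignored."""
    if not received:
        return "exit"
    return COMMAND_TABLE.get(mangle(received), "unknown")


def replay(session):
    """Feed a sequence of received commands through dispatch(), stopping at exit."""
    actions = []
    for cmd in session:
        action = dispatch(cmd)
        actions.append(action)
        if action == "exit":
            break
    return actions


# Constructed session: host info, drive list, screenshot, then the empty
# command that ends the process; the trailing command is never reached.
SAMPLE_SESSION = ["inyfo", "diyrs", "scyren", "", "thyumb"]

if __name__ == "__main__":
    print("wire commands:", ", ".join(wire_commands()))
    print("entries off the rule:", nonconforming())
    print("session:", replay(SAMPLE_SESSION))
```

The two off-rule entries are worth keeping in mind when writing signatures: a rule that only anchors on the index-3 digit would not match those two screenshot variants, so match the hardcoded strings themselves rather than the derivation.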
IOCs

| Malware Type | Hash (MD5) | Detection name |
| --- | --- | --- |
| Election Lure | 4473b78e67067a9299227cc02b8e28e2 | Trojan ( 0001140e1 ) |
| Syllabus Lure | ad90e16ea4a9fe11525da7669cb4b8ee | Trojan ( 0001140e1 ) |
| Crimson RAT | e6f4bb8ed235f43cb738447fbf1757c3 | Trojan ( 005b635b1 ) |
| Crimson RAT | da2331ac3e073164d54bcc5323cf0250 | Trojan ( 005b67de1 ) |
| Crimson RAT | a54c435bdbc17608fa0b8826bbe9936d | Trojan ( 005b67de1 ) |
| Crimson RAT | 7a18b1bf9b07726327ba50e549764731 | Trojan ( 005b635b1 ) |
| Crimson RAT | d6b38a2272876d039d48b46aa874e7b9 | Trojan ( 005b67de1 ) |
| Crimson RAT | f49375748b279565b5aed83d9ee01eb2 | Trojan ( 005b635b1 ) |

C2
Domain: waqers[.]duckdns[.]com
IP: 94.72.105.227

Decoy
Election Decoy: 24fc6cacfbf0f87d2a24be7361c78c76
Syllabus Decoy: 4166a122e5eac964ba9f4b22e2881052

Source: https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/