{
	"id": "4a336c5c-d15f-44e5-81a9-558de63ac324",
	"created_at": "2026-04-06T00:14:40.264746Z",
	"updated_at": "2026-04-10T03:36:50.183336Z",
	"deleted_at": null,
	"sha1_hash": "f0f701494fe4b7cb917f791f5ed543e39c17cb6b",
	"title": "Transparent Tribe: Evolution analysis, part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1130432,
	"plain_text": "Transparent Tribe: Evolution analysis, part 1\r\nBy Giampaolo Dedola\r\nPublished: 2020-08-20 · Archived: 2026-04-05 13:02:10 UTC\r\nBackground and key findings\r\nTransparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose\r\nactivities can be traced as far back as 2013. Proofpoint published a very good article about them in 2016, and\r\nsince that day, we have kept an eye on the group. We have periodically reported their activities through our APT\r\nthreat intelligence reports, and subscribers of that service already know that in the last four years, this APT group\r\nhas never taken time off. They continue to hit their targets, which typically are Indian military and government\r\npersonnel.\r\nThe TTPs have remained consistent over the years, and the group has constantly used certain tools and created\r\nnew programs for specific campaigns. Their favorite infection vector is malicious documents with an embedded\r\nmacro, which seem to be generated with a custom builder.\r\nTheir main malware is a custom .NET RAT publicly known as Crimson RAT, but over the years, we also have\r\nobserved the use of other custom .NET malware and a Python-based RAT known as Peppy.\r\nOver the past year, we have seen this group undergo an evolution, stepping up its activities, starting massive\r\ninfection campaigns, developing new tools and strengthening their focus on Afghanistan.\r\nThe summary of our recent investigations will be described in two blogposts. This first publication will cover the\r\nfollowing key points:\r\nWe discovered the Crimson Server component, the C2 used by Transparent Tribe for managing infected\r\nmachines and conducting espionage. 
This tool confirmed most of our observations on Crimson RAT and\r\nhelped us to understand the attackers’ perspective.\r\nTransparent Tribe continues to spread Crimson RAT, infecting a large number of victims in multiple\r\ncountries, mainly India and Afghanistan.\r\nThe USBWorm component is real, and it has been detected on hundreds of systems. This is malware whose\r\nexistence was already speculated about years ago, but as far as we know, it has never been publicly\r\ndescribed.\r\nI will be talking more about Transparent Tribe and its tools on the GReAT Ideas. Powered by SAS webinar on\r\nAugust 26; you can register for it here: https://kas.pr/1gk9\r\nCrimson Server\r\nCrimson is the main tool used by Transparent Tribe for their espionage activities. The tool is composed of various\r\ncomponents, which are used by the attacker for performing multiple activities on infected machines:\r\nhttps://securelist.com/transparent-tribe-part-1/98127/\r\nPage 1 of 15\n\nmanage remote filesystems\r\nupload or download files\r\ncapture screenshots\r\nperform audio surveillance using microphones\r\nrecord video streams from webcam devices\r\nsteal files from removable media\r\nexecute arbitrary commands\r\nrecord keystrokes\r\nsteal passwords saved in browsers\r\nspread across systems by infecting removable media\r\nIn the course of our analysis, we spotted a .NET file, identified by our products as Crimson RAT, but a closer look\r\nrevealed that it was something different: a server-side implant used by the attackers to manage the client\r\ncomponents.\r\nWe found two different server versions. The one we named “A” was compiled in 2017, 2018 and\r\n2019, and includes a feature for installing the USBWorm component and executing commands on remote\r\nmachines. The version we named “B” was compiled in 2018 and again at the end of 2019. 
The existence of\r\ntwo versions confirms that this software is still under development and the APT group is working to enhance it.\r\nBy analysing the .NET binary, we were able to set up a working environment and communicate with samples\r\npreviously detected on victims’ machines.\r\nCrimson Server version “A”\r\nMain panel\r\nThe first window is the main panel, which provides a list of infected machines and shows basic information about\r\nthe victims’ systems.\r\nServer main panel\r\nGeolocation information is retrieved from a legitimate website using a remote IP address as the input. The URL\r\nused by the server is:\r\nhttp://ip-api.com/xml/\u003cip\u003e\r\nAt the top, there is a toolbar that can be used for managing the server or starting some actions on the selected bot.\r\nAt the bottom, there is an output console with a list of actions performed by the server in the background. It will\r\ndisplay, for example, information about received and sent commands.\r\nThe server uses an embedded configuration specified inside a class named “settings”.\r\nExample of embedded configuration\r\nThe class contains TCP port values, default file names and installation paths used by each malware component.\r\nThe server does not include any features to build the other components; they need to be manually placed in\r\nspecific predefined folders. 
For example, based on the configuration displayed in the picture above, the “msclient”\r\nmust be placed in “.\\tmps\\rfaiwaus.exe”.\r\nThis leads us to conclude that the resulting server file was generated by another builder, which created the\r\nexecutable files, directories and the other files used by the application.\r\nBot panel\r\nThe main features are accessible from the “bot panel”, an interface with twelve tabs, which can be used to manage\r\na remote system and collect information.\r\nUpdate module\r\nThe first tab is used for checking the client configuration, uploading Crimson components and executing them on\r\nthe remote system.\r\nUpdate modules tab\r\nThe Crimson framework is composed of seven client components:\r\nThin Client -\u003e a tiny version of the RAT used for recognizing the victim. The “thin” client is the most common\r\none; it is usually dropped during Transparent Tribe’s infection process and is the variant most\r\ncommonly found on OSINT resources. It contains a limited number of features and can typically be used to:\r\ncollect information about the infected system\r\ncollect screenshots\r\nmanage the remote filesystem\r\ndownload and upload files\r\nget a process list\r\nkill a process\r\nexecute a file\r\nMain Client -\u003e the full-featured RAT. 
It can handle all “Thin Client” features, but it can also be used to:\r\ninstall the other malware components\r\ncapture webcam images\r\neavesdrop using a computer microphone\r\nsend messages to the victim\r\nexecute commands with COMSPEC and receive the output.\r\nUSB Driver -\u003e a USB module component designed for stealing files from removable drives attached to infected\r\nsystems.\r\nUSB Worm -\u003e this is the USBWorm component, developed to steal files from removable drives, spread across\r\nsystems by infecting removable media, and download and execute the “Thin Client” component from a remote\r\nCrimson server.\r\nPass Logger -\u003e a credential stealer, used for stealing credentials stored in the Chrome, Firefox and Opera\r\nbrowsers.\r\nKeyLogger -\u003e a simple piece of malware used for recording keystrokes.\r\nRemover -\u003e this cannot be pushed using the “Update module tab”, but it can be uploaded to an infected machine\r\nautomatically using the “Delete User” button. Unfortunately, we did not acquire that component and we cannot\r\nprovide a description of it.\r\nInterestingly, Transparent Tribe tries to circumvent certain vendors’ security tools by configuring the Server to\r\nprevent installation of some of the malware components, specifically the “USB Driver” and the “Pass Logger”, on\r\nsystems protected with Kaspersky products. They also prevent installation of the “Pass Logger” on systems\r\nprotected by ESET.\r\nSnippet of code that prevents installation of certain components on systems protected by Kaspersky products\r\nFile Manager \u0026 Auto Download tabs\r\nThe file manager allows the attacker to explore the remote file system, execute programs, download, upload and\r\ndelete files.\r\nFile manager tab\r\nMost of the buttons are self-explanatory. 
The most interesting ones are “USB Drive” and “Delete USB”, used for\r\naccessing data stolen by the USB Driver and USB Worm components, and the “Auto File Download” feature. This\r\nfeature opens another window, which can also be accessed via the second-to-last tab. It allows the attacker to\r\nconfigure the bot to search for files, filter results and upload multiple files.\r\nAuto download tab\r\nScreen and Webcam monitoring tabs\r\nScreen monitoring tab\r\nWebcam monitoring tab\r\nThese tabs are used for managing two simple and powerful features. The first one is designed for monitoring the\r\nremote screen and checking what the user is doing on their system. The second one can be used for spying on a\r\nremote webcam and performing video surveillance. The attacker can retrieve a single screenshot or start a loop\r\nthat forces the bot to continuously send screenshots to the server, generating a live stream of sorts. The attacker\r\ncan also configure the RAT component to record the images on the remote system.\r\nOther tabs\r\nThe other tabs are used for managing the following features:\r\nAudio surveillance: The malware uses the NAudio library to interact with the microphone and manage the\r\naudio stream. The library is stored server-side and pushed to the victim’s machine using a special\r\ncommand.\r\nSend message: The attacker can send messages to victims. The bot will display the messages using a\r\nstandard message box.\r\nKeylogger: Collects keyboard data. The log includes the process name used by the victim, and keystrokes.\r\nThe attacker can save the data or clear the remote cache.\r\nPassword Logger: The malware includes a feature to steal browser credentials. The theft is performed by a\r\nspecific component that enumerates credentials saved in various browsers. 
For each entry, it saves the\r\nwebsite URL, the username and the password.\r\nProcess manager: The attacker can obtain a list of running processes and terminate them by using a\r\nspecific button.\r\nCommand execution: This tab allows the attacker to execute arbitrary commands on the remote machine.\r\nCrimson Server version “B”\r\nThe other version is quite similar to the previous one. Most noticeably, in this “B” version, the graphical user\r\ninterface is different.\r\nMain toolbar, version B\r\n“Update USB Worm” is missing from the Update Bot tab, which means that the USB Worm feature is not\r\navailable in these versions.\r\nUpdate modules tab, version B\r\nThis version does not include the check that prevents installation of certain components on systems protected with\r\nKaspersky products, and the Command execution tab is missing. In the same position, we find a different tab,\r\nused for saving comments about the infected machine.\r\nNotes\r\nUSBWorm\r\nLast January, we started investigating an ongoing campaign launched by Transparent Tribe to distribute the\r\nCrimson malware. The attacks started with malicious Microsoft Office documents, which were sent to victims\r\nusing spear-phishing emails.\r\nDecoy document used in an attack against Indian entities\r\nThe documents typically have malicious VBA code embedded, sometimes protected with a password, which is\r\nconfigured to drop an encoded ZIP file containing a malicious payload.\r\nUser form with encoded payloads\r\nThe macro drops the ZIP file into a new directory created under %ALLUSERSPROFILE% and extracts the archive\r\ncontents at the same location. 
The directory name can be different, depending on the sample:\r\n%ALLUSERSPROFILE%\\Media-List\\tbvrarthsa.zip\r\n%ALLUSERSPROFILE%\\Media-List\\tbvrarthsa.exe\r\nSnippet of VBA code\r\nThe executable file is the Crimson “Thin Client”, which allows the attacker to gain basic information about the\r\ninfected machine, collect screenshots, manipulate the file system and download or upload arbitrary files.\r\nDuring our analysis, we noticed an interesting sample connected to a Crimson C2 server. This sample was related\r\nto multiple detections, all of them having different file names and most of them generated from removable\r\ndevices.\r\nOne of the file path name combinations observed was ‘C:\\ProgramData\\Dacr\\macrse.exe’, also configured in a\r\nCrimson “Main Client” sample and used for saving the payload received from the C2 when invoking the usbwrm\r\ncommand.\r\nUSBWorm file construction function\r\nWe concluded that this sample was the USBWorm component mentioned by Proofpoint in its analysis of the\r\nmalware.\r\nBased on previous research, we knew that this RAT was able to deploy a module to infect USB devices, but as far\r\nas we know, it had never been publicly described.\r\nUSB Worm description\r\nOur analysis has revealed that USBWorm is much more than a USB infector. In fact, it can be used by the attacker\r\nto:\r\ndownload and execute the Crimson “Thin Client”\r\ninfect removable devices with a copy of USBWorm itself\r\nsteal files of interest from removable devices (i.e. USB Stealer)\r\nBy default, the program behaves as a downloader, infector and USB stealer. Usually, the component is installed by\r\nthe Crimson “Main Client”, and when started, it checks if its execution path is the one specified in the embedded\r\nconfiguration and if the system is already infected with a Crimson client component. 
If these conditions are met, it\r\nwill start to monitor removable media, and for each of these, the malware will try to infect the device and steal\r\nfiles of interest.\r\nThe infection procedure lists all directories. Then, for each directory, it creates a copy of itself in the drive root\r\ndirectory using the same directory name and changing the directory attribute to “hidden”. This results in all the\r\nactual directories being hidden and replaced with a copy of the malware using the same directory name.\r\nMoreover, USBWorm uses an icon that mimics a Windows directory, tricking the user into executing the malware\r\nwhen trying to access a directory.\r\nUSBWorm icon\r\nThis simple trick works very well on default Microsoft Windows installations, where file extensions are hidden\r\nand hidden files are not visible. The victim will execute the worm every time they try to access a directory.\r\nMoreover, the malware does not delete the real directories and executes “explorer.exe” when started, providing the\r\nhidden directory path as argument. The command will open the Explorer window as expected by the user.\r\nView of infected removable media with default Windows settings\r\nView of infected removable media with visible hidden files and file extensions\r\nThe data theft procedure lists all files stored on the device and copies those with an extension matching a\r\npredefined list:\r\nFile extensions of interest: .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt\r\nIf the file is of interest, i.e. if the file extension is on the predefined list, the procedure checks if a file with the\r\nsame name has already been stolen. 
The malware has a text file with a list of stolen files, which is stored in the\r\nmalware directory under a name specified in the embedded configuration.\r\nOf course, this approach is a little buggy, because if the worm finds two different files with the same name, it will\r\nsteal only the first one. Anyway, if the file is of interest and is not on the list of stolen files, it will be copied from\r\nthe USB to a local directory usually named “data” or “udata”, although the name could be different.\r\nIf the worm is executed from removable media, the behavior is different. In this case, it will check if the “Thin\r\nClient” or the “Main Client” is running on the system. If the system is not infected, it will connect to a remote\r\nCrimson Server and try to use a specific “USBW” command to download and execute the “Thin Client”\r\ncomponent.\r\nSnippet of code used to build USBW request\r\nPersistence is ensured by a method that is called when the program is closing. It checks if the malware\r\ndirectory specified in the embedded configuration exists and then copies the malware executable inside it. It also\r\ncreates a registry key under “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” to execute the worm\r\nautomatically.\r\nUSB Worm distribution\r\nDuring our investigation, we found around two hundred distinct samples related to Transparent Tribe Crimson\r\ncomponents. 
We used the Kaspersky Security Network (KSN) to collect some statistics about the victims.\r\nConsidering all components detected between June 2019 and June 2020, we found more than one thousand\r\ndistinct victims distributed across twenty-seven countries.\r\nCrimson distribution map\r\nMost of the detections were related to the USB Worm components, and in most of the countries, the number of\r\nevents was very low.\r\nCrimson detections – USBWorm vs other components\r\nIf we check victims compromised with the other client components, we can find the real targets.\r\nTop five infected countries from June 2019 to June 2020 – USBWorm excluded\r\nThe graph includes the countries with the highest number of distinct victims, and it shows that Transparent Tribe maintained a strong\r\nfocus on Afghanistan during the final part of 2019 and then started to focus again on Indian users during 2020.\r\nWe may speculate that detections in other countries may be related to entities connected with the main targets, such as\r\npersonnel of embassies.\r\nConclusions\r\nTransparent Tribe continues to show high activity against multiple targets. In the last twelve months, we observed\r\na broad campaign against military and diplomatic targets, using extensive infrastructure to support their operations\r\nand continuous improvements in their arsenal. The group continues to invest in their main RAT, Crimson, to\r\nperform intelligence activities and spy on sensitive targets. We do not expect any slowdown from this group in the\r\nnear future and we will continue to monitor their activities.\r\nIoC\r\nThe following IOC list is not complete. More information about the APT discussed here, as well as a\r\nfull IOC list and YARA rules, is available to customers of Kaspersky Threat Intelligence Reports. 
Contact:\r\nintelreports@kaspersky.com\r\nSource: https://securelist.com/transparent-tribe-part-1/98127/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/transparent-tribe-part-1/98127/"
	],
	"report_names": [
		"98127"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0f701494fe4b7cb917f791f5ed543e39c17cb6b.pdf",
		"text": "https://archive.orkl.eu/f0f701494fe4b7cb917f791f5ed543e39c17cb6b.txt",
		"img": "https://archive.orkl.eu/f0f701494fe4b7cb917f791f5ed543e39c17cb6b.jpg"
	}
}