Transparent Tribe Deploys Sophisticated RATs in Latest Attack on Indian Institutions

The threat group known as Transparent Tribe has been linked to a new wave of cyberattacks aimed at Indian government agencies, academic institutions, and strategic organizations. These attacks deploy a remote access trojan (RAT) designed to provide persistent control over compromised systems.

According to a technical report by CYFIRMA, the campaign uses deceptive delivery techniques, notably a weaponized Windows shortcut (LNK) file disguised as a legitimate PDF document. The file even contains the full PDF content to reduce suspicion among users.

Transparent Tribe, also referred to as APT36, is a state-sponsored hacking group believed to originate from India. Active since at least 2013, the group is notorious for conducting cyber-espionage operations against Indian entities. Over the years, it has employed an evolving toolkit of RATs, including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

The latest campaign begins with a spear-phishing email carrying a ZIP archive that contains the malicious LNK file. When opened, the file executes a remote HTML Application (HTA) script via mshta.exe, which decrypts and loads the RAT payload directly into memory. Simultaneously, the HTA script downloads and opens a decoy PDF to avoid raising suspicion.

CYFIRMA notes that once the decoding process is complete, the HTA script uses ActiveX objects, particularly WScript.Shell, to interact with the Windows environment. This enables system profiling and runtime manipulation, ensuring compatibility and reliability—techniques commonly seen in malware leveraging mshta.exe.

A distinctive feature of this malware is its ability to adapt persistence mechanisms based on the antivirus software detected on the infected machine:

  • Kaspersky detected: Creates a working directory under C:\Users\Public\core\, writes an obfuscated HTA payload to disk, and adds a LNK file in the Startup folder to launch the HTA script via mshta.exe.
  • Quick Heal detected: Creates a batch file and a malicious LNK in the Startup folder, writes the HTA payload to disk, and executes it through the batch script.
  • Avast, AVG, or Avira detected: Copies the payload directly into the Startup directory and runs it.
  • No recognized antivirus: Falls back to a combination of batch file execution, registry-based persistence, and payload deployment before launching the batch script.

The second HTA file includes a DLL named iinneldc.dll, which acts as a fully functional RAT. Its capabilities include remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.

CYFIRMA emphasizes that APT36 remains a highly persistent and strategically motivated cyber-espionage threat, continuing to focus on intelligence collection from Indian government bodies, educational institutions, and other critical sectors.

In recent weeks, APT36 has been associated with another campaign that uses a malicious shortcut file disguised as a government advisory PDF (NCERT-Whatsapp-Advisory.pdf.lnk). This file delivers a .NET-based loader, which subsequently drops additional executables and DLLs to enable remote command execution, system reconnaissance, and persistent access. The shortcut executes an obfuscated command via cmd.exe to download an MSI installer (nikmights.msi) from a remote server (aeroclubofindia.co[.]in). Once retrieved, the installer performs several actions:

  • Extracts and displays a decoy PDF document to the victim.
  • Decodes and writes DLL files to C:\ProgramData\PcDirvs\pdf.dll and C:\ProgramData\PcDirvs\wininet.dll.
  • Drops PcDirvs.exe in the same directory and executes it after a 10-second delay.
  • Establishes persistence by creating PcDirvs.hta, which contains Visual Basic Script to modify the Windows Registry so that PcDirvs.exe runs at every system startup.
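
As an added detection example (not code from CYFIRMA's report or from this article), the following Python runs a few constructed Sysmon-style events through checks for the behaviours described in both campaigns above: mshta.exe launched with a remote HTA, script or shortcut droppers written to the Startup folder or to the C:\Users\Public\core\ and C:\ProgramData\PcDirvs\ staging directories, and a Run key pointing back into a staging directory. The event shape, field names and the sample URL are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# "type" is process / file / registry; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/page.hta"},  # placeholder URL
    {"type": "file", "path": r"C:\Users\Public\core\loader.hta"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\update.lnk"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "PcDirvs", "data": r"C:\ProgramData\PcDirvs\PcDirvs.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# mshta launched with a URL argument: the remote-HTA delivery step.
REMOTE_HTA_RE = re.compile(r"mshta(\.exe)?\s+.*https?://", re.I)
# Script or shortcut droppers landing in the per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|hta|bat|cmd)$", re.I)
# Staging directories named in the report.
STAGING_RE = re.compile(r"^C:\\(Users\\Public\\core|ProgramData\\PcDirvs)\\", re.I)
# HKCU/HKLM ...\CurrentVersion\Run autostart key.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "process" and REMOTE_HTA_RE.search(event.get("cmdline", "")):
        return "mshta_remote_hta"
    if kind == "file":
        path = event.get("path", "")
        if STARTUP_RE.search(path):
            return "startup_folder_dropper"
        if STAGING_RE.match(path):
            return "staging_dir_write"
    if kind == "registry" and RUN_KEY_RE.search(event.get("key", "")) \
            and STAGING_RE.match(event.get("data", "")):
        return "run_key_to_staging_dir"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Findings for a batch of events, in input order; benign events are skipped."""
    return [label for label in (classify(e) for e in events) if label]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```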

The displayed PDF is a legitimate advisory issued by the National Cyber Emergency Response Team of Pakistan (PKCERT) in 2024, warning about a fraudulent WhatsApp campaign distributing a malicious WinRAR file. The DLL wininet.dll connects to a hard-coded command-and-control (C2) server hosted at dns.wmiprovider[.]com, registered in mid-April 2025. Although the C2 is currently inactive, the Registry-based persistence ensures the threat can be reactivated at any time. According to CYFIRMA, the DLL uses multiple HTTP GET endpoints for communication, updates, and command retrieval. To evade detection, the endpoint strings are stored in reverse order. The endpoints include:

  • /retsiger (register) – Registers the infected system with the C2.
  • /taebtraeh (heartbeat) – Sends periodic beacons to the C2.
  • /dnammoc_teg (get_command) – Executes arbitrary commands via cmd.exe.
  • /dnammocmvitna (antivmcommand) – Queries or sets anti-VM status, likely to adjust behavior.
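
As an added triage example (not code from CYFIRMA's report or from this article), the Python below reads a constructed proxy log, reverses each request path to recover the endpoint names listed above, and checks whether the decoded heartbeats arrive at a fixed interval, which is what a beacon looks like in egress logs. The log format, timestamps and the 30-second jitter threshold are assumptions; the host is the page's defanged C2 name.

```python
import statistics
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Endpoint names reported by CYFIRMA; the DLL stores them reversed, so a log shows
# "/retsiger" where the protocol means "register".
C2_VERBS = {"register", "heartbeat", "get_command", "antivmcommand"}

# Constructed proxy log (not real telemetry): "timestamp host method path".
SAMPLE_LOG = """\
2025-04-20T10:00:00 dns.wmiprovider[.]com GET /retsiger
2025-04-20T10:05:00 dns.wmiprovider[.]com GET /taebtraeh
2025-04-20T10:10:00 dns.wmiprovider[.]com GET /taebtraeh
2025-04-20T10:15:00 dns.wmiprovider[.]com GET /taebtraeh
2025-04-20T10:15:01 dns.wmiprovider[.]com GET /dnammoc_teg
2025-04-20T10:16:00 www.example.com GET /index.html
"""


def decode_path(path: str) -> Optional[str]:
    """Reverse a request path and return the C2 verb it spells, if any."""
    word = path.lstrip("/")[::-1]
    return word if word in C2_VERBS else None


def parse(log: str) -> List[Tuple[datetime, str, str]]:
    rows = []
    for line in log.splitlines():
        ts, host, _method, path = line.split()
        rows.append((datetime.fromisoformat(ts), host, path))
    return rows


def triage(log: str, max_jitter_s: float = 30.0) -> Dict[str, dict]:
    """Per host: decoded verbs in order, plus whether heartbeats look periodic."""
    hosts: Dict[str, dict] = {}
    for ts, host, path in parse(log):
        verb = decode_path(path)
        if verb is None:
            continue  # ordinary traffic: path does not reverse into a known verb
        entry = hosts.setdefault(host, {"verbs": [], "beats": []})
        entry["verbs"].append(verb)
        if verb == "heartbeat":
            entry["beats"].append(ts)
    for entry in hosts.values():
        beats = sorted(entry["beats"])
        gaps = [(b - a).total_seconds() for a, b in zip(beats, beats[1:])]
        # A fixed-interval beacon shows two or more gaps with very little spread.
        entry["periodic"] = len(gaps) >= 2 and statistics.pstdev(gaps) <= max_jitter_s
        entry["interval_s"] = statistics.mean(gaps) if gaps else None
    return hosts
```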

The DLL also enumerates installed antivirus products, making it a powerful reconnaissance tool.

Patchwork and StreamSpy Trojan

This disclosure follows reports linking Patchwork (aka Dropping Elephant or Maha Grass), another suspected Indian-origin APT group, to attacks on Pakistan’s defense sector using a Python-based backdoor delivered via phishing emails with ZIP archives. Inside the archive is an MSBuild project that, when executed via msbuild.exe, deploys a dropper to install and launch the Python RAT. The malware can contact a C2 server, execute remote Python modules, run commands, and transfer files.

Security researcher Idan Tarab described the campaign as a modernized Patchwork toolkit, incorporating:

  • MSBuild LOLBin loaders
  • PyInstaller-modified Python runtimes
  • Marshalled bytecode implants
  • Geofencing
  • Randomized PHP C2 endpoints
  • Realistic persistence mechanisms

As of December 2025, Patchwork has also been linked to a new trojan named StreamSpy, which uses WebSocket and HTTP protocols for C2 communication. WebSocket handles command delivery and result feedback, while HTTP is used for file transfers. StreamSpy shares similarities with Spyder, a variant of the WarHawk backdoor attributed to SideWinder, suggesting resource-sharing between groups. Distributed via ZIP archives (OPS-VII-SIR.zip) hosted on firebasescloudemail[.]com, the malware (Annexure.exe) can:

  • Harvest system information
  • Establish persistence via Registry, scheduled tasks, or Startup LNK files
  • Communicate with C2 using HTTP and WebSocket

Supported commands include:

  • F1A5C3 – Download and open a file using ShellExecuteExW
  • B8C1D2 – Set shell for command execution to cmd
  • E4F5A6 – Set shell for command execution to PowerShell
  • FL_SH1 – Close all shells
  • C9E3D4, E7F8A9, H1K4R8, C0V3RT – Download encrypted ZIP files, extract, and open them
  • F2B3C4 – Gather file system and disk information
  • D5E6F7 – Upload and download files
  • A8B9C0 – Upload files
  • D1E2F3 – Delete files
  • A4B5C6 – Rename files
  • D7E8F9 – Enumerate folders

QiAnXin noted that StreamSpy’s download site also hosts Spyder variants with extensive data collection capabilities. The malware’s digital signature correlates with ShadowAgent, a RAT linked to the DoNot Team (aka Brainworm). Interestingly, 360 Threat Intelligence flagged the same Annexure.exe as ShadowAgent in November 2025.

QiAnXin concluded:

“The emergence of StreamSpy and Spyder variants from Maha Grass indicates continuous evolution of its attack arsenal. The use of WebSocket for command and feedback aims to evade detection and censorship of HTTP traffic. Correlated samples confirm resource-sharing between Maha Grass and DoNot groups.”
