Cyber Security | 12:41 pm

Transparent Tribe Targets India in New RAT Cyber Attacks


The threat group known as Transparent Tribe has launched a new wave of attacks. These attacks target Indian government, academic, and strategic organizations. The group uses a remote access trojan (RAT) that gives them long-term control over infected systems.

The attack campaign uses deceptive delivery methods, according to CYFIRMA. It spreads a malicious Windows shortcut (LNK) file that looks like a real PDF document. The file even embeds full PDF content to avoid raising suspicion among users.

Transparent Tribe

Transparent Tribe, also known as APT36, is a hacking group known for running cyber espionage attacks, mainly against Indian organizations. Assessed to be of Indian origin, the state-sponsored adversary has been active since at least 2013.

Transparent Tribe uses many types of remote access trojans to achieve its goals. The group keeps updating its tools over time.

The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. When the file is opened, it runs a remote HTML Application (HTA) script using mshta.exe. This script decrypts the malware and loads the final RAT directly into memory. In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users’ suspicion.

After setting up the decoding routine, the HTA script uses ActiveX objects such as WScript.Shell to interact with the Windows system. CYFIRMA explained that this lets the malware profile the system environment and adjust its behaviour at runtime.


One of the malware's most notable traits is that it behaves differently depending on which antivirus product is installed on the computer. This lets it stay hidden and persist for a long time:

  • If Kaspersky is detected, the malware creates a folder at C:\Users\Public\core\. It saves a hidden HTA file there and adds a shortcut (LNK) to the Windows Startup folder. This shortcut runs the HTA file using mshta.exe every time the system starts.
  • If Quick Heal is detected, the malware uses a different method. It creates a batch file and a malicious shortcut in the Startup folder. It then saves the HTA file to disk and runs it through the batch file to stay active.
  • If Avast, AVG, or Avira is detected, the malware follows a simple method. It copies the malicious payload directly into the Windows Startup folder and runs it from there.
  • If no known antivirus software is found, the malware uses another approach. After this setup, it runs the batch script to keep the malware active.

The second HTA file contains a DLL called iinneldc.dll. This DLL works as a full remote access trojan (RAT) that lets attackers control the system remotely: manage files, steal data, take screenshots, read clipboard content, and control running processes.

The cybersecurity company said that APT36, also known as Transparent Tribe, remains a serious cyber-espionage threat. The group is highly persistent and focused on collecting intelligence. Its main targets include Indian government bodies, educational institutions, and other important sectors.

In recent weeks, APT36 has also been linked to another attack campaign that uses a malicious shortcut file. The file looks like a government advisory PDF and is named “NCERT-Whatsapp-Advisory.pdf.lnk”. When opened, it installs a .NET-based loader, which then drops more malicious files and DLLs. These files help the attackers run commands, gather system information, and keep long-term access.

The shortcut file runs a hidden command using cmd.exe. This command downloads an MSI installer called “nikmights.msi” from a remote server. The installer then starts a chain of actions that help the malware fully infect the system.

  • Extract and display a decoy PDF document to the victim
  • Decode and write DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
  • Drop “PcDirvs.exe” to the same location and execute it after a delay of 10 seconds
  • Establish persistence by creating a file called PcDirvs.hta, containing Visual Basic Script that changes the Windows Registry to run PcDirvs.exe every time the system starts
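The two persistence schemes described so far (the antivirus-dependent Startup-folder variants and the Run-key entry written by PcDirvs.hta) leave a small, recognisable set of artifacts, so one triage routine can check for both. The following is an added example, not CYFIRMA's or the article's code: it runs over constructed records shaped like the output of an artifact collector (a Startup-folder listing with resolved shortcut targets or batch command lines, and a dump of a Run key). The record field names, the sample file names, and the "world-writable location" rule are assumptions that go beyond the write-up.

```python
"""
Triage of Windows persistence artifacts matching the behaviours described
above. Added example: not CYFIRMA's or the article's code. The records are
constructed to resemble what an artifact collector would return; the field
names and sample file names are assumptions.
"""

# Locations named in the write-up.
STAGING_DIR = "c:\\users\\public\\core\\"
PCDIRVS_DIR = "c:\\programdata\\pcdirvs\\"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Bare scripts or HTAs have no business sitting directly in a Startup folder.
SCRIPT_EXTS = (".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Assumption beyond the write-up: Run values launching from world-writable
# roots deserve a look even when no campaign-specific path matches.
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\",
                  "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def triage_startup_item(item):
    """Return reasons one Startup-folder entry looks suspicious.

    item: {"path": file inside the Startup folder,
           "target": resolved LNK target, or the command a batch file runs
                     ("" when not applicable)}
    """
    reasons = []
    path = item["path"].lower()
    target = item.get("target", "").lower()
    if STARTUP_MARKER not in path:
        return reasons  # not a Startup-folder artifact at all
    if path.endswith(SCRIPT_EXTS):
        reasons.append("script or HTA dropped directly into the Startup folder")
    if "mshta.exe" in target or target.endswith(".hta"):
        reasons.append("startup item launches an HTA through mshta.exe")
    if STAGING_DIR in target or STAGING_DIR in path:
        reasons.append("references the C:\\Users\\Public\\core\\ staging folder")
    return reasons


def triage_run_value(entry):
    """Return reasons one Run-key value looks suspicious.

    entry: {"key": registry key, "name": value name, "command": value data}
    """
    reasons = []
    cmd = entry["command"].lower().strip().strip('"')
    if PCDIRVS_DIR in cmd:
        reasons.append("references the C:\\ProgramData\\PcDirvs\\ path")
    if "mshta.exe" in cmd or cmd.endswith(".hta"):
        reasons.append("Run value executes an HTA")
    if any(root in cmd for root in WRITABLE_ROOTS):
        reasons.append("Run value launches from a world-writable location")
    return reasons


def triage_all(startup_items, run_values):
    """Map each flagged artifact (file path, or key\\name) to its reasons."""
    findings = {}
    for item in startup_items:
        reasons = triage_startup_item(item)
        if reasons:
            findings[item["path"]] = reasons
    for entry in run_values:
        reasons = triage_run_value(entry)
        if reasons:
            findings[entry["key"] + "\\" + entry["name"]] = reasons
    return findings


# Constructed sample records (not real collection output).
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_STARTUP_ITEMS = [
    # Kaspersky branch: LNK that runs mshta.exe on a hidden HTA in C:\Users\Public\core\
    {"path": STARTUP + "\\Adobe Update.lnk",
     "target": "C:\\Windows\\System32\\mshta.exe C:\\Users\\Public\\core\\update.hta"},
    # Quick Heal branch: batch file that runs the on-disk HTA
    {"path": STARTUP + "\\run.bat",
     "target": "mshta.exe C:\\Users\\Public\\core\\update.hta"},
    # Avast/AVG/Avira branch: payload copied straight into Startup
    {"path": STARTUP + "\\report.hta", "target": ""},
    # Benign entry that should not be flagged
    {"path": STARTUP + "\\OneDrive.lnk",
     "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_RUN_VALUES = [
    # Persistence written by PcDirvs.hta in the NCERT-advisory campaign
    {"key": RUN_KEY, "name": "PcDirvs", "command": "C:\\ProgramData\\PcDirvs\\PcDirvs.exe"},
    # Benign entry
    {"key": RUN_KEY, "name": "SecurityHealth",
     "command": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for artifact, reasons in triage_all(SAMPLE_STARTUP_ITEMS, SAMPLE_RUN_VALUES).items():
        print(artifact)
        for reason in reasons:
            print("   -", reason)
```

Run on a real host, the same functions would take the output of a Startup-folder enumeration and a Run-key export; the campaign-specific paths catch this exact tooling, while the mshta.exe and script-in-Startup rules survive a rename of the folder or the files.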

It is important to note that the PDF shown to users is real. It is an advisory released in 2024 by National Cyber Emergency Response Team of Pakistan. The advisory warns about a fake WhatsApp message campaign. This campaign targets government offices in Pakistan and spreads malware using a harmful WinRAR file.

The DLL file named wininet.dll connects to a fixed command-and-control (C2) server at dns.wmiprovider[.]com. This server was registered in mid-April 2025. The C2 server is not active right now. However, the malware uses Windows Registry settings to stay persistent, which allows the threat to become active again at any time in the future.

The list of endpoints is as follows –

  • /retsiger (register): Registers the infected system with the C2 server.
  • /taebtraeh (heartbeat): Sends regular signals to show the system is active.
  • /dnammoc_teg (get_command): Runs attacker commands using cmd.exe.
  • /dnammocmvitna (antivmcommand): Checks or changes anti-VM settings to adjust how the malware behaves.
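The endpoint names above are ordinary English words spelled backwards, which makes both the known paths and the pattern itself easy to search for in proxy logs. The following is an added example, not the article's or CYFIRMA's code: it scans constructed proxy-log lines for the C2 host and the four documented endpoints, and, as a generalisation beyond the write-up, also flags an unknown path whose reversed last segment is a plausible C2 verb. The log format and the verb list are assumptions.

```python
"""
Proxy-log check for the C2 traffic pattern described above: a fixed C2 host
(dns.wmiprovider[.]com) and endpoint paths that are English words reversed.
Added example, not the article's or CYFIRMA's code; the log lines are
constructed to look like a generic web-proxy log and are not real traffic.
"""
import re
from urllib.parse import urlsplit

# Host and endpoints named in the write-up (defanging brackets removed for matching).
C2_HOSTS = {"dns.wmiprovider.com"}
KNOWN_ENDPOINTS = {"/retsiger", "/taebtraeh", "/dnammoc_teg", "/dnammocmvitna"}

# Assumption beyond the write-up: an unknown path whose *reversed* last segment
# is one of these verbs is flagged too, so a renamed endpoint is not missed.
C2_VERBS = {"register", "heartbeat", "get_command", "antivmcommand",
            "command", "beacon", "upload", "download", "result"}

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return a reason string if the request looks like this C2 protocol, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    last = path.rstrip("/").rsplit("/", 1)[-1].lower()
    if host in C2_HOSTS:
        return "request to known C2 host " + host
    if path.lower() in KNOWN_ENDPOINTS:
        return "known C2 endpoint " + path
    if last and last[::-1] in C2_VERBS:
        return "reversed-word endpoint %s (%r)" % (path, last[::-1])
    return None


def scan_log(lines):
    """Return [(client_ip, url, reason)] for every matching line; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append((ip, url, reason))
    return hits


# Constructed sample log (RFC 5737 / reserved addresses, not real clients or servers).
SAMPLE_LOG = """\
2025-05-02T10:01:12Z 10.0.4.17 POST http://dns.wmiprovider.com/retsiger 200
2025-05-02T10:02:12Z 10.0.4.17 GET http://dns.wmiprovider.com/taebtraeh 200
2025-05-02T10:02:40Z 10.0.4.22 GET https://www.example.org/register 200
2025-05-02T10:03:05Z 10.0.4.31 POST http://198.51.100.7/nocaeb 404
2025-05-02T10:03:20Z 10.0.4.22 GET https://cdn.example.net/assets/app.js 304
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for ip, url, reason in scan_log(SAMPLE_LOG):
        print(ip, url, "->", reason)
```

Note that a normal request to a path such as /register is not flagged: only the reversed spelling matches, which keeps the heuristic from firing on everyday web traffic.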

The DLL also checks which antivirus software is installed on the system. This helps it collect system details and makes it a powerful tool for spying and stealing sensitive information.

Patchwork Linked to New StreamSpy Trojan

The disclosure comes a few weeks after Patchwork, also known as Dropping Elephant or Maha Grass, was linked to new cyber attacks. The group is believed to be based in India. These attacks targeted Pakistan's defense sector. According to security researcher Idan Tarab, the group used phishing emails carrying ZIP files to spread a Python-based backdoor.

The malware is spread through ZIP files named “OPS-VII-SIR.zip” hosted on fire bases cloud email[.]com. Inside the ZIP file is a malicious file called “Annexure.exe.” This malware can collect system information and persist on the system using the Windows Registry, a scheduled task, or a shortcut file in the Startup folder. It communicates with its command-and-control server over HTTP and WebSocket connections. The list of supported commands is below –

  • F1A5C3, to download a file and open it using ShellExecuteExW
  • B8C1D2, to set the shell for command execution to cmd
  • E4F5A6, to set the shell for command execution to PowerShell
  • FL_SH1, to close all shells
  • C9E3D4, E7F8A9, H1K4R8, and C0V3RT are used to download encrypted ZIP files from the C2 server.
  • F2B3C4, to gather information about the file system and all disks connected to the device
  • D5E6F7, to perform file upload and download
  • A8B9C0, to perform file upload
  • D1E2F3, to delete a file
  • A4B5C6, to rename a file
  • D7E8F9, to enumerate a specific folder

Conclusion

The Chinese security company said that new tools like StreamSpy and Spyder show that the Maha Grass group keeps improving its attack tools.

In the StreamSpy trojan, attackers use WebSocket channels to send commands and receive results. This helps them avoid the detection that normal HTTP traffic often triggers. The related samples also indicate that the Maha Grass group shares some resources with the DoNot attack group, which suggests a possible connection between the two groups.
