APT36

Threat Actor Profile Updated 6 days ago
APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor suspected to be based in Pakistan and active since at least 2013. The group conducts cyberespionage, deploying an array of espionage and data exfiltration tools that are primarily compatible with the Linux platform. APT36 previously focused on Indian military and government personnel, distributing malicious education-themed content hosted on known APT36 infrastructure. According to the BlackBerry Threat Research and Intelligence team, the group has recently shifted toward distributing Executable and Linkable Format (ELF) binaries, the common Linux executable file format.

The group's operations have been linked to several malicious campaigns, including the eXotic Visit campaign, which used modified versions of the widely available XploitSPY malware, distinctive for their unique modifications. APT36 has also been associated with the CapraRAT malware, distributed through CapraTube, a novel YouTube-like Android application. ObliqueRAT, another tool linked to APT36, has appeared in its recent campaigns, and the group has been observed using Globshell, a custom-built file exfiltration tool for Linux. Cisco Talos has identified a further malicious campaign operated by APT36.

The group owns and operates several domains, such as vebhost[.]com and zainhosting[.]net/com, which it uses to register, renew, and administer numerous malicious web pages over time. Notably, there are tactical overlaps between APT36 and SideCopy, a threat actor believed to be a subordinate element of Transparent Tribe and likewise linked to Pakistan. Both groups use a similar naming convention for their payloads, which often begin with the 'boss' prefix.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Transparent Tribe | 4 | Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
SideCopy | 3 | SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat
Sidewinder | 3 | The Sidewinder group, also known as Rattlesnake, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a threat actor with a history dating back to 2012. Believed to originate from South Asia, the group has targeted various sectors such as Government, Military, Educ
ProjectM | 2 | ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, APT, Android, RAT, Trojan, Phishing, Espionage, Linux, Windows, YouTube, Backdoor, Spyware
Associated Malware
ID | Type | Votes | Profile Description
Crimson | Unspecified | 4 | Crimson is a malicious software (malware) that has been actively used in cyberattacks since 2013. It was notably deployed by ProjectM, a cybercriminal group known for its extensive use of malware such as the Crimson RAT, Capra RAT, and Oblique RAT in their campaigns. The malware was disseminated thr
Crimson Rat | Unspecified | 3 | Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, Tra
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the APT36 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 8 months ago | A peek into APT36’s updated arsenal | Zscaler
BankInfoSecurity | a year ago | APT36 Running Espionage Ops Against India's Education Sector
InfoSecurity-magazine | a year ago | Pakistan-Aligned Hackers Disrupt Indian Education Sector
ESET | a year ago | Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials | WeLiveSecurity
CERT-EU | 7 months ago | SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
BankInfoSecurity | 6 days ago | Pakistani-Aligned APT36 Targets Indian Defense Organizations
CERT-EU | 8 months ago | Fake YouTube apps leveraged for CapraRAT malware distribution
MITRE | a year ago | Transparent Tribe APT expands its Windows malware arsenal
CERT-EU | a year ago | Meta Cracks Down on South Asian Cyberespionage Groups
MITRE | a year ago | SideCopy APT: Connecting lures to victims, payloads to infrastructure
CERT-EU | 8 months ago | Hackers Using Fake YouTube Apps To Infect Android Devices
CERT-EU | 8 months ago | APT36 state hackers infect Android devices using YouTube app clones
CERT-EU | 8 months ago | Chinese cyberespionage campaign involves novel Linux backdoor
CERT-EU | 8 months ago | Second highest ransomware profits expected this year
CERT-EU | a year ago | Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence
CERT-EU | 8 months ago | Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | APT hackers set a honeytrap to ensnare victims – Week in security with Tony Anscombe | WeLiveSecurity
CERT-EU | 10 months ago | Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
CERT-EU | a year ago | Pakistan-based hackers target Indian Army, IITs; chat apps used, dangerous file names and more | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | a year ago | Why Pakistani Hackers Are Now Targeting IITs, NITs: All Details | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting