APT36

Threat Actor updated a month ago (2024-11-29T13:43:36.014Z)
Download STIX
Preview STIX
APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco Talos. APT36 is notorious for its use of custom tools such as ElizaRAT, a Windows Remote Access Tool (RAT) first disclosed in September 2023, and ApoloStealer, which employs techniques similar to other Transparent Tribe malware. These tools have been deployed in targeted attacks on high-profile entities in India, with multiple likely successful campaigns observed in 2024. The Transparent Tribe APT group has shown a distinctive pattern in their operations, including the use of unique authorship attributes in their decoy files, specifically the name "Apolo Jones". The same name has been found in various aspects of Transparent Tribe’s operations and across samples of malware associated with the group. They also maintain a network of malicious domains under the names vebhost[.]com and zainhosting[.]net/com, operated by "ZainHosting", which are used to register, renew, and administer several malicious web pages over time. In terms of attack vectors, APT36 has demonstrated innovation and adaptation. In 2023, Zscaler documented the group's unprecedented use of Linux desktop entry files as an attack vector. Furthermore, while the weaponization of legitimate tooling is not a new phenomenon among threat actors, Transparent Tribe only started using ISO images, which typically appear as disks to the operating system, toward the end of 2023 according to BlackBerry. This highlights the group's persistent efforts to evolve their tactics and techniques to achieve their malicious objectives.
Description last updated: 2024-11-04T16:02:47.160Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Transparent Tribe is a possible alias for APT36. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
4
SideCopy is a possible alias for APT36. SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Troj
3
Sidewinder is a possible alias for APT36. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u
3
Mythic Leopard is a possible alias for APT36. Mythic Leopard, also known as Transparent Tribe, APT36, and ProjectM, is a threat actor group likely serving the strategic intelligence requirements of the Pakistani state. The group has been active since at least 2013, demonstrating prolific activity in cyber espionage. The group primarily targets
3
ProjectM is a possible alias for APT36. ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Rat
Android
Implant
Windows
Trojan
Phishing
Espionage
Payload
Spyware
Linux
Youtube
Backdoor
Decoy
Pakistan
Scams
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Crimson Malware is associated with APT36. Crimson is a malware used in various cyber-espionage campaigns, most notably in Operation Crimson Palace. This operation has been active since March 2023, with heightened activity observed in 2024. It is a concerted effort by three Chinese Advanced Persistent Threat (APT) groups targeting Southeast Unspecified
4
The ElizaRAT Malware is associated with APT36. ElizaRAT, a malicious software first discovered in 2023, has been continuously tracked and analyzed by Check Point Research due to its persistent use in targeted cyberattacks. The malware is deployed by Transparent Tribe (also known as APT36), a cyber espionage group attributed to Pakistan, primarilUnspecified
3
The Crimson Rat Malware is associated with APT36. Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, TraUnspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with APT36. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
2
Source Document References
Information about the APT36 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
16 days ago
InfoSecurity-magazine
2 months ago
DARKReading
2 months ago
Checkpoint
2 months ago
DARKReading
7 months ago
Securityaffairs
6 months ago
BankInfoSecurity
6 months ago
DARKReading
6 months ago
BankInfoSecurity
7 months ago
ESET
8 months ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago