APT36

Threat Actor updated 17 days ago (2024-11-08T12:44:40.649Z)
APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has persistently targeted Indian government organizations, diplomatic personnel, and military facilities. The group has been involved in several malicious campaigns, the most recent of which is tracked by Cisco Talos. APT36 is notorious for its use of custom tools such as ElizaRAT, a Windows Remote Access Tool (RAT) first disclosed in September 2023, and ApoloStealer, which employs techniques similar to other Transparent Tribe malware. These tools have been deployed in targeted attacks on high-profile entities in India, with multiple likely successful campaigns observed in 2024.

Transparent Tribe shows a distinctive pattern in its operations, including the use of unique authorship attributes in its decoy files, specifically the name "Apolo Jones". The same name appears in various aspects of Transparent Tribe's operations and across malware samples associated with the group. The group also maintains a network of malicious domains under the names vebhost[.]com and zainhosting[.]net/com, operated by "ZainHosting", which are used to register, renew, and administer several malicious web pages over time.

In terms of attack vectors, APT36 has demonstrated innovation and adaptation. In 2023, Zscaler documented the group's unprecedented use of Linux desktop entry files as an attack vector. While the weaponization of legitimate tooling is not new among threat actors, Transparent Tribe only began using ISO images, which the operating system typically presents as disks, toward the end of 2023, according to BlackBerry. This highlights the group's persistent efforts to evolve its tactics and techniques to achieve its objectives.
Description last updated: 2024-11-04T16:02:47.160Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Transparent Tribe is a possible alias for APT36. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has… (Votes: 4)
SideCopy is a possible alias for APT36. SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Troj… (Votes: 3)
Sidewinder is a possible alias for APT36. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u… (Votes: 3)
Mythic Leopard is a possible alias for APT36. Mythic Leopard, also known as Transparent Tribe, APT36, and ProjectM, is a threat actor group likely serving the strategic intelligence requirements of the Pakistani state. The group has been active since at least 2013, demonstrating prolific activity in cyber espionage. The group primarily targets… (Votes: 3)
ProjectM is a possible alias for APT36. ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of… (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
APT
RAT
Android
Implant
Windows
Trojan
Phishing
Espionage
Payload
Spyware
Linux
Backdoor
Decoy
Pakistan
Scams
YouTube
Associated Malware
Alias | Description | Association Type | Votes
The Crimson Malware is associated with APT36. Crimson is a malware used in various cyber-espionage campaigns, most notably in Operation Crimson Palace. This operation has been active since March 2023, with heightened activity observed in 2024. It is a concerted effort by three Chinese Advanced Persistent Threat (APT) groups targeting Southeast… (Association type: Unspecified; Votes: 4)
The Elizarat Malware is associated with APT36. ElizaRAT, a malicious software first discovered in 2023, has been continuously tracked and analyzed by Check Point Research due to its persistent use in targeted cyberattacks. The malware is deployed by Transparent Tribe (also known as APT36), a cyber espionage group attributed to Pakistan, primaril… (Association type: Unspecified; Votes: 3)
The Crimson Rat Malware is associated with APT36. Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, Tra… (Association type: Unspecified; Votes: 3)
Source Document References
Information about the APT36 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
InfoSecurity-magazine (20 days ago)
DARKReading (20 days ago)
Checkpoint (21 days ago)
DARKReading (6 months ago)
Securityaffairs (5 months ago)
BankInfoSecurity (5 months ago)
DARKReading (5 months ago)
BankInfoSecurity (6 months ago)
ESET (7 months ago)
CERT-EU (8 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)