ProjectM

Threat Actor updated a month ago (2024-11-29T14:19:34.835Z)
Download STIX
Preview STIX
ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of cyber attack methods. These include spear-phishing emails and watering hole attacks, where they set up malicious websites or compromise legitimate ones to deliver payloads to their targets. ProjectM notably used a blog titled “India News Tribe” as a watering hole to deliver these payloads. During the investigation into ProjectM's activities, several command and control domains used by the group were analyzed, including those for the Andromeda, Crimson, and Peppy Trojans. This analysis led to the discovery of connections between ProjectM’s infrastructure and an individual residing in Pakistan. The email address linked to this individual was found in the advertisement for Xtex Studios and was further associated with a Google+ profile containing posts related to domains hosting payloads or acting as C2 servers for ProjectM. This suggests that the individual possesses skills that could be valuable to offensive campaigns like those conducted by ProjectM. Trend Micro reported finding gigabytes of personal identifiable information (PII), primarily belonging to Indian Army personnel, on open directories on C2 servers related to ProjectM. This indicates that the threat actor not only carries out targeted attacks but also collects and possibly exploits sensitive data. In addition, the group has been observed using malicious Excel documents with macros to download and install payloads in its attack campaign. Unit 42 saw this domain hosting several ProjectM tools, including identical Andromeda and Peppy samples previously observed using a different C2, suggesting that the actor reuses domains and servers to host content and payloads unrelated to their original purpose.
Description last updated: 2024-05-04T20:32:02.504Z
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT36 is a possible alias for ProjectM. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco T
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the ProjectM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more