Transparent Tribe

Threat Actor updated 7 months ago (2024-05-04T20:09:18.393Z)
Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT and CrimsonRAT malware through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has also used the CapraRAT backdoor against Indian and Pakistani users, as reported by news outlets in April 2023. Additionally, ESET researchers have identified an ongoing Transparent Tribe campaign targeting mainly Indian and Pakistani Android users with military or political backgrounds. Cisco Talos has been tracking a new malicious campaign operated by Transparent Tribe that uses a spear-phishing attack to distribute the CrimsonRAT malware disguised as a Microsoft Word document. The document contains a macro that downloads the malware onto the victim's computer. Researchers from Talos believe that the group is using this campaign to establish long-term access to victim networks. The group's constantly changing operational and targeting strategies require ongoing vigilance to mitigate the threat it poses. Organizations in South Asia, particularly those with military or political affiliations, should be aware of the group's activities and take appropriate measures to protect themselves from cyber attacks.
Description last updated: 2023-06-21T15:15:48.750Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
APT36 is a possible alias for Transparent Tribe. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco T | 4
Sidewinder is a possible alias for Transparent Tribe. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
APT
RAT
Android
Backdoor
Windows
Phishing
Associated Malware
Alias Description | Association Type | Votes
The Crimson Malware is associated with Transparent Tribe. Crimson is a malware used in various cyber-espionage campaigns, most notably in Operation Crimson Palace. This operation has been active since March 2023, with heightened activity observed in 2024. It is a concerted effort by three Chinese Advanced Persistent Threat (APT) groups targeting Southeast | Unspecified | 4
Associated Threat Actors
Alias Description | Association Type | Votes
The SideCopy Threat Actor is associated with Transparent Tribe. SideCopy is a Pakistani threat actor, or Advanced Persistent Threat (APT), that has been active since at least 2019, predominantly targeting South Asian countries, specifically India and Afghanistan. Its modus operandi includes the use of archive files embedded with Lnk, Microsoft Publisher, or Troj | Unspecified | 3