Menu
Browse

Cyber Threat Actor: APT36

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Pakistan
2 incidents
Profile

Transparent Tribe, also tracked as APT36, is a threat actor group that has been publicly linked to Pakistan. The group focuses its operations on Indian government entities, as evidenced by multiple campaigns targeting employees of Indian government organizations. Its activities have been observed throughout 2022, during which it employed a mix of custom and existing malware tools. The actor’s infrastructure includes compromised Indian government‑related websites for staging and German‑hosted servers for command and control.

Initial access is commonly achieved through phishing emails that deliver malicious ZIP archives containing shortcut (.LNK) files, which execute HTA scripts via mshta.exe to launch multi‑stage infection chains. The group also uses malvertising via Google advertisements to distribute trojanized versions of two‑factor authentication software, redirecting victims from spoofed government domains to credential‑harvesting pages. Observed malware families include CrimsonRAT, ObliqueRAT, and a custom data exfiltration tool named Limepad, which is modular and built with custom Python libraries. Persistence is established through registry keys, and the deployed RATs seek specific files such as the Kavach authentication database while enabling screenshot capture, additional payload execution, and encrypted C2 communication.

In December 2022, a campaign dubbed STEPPY#KAVACH targeted Indian government entities with a phishing‑delivered ZIP that led to a C#‑based RAT designed to exfiltrate the kavach.db file and maintain long‑term access. Earlier in November 2022, the group leveraged the Limepad tool alongside CrimsonRAT and ObliqueRAT in a malvertising campaign that used Google ads to spread trojanized authentication software and harvest credentials from Indian IP addresses. Public reporting notes tactical overlaps with other Pakistan‑linked groups such as SideCopy, reinforcing the attribution of these activities to APT36/Transparent Tribe. These incidents illustrate the actor’s recurring focus on data theft and credential harvesting against Indian government targets.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source