A new cyber-espionage campaign has been detected that is targeting Indian and Pakistani Android users with a backdoor called CapraRAT.

The ongoing operation has been linked by ESET researchers to a suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) that largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

The latest Transparent Tribe campaign is focused on Indian and Pakistani Android users – presumably with a military or political orientation, ESET says. The threat actor is using trojanized secure messaging and calling apps branded as MeetsApp and MeetUp to infect victims with the CapraRAT malware capable of stealing any sensitive information from target devices.

CapraRAT is believed to be a modified version of the open source AndroRAT that was first detailed by Trend Micro in February 2022 and which exhibits overlaps with a Windows malware known as CrimsonRAT, known to be used only by Transparent Tribe.

The backdoor can take screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information. It can also receive commands to download files, make calls, and send SMS messages.

“Victims were probably targeted through a honey-trap romance scam, where they were initially contacted on another platform and then convinced to use supposedly “more secure” apps, which they were then lured into installing,” the researchers said.

These trojanized apps were distributed via fake websites disguised as the official distribution centers and there’s no indication that the malicious apps were ever available on Google Play.

Due to threat actor’s week operational security ESET researchers were able to identify more than 150 victims in India, Pakistan, Russia, Oman, and Egypt.