Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps

Transparent Tribe APT spreads CapraRAT backdoor via fake secure messaging apps

A new cyber-espionage campaign has been detected that is targeting Indian and Pakistani Android users with a backdoor called CapraRAT.

The ongoing operation has been linked by ESET researchers to a suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) that largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

The latest Transparent Tribe campaign is focused on Indian and Pakistani Android users – presumably with a military or political orientation, ESET says. The threat actor is using trojanized secure messaging and calling apps branded as MeetsApp and MeetUp to infect victims with the CapraRAT malware capable of stealing any sensitive information from target devices.

CapraRAT is believed to be a modified version of the open source AndroRAT that was first detailed by Trend Micro in February 2022 and which exhibits overlaps with a Windows malware known as CrimsonRAT, known to be used only by Transparent Tribe.

The backdoor can take screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information. It can also receive commands to download files, make calls, and send SMS messages.

“Victims were probably targeted through a honey-trap romance scam, where they were initially contacted on another platform and then convinced to use supposedly “more secure” apps, which they were then lured into installing,” the researchers said.

These trojanized apps were distributed via fake websites disguised as the official distribution centers and there’s no indication that the malicious apps were ever available on Google Play.

Due to threat actor’s week operational security ESET researchers were able to identify more than 150 victims in India, Pakistan, Russia, Oman, and Egypt.


Back to the list

Latest Posts

Moldovan authorities arrest suspect tied to DoppelPaymer ransomware attacks

Moldovan authorities arrest suspect tied to DoppelPaymer ransomware attacks

The suspect remains in custody and is awaiting extradition to the Netherlands.
13 May 2025
North Korean TA406 hackers target Ukraine in ongoing phishing campaigns

North Korean TA406 hackers target Ukraine in ongoing phishing campaigns

The campaigns aim to harvest credentials and deliver malware, likely to gather intelligence related to the ongoing Russian invasion of Ukraine.
13 May 2025
International operation takes down Anyproxy and 5Socks botnet services

International operation takes down Anyproxy and 5Socks botnet services

In a separate action, German authorities shut down the German server infrastructure of the crypto swapping service eXch, suspected of laundering illicit funds.
13 May 2025