The Pakistan-linked advanced persistent threat (APT) group known as Transparent Tribe has been identified targeting the Indian government, defense, and aerospace sectors using cross-platform malware. The activity spanned from late 2023 to April 2024, according to a recent report by the BlackBerry Research and Intelligence Team.
Transparent Tribe, also tracked as APT36, ProjectM, Mythic Leopard, or Earth Karkaddan, has a well-documented history of cyber espionage against Indian targets. The group's latest campaign leverages malware written in Python, Golang, and Rust to enhance their attack vectors and evade detection.
While Transparent Tribe’s operations are not overly sophisticated, the group is known for its adaptability and persistent targeting of India's defense and government sectors. Its arsenal includes a variety of malware families such as CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo. The latter two have been linked to a freelance developer group based in Lahore, Pakistan.
The group's attack chains often begin with spear-phishing emails, which deliver malicious payloads via links or ZIP archives. A key focus has been on distributing ELF binaries, taking advantage of the Indian government’s reliance on Linux-based systems. The infections typically culminate in the deployment of various versions of GLOBSHELL, a Python-based information-gathering utility. Additionally, PYSHELLFOX has been used to exfiltrate data specifically from Mozilla Firefox.
Recent campaigns have seen the group utilizing cross-platform programming languages such as Python, Golang, and Rust. They have also exploited popular web services like Telegram, Discord, Slack, and Google Drive for their malicious activities.
In October 2023, the group introduced ISO images as an attack vector, a method observed in their current operations. The BlackBerry team said they discovered a new Golang-compiled “all-in-one” espionage tool capable of finding and exfiltrating files with common extensions, taking screenshots, uploading and downloading files, and executing commands.
The spear-phishing campaigns have targeted three companies that are key stakeholders and clients of India’s Department of Defense Production (DDP): those in the aerospace sector and a major manufacturer of earth-moving equipment.