APT36, also known as Transparent Tribe, is a Pakistan-based advanced persistent threat (APT) group active since at least 2013. It is widely attributed to Pakistani state interests and is primarily focused on cyber espionage against Indian government organizations, military, defense contractors, research centers, diplomats, and critical infrastructure. The group is also known by aliases such as ProjectM, Mythic Leopard, Earth Karkaddan, and SideCopy.

Key Characteristics

The group’s primary motivation is espionage and information theft. They target Indian government ministries and agencies, military and defense organizations, research institutions, and critical infrastructure. Secondary targets include Afghanistan, Sri Lanka, and a broad range of countries globally, though the primary focus remains India. They are known to attack Windows, Linux, and Android systems.

Tactics, Techniques, and Procedures (TTPs)

• Spearphishing: The group’s preferred vector, using emails that mimic legitimate communications (e.g., government notifications, security updates) with malicious attachments or links.
• Malvertising: Abuse of Google Ads to distribute trojanized applications, such as backdoored versions of the Kavach MFA app.
• Credential Phishing: Fake login pages for Indian government portals (e.g., National Informatics Centre’s Kavach login) to harvest credentials.
• Website Compromise: Hosting malicious payloads or redirecting to phishing pages via compromised or attacker-controlled domains.

Malware Arsenal

• Custom RATs: Including ElizaRAT, CrimsonRAT, CapraRAT, and others, often compiled for Windows and Linux.
• Modular Approach: Use of new tools like Limepad for data exfiltration and ApolloStealer for credential theft.
• Mobile Malware: Trojanized Android apps masquerading as legitimate government applications.

Persistence & Lateral Movement

• Registry Keys & Scheduled Tasks: For maintaining access after infection.
• Lateral Movement: Exploiting network shares and stolen credentials to move within victim networks.
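The two persistence mechanisms listed above (autorun registry keys and scheduled tasks) are visible in ordinary endpoint telemetry. The script below is an added detection example written for this profile; it is not code from the page or from any vendor. It scans Sysmon-style event records (EventID 13 registry value set, EventID 1 process create) for writes under Run/RunOnce keys and for schtasks.exe /create invocations, and raises the severity when the autorun target lives in a user-writable directory, which is where a phishing-delivered RAT usually drops. The event records, paths and field names are constructed for the example and are assumptions about how a SIEM would export such events.

```python
"""
Added example (not part of the original profile): flag Run-key and
scheduled-task persistence in Sysmon-style events. Field names follow
Sysmon EventID 1 (process create) and EventID 13 (registry value set)
but the export format itself is an assumption for this example.
"""
import re
import shlex

# Autorun locations commonly used for user- or machine-level persistence.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# A persisted binary living in one of these is far more suspicious than
# one under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def check_registry_event(event):
    """EventID 13: a value was written under a Run/RunOnce key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    details = event.get("Details", "")
    severity = "high" if USER_WRITABLE_RE.search(details) else "medium"
    return {
        "technique": "registry_run_key",
        "severity": severity,
        "image": event.get("Image", ""),
        "evidence": f"{target} = {details}",
    }


def check_schtasks_event(event):
    """EventID 1: schtasks.exe invoked with /create; inspect the /tr action."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes intact and keeps the quotes
        # on quoted tokens, which we strip below.
        argv = shlex.split(cmd, posix=False)
    except ValueError:
        argv = cmd.split()
    if not argv or not argv[0].strip('"').lower().endswith("schtasks.exe"):
        return None
    lowered = [a.lower() for a in argv]
    if "/create" not in lowered:
        return None
    action = ""
    if "/tr" in lowered:
        idx = lowered.index("/tr")
        if idx + 1 < len(argv):
            action = argv[idx + 1].strip('"')
    severity = "high" if USER_WRITABLE_RE.search(action) else "medium"
    return {
        "technique": "scheduled_task",
        "severity": severity,
        "image": event.get("Image", ""),
        "evidence": action or cmd,
    }


def find_persistence(events):
    """Run every check over every event and collect the hits in order."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_schtasks_event):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: user name, paths and task name are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "Sync" '
                    '/tr "C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['technique']}: {f['evidence']}")
```

Against the constructed sample this yields three findings: the AppData Run key (high), the Program Files Run key (medium, worth a baseline check rather than an alert), and the scheduled task pointing into Temp (high). The vendor-installed autorun is kept at medium deliberately; suppressing it outright would also hide a trojanized installer that writes to the same location.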

Command & Control (C2)

• Diverse Infrastructure: Use of HTTP/HTTPS, Telegram bots, and cloud services for C2.
• Obfuscation: Leveraging legitimate services (e.g., Google Drive, Telegram) to mask malicious activity.
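Because the C2 rides on services that every organisation allows, domain reputation does not help; the useful signals are which process talks to the service, which API endpoint it calls, and how regularly. The script below is an added example for this profile, not code from the page or from any product. It parses constructed proxy log lines, groups Telegram Bot API calls (whose path always carries the bot token) by source host and process, marks regular polling and outbound send* methods, and separately flags Google Drive uploads from processes that are not a browser or the official sync client. The log format, process names and the allow-list of expected Drive clients are assumptions made for the example.

```python
"""
Added example (not part of the original profile): surface C2 over
Telegram bots and Google Drive from process-aware proxy logs.
Log layout (ts,src_ip,process,host,path) is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Telegram Bot API requests always embed the bot token in the path.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[\w-]+/(\w+)")
# Processes from which a Drive upload is expected (assumed allow-list).
EXPECTED_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivesync.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log; the token value is a placeholder, not a real one.
SAMPLE_LOG = """\
2024-05-01T10:00:05,10.1.2.3,chrome.exe,www.googleapis.com,/drive/v3/files
2024-05-01T10:00:11,10.1.2.3,svchost.exe,api.telegram.org,/bot123456:EXAMPLE-TOKEN/getUpdates
2024-05-01T10:05:11,10.1.2.3,svchost.exe,api.telegram.org,/bot123456:EXAMPLE-TOKEN/getUpdates
2024-05-01T10:10:11,10.1.2.3,svchost.exe,api.telegram.org,/bot123456:EXAMPLE-TOKEN/sendDocument
2024-05-01T10:12:40,10.1.2.3,update.exe,www.googleapis.com,/upload/drive/v3/files
2024-05-01T10:13:02,10.1.2.3,chrome.exe,api.telegram.org,/bot123456:EXAMPLE-TOKEN/getMe
"""


def parse_log(text):
    """Turn the CSV-like lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, process, host, path = line.split(",", 4)
        records.append({"ts": datetime.fromisoformat(ts), "src_ip": src_ip,
                        "process": process, "host": host, "path": path})
    return records


def is_regular_interval(times, tolerance=0.1):
    """True when gaps between consecutive timestamps vary by <= tolerance."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or max(gaps) == 0:
        return False
    return (max(gaps) - min(gaps)) / max(gaps) <= tolerance


def analyze(records):
    findings = []
    telegram_hits = defaultdict(list)  # (src_ip, process) -> [(ts, method)]
    for r in records:
        if r["host"] == "api.telegram.org":
            match = TELEGRAM_BOT_RE.match(r["path"])
            if match:
                telegram_hits[(r["src_ip"], r["process"])].append((r["ts"], match.group(1)))
        elif r["host"].endswith("googleapis.com") and r["path"].startswith("/upload/drive/"):
            if r["process"].lower() not in EXPECTED_DRIVE_CLIENTS:
                findings.append({"kind": "drive_upload_unexpected_process",
                                 "src_ip": r["src_ip"], "process": r["process"],
                                 "severity": "medium"})
    for (src_ip, process), hits in telegram_hits.items():
        times = [t for t, _ in hits]
        methods = sorted({m for _, m in hits})
        regular = is_regular_interval(times)
        sends = any(m.startswith("send") for m in methods)  # data leaving the host
        non_browser = process.lower() not in BROWSERS
        severity = "high" if non_browser and (regular or sends) else "low"
        findings.append({"kind": "telegram_bot_api", "src_ip": src_ip,
                         "process": process, "count": len(hits),
                         "methods": methods, "regular_interval": regular,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample, svchost.exe polling getUpdates every five minutes and then calling sendDocument is rated high; the single getMe from a browser is kept as a low-severity record, and update.exe uploading to Drive is flagged at medium. Tuning the allow-list and the interval tolerance to the environment is the main operational work.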

Data Exfiltration

• Focus: Extraction of sensitive documents, credentials, and strategic information.
• Methods: Data is often compressed or encrypted and sent through established C2 channels.

Summary Table: APT36 (Transparent Tribe)

Aspect               Details
Country of Origin    Pakistan
Active Since         At least 2013
Aliases              Transparent Tribe, ProjectM, Mythic Leopard, Earth Karkaddan, SideCopy, APT-C-56
Primary Motivation   Espionage, information theft
Main Targets         Indian government, military, defense, research, critical infrastructure
Techniques           Spearphishing, malvertising, credential phishing, custom RATs, mobile malware
Recent Tools         ElizaRAT, Limepad, ApolloStealer, trojanized Kavach apps
C2 Methods           HTTP/HTTPS, Telegram bots, cloud services
Notable Features     Cross-platform targeting, evolving toolkit, use of legitimate services for obfuscation

Synonyms:
APT36, ProjectM, Mythic Leopard, Earth Karkaddan