EXECUTIVE SUMMARY
A recent campaign orchestrated by the Pakistan-linked threat group Transparent Tribe (APT36) has targeted Indian Government and Defense personnel using phishing documents themed around the Pahalgam terror attack. The campaign strategically capitalizes on a national security event, using it as a lure to increase trust and urgency among recipients. The malicious documents are disguised as official government briefings and internal response reports, crafted to resemble legitimate communications. These phishing files are distributed with links that lead victims to fake login portals designed to steal government credentials. Transparent Tribe registered fake domains that closely mimic official websites, incorporating language tied to the incident in Kashmir to enhance authenticity.
Upon examination, the phishing documents were found to contain embedded URLs that redirect to spoofed login pages visually identical to authentic government platforms. The links target users with email addresses tied to Indian governmental institutions. In addition to PDF-based lures, the campaign also includes PowerPoint add-ins embedded with malicious macros. These files extract payloads into hidden system directories and determine the next steps based on the operating system version. Once executed, they open decoy files while silently launching the Crimson Remote Access Trojan (RAT), a malware strain frequently deployed by Transparent Tribe in its campaigns. This dual-function approach blends social engineering with stealthy payload delivery, ensuring both user interaction and technical execution. The lure documents cover a broad range of topics, including internal defense meetings and diplomatic agendas, showing how quickly the group adapts its themes based on current affairs.
The Crimson RAT deployed in this campaign exhibits signs of consistent development, with executables masked under innocuous names and stored in concealed paths. The malware supports over twenty commands for surveillance, system manipulation, and data exfiltration, giving Transparent Tribe extensive control over infected machines. The C2 connection is hardcoded, allowing uninterrupted communication between compromised systems and attacker infrastructure. All the malware samples identified were compiled shortly before the phishing campaign began, indicating a tightly coordinated timeline. The operation highlights Transparent Tribe’s ability to merge psychological tactics with sophisticated malware deployment, using realistic and contextually relevant themes to bypass user skepticism. Their focus on high-value government targets and use of strategic lures aligned with real-world events demonstrate their intent to maintain long-term access for espionage and intelligence-gathering activities.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Execution | T1204 | User Execution |
| Persistence | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1124 | System Time Discovery |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Standard Port |
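The infection chain described above (a PowerPoint add-in drops an executable into a user-writable location, opens a decoy, and the dropped binary talks to a hardcoded C2, often on a non-standard port per T1095) can be turned into a simple correlation rule over endpoint telemetry. The following is an added detection example, not code from the report or the threat actor; the event format, paths, IP addresses and port are constructed sample data, not indicators from this campaign.

```python
"""Flag Office-spawned executables in user-writable paths that connect to non-standard ports."""
import ntpath

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
STANDARD_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")

# Constructed Sysmon-like telemetry (example only, not report IoCs). PowerPoint spawns a
# dropped binary (pid 4388) and a legitimate decoy viewer (pid 4390); only one beacons out.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4388, "image": r"C:\Users\analyst\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"type": "process", "pid": 4390, "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"type": "network", "pid": 4388, "dest_ip": "203.0.113.10", "dest_port": 9146},
    {"type": "network", "pid": 4390, "dest_ip": "203.0.113.20", "dest_port": 443},
]


def office_children(events):
    """Map pid -> image path for every process whose parent is an Office application."""
    return {
        e["pid"]: e["image"]
        for e in events
        if e["type"] == "process"
        and ntpath.basename(e["parent_image"]).lower() in OFFICE_PARENTS
    }


def suspicious_path(image):
    """True when an executable lives outside Program Files / Windows (typical of dropped payloads)."""
    return not image.lower().startswith(TRUSTED_PREFIXES)


def detect(events):
    """Return alerts for Office children in suspicious paths with outbound non-standard-port traffic."""
    children = office_children(events)
    alerts = []
    for e in events:
        if e["type"] != "network" or e["pid"] not in children:
            continue
        image = children[e["pid"]]
        if suspicious_path(image) and e["dest_port"] not in STANDARD_PORTS:
            alerts.append({"pid": e["pid"], "image": image,
                           "dest": f'{e["dest_ip"]}:{e["dest_port"]}'})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The decoy viewer spawned by the same PowerPoint process is not flagged because it runs from a trusted path and uses a standard port, which is the distinction the rule relies on.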