Transparent Tribe Hackers Attack Indian Officials With New Hacking Campaigns

Another campaign targeting Windows-based remote access trojan named CrimsonRAT has been associated with the Transparent Tribe hacking group, a threat actor of Pakistani origin, since as far back as June 2021.

CapraRAT, a backdoor that exhibits a high level of “crossover” with CrimsonRAT, was recently added to the arsenal of malware tools used by advanced persistent threats to compromise Android devices.


The Transparent Tribe hacking group mainly targets entities from the military and government sectors in the countries like Afghanistan and India for cyber espionage

Malware families used

The operators of the Transparent Tribe group carry out espionage against its targets primarily using three families of Windows-based malware, and here they are mentioned below:-

  • CrimsonRAT: A .NET-based implant, since at least 2020, the group has been using this .NET-based implant.
  • ObliqueRAT: It’s an implant that is based on C/C++ and this implant was discovered in early 2020 with the primary purpose of targeting officials from the government sector.
  • Custom malware: Comparatively to CrimsonRAT and ObliqueRAT, this malware offers a variety of downloaders, droppers, and lightweight RATs that can be deployed quickly.

Infection chain

To execute and run arbitrary code on the compromised systems the threat actors use fake domains through which they mimic or clone the legitimate government and related organizations.

With the help of these malicious cloned websites they deliver the following malicious payloads:-

  • Python-based stager – It’s used to install .NET-based reconnaissance tools.
  • RATs – They are used as barebones .NET-based implants.
  • Decoy PDF document containing a COVID-19-themed lure.
  • VBS file – for executing the stager and displaying the decoy.
  • Malicious LNK file – For activating the VBS on the endpoint.

Rather than using HTTP files for distribution, the attacker uses IMG files that contain multiple infection artifacts designed to trick targets into downloading the malware.

As they wrap the malware into IMG files and deliver them to infect their target, it’s one of the most sophisticated tactics used by the attackers to infect and compromise the systems of their targets.

The APTs and crimeware operators are increasingly using IMG files as delivery methods for malware since Windows versions newer than XP are natively capable of opening IMG files.

The Transparent Tribe makes use of a variety of delivery methods in addition to rapidly changing deployment tactics and malicious functionality. 

Here below we have mentioned all the delivery methods used by the Transparent Tribe:-

  • Executables impersonating installers
  • Archive files
  • Weaponized documents

To spread commodities RATs and Netwire and Warzone (AveMaria) trojans using themes pertaining to the “Kavach” MFA application, Talos announced Operation Armor Piercer in September 2021. 

For access to email in India, the government mandates Kavach as a two-factor authentication solution. It has also been observed that lures and decoys containing COVID-themed advisories specifically target Indian government employees.

While in previous operations, this tactic was used by the Transparent Tribe as well. In July 2021, a threat actor by the name of SideCopy conducted a campaign.

Several other APT groups have also attacked government personnel in India using similar themes and tactics to Transparent Tribe, including the APT group SideCopy.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.