Transparent Tribe exploits trusted platforms to target India

May 28, 2024

A notorious hacker group with ties to Pakistan, known as Transparent Tribe, has launched a series of sophisticated cyberattacks against the Indian government, defence, and aerospace sectors.

This campaign, spanning from late 2023 to April 2024, is projected to continue. Transparent Tribe, also known as APT36, Earth Karkaddan, and PROJECTM, among other aliases, has a long history of cyber espionage dating back to at least 2013.

The recent attacks involve cross-platform malware written in Python, Golang, and Rust, demonstrating the group’s ability to work across multiple programming languages to achieve its objectives. According to a report, the spear-phishing campaigns leverage legitimate online services like Discord, Google Drive, Slack, and Telegram, highlighting how threat actors misuse trusted platforms for delivery and command-and-control.

These email-based attacks targeted three companies connected to the Department of Defense Production (DDP) in India, all headquartered in Bengaluru. While the specific names of the firms were not disclosed, indications suggest that Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited were among the intended victims.

Transparent Tribe is known for its evolving tactics and extensive use of various malware families, including CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo. Notably, some of these tools are linked to a freelance developer group based in Lahore, Pakistan, where at least one government employee is reported to work as a mobile app developer.


Preying on the Indian government’s reliance on Linux systems, Transparent Tribe distributes ELF binaries via spear-phishing emails containing malicious URLs or ZIP packages.


The group’s attack methodology primarily involves spear-phishing emails that deliver payloads via malicious links or ZIP archives. Due to the Indian government’s reliance on Linux-based systems, the group focuses particularly on distributing ELF binaries. The malware deployed includes three different versions of GLOBSHELL, a Python-based information-gathering tool, and PYSHELLFOX, which extracts data from Mozilla Firefox.

Additionally, researchers identified several scripts and binaries hosted on a domain controlled by the hackers. These include swift_script.sh, a bash version of GLOBSHELL; Silverlining.sh, an open-source command-and-control framework called Sliver; swift_uzb.sh, designed to gather files from connected USB drives; afd.exe, an intermediary executable that downloads win_hta.exe and win_service.exe, which are Windows variants of GLOBSHELL.

In October 2023, a tactical shift was observed in Transparent Tribe’s operations. The group began using ISO images to deploy a Python-based remote access trojan that communicates with its operators via Telegram. This method has been part of their strategy since early 2024.

Further analysis revealed a Golang-compiled “all-in-one” espionage tool capable of finding and exfiltrating files, taking screenshots, uploading and downloading files, and executing commands. This tool, a modified version of the open-source project Discord-C2, uses Discord for command-and-control and is distributed through ELF binaries packed in ZIP archives.
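The delivery pattern described above, ELF binaries and shell scripts packed inside ZIP archives sent to Linux users, is easy to screen for at a mail gateway or in a triage pipeline. The following Python is an added example written for this page, not code from the report or from any of the tools named here. It opens a ZIP archive in memory, reads only the first four bytes of each member, and flags members whose content starts with the ELF magic number or whose name carries a script, disk-image or executable extension. The sample archive it builds (a placeholder document, a stub that only carries the ELF header, and a one-line shell script) is constructed for the demonstration and is not a real sample.

```python
import io
import zipfile

# Every ELF file begins with these four bytes, regardless of architecture.
ELF_MAGIC = b"\x7fELF"
# Extensions matching the tooling the report describes: bash scripts, ISO images, Windows executables.
SUSPICIOUS_SUFFIXES = (".sh", ".iso", ".exe")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks suspicious (empty list if none)."""
    reasons = []
    if head.startswith(ELF_MAGIC):
        reasons.append("ELF executable")
    lower = name.lower()
    if lower.endswith(SUSPICIOUS_SUFFIXES):
        reasons.append(f"suspicious extension {lower.rsplit('.', 1)[-1]}")
    return reasons


def inspect_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons.

    Only the first 4 bytes of each member are decompressed, so a large or
    deliberately bloated archive does not have to be fully extracted.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a placeholder document, an ELF-header stub
    with an innocuous name, and a shell script. None of these is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4 constructed placeholder")
        # ELF header bytes followed by padding; the extensionless name mimics
        # a binary dropped alongside a document.
        zf.writestr("docs/report", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
        zf.writestr("setup.sh", b"#!/bin/sh\necho constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Checking the magic bytes rather than the file name is the important part: the extensionless `docs/report` member is flagged as an ELF executable even though nothing in its name suggests a binary, while `notice.pdf` passes. In a real pipeline the flagged archive would be quarantined for analyst review rather than blocked outright, since legitimate software bundles also contain ELF files.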

Security researchers emphasised the persistent threat posed by Transparent Tribe, noting their continual adaptation of tactics, techniques, and procedures to evade detection and maintain pressure on critical sectors vital to India’s national security.
