Transparent Tribe's New RAT Attacks: Targeting Indian Government & Academia | Cybersecurity Alert (2026)

Imagine a shadowy group of hackers, operating with precision and stealth, launching a series of cyberattacks against a nation's government and academic institutions. This is the chilling reality India faces as Transparent Tribe, a notorious hacking collective, unleashes a new wave of Remote Access Trojan (RAT) attacks. But here's where it gets even more alarming: these attacks are not just random; they're meticulously designed to evade detection and maintain persistent control over compromised systems.

In a recent technical report, CYFIRMA (https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/) revealed that Transparent Tribe, also known as APT36, employs cunning delivery techniques. For instance, they disguise malicious Windows shortcut (LNK) files as legitimate PDF documents, complete with embedded PDF content to trick users. And this is the part most people miss: the attackers go a step further by using a remote HTML Application (HTA) script that decrypts and loads the RAT payload directly into memory, all while displaying a decoy PDF to keep users oblivious.

Transparent Tribe, believed to be of Indian origin and state-sponsored, has been active since at least 2013. Their arsenal includes an ever-evolving suite of RATs like CapraRAT (https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html), Crimson RAT (https://thehackernews.com/2023/04/pakistan-based-transparent-tribe.html), ElizaRAT (https://thehackernews.com/2024/11/icepeony-and-transparent-tribe-target.html), and DeskRAT (https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html). What's truly concerning is their adaptability: the malware chooses its persistence method based on which antivirus product is installed on the victim's machine. For example:

  • If Kaspersky is detected, it creates a hidden directory and uses a LNK file in the Startup folder to launch the HTA script.
  • If Quick Heal is present, it employs a batch file and a malicious LNK file for persistence.
  • For Avast, AVG, or Avira, it directly copies the payload into the Startup directory.
  • If no recognized antivirus is found, it combines batch file execution, registry-based persistence, and payload deployment.
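The two tricks described above, a shortcut file dressed up as a PDF and LNK/HTA/BAT artifacts dropped into the Startup folder, both leave file-level traces a defender can check for without any vendor tooling. The following is an added example written for this page, not code from CYFIRMA or the campaign: it identifies a Windows shortcut by its fixed header (HeaderSize 0x4C plus the LinkCLSID) rather than by its name, flags shortcuts whose name claims to be a document, flags files named .pdf that lack a PDF header, and lists persistence-style file types in a directory such as a Startup folder. The sample files it creates in a temporary directory are constructed placeholders, not real malware.

```python
"""Triage a Startup folder or attachment directory for LNK masquerade and
Startup-folder persistence artifacts. Added example, not code from CYFIRMA
or from the campaign described on the page."""
import tempfile
from pathlib import Path

# Windows shell link (.LNK) header: HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
PDF_MAGIC = b"%PDF-"
# File types the page associates with APT36's Startup-folder persistence.
PERSISTENCE_EXTS = {".lnk", ".hta", ".bat"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the fixed shell-link header."""
    return data[:20] == LNK_MAGIC


def triage_file(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(20)
    suffixes = [s.lower() for s in path.suffixes]
    if is_lnk(head):
        # A genuine LNK whose name suggests a document (advisory.pdf.lnk, or a
        # shortcut renamed to .pdf) is the masquerade described on the page.
        if ".pdf" in suffixes[:-1] or path.suffix.lower() != ".lnk":
            findings.append("lnk-masquerading-as-document")
    if path.suffix.lower() == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append("pdf-name-without-pdf-header")
    if path.suffix.lower() in PERSISTENCE_EXTS:
        findings.append("persistence-artifact:" + path.suffix.lower())
    return findings


def triage_directory(directory: str) -> dict:
    """Map file name -> findings for every file in the directory with findings."""
    results = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            findings = triage_file(entry)
            if findings:
                results[entry.name] = findings
    return results


def build_constructed_samples(directory: str) -> None:
    """Write constructed test files (placeholders, not real malware)."""
    d = Path(directory)
    (d / "advisory.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 60)  # double extension
    (d / "notice.pdf").write_bytes(LNK_MAGIC + b"\x00" * 60)        # LNK renamed to .pdf
    (d / "real.pdf").write_bytes(b"%PDF-1.4\n%constructed")        # genuine PDF header
    (d / "launch.hta").write_text("<html><!-- constructed placeholder --></html>")
    (d / "readme.txt").write_text("harmless")


def demo() -> dict:
    """Run the triage over the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings)}")
```

Point `triage_directory` at a real Startup folder (for example the per-user `shell:startup` location) or a mail quarantine to use it outside the demo; the header check is what matters, since Explorer hides the `.lnk` extension and a shortcut's displayed icon can be set to anything.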

But here's the controversial part: Is this level of sophistication a sign of state-sponsored cyber warfare, or are we witnessing the evolution of independent hacking groups? The line between the two is increasingly blurred, and it raises questions about global cybersecurity norms.

The RAT itself, named 'iinneldc.dll,' is a full-featured tool capable of remote system control, data exfiltration, screenshot capture, and more. CYFIRMA emphasizes that APT36 remains a highly persistent threat, focusing on intelligence collection from Indian government entities, educational institutions, and strategic sectors.

In a separate but equally alarming development, APT36 has been linked to another campaign using a malicious shortcut file disguised as a government advisory PDF. This file retrieves an MSI installer from a remote server, which then extracts a decoy PDF, writes DLL files, and establishes persistence via registry modifications. And this is where it gets even more intriguing: the decoy PDF is a legitimate advisory issued by Pakistan's National Cyber Emergency Response Team (PKCERT) in 2024, adding a layer of geopolitical complexity to the attack.

The DLL connects to a command-and-control (C2) infrastructure, using HTTP GET-based endpoints to communicate with the server. To evade detection, the endpoint characters are stored in reverse order. The endpoints include:

  • /retsiger (register)
  • /taebtraeh (heartbeat)
  • /dnammocteg (getcommand)
  • /dnammocmvitna (antivmcommand)
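Because the four endpoint names above are only reversed, not encrypted, a proxy or web-gateway log can be searched for them directly, and reading them back into plain text makes the beaconing sequence (register, then repeated heartbeat and getcommand) obvious. The script below is an added example, not CYFIRMA's code: it derives the reversed paths from the plain command names on the page, parses a constructed log format (timestamp, client IP, method, URL, status, which is an assumption about the log source), and groups decoded commands per client.

```python
"""Hunt for the reversed-string C2 endpoints in web proxy logs.
Added example, not CYFIRMA's code; the log line layout and all addresses
are constructed placeholders."""
import re
from urllib.parse import urlsplit

# Plain-text command names given on the page; the DLL reverses them in the URL path.
C2_COMMANDS = {"register", "heartbeat", "getcommand", "antivmcommand"}
REVERSED_PATHS = {"/" + cmd[::-1]: cmd for cmd in C2_COMMANDS}

# Constructed sample lines: 203.0.113.0/24 is a documentation range, the
# 10.20.30.x clients and www.example.com are placeholders.
SAMPLE_LOG = """\
2026-01-14T09:12:01Z 10.20.30.41 GET http://203.0.113.10/retsiger 200
2026-01-14T09:12:31Z 10.20.30.41 GET http://203.0.113.10/taebtraeh 200
2026-01-14T09:13:02Z 10.20.30.41 GET http://203.0.113.10/dnammocteg 200
2026-01-14T09:13:05Z 10.20.30.77 GET https://www.example.com/register 200
2026-01-14T09:13:09Z 10.20.30.41 GET http://203.0.113.10/dnammocmvitna 200
2026-01-14T09:14:00Z 10.20.30.12 GET http://203.0.113.55/taebtraeh 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def decode_path(path: str):
    """Return the command a request path spells backwards, or None."""
    return REVERSED_PATHS.get(path.rstrip("/").lower())


def hunt(log_text: str) -> list[dict]:
    """Return one hit per request whose path is a reversed C2 command."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlsplit(m["url"])
        cmd = decode_path(url.path)
        if cmd:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "host": url.hostname,
                "path": url.path,
                "command": cmd,
                "status": int(m["status"]),
            })
    return hits


def sequence_per_source(hits: list[dict]) -> dict[str, list[str]]:
    """Group decoded commands by client so the beaconing order stands out."""
    seq: dict[str, list[str]] = {}
    for h in hits:
        seq.setdefault(h["src"], []).append(h["command"])
    return seq


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['host']}{h['path']} ({h['command']}, {h['status']})")
    for src, cmds in sequence_per_source(found).items():
        print(f"{src}: {' -> '.join(cmds)}")
```

The exact-path match means a legitimate `/register` endpoint (the www.example.com line) is not reported, while a client that only ever hits `/taebtraeh` still surfaces as a lone heartbeat worth a second look. Matching on the decoded command rather than on a fixed server address keeps the hunt useful when the C2 host changes.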

But here's a thought-provoking question: As these attacks become more sophisticated, are traditional cybersecurity measures enough to counter them? Or do we need a fundamental shift in how we approach digital defense?

Shifting gears, another hacking group, Patchwork (aka Dropping Elephant or Maha Grass), believed to be of Indian origin, has been linked to attacks targeting Pakistan's defense sector. According to security researcher Idan Tarab (https://www.linkedin.com/posts/idan-tarab-7a9057200_india-backdoor-msbuild-activity-7397661496421470208-ltCf/), Patchwork uses a Python-based backdoor distributed via phishing emails containing ZIP files. The malware contacts a C2 server, executes commands, and uploads/downloads files.

And this is where it gets controversial: Patchwork's tactics, including the use of MSBuild LOLBin loaders and geofencing, suggest a level of professionalism often associated with state-sponsored actors. But is Patchwork truly state-sponsored, or are they an independent group with advanced capabilities?

In December 2025, Patchwork was also linked to StreamSpy, a previously undocumented trojan using WebSocket and HTTP protocols for C2 communication. StreamSpy shares similarities with Spyder, a variant of the WarHawk backdoor attributed to SideWinder. Distributed via ZIP archives, StreamSpy can harvest system information, establish persistence, and execute a range of commands, including file uploads, downloads, and deletions.

But here's the most intriguing part: QiAnXin noted that StreamSpy's download site also hosts Spyder variants with extensive data collection features. Furthermore, the malware's digital signature correlates with ShadowAgent, a Windows RAT attributed to the DoNot Team. This raises questions about resource sharing among different hacking groups.

As QiAnXin aptly puts it, 'The emergence of the StreamSpy Trojan and Spyder variants indicates that the group is continuously iterating its arsenal of attack tools.' But here's the bigger question: As these groups evolve, how can nations and organizations stay one step ahead? The answer may lie in collaborative cybersecurity efforts and proactive threat intelligence.

What do you think? Are we doing enough to combat these sophisticated cyber threats, or is it time for a radical rethink of our cybersecurity strategies? Let us know in the comments below.

Found this article fascinating? Follow us on Google News (https://news.google.com/publications/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ), Twitter (https://twitter.com/thehackersnews), and LinkedIn (https://www.linkedin.com/company/thehackernews/) for more exclusive content.
