Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe.
According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time.
In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.
APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio.
To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.
As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document.
Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks.
To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script.
It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved.
Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime.
Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data.
As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used.
This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems.
In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception.
The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence.
When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position.
Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs.
Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected.
According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape.
It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks.
There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack.
The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan.
In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods.
In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed.
By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs.
This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment.
Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage.
Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine.
As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip."
The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.
This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file.
It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive.
In addition to this, a multi-stage design can be observed in the archive as well.
An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process.
As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application.
It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected.
Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible.
A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.
Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems.
It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach.
Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure.
A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025.
Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company.
By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval.
Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent.
According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves.
Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve.
Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions.
It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques.
This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.
StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets.
Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.
