Cybersecurity researchers have identified ongoing cyber-espionage campaigns targeting government departments, academic institutions, and strategically important organizations across South Asia. The activity has been attributed to two established threat actors, Transparent Tribe and Patchwork, both known for maintaining long-term access to compromised systems.

Transparent Tribe, also tracked as APT36, has been active since at least 2013 and is associated with repeated intelligence-gathering operations against Indian organizations. In its latest campaign, the group used spear-phishing emails carrying ZIP archives that contained Windows shortcut files disguised as legitimate PDF documents. These shortcut files included real PDF content to appear harmless.

When opened, the shortcut launches a hidden process using the Windows utility mshta.exe, which runs an HTML Application script. This script decrypts and loads the final remote access trojan directly into system memory while simultaneously opening a decoy PDF to avoid alerting the victim. The script also interacts with Windows through ActiveX components, such as WScript.Shell, allowing it to analyze the environment and adjust execution behavior.

The malware adapts its persistence strategy based on the antivirus software installed. On systems with Kaspersky, it creates a working directory under C:\Users\Public\core and uses startup shortcuts to relaunch the malicious script. If Quick Heal is detected, it relies on batch files and startup entries. On machines running Avast, AVG, or Avira, the payload is copied directly into the Startup folder. If no recognized antivirus is found, the malware combines batch execution, registry-based persistence, and delayed payload deployment.

A second-stage component includes a malicious DLL named iinneldc.dll, which functions as a fully featured RAT. It allows attackers to remotely control the system, manage files, steal data, capture screenshots, monitor clipboard activity, and manipulate running processes.

Researchers also identified a separate APT36 campaign using a shortcut file disguised as a government advisory PDF. This file retrieves an installer from a remote server, extracts multiple malicious files, displays a legitimate advisory issued by Pakistan’s national CERT, and establishes persistence through registry modifications. One DLL communicates with a hard-coded command-and-control server using reversed strings to hide command endpoints and supports system registration, heartbeat signals, command execution, and anti-virtual-machine checks.

In a related disclosure, researchers linked Patchwork, also known as Maha Grass or Dropping Elephant, to espionage campaigns targeting Pakistan’s defense sector. These attacks used phishing emails with ZIP attachments containing MSBuild project files that abuse msbuild.exe to install a Python-based backdoor. The malware can communicate with command servers, execute Python modules, run commands, and transfer files.

Patchwork has also been associated with a previously undocumented trojan named StreamSpy. Delivered through ZIP archives hosting an executable named Annexure.exe, StreamSpy collects system information, establishes persistence through registry entries, scheduled tasks, or startup shortcuts, and communicates using both WebSocket and HTTP. WebSocket channels are used for command delivery and result transmission, while HTTP handles file transfers. Researchers observed technical similarities between StreamSpy, Spyder, and other malware families, indicating shared infrastructure and continued collaboration among related threat groups.