The cyber-collective known as Transparent Tribe, linked to Pakistan, has initiated a fresh wave of cyber incursions against India’s governmental, defense, and aerospace sectors. This campaign employs multi-platform malware crafted in Python, Golang, and Rust.
According to a detailed analysis by the BlackBerry Research and Intelligence Team, these nefarious activities have been ongoing from late 2023 through April 2024, with expectations of further persistence.
A significant facet of this spear-phishing operation is the exploitation of mainstream online services such as Discord, Google Drive, Slack, and Telegram, illustrating how cyber adversaries repurpose legitimate platforms for malevolent objectives.
Targets of these email-driven assaults include three pivotal enterprises affiliated with the Department of Defense Production (DDP), all headquartered in Bengaluru, India. Though the identities of these firms remain undisclosed, it is surmised that Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited were the intended victims.
Transparent Tribe, also tracked by the cybersecurity community under aliases such as APT36, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM, has been active since at least 2013. This group has a notorious history of cyber-espionage against Indian government, military, and academic institutions, along with targeted mobile spyware campaigns affecting entities in Pakistan, Afghanistan, Iraq, Iran, and the UAE.
This collective is recognized for its innovative intrusion methodologies, continuously evolving its malware arsenal to elude detection. Among their notable malware variants are CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo. The last two are connected to a developer group based in Lahore, purportedly offering their services for hire and involving at least one government employee moonlighting as a mobile app developer, as noted by mobile security firm Lookout in 2018.
Their attack sequence often starts with spear-phishing emails that deliver malicious payloads via deceptive links or ZIP files. The payloads are frequently ELF binaries, a choice that reflects the Indian government’s preference for Linux-based systems.
These intrusions have culminated in the deployment of various iterations of GLOBSHELL, a Python-based reconnaissance tool previously documented by Zscaler, against Indian governmental Linux systems. Another tool, PYSHELLFOX, is used to exfiltrate data from Mozilla Firefox.
BlackBerry also identified multiple bash script versions and Python-based Windows binaries from the adversary-controlled domain “apsdelhicantt[.]in,” including:
- swift_script.sh, a bash variant of GLOBSHELL
- Silverlining.sh, utilizing the Sliver C2 framework
- swift_uzb.sh, designed to extract files from connected USB drives
- afd.exe, which downloads win_hta.exe and win_service.exe
- win_hta.exe and win_service.exe, Windows variants of GLOBSHELL
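The domain and filenames above are the kind of indicators a defender would sweep proxy and DNS logs for. The following is an added example written for this summary, not code from BlackBerry or from the report it describes: it refangs the defanged domain, matches it and the listed filenames as whole tokens (so an unrelated host or file with a similar prefix is not flagged), and runs over a handful of constructed log lines in a hypothetical proxy/DNS format. The log format, source addresses and the benign hostnames are assumptions for illustration.

```python
import re
from typing import Dict, List

# Indicators as reported in the BlackBerry findings summarised above.
# The domain is written defanged, as in the article; it is refanged for matching.
DEFANGED_DOMAIN = "apsdelhicantt[.]in"
DOMAIN = DEFANGED_DOMAIN.replace("[.]", ".")

# Filenames served from that domain, with the role the article assigns to each.
SUSPICIOUS_FILENAMES = {
    "swift_script.sh": "bash variant of GLOBSHELL",
    "Silverlining.sh": "script using the Sliver C2 framework",
    "swift_uzb.sh": "collects files from connected USB drives",
    "afd.exe": "downloader for win_hta.exe and win_service.exe",
    "win_hta.exe": "Windows variant of GLOBSHELL",
    "win_service.exe": "Windows variant of GLOBSHELL",
}

# Constructed sample log lines in a hypothetical proxy/DNS format (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-12T09:14:02Z proxy src=10.0.4.17 dst=apsdelhicantt.in url=http://apsdelhicantt.in/swift_script.sh status=200",
    "2024-03-12T09:14:05Z dns src=10.0.4.17 query=updates.example.org type=A",
    "2024-03-12T09:15:31Z proxy src=10.0.4.22 dst=apsdelhicantt.in url=http://apsdelhicantt.in/afd.exe status=200",
    "2024-03-12T09:16:00Z proxy src=10.0.4.22 dst=cdn.example.net url=https://cdn.example.net/win_service.exe status=200",
    "2024-03-12T09:17:45Z dns src=10.0.4.31 query=APSDELHICANTT.IN type=A",
]


def scan_log_line(line: str) -> List[str]:
    """Return the reasons a log line is suspicious; an empty list means no indicator matched."""
    reasons: List[str] = []
    lowered = line.lower()  # hostnames are case-insensitive; filenames are normalised the same way

    # Match the domain only when it is not embedded in a longer hostname
    # (e.g. "notapsdelhicantt.in" or "apsdelhicantt.info" must not match).
    domain_re = r"(?<![a-z0-9.-])" + re.escape(DOMAIN) + r"(?![a-z0-9-])"
    if re.search(domain_re, lowered):
        reasons.append(f"C2 domain {DEFANGED_DOMAIN}")

    # Filenames must stand alone as a path component or token, regardless of which host served them.
    for name, role in SUSPICIOUS_FILENAMES.items():
        name_re = r"(?<![a-z0-9_.-])" + re.escape(name.lower()) + r"(?![a-z0-9_-])"
        if re.search(name_re, lowered):
            reasons.append(f"known filename {name} ({role})")
    return reasons


def scan_logs(lines: List[str]) -> Dict[str, List[str]]:
    """Map each line that matched at least one indicator to its list of reasons."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        reasons = scan_log_line(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan_logs(SAMPLE_LOGS).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Filename matching is deliberately host-independent: the fourth sample line fetches win_service.exe from a host the article never mentions, and it is still flagged, because the infrastructure is the part of an operation that changes most readily. Treat a filename-only hit as lower confidence than a domain hit and confirm it against the downloaded file.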
In a testament to Transparent Tribe’s tactical progression, their phishing efforts in October 2023 incorporated ISO images to deploy a Python-based remote access trojan that leverages Telegram for command-and-control (C2).
The use of ISO image lures to compromise Indian governmental entities has been a documented strategy since early 2024, bearing the distinct signatures of a Transparent Tribe operation, as noted by the Canadian cybersecurity firm.
Further infrastructure scrutiny has revealed a Golang-compiled “all-in-one” espionage tool capable of file discovery and exfiltration, screenshot capture, file transfer, and command execution. This tool, a modified version of the Discord-C2 project, communicates via Discord and is distributed through an ELF binary downloader embedded within a ZIP archive.
“Transparent Tribe has consistently targeted sectors critical to India’s national security,” BlackBerry stated. “This threat actor continually refines its core tactics, techniques, and procedures, adapting over time to enhance its effectiveness.”