APT36 Deploys Golang-Based DeskRAT Malware in Targeted Attacks on Indian Government Entities

In recent months, the advanced persistent threat (APT) group known as Transparent Tribe, or APT36, has intensified its cyber espionage activities against Indian government organizations. This Pakistan-linked group has been active since at least 2013, consistently evolving its tactics and tools to infiltrate and gather intelligence from targeted systems.

Recent Campaigns and Tactics

Between August and September 2025, cybersecurity firm Sekoia identified a series of spear-phishing attacks orchestrated by APT36. These attacks were designed to deploy a Golang-based remote access trojan (RAT) named DeskRAT. The campaign’s primary targets were Indian government entities, with a particular focus on systems running the Bharat Operating System Solutions (BOSS) Linux distribution.

The attack methodology involved sending phishing emails containing malicious ZIP file attachments or links to archives hosted on legitimate cloud services like Google Drive. Once the recipient opened the ZIP file, it revealed a deceptive desktop file. This file, when executed, simultaneously displayed a decoy PDF document titled CDS_Directive_Armed_Forces.pdf using Mozilla Firefox and initiated the execution of the DeskRAT payload. Both the decoy document and the malware were retrieved from an external server, modgovindia[.]com.

DeskRAT Functionality and Persistence Mechanisms

DeskRAT is a sophisticated piece of malware designed to establish command-and-control (C2) communication over WebSockets. It offers a range of functionalities, including:

– Ping: Sends a JSON message with the current timestamp and a pong response to the C2 server.

– Heartbeat: Transmits a JSON message containing a heartbeat response and a timestamp.

– Browse_files: Provides directory listings to the C2 server.

– Start_collection: Searches for and sends files matching predefined extensions and sizes below 100 MB.

– Upload_execute: Drops and executes additional payloads, such as Python scripts, shell scripts, or desktop files.

To maintain persistence on compromised systems, DeskRAT employs multiple techniques:

1. Systemd Service Creation: Registers itself as a systemd service to ensure execution upon system startup.

2. Cron Job Setup: Schedules tasks to run the malware at specified intervals.

3. Autostart Directory Addition: Places itself in the Linux autostart directory ($HOME/.config/autostart) to launch automatically.

4. .bashrc Modification: Alters the .bashrc file to execute the malware via a shell script located in the $HOME/.config/system-backup/ directory.
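A host-side audit of the four persistence locations listed above, written here as an added illustration (this is not Sekoia's code or anything recovered from DeskRAT). It assumes user-level systemd units under $HOME/.config/systemd/user, and the script name update.sh, the unit and .desktop file names, and the crontab contents in the fixture are constructed placeholders, since the report names only the $HOME/.config/system-backup/ directory.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Directory the report names as holding the .bashrc-launched shell script.
SUSPECT_DIR = ".config/system-backup"

def _hits(path: Path, pattern: str) -> List[str]:
    """Non-comment lines of `path` matching `pattern` (empty if the file is absent)."""
    if not path.is_file():
        return []
    rx = re.compile(pattern)
    return [ln.strip() for ln in path.read_text(errors="ignore").splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and rx.search(ln)]

def audit(home: Path, cron_spool: Optional[Path] = None) -> Dict[str, List[str]]:
    """Check the four persistence locations; return location -> suspicious lines."""
    home_rx = re.escape(str(home)) + "|\\$HOME|~/"   # any path into the user's home
    out: Dict[str, List[str]] = {"systemd": [], "cron": [], "autostart": [], "bashrc": []}
    # 1. user systemd units whose ExecStart launches something from the home directory
    for unit in (home / ".config/systemd/user").glob("*.service"):
        out["systemd"] += [f"{unit.name}: {l}" for l in _hits(unit, rf"^ExecStart=.*({home_rx})")]
    # 2. crontab entries (the spool file lives outside $HOME, so the caller supplies it)
    if cron_spool:
        out["cron"] = _hits(cron_spool, home_rx)
    # 3. XDG autostart .desktop entries whose Exec= points into the home directory
    for desk in (home / ".config/autostart").glob("*.desktop"):
        out["autostart"] += [f"{desk.name}: {l}" for l in _hits(desk, rf"^Exec=.*({home_rx})")]
    # 4. .bashrc lines that run anything under the reported system-backup directory
    out["bashrc"] = _hits(home / ".bashrc", re.escape(SUSPECT_DIR))
    return out

def build_sample() -> Tuple[Path, Path]:
    """Constructed fixture (harmless placeholder files) that plants all four hooks."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "user"
    script = home / SUSPECT_DIR / "update.sh"   # placeholder name; not from the report
    for d in (".config/systemd/user", ".config/autostart", SUSPECT_DIR):
        (home / d).mkdir(parents=True, exist_ok=True)
    script.write_text("#!/bin/sh\n")
    (home / ".config/systemd/user/backup.service").write_text(
        f"[Service]\nExecStart={script}\n[Install]\nWantedBy=default.target\n")
    (home / ".config/autostart/backup.desktop").write_text(
        f"[Desktop Entry]\nType=Application\nExec={script}\n")
    (home / ".bashrc").write_text(f"# user rc\nalias ll='ls -l'\n{script} &\n")
    spool = root / "crontab"
    spool.write_text(f"# m h dom mon dow\n*/10 * * * * {script}\n")
    return home, spool
```

On a live host, point audit() at a real home directory and at /var/spool/cron/crontabs/<user>; an empty list for every key means none of the four hooks was found.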

Infrastructure and Evolution of Attack Vectors

APT36’s infrastructure has evolved to enhance the stealth and effectiveness of its operations. The group’s C2 servers, referred to as stealth servers, are configured to avoid detection by not appearing in publicly visible NS records for their associated domains. This tactic complicates efforts to trace and block malicious activities.

Initially, the group leveraged legitimate cloud storage platforms like Google Drive to distribute malicious payloads. However, recent observations indicate a shift towards using dedicated staging servers, such as modgovindia[.]com, to host and deliver their malware. This transition suggests a strategic move to exert greater control over their attack infrastructure and reduce reliance on third-party services.

Cross-Platform Focus and Additional Variants

APT36’s campaigns are not limited to Linux systems. Research from QiAnXin XLab has revealed that the group also targets Windows endpoints using a Golang backdoor known as StealthServer. This malware has been observed in three variants:

1. StealthServer Windows-V1 (July 2025): Incorporates anti-analysis and anti-debugging techniques, establishes persistence through scheduled tasks and registry modifications, and uses TCP for C2 communication to perform file enumeration and transfer.

2. StealthServer Windows-V2 (Late August 2025): Enhances anti-debugging measures to detect tools like OllyDbg, x64dbg, and IDA, while maintaining the core functionality of its predecessor.

3. StealthServer Windows-V3 (Late August 2025): Adopts WebSocket for C2 communication, aligning its functionality with DeskRAT.

Additionally, two Linux variants of StealthServer have been identified. One aligns closely with DeskRAT, featuring an extra command called welcome, while the other utilizes HTTP for C2 communication.

Broader Implications and Historical Context

APT36’s persistent targeting of Indian government entities underscores the group’s commitment to cyber espionage activities in the region. Their ability to adapt and develop cross-platform malware highlights a sophisticated understanding of diverse operating environments.

Historically, Transparent Tribe has employed various malware families, including CrimsonRAT, CapraRAT, and ObliqueRAT, to infiltrate and exfiltrate sensitive information from targeted systems. Their consistent use of spear-phishing as an initial attack vector emphasizes the importance of user awareness and robust email security measures.

Mitigation Strategies

To defend against such sophisticated threats, organizations should implement comprehensive cybersecurity strategies, including:

– User Education: Conduct regular training sessions to help employees recognize and avoid phishing attempts.

– Email Filtering: Deploy advanced email filtering solutions to detect and block malicious attachments and links.

– Endpoint Protection: Utilize endpoint detection and response (EDR) tools to monitor and respond to suspicious activities.

– Regular Updates: Ensure all systems and software are up-to-date with the latest security patches.

– Network Segmentation: Implement network segmentation to limit the spread of malware within the organization.

By adopting these measures, organizations can enhance their resilience against APT36’s evolving tactics and protect sensitive information from unauthorized access.