Transparent Tribe (also tracked as APT36, ProjectM, Mythic Leopard, TEMP.Lapis, Copper Fieldstone, Earth Karkaddan, and numerous other aliases), a well-established Pakistan-aligned advanced persistent threat group, has significantly expanded its cyber-espionage operations in February 2026 by targeting India’s rapidly growing startup ecosystem. This campaign represents a notable strategic shift from the threat actor’s traditional focus on Indian government agencies, military organizations, defense contractors, and educational institutions. The group is now actively pursuing startups and technology professionals operating in cybersecurity, technology development, and intelligence-adjacent domains, likely viewing these emerging organizations as indirect pathways to sensitive government information, strategic business intelligence, and insights into India’s growing technology capabilities.
The Transparent Tribe campaign targeting Indian startups demonstrates sophisticated understanding of the entrepreneurial ecosystem and the interconnections between emerging technology companies and government collaborations. Many Indian startups, particularly those in cybersecurity, defense technology, and artificial intelligence sectors, maintain close relationships with government agencies through procurement contracts, research partnerships, technology pilot programs, and advisory roles. By compromising these startup organizations, Transparent Tribe gains potential access to government collaboration details, emerging technology capabilities relevant to national security, strategic business plans and intellectual property, and professional networks connecting startup founders with government decision-makers.
The attack methodology relies heavily on tailored social engineering techniques that demonstrate extensive pre-operational reconnaissance and deep understanding of startup culture and professional interests. Transparent Tribe crafts phishing lures themed around startup-specific topics including professional networking opportunities on platforms like LinkedIn, industry conference invitations and speaking engagements, investment and funding opportunity documentation, technology partnership proposals, government procurement and tender announcements, and startup accelerator program information. These contextually relevant lures are significantly more effective than generic phishing attempts, as they align precisely with the professional interests and business development priorities of target startup founders, executives, and technical leaders.
The technical delivery mechanism leverages malicious ISO container files distributed via phishing emails or malicious links. ISO files provide significant operational advantages for attackers including bypassing Windows Mark-of-the-Web (MotW) security controls that normally flag downloaded files as potentially dangerous, appearing as legitimate software distributions or documentation packages, and containing multiple file components in a single convenient package. When victims mount these ISO files, Windows automatically assigns them a drive letter and treats the contents as trusted local files, effectively circumventing security warnings that would normally be displayed for downloaded executable content.
Inside the malicious ISO containers, victims encounter LNK shortcut files or staged executable files designed to initiate the infection chain with minimal additional user interaction. Batch scripts embedded in the attack chain leverage PowerShell commands to programmatically remove Zone.Identifier alternate data streams that Windows uses to track file origins. By stripping these markers, the malware effectively suppresses SmartScreen warnings and other security prompts that would normally alert users to potentially dangerous file execution. The final payload is Crimson RAT, a well-established remote access trojan consistently associated with Transparent Tribe operations. Crimson RAT implements sophisticated anti-analysis techniques including artificial file inflation to approximately 34MB through embedded junk data despite the functional malicious code being only 80-150KB, custom TCP-based command-and-control protocols rather than standard HTTP/HTTPS to complicate network detection, and comprehensive post-compromise capabilities including system reconnaissance, file exfiltration, screenshot and audio/video capture, remote command execution, and long-term persistence mechanisms.
Transparent Tribe has strategically expanded its long-standing cyber-espionage operations beyond traditional government, military, and defense-related targets to actively pursue India’s rapidly growing startup ecosystem. This targeting evolution demonstrates sophisticated threat actor adaptation to changing geopolitical and economic landscapes. The group has begun focusing specifically on startups and technology professionals operating in cybersecurity firms developing security products or services, technology companies with government contracts or partnerships, intelligence-adjacent organizations providing data analytics or investigation services, defense technology startups working on dual-use technologies, and artificial intelligence firms with potential national security applications.
This targeting shift reflects the threat actor’s recognition that Indian startups increasingly serve as important intelligence collection targets for several strategic reasons. Many technology startups maintain close collaborative relationships with government agencies through procurement contracts, pilot programs, advisory roles, and research partnerships, providing indirect access to government operations and decision-making processes. Startups developing cutting-edge technologies in cybersecurity, artificial intelligence, autonomous systems, and data analytics possess intellectual property and technical capabilities relevant to national security. The startup ecosystem features less mature security programs compared to established government agencies and defense contractors, potentially presenting softer targets with valuable intelligence access. Additionally, startup founders and executives maintain extensive professional networks connecting them to government officials, military personnel, and intelligence community members, making them valuable targets for network mapping and future compromise operations.
The Transparent Tribe campaign relies fundamentally on sophisticated social engineering tactics that demonstrate extensive pre-operational reconnaissance of target organizations and individuals. The threat actors craft phishing lures specifically tailored to the interests, responsibilities, and business priorities of startup founders, executives, and technical personnel. Observed lure themes include professional networking invitations claiming to be from potential business partners, investors, or government procurement officials; industry conference and event invitations featuring realistic agendas, speaker lineups, and registration information; investment pitch decks and funding opportunity documentation appearing to come from venture capital firms or government funding programs; technology partnership and collaboration proposals suggesting mutually beneficial business arrangements; government tender documents and procurement announcements for technology services; and startup accelerator program applications and selection notices.
These carefully crafted lures are distributed via targeted phishing emails that often impersonate legitimate organizations, industry associations, government agencies, or well-known venture capital firms. The emails contain links to malicious ISO file downloads hosted on file-sharing services, cloud storage platforms, or compromised legitimate websites. Alternatively, some campaigns directly attach small malicious files that subsequently download the larger ISO payloads. The use of ISO container files provides multiple tactical advantages for the attackers. ISO files bypass Windows Mark-of-the-Web security controls because files extracted from mounted ISOs do not inherit the untrusted zone identifier that triggers security warnings. ISO files appear more legitimate than executable files, as they are commonly used for software distribution, operating system installations, and large documentation packages. ISO files can contain multiple components including legitimate-appearing decoy documents, malicious LNK shortcuts, batch scripts, and executable payloads in a single convenient package.
When victims download and mount the malicious ISO files provided by Transparent Tribe, Windows automatically assigns a drive letter to the virtual disk and makes the contents accessible through Windows Explorer. This mounting process is seamless and familiar to users who regularly work with software distributions or documentation packages. Critically, the mounting operation causes Windows to treat the ISO contents as local trusted files rather than downloaded internet content, effectively bypassing Mark-of-the-Web (MotW) protections that would normally flag executable content from untrusted sources.
Inside the mounted ISO, victims encounter files designed to appear legitimate and benign. Common patterns include apparent PDF documents, Word documents, or software installer files. However, these are actually LNK shortcut files that have been disguised with double extensions or misleading icons to appear as document files. When the victim double-clicks what they believe is a document or installer, the LNK shortcut instead executes a malicious batch script or PowerShell command embedded in the shortcut target field. These batch scripts implement several critical functions. They locate and execute additional malicious payloads contained within the ISO or downloaded from external infrastructure. They leverage PowerShell commands to programmatically remove Zone.Identifier alternate data streams from downloaded files using commands like Get-Item -Path <file> -Stream Zone.Identifier | Remove-Item, effectively stripping the security markers that Windows uses to track file origins and trigger security warnings. They establish persistence mechanisms ensuring malware execution across system reboots, and they initiate the Crimson RAT deployment process.
The ultimate payload delivered through this attack chain is Crimson RAT, a sophisticated remote access trojan that has been consistently associated with Transparent Tribe operations for several years. Crimson RAT implements multiple anti-analysis and evasion techniques designed to complicate security research, defeat automated analysis, and avoid detection by security products. A particularly distinctive technique is artificial file size inflation where the malware binary is padded with junk data to reach approximately 34 megabytes in total file size, despite the functional malicious code representing only 80-150 kilobytes. This file padding serves multiple purposes including bypassing file size-based scanning limits in security products that skip analysis of very large files, defeating automated sandbox analysis systems that prioritize smaller files, and consuming significant disk space that may cause issues for security logging and forensic collection.
Crimson RAT utilizes a custom TCP-based command-and-control protocol rather than standard HTTP or HTTPS communications. This design choice complicates network-level detection because security monitoring tools and intrusion detection systems are primarily optimized to detect malicious HTTP/HTTPS traffic patterns. Custom TCP protocols require specific protocol signatures or behavioral analysis to identify malicious communications. Once successfully deployed and connected to command-and-control infrastructure, Crimson RAT provides comprehensive post-exploitation capabilities. The malware conducts extensive system reconnaissance including enumerating running processes, installed software, security products, network configurations, and user accounts. Crimson RAT implements robust file exfiltration capabilities supporting recursive directory enumeration and automated theft of documents, spreadsheets, presentations, and other data types. The malware captures screenshots enabling visual surveillance of victim activities and access to displayed information. Audio and video capture capabilities allow real-time surveillance through system microphones and webcams. Remote command execution allows attackers to run arbitrary commands, deploy additional tools, and conduct lateral movement operations. Finally, multiple persistence mechanisms including registry modifications and scheduled tasks ensure continued malware execution across system reboots and user logoff/logon cycles.
Infrastructure reuse analysis, malware code similarities, consistent victimology patterns, and operational tradecraft allow this campaign to be attributed to Transparent Tribe with high confidence. The command-and-control infrastructure overlaps with previously identified Transparent Tribe campaigns including operations deploying the GymRAT implant against Indian government agencies. While the specific lure themes and target victim profiles have evolved to focus on the startup ecosystem, the underlying strategic motivation remains intelligence collection in support of Pakistani national security objectives rather than financially motivated cybercrime.
Organizations should configure email security gateways to quarantine or block ISO, IMG, VHD, VHDX, and other container-based file attachments, which represent a primary delivery mechanism used by Transparent Tribe and numerous other threat actors in recent campaigns. Email security policies should implement strict controls on these file types, particularly when received from external senders or unknown sources. Organizations requiring legitimate ISO file exchanges for software distribution or system administration should establish secure alternative distribution channels such as authenticated file sharing services, secure FTP servers with access controls, or verified physical media distribution processes.
Security teams must ensure that SmartScreen and Mark-of-the-Web enforcement policies are actively configured and operational across all managed Windows endpoints. Organizations should implement Group Policy settings or Microsoft Endpoint Configuration Manager policies that prevent users from disabling SmartScreen warnings. Critically, security operations centers should deploy detection rules that alert on PowerShell commands attempting to strip Zone.Identifier alternate data streams from files, as this represents a clear indicator of malware attempting to bypass Windows security controls. Example detection patterns should include PowerShell commands containing “Zone.Identifier” and “Remove-Item”, PowerShell commands using Get-Item with the -Stream parameter, and any programmatic removal of alternate data streams from recently downloaded files.
Network security teams should immediately add the identified command-and-control indicators including IP address 93.127.133.9 and domains Sharmaxme11.org and Certstorein.shop to network-level blocklists implemented across firewalls, web proxies, DNS filtering solutions, and intrusion prevention systems. Organizations should also implement threat intelligence feeds that provide regularly updated indicators of compromise associated with Transparent Tribe operations. Security teams should review historical network flow data, proxy logs, and DNS query records for evidence of past connections to these indicators, which may reveal previously undetected compromises requiring investigation and remediation.
Endpoint detection and response platforms should be configured with specific detection rules targeting execution patterns characteristic of Transparent Tribe operations. Security teams should create alerts for LNK shortcut files invoking cmd.exe or the %COMSPEC% environment variable to launch batch scripts, particularly when the command line includes the /MIN flag designed to minimize the console window and reduce user visibility. Additional detection should focus on LNK files with unusually long command-line arguments containing embedded batch commands, execution chains where LNK files launch PowerShell scripts that subsequently download additional payloads, and any LNK files located within recently mounted ISO or IMG virtual disk files.
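The endpoint detection patterns described in the two preceding paragraphs (PowerShell stripping the Zone.Identifier stream, Get-Item with -Stream, cmd.exe or %COMSPEC% launched from a shortcut with /MIN, and abnormally long LNK command lines) can be expressed as a small set of rules over process-creation telemetry. The following is an added example written for this article, not detection content from the advisory or from any vendor; it assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), uses a constructed sample event set rather than real telemetry, and the rule names and the 250-character length threshold are assumptions to be tuned against your own baseline.

```python
"""Rule-based triage of process-creation events for the LNK / MotW-stripping
execution chain. Field names follow the Sysmon Event ID 1 schema (assumption);
the sample events below are constructed, not captured telemetry."""
import re

# Assumed threshold for "unusually long" shortcut command lines; tune locally.
LONG_CMDLINE_THRESHOLD = 250
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_powershell(event):
    return _basename(event["Image"]) in POWERSHELL_IMAGES


def _is_cmd(event):
    # An LNK target may reference %COMSPEC% instead of cmd.exe by path.
    cmdline = event["CommandLine"].lstrip().lower()
    return _basename(event["Image"]) == "cmd.exe" or cmdline.startswith("%comspec%")


def _from_explorer(event):
    # A double-clicked shortcut is launched by explorer.exe.
    return _basename(event["ParentImage"]) == "explorer.exe"


def detect(event):
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    cmdline = event["CommandLine"]
    low = cmdline.lower()

    # PowerShell removing the Zone.Identifier ADS (the Mark-of-the-Web marker).
    if _is_powershell(event) and "zone.identifier" in low and "remove-item" in low:
        hits.append("powershell_zone_identifier_removal")

    # PowerShell reaching into alternate data streams via Get-Item -Stream.
    if _is_powershell(event) and re.search(r"get-item\b.*\s-stream\b", low):
        hits.append("powershell_ads_stream_access")

    # cmd.exe / %COMSPEC% spawned by Explorer with /MIN to hide the console.
    if _is_cmd(event) and _from_explorer(event) and re.search(r"(?:^|\s)/min(?:\s|$)", low):
        hits.append("lnk_cmd_minimized_console")

    # Explorer-spawned shell with a very long command line: batch logic
    # embedded directly in the shortcut's argument field.
    if (_is_cmd(event) or _is_powershell(event)) and _from_explorer(event) \
            and len(cmdline) > LONG_CMDLINE_THRESHOLD:
        hits.append("lnk_long_command_line")

    return hits


def scan(events):
    """Run detect() over a batch; returns [(event_index, rule_name), ...]."""
    return [(i, name) for i, ev in enumerate(events) for name in detect(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: shortcut launching a batch file from a mounted image (drive E:)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /MIN /c "E:\Invitation\start.bat"'},
    # 1: batch script calling PowerShell to strip MotW from a dropped file
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -c \"Get-Item -Path 'C:\\Users\\Public\\svc.exe' "
                    "-Stream Zone.Identifier | Remove-Item\""},
    # 2: benign interactive use of cmd.exe from Explorer
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir C:\Temp"},
    # 3: %COMSPEC% form with a long run of embedded batch statements
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "%COMSPEC% /c " + " & ".join(f"set v{i}=x" for i in range(40))},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules key on parent/child relationships and argument shape rather than on file hashes, so they keep firing when the payload changes; the long-command-line rule in particular will need its threshold set from an inventory of legitimate shortcuts in the environment.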
Given that Crimson RAT utilizes custom TCP-based command-and-control protocols rather than standard HTTP/HTTPS communications, organizations should implement network detection capabilities specifically designed to identify non-standard TCP connections from endpoints. Security monitoring should alert on endpoint systems establishing direct TCP connections to external IP addresses on uncommon ports (anything outside standard services such as HTTP/80, HTTPS/443, SMTP/25, and DNS/53), particularly when these connections originate from user workstations rather than servers. Organizations should establish baseline network communication patterns for different system types and generate alerts on anomalous TCP traffic that deviates from expected behaviors.
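The network-side logic described above (blocklisting the advisory's indicators, flagging workstations that open direct TCP sessions to the internet on unexpected ports, and comparing traffic against a per-system-type baseline) is sketched below as an added example for this article; it is not tooling from the advisory or from any product. The indicator values are the ones named on this page; the internal address ranges, the expected-port set, the flow record fields (src_ip, src_role, dst_ip, dst_port, proto, optional dst_name) and all sample flows, including the port 10101 used for the suspicious connection, are constructed assumptions.

```python
"""Flow-record triage for non-standard outbound TCP from workstations.
Indicators come from the advisory; everything else (ranges, ports, sample
flows) is a constructed assumption for illustration."""
import ipaddress
from collections import defaultdict

# Indicators named in the advisory.
C2_IPS = {"93.127.133.9"}
C2_DOMAINS = {"sharmaxme11.org", "certstorein.shop"}

# Assumed internal ranges; replace with the organisation's own allocations.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed set of ports a workstation is expected to reach on the internet directly.
EXPECTED_EXTERNAL_PORTS = {80, 443, 25, 53, 587, 993}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def build_baseline(flows):
    """Learn, per source role, which external TCP ports were used in a clean period."""
    baseline = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and is_external(f["dst_ip"]):
            baseline[f["src_role"]].add(f["dst_port"])
    return baseline


def classify_flow(flow, baseline):
    """Return the list of alert names raised for one flow record."""
    alerts = []
    # Exact indicator match on destination IP or resolved/queried name.
    if flow["dst_ip"] in C2_IPS or flow.get("dst_name", "").lower() in C2_DOMAINS:
        alerts.append("known_c2_indicator")
    if flow["proto"] == "tcp" and is_external(flow["dst_ip"]):
        port = flow["dst_port"]
        # Workstations rarely need direct internet TCP outside web/mail/DNS.
        if flow["src_role"] == "workstation" and port not in EXPECTED_EXTERNAL_PORTS:
            alerts.append("workstation_uncommon_external_port")
        # Anything this system type has never been seen doing before.
        if port not in baseline.get(flow["src_role"], set()):
            alerts.append("port_outside_role_baseline")
    return alerts


def scan_flows(flows, baseline):
    """Return [(flow_index, [alerts...]), ...] for flows that raised anything."""
    results = []
    for i, f in enumerate(flows):
        alerts = classify_flow(f, baseline)
        if alerts:
            results.append((i, alerts))
    return results


def _flow(src_ip, src_role, dst_ip, dst_port, proto="tcp", dst_name=None):
    rec = {"src_ip": src_ip, "src_role": src_role, "dst_ip": dst_ip,
           "dst_port": dst_port, "proto": proto}
    if dst_name:
        rec["dst_name"] = dst_name
    return rec


# Constructed learning set from a period believed clean.
BASELINE_FLOWS = [
    _flow("10.0.1.10", "workstation", "203.0.113.10", 443),
    _flow("10.0.1.11", "workstation", "203.0.113.20", 80),
    _flow("10.0.1.12", "workstation", "203.0.113.53", 53),
    _flow("10.0.2.5", "server", "203.0.113.30", 443),
    _flow("10.0.2.6", "server", "203.0.113.25", 25),
]

# Constructed flows to triage.
NEW_FLOWS = [
    _flow("10.0.1.15", "workstation", "93.127.133.9", 10101),          # 0: indicator + odd port
    _flow("10.0.1.22", "workstation", "203.0.113.10", 443),            # 1: ordinary web
    _flow("10.0.1.22", "workstation", "203.0.113.40", 8443),           # 2: odd port, not baselined
    _flow("10.0.2.5", "server", "203.0.113.60", 22),                   # 3: new for servers
    _flow("10.0.1.22", "workstation", "10.0.2.5", 445),                # 4: internal, ignored
    _flow("10.0.1.30", "workstation", "203.0.113.70", 53, "udp",
          dst_name="Certstorein.shop"),                                # 5: indicator domain via DNS
]

if __name__ == "__main__":
    bl = build_baseline(BASELINE_FLOWS)
    for idx, alerts in scan_flows(NEW_FLOWS, bl):
        print(f"flow {idx}: {', '.join(alerts)}")
```

The baseline rule is the one that generalises beyond this campaign: a port allowlist catches what the analyst anticipated, while the per-role baseline catches a workstation doing something no workstation in the fleet has done before, which is exactly the shape a custom TCP C2 channel takes.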
The Transparent Tribe campaign targeting Indian startups demonstrates sophisticated nation-state threat actor tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:
Initial Access: T1566.001 (Spearphishing Attachment) – The campaign relies on targeted spear-phishing emails delivering malicious ISO container files to startup employees.
Execution: T1204.002 (Malicious File), T1059.003 (Windows Command Shell), T1059.001 (PowerShell) – Execution occurs when victims mount ISO files and interact with malicious LNK shortcuts that launch batch scripts and PowerShell commands.
Defense Evasion: T1553.005 (Mark-of-the-Web Bypass), T1027.001 (Binary Padding), T1027.002 (Software Packing), T1036.005 (Match Legitimate Name or Location) – Sophisticated evasion includes ISO-based MotW bypass, artificial file size inflation to 34MB, malware packing, and file masquerading.
Persistence: T1547 (Boot or Logon Autostart Execution) – Crimson RAT establishes persistence through registry modifications and scheduled tasks.
Discovery: T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1057 (Process Discovery), T1016 (System Network Configuration Discovery), T1518.001 (Security Software Discovery) – Comprehensive system reconnaissance.
Collection: T1113 (Screen Capture), T1125 (Video Capture), T1123 (Audio Capture) – Surveillance capabilities including screenshot, webcam, and microphone capture.
Command and Control: T1095 (Non-Application Layer Protocol) – Custom TCP-based command-and-control protocol.
Exfiltration: T1041 (Exfiltration Over C2 Channel) – Stolen data exfiltrated through established command-and-control channels.
The Transparent Tribe campaign involved multiple malicious file samples with documented SHA256 and MD5 hash values. Organizations should integrate these hash values into endpoint detection platforms, antivirus solutions, and threat intelligence feeds for detection and prevention purposes.
The threat actor operates command-and-control infrastructure using IP address 93.127.133.9 and domains Sharmaxme11.org and Certstorein.shop. Organizations should block these indicators at network security controls and investigate any historical connections.
The threat advisory references a recent breach disclosure at https://sis.voldebug.in/, suggesting a compromised organization or threat actor testing infrastructure associated with this campaign.
https://hivepro.com/threat-advisory/silent-clicks-lasting-access-apt36s-fileless-espionage-playbook/