Unveiling Transparent Tribe’s (APT36) C&C and Network Tradecraft

Targeting Indian Government and Defence
Transparent Tribe (APT36) and the related SideCopy cluster form a persistent espionage ecosystem targeting Indian government and defense entities. They rely on spear-phishing, trusted document abuse, and custom or commodity RATs. Recent campaigns observed by Aryaka targeted Windows and Linux systems, deploying GETA RAT, ARES RAT, and Desk RAT. These operations showcase evolving, stealthy techniques, cross-platform tooling, memory-resident execution, and advanced persistence and command-and-control mechanisms.

Key Insights You’ll Gain from This Report

  • Sustained Espionage Focus on India: Transparent Tribe (APT36) and the related SideCopy cluster continue long-term, targeted espionage operations against Indian government, defense, and strategic infrastructure entities.
  • Multi-Platform Attack Coverage: The campaigns actively target both Windows and Linux systems, demonstrating operational maturity and the ability to adapt tooling across environments.
  • Sophisticated Phishing-Led Initial Access: Attacks primarily begin with spear-phishing emails delivering weaponized LNK, HTA, ELF, and PPAM files, disguised as legitimate defense and administrative documents.
  • Advanced Stealth & Evasion Techniques: The malware heavily relies on living-off-the-land binaries (mshta.exe, PowerShell), in-memory execution, XAML deserialization, and encrypted payloads to evade traditional detection.
  • Diverse and Evolving RAT Ecosystem: The use of GETA RAT (Windows), ARES RAT (Linux), and the newly observed Desk RAT (Go-based) highlights an expanding toolkit optimized for persistence and intelligence collection.
  • Persistent, Low-Noise Command-and-Control: C2 communication leverages custom encrypted TCP protocols and WebSocket connections, with regular heartbeat patterns that support long-term access while minimizing visibility.
  • Comprehensive Host Surveillance & Data Theft: Capabilities include system profiling, file enumeration, screenshot capture, clipboard monitoring, USB surveillance, credential harvesting, and automated data exfiltration.
  • Actionable Defensive Detection Opportunities: Despite encryption and stealth, predictable network timing, fixed packet sizes, beaconing behavior, and protocol misuse provide strong indicators defenders can leverage for detection and disruption.
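One way to turn the last insight into a check, as an added example that is not part of the report: it groups connection records by source, destination and port, then flags pairs whose inter-arrival times barely vary and whose payload size is almost always the same, the heartbeat pattern described above. The flow records, the hosts, and the thresholds (`max_cv`, `min_size_ratio`) are constructed assumptions for illustration, not indicators from the report.

```python
import statistics
from collections import defaultdict

# Constructed sample flows: (timestamp_seconds, src, dst, dst_port, bytes).
# Host 10.0.0.5 beacons roughly every 60 s with a fixed 64-byte payload;
# host 10.0.0.7 is ordinary, irregular traffic. Both are made up for this demo.
FLOWS = [(t, "10.0.0.5", "203.0.113.10", 443, sz)
         for t, sz in zip((0, 60, 121, 180, 241, 300), (64, 64, 64, 64, 80, 64))]
FLOWS += [(t, "10.0.0.7", "198.51.100.20", 443, sz)
          for t, sz in zip((0, 5, 90, 95, 400, 402), (1500, 312, 77, 1500, 980, 45))]


def beacon_score(flows, min_flows=5, max_cv=0.15, min_size_ratio=0.8):
    """Return {(src, dst, port): stats} for connection pairs that look like beacons.

    A pair is flagged when it has at least `min_flows` connections, the
    coefficient of variation (stdev / mean) of the gaps between connections is
    at most `max_cv` (regular timing), and a single payload size accounts for at
    least `min_size_ratio` of the connections (fixed packet size).
    """
    groups = defaultdict(list)
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)].append((ts, size))

    findings = {}
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue
        recs.sort()  # order by timestamp before computing gaps
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        # Guard against all-zero gaps (burst traffic) dividing by zero.
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        sizes = [s for _, s in recs]
        common = max(set(sizes), key=sizes.count)
        ratio = sizes.count(common) / len(sizes)
        if cv <= max_cv and ratio >= min_size_ratio:
            findings[key] = {"interval": round(mean_gap, 1), "cv": round(cv, 3),
                             "size": common, "size_ratio": round(ratio, 2)}
    return findings


if __name__ == "__main__":
    for pair, stats in beacon_score(FLOWS).items():
        print("possible beacon:", pair, stats)
```

Tune the thresholds against your own baseline; jittered beacons need a looser `max_cv`, and legitimate keep-alives (NTP, monitoring agents) will also match and should be allow-listed rather than used to relax the rule.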