A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021.
“Transparent Tribe has been a highly active APT group in the Indian subcontinent,” Cisco Talos researchers said in an analysis shared with The Hacker News. “Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long term access for espionage.”
Last month, the advanced persistent threat expanded its malware toolset to compromise Android devices with a backdoor named CapraRAT that exhibits a high “degree of crossover” with CrimsonRAT.
The latest set of attacks detailed by Cisco Talos involves making use of fake domains that mimic legitimate government and related organizations to deliver the malicious payloads, including a Python-based stager used to install .NET-based reconnaissance tools and RATs as well as a barebones .NET-based implant to run arbitrary code on the infected system.
Besides continually evolving their deployment tactics and malicious functionalities, Transparent Tribe is known to rely on a variety of delivery methods, such as executables impersonating installers of legitimate applications, archive files, and weaponized documents to target Indian entities and individuals.
images from Hacker News