Transparent Tribe

Transparent Tribe is a suspected Pakistan-aligned, Pakistan-based cyberespionage threat actor also tracked as APT36, Operation C-Major, ProjectM, Earth Karkaddan, Copper Fieldstone, Mythic Leopard, and STORM-0156. The content describes the group as active since at least 2013, with reporting also noting activity since at least 2016. It has a long history of targeting Indian government, military, diplomatic, and defense-related entities, including Indian embassies, and has also targeted military and diplomatic personnel in both India and Pakistan. More recent reporting in the content says the group expanded targeting to the Indian education sector, educational institutions, students, and related personnel. Multiple references also describe SideCopy as operating under the broader Transparent Tribe umbrella or as an associated subgroup/cluster. Across the cited reporting, Transparent Tribe primarily conducts espionage and commonly uses spearphishing emails with malicious attachments, weaponized documents, and social engineering lures. The content specifically states it has used weaponized documents in email, malicious Office documents, OLE embedding, and exploits such as CVE-2012-0158. It has hosted malicious documents on domains registered by the group, used actor-controlled and compromised infrastructure, and employed watering-hole lures and malicious websites. Additional tradecraft mentioned in the content includes hiding legitimate directories and replacing them with malicious copies of the same name, mimicking legitimate Windows directories with the same icons and names, and using cloud or hosted infrastructure including Tencent Cloud and Alibaba Cloud in campaigns assessed as resembling or linked to APT36. Malware and tooling directly associated with Transparent Tribe in the content include Crimson RAT / MSIL-Crimson, CapraRAT, ElizaRAT, ApoloStealer, and in older clustered activity njRAT, DarkComet, Luminosity Link RAT, Python/Peppy, Bezigate, Meterpreter, Beendoor, and Andromeda. Crimson RAT is described as supporting espionage functions such as system information theft, screenshots, process control, file and drive enumeration, Outlook email theft, webcam capture, microphone recording, keylogging, browser credential theft, and USB file collection. CapraRAT is described as an Android spyware/RAT used in trojanized apps distributed outside Google Play via fake websites and social engineering, including honey-trap or romance-themed lures and themed apps such as messaging, YouTube, TikTok, gaming, weapons, and dating applications. Reported CapraRAT capabilities include screenshots, photos, audio and call recording, SMS interception and sending, contact and call-log theft, file exfiltration, location tracking, app control, and broader device surveillance. The content also references additional campaigns assessed as linked to Transparent Tribe or APT36 with varying confidence. These include Operation Transparent Tribe targeting Indian diplomatic and military resources; Android CapraRAT campaigns against users with likely military or political relevance; education-themed Crimson RAT delivery campaigns; a 2026 SHEETCREEP campaign abusing Google Sheets as command and control and assessed with moderate confidence as linked to APT36; and Operation TrustTrap, a large deceptive-domain campaign whose infrastructure and TTPs were said to resemble prior APT36 activity. The content further states that Transparent Tribe has targeted entities such as Hindustan Aeronautics, the Indian Army, the Indian Navy, and Indian diplomatic and military institutions, and that analysts assess the group to have deep ties to Pakistan’s military and intelligence apparatus.