Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 2 actors

CrimsonRAT

CrimsonRAT is a Windows .NET remote access trojan used by Transparent Tribe (APT36), and the provided reporting describes it as malware known to be used only by that actor. It has been Transparent Tribe’s primary Windows implant since at least 2020 and is used to establish long-term access in victim networks. Reported delivery commonly relies on spear-phishing or phishing attacks using malicious Office documents with VBA macros that extract an embedded archive, unzip it, and execute the payload. Campaigns using CrimsonRAT have targeted Indian entities, including government, military, defense-related organizations, and educational institutions and students; broader reporting in the content also ties Transparent Tribe to targeting military, diplomatic, education, activist, rail, oil, and critical infrastructure sectors in the India-Pakistan context.

Capabilities directly described in the content include directory and drive listing, process listing, screenshot capture, file read/write/delete, arbitrary command execution, and exfiltration to command-and-control infrastructure. CrimsonRAT can also run or manage keylogger and USB-related modules and report their presence or versions to C2. The malware is associated with long-term espionage access and data theft. Reporting also notes overlaps in maldocs, macros, infrastructure, and operational patterns with other Transparent Tribe tooling, including ObliqueRAT and Android malware such as CapraRAT and AhMyth.

Infrastructure and indicators mentioned in the content include IP address 198.37.123[.]126, which was tied to Transparent Tribe spyware hosting and related domains such as phone-drive[.]online and phone-drive.online.geo-news[.]tv, and 173.249.50[.]243, which was tied to CrimsonRAT and AhMyth Android RAT C2 activity since at least 2022. Additional infrastructure overlap cited by Talos includes studentsportal[.]live, studentsportal[.]website, studentsportal[.]co, cloud-drive[.]store, user-onedrive[.]live, drive-phone[.]online, geo-news[.]tv and related subdomains, with recent resolution to 198.37.123[.]126. One report also notes a certificate common name WIN-P9NRMH5G6M8 as a longstanding indicator associated with Transparent Tribe’s CrimsonRAT servers. The content further places CrimsonRAT in Transparent Tribe’s tooling evolution, with continued Windows use alongside later Linux families such as Poseidon, AresRAT, and DeskRAT.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Transparent Tribe

CrimsonRAT is Windows malware, known to be used only by Transparent Tribe.

via eset welivesecurity blogwelivesecurity.com
TransparentTribe

“improving its custom .NET tool named CrimsonRAT.”

via securelistsecurelist.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566PhishingEvidence2

Quick Heal’s team has identified hacker group APT36 (Transparent Tribe) deploying CrimsonRAT malware through sophisticated phishing attacks along with an RMM tool known as MeshAgent, he said.

T1566.001Spearphishing AttachmentEvidence1

The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks ... a plausible-enough artifact for a defense-contracting inbox to open without hesitation.

Stealth

1 technique
T1036MasqueradingEvidence1

The current lure is themed as Ministry of Defence procurement of indigenous trawl assemblies for T-72 and T-90 main battle tanks — a plausible-enough artifact for a defense-contracting inbox to open without hesitation.

Command and Control

3 techniques
T1071Application Layer ProtocolEvidence1

The sendData method is responsible for constructing the data collected by other methods and classes and sending it to the C2. The mRun method constructs the socket and sends the data to the C2 server using the variables specified in the Settings class.

T1090.003Multi-hop ProxyEvidence1

mRun performs a connectivity check to decide whether to connect to the C2 using the hostname shareboxs[.]net or the hardcoded IP address 173[.]249[.]50[.]243 .

T1219Remote Access ToolsEvidence1

Quick Heal’s team has identified hacker group APT36 (Transparent Tribe) deploying CrimsonRAT malware through sophisticated phishing attacks along with an RMM tool known as MeshAgent, he said.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app1 month ago
hash.sha256●●●●●●●●●●●●View more in app2 months ago
ip.v4●●●●●●●●●●●●View more in app1 year ago
ip.v4●●●●●●●●●●●●View more in app1 year ago
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
economictimes indiatimesNews
May 22, 2026
India, Pakistan hackers trade codes & command in digital firefight - The Economic Times

A remote access trojan deployed by APT36 via sophisticated phishing attacks.

Read more
breakglass intelNews
Apr 24, 2026
APT36 / Transparent Tribe - DeskRAT via `.desktop` Files, T-72/T-90 Procurement Lures, and a WebSocket C2 That Greets Visitors as 'Stealth Server' - Breakglass Intelligence - Breakglass Intelligence

A Windows RAT used by APT36 in parallel with its Linux malware development and delivered through lure documents such as xlam, ppam, and docm files.

Read more
sentinelone labsNews
Apr 11, 2025
CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones | SentinelOne

Windows remote access trojan associated with Transparent Tribe, referenced for shared versioning conventions and overlapping C2 infrastructure indicators.

Read more
sentinelone labsNews
Apr 11, 2025
CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts | SentinelOne

A RAT associated in the report with Transparent Tribe infrastructure; specifically mentioned as sharing C2-linked IP infrastructure with CapraRAT activity.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching4

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.