Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

APT36, a Pakistan-based threat actor, has launched a sophisticated cyber-espionage campaign targeting the Indian defense sector. The group has adapted its tactics to focus on Linux-based environments, particularly BOSS Linux, used by Indian government agencies. The attack involves phishing emails with a ZIP file containing a malicious .desktop file. When executed, it downloads a legitimate PowerPoint file as a decoy while simultaneously deploying a malicious ELF binary. This multi-stage approach aims to bypass user suspicion and evade traditional security measures. The campaign signifies an advancement in APT36's capabilities and poses an increased risk to critical government and defense infrastructure. Organizations using Linux-based systems are advised to implement robust cybersecurity controls and threat detection mechanisms to mitigate potential risks.

This threat involves a sophisticated cyber-espionage campaign conducted by APT36, a Pakistan-based advanced persistent threat group, targeting the Indian defense sector. The campaign specifically focuses on Linux-based environments, with an emphasis on BOSS Linux, a Linux distribution used by Indian government agencies. The attack vector is phishing emails containing a ZIP archive with a malicious .desktop file. When the victim executes this .desktop file, it triggers a multi-stage infection process. First, a legitimate PowerPoint file is downloaded and presented as a decoy to reduce user suspicion. Simultaneously, a malicious ELF binary is deployed on the system. This ELF binary is designed to operate stealthily within the Linux environment, enabling the attacker to maintain persistence, execute arbitrary code, and potentially exfiltrate sensitive information. The use of a .desktop file as the initial infection vector is notable because it exploits the trust users place in desktop shortcut files on Linux systems, which are less commonly scrutinized compared to Windows executables. The campaign employs multiple tactics, techniques, and procedures (TTPs) aligned with MITRE ATT&CK techniques such as T1543 (Create or Modify System Process), T1564 (Hide Artifacts), T1566.001 (Spearphishing Attachment), T1071 (Application Layer Protocol), T1036 (Masquerading), T1064 (Scripting), T1571 (Non-Standard Port), T1095 (Non-Application Layer Protocol), T1518.001 (Software Discovery), T1543.003 (Windows Service), T1543.002 (Systemd Service), T1105 (Ingress Tool Transfer), and T1564.001 (Hidden Files and Directories). These techniques indicate a high level of sophistication aimed at evading detection and maintaining long-term access. While the campaign currently targets Indian defense infrastructure, the adaptation to Linux environments marks an evolution in APT36's capabilities, increasing the threat to any organization using BOSS Linux or similar Linux distributions in sensitive sectors. No known exploits in the wild have been reported yet, but the campaign's complexity and targeted nature suggest a significant espionage risk.

Detailed information about Phishing Attack: Deploying Malware on Indian Defense BOSS Linux. Get real-time updates, technical details, and mitigation strategies.

Phishing Attack: Deploying Malware on Indian Defense BOSS Linux - Live Threat Intelligence - Threat Radar | OffSeq.com

Phishing Attack: Deploying Malware on Indian Defense BOSS Linux

APT36, a Pakistan-based cyber espionage group, is actively targeting Indian defense personnel through sophisticated phishing campaigns. The group disseminates emails with malicious PDF attachments resembling official government documents. When opened, these PDFs display a blurred background and a button mimicking the National Informatics Centre login interface. Clicking the button redirects users to a fraudulent URL and initiates the download of a ZIP archive containing a malicious executable disguised as a legitimate application. This campaign highlights APT36's focus on credential theft and long-term infiltration of Indian defense networks, emphasizing the need for robust email security, user awareness programs, and proactive threat detection systems.

This threat involves a sophisticated phishing campaign orchestrated by APT36, a Pakistan-based cyber espionage group known for targeting Indian defense entities. The campaign uses carefully crafted emails containing malicious PDF attachments that impersonate official government documents. When the targeted user opens the PDF, it displays a blurred background with a button designed to mimic the National Informatics Centre (NIC) login interface, a trusted Indian government portal. Clicking the button redirects the user to a fraudulent website URL, which initiates the download of a ZIP archive containing a malicious executable. This executable is disguised as a legitimate application to evade suspicion. The primary objective of this campaign is credential theft, enabling long-term infiltration and espionage within Indian defense networks. The attack chain leverages social engineering, malware delivery, and credential harvesting techniques. Indicators of compromise include multiple file hashes, IP addresses, and domains associated with the campaign. The campaign does not exploit software vulnerabilities but relies on user interaction and deception to succeed. The malware likely employs persistence and evasion tactics to maintain access and avoid detection, consistent with APT36’s known tactics, techniques, and procedures (TTPs).

Detailed information about Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware. Get real-time updates, technical details, and mitigation 

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware

APT36, also known as Transparent Tribe, has been observed using VPS provider Contabo to host malicious infrastructure for CapraRAT and Crimson RAT. Their latest tactic involves disguising spyware as the popular messaging app Viber, granting extensive permissions to record calls, read messages, and track location. The investigation traced the infrastructure, identified key Indicators of Compromise, and uncovered the full extent of this Android surveillance campaign. The threat actor employs social engineering tactics to distribute their Android Remote Access Trojans, with lures crafted to align with the RAT's disguise. The malware's capabilities include targeted surveillance, credential theft, and infrastructure abuse, potentially eroding brand trust in legitimate communication platforms.

APT36, also known as Transparent Tribe, has re-emerged with a sophisticated Android malware campaign involving two Remote Access Trojans (RATs): CapraRAT and Crimson RAT. The threat actor leverages social engineering techniques to distribute these RATs by impersonating the popular messaging application Viber. This impersonation is designed to deceive users into installing the spyware, which requests extensive permissions on Android devices. Once granted, the malware can record calls, read messages, track user location, and steal credentials, enabling comprehensive surveillance and espionage capabilities. The malicious infrastructure supporting this campaign is hosted on VPS services provided by Contabo, complicating takedown efforts due to the legitimate nature of the hosting provider. The campaign uses spearphishing via malicious links (MITRE ATT&CK T1566.001) and user execution (T1204) tactics to lure victims. Indicators of compromise include multiple file hashes associated with the malware samples, which can be used for detection and blocking. Although no known exploits in the wild have been reported, the persistent and targeted nature of this campaign highlights the evolving tactics of APT36 in exploiting mobile platforms for espionage and data theft. The impersonation of a trusted communication platform like Viber also risks eroding user trust in legitimate apps, potentially impacting broader communication security ecosystems.

Detailed information about The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber. Get real-time updates, technical details, and mitigation

Title	Severity	Type	Source	Date

Threats Tagged 'transparent tribe'

Filter Threats

Threats Tagged 'transparent tribe'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility