Executive Summary
Pakistan-based threat actor group Mythic Leopard was recently observed using new CapraRAT samples to expand their targeting.
Key Takeaways
- Pakistan-based threat actor group Mythic Leopard was recently observed using new CapraRAT samples to expand their targeting.
- The recent CapraRAT campaign targets users of video apps, mobile gamers, and weapons enthusiasts.
- The latest versions of CapraRAT have been updated to have a wider range of compatibility with both old and new Android devices and operating systems, including Android 14.
- Changes to requested app permissions may indicate the threat actors plan to use CapraRAT for surveillance rather than a fully featured backdoor.
What is CapraRAT?
Pakistan based threat actor group Mythic Leopard was recently observed using new CapraRAT samples to expand their targeting. Known to target Indian government and military entities, the group has expanded their scope to include users of video apps, mobile gamers, and weapons enthusiasts. Sentinel One recently reported on this activity.
CapraRAT is an Android RAT that functions as spyware. It is delivered via weaponized APKs. The threat actors behind CapraRAT, Mythic Leopard, typically leverage social engineering, spearphishing, and watering hole attacks to target both Android and Windows devices.
Mythic Leopard has used CapraRAT in past campaigns, including the CapraTube campaign that was exposed in late 2023. A continuation of this activity has persisted into 2024, with four new APKs. The APKs include a gaming app, a TikTok app, an app for adult video content, and an app for weapons enthusiasts. Sentinel One noted the new CapraRAT activity, which demonstrates Transparent Tribe expanding their targeting.
The latest versions of CapraRAT have been updated to have a wider range of compatibility with both old and new Android devices and operating systems, including Android 14. These versions use WebView to launch either a mobile gaming site or YouTube.
When the weaponized APK launches, the victim is prompted to grant several permissions, including allowing the app to access GPS location, manage network state, read and send text messages, read contacts, record audio and take screenshots, read and write to storage, use the camera, view call history, and make calls. However, some permissions used in previous CapraRAT campaigns are no longer requested. This change may indicate the threat actors plan to use CapraRAT for surveillance rather than a fully featured backdoor. If the victim refuses to grant permissions, the app still runs.
Who is Mythic Leopard?
Mythic Leopard, also known as APT36, Operation C-Major, and Transparent Tribe, is a Pakistan-based threat actor group active since at least 2013. They are typically known for espionage activity, primarily targeting India’s government and military.
Mythic Leopard TTPs include social engineering, phishing, maldocs, BreachRAT, DarkComet, Luminosity RAT, njRAT, Crimson RAT, CapraRAT, and ObliqueRAT. They are known to target both Windows systems and Android devices. In recent years, they have leveraged Android malware masquerading as legitimate applications.
IOCs
PolySwarm has a sample associated with this activity.
7f981fc12dcb4621ac2a8c4f3882d24f113ac98fe4fb24207743ae24be762978
You can use the following CLI command to search for all CapraRAT samples in our portal:
$ polyswarm link list -f CapraRAT
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
