Transparent Tribe, an advanced persistent threat (APT) group that has been active since at least 2013, has added a new malware strain called ObliqueRAT to its Windows toolkit and used it in a cyber-espionage campaign targeting entities in India.
Transparent Tribe (aka APT36 and Mythic Leopard) is mainly focused on military and defense personnel, but recently expanded its target list to include diplomatic entities, defense contractors, research organizations and conference attendees. The group’s campaigns usually involve fake domains mimicking legitimate military and defense organizations used to spread malware, according to Cisco Talos.
While analyzing Transparent Tribe's recent activity, the researchers discovered two types of domains used by the threat actor: fake domains masquerading as legitimate Indian defense and government-related websites, and malicious domains posing as content-hosting sites. These domains work in conjunction with each other to deliver maldocs distributing CrimsonRAT and ObliqueRAT.
“Based on our findings, Transparent Tribe's tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit. The variety of maldoc lures Transparent Tribe employs indicates the group still relies on social engineering as a core component of its operations,” the researchers wrote in their recent report.
The email and maldoc lures used to deliver the malware drew on multiple themes, including military and defence topics, conference agendas, honeytrap lures and diplomatic themes.
“The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc,” Cisco Talos said.
“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants. While CrimsonRAT remains the group's staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”
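The infrastructure pattern described above (a lookalike of a defense or government site that hands the victim off to a separate content-hosting or compromised site for the maldoc) is something a defender can hunt for in proxy logs. The following is an added detection example written for this article, not code from Cisco Talos or from the report; the allowlist of organisation domains, the proxy log lines and the hostnames in it are all constructed placeholders, since the page names no real domains. It flags hosts that imitate an allowlisted domain (name reuse under another registration, or a close typosquat) and, separately, document or archive downloads from a second host whose Referer is such a lookalike.

```python
"""Triage heuristic for lookalike-domain lures and lookalike -> payload-host download chains."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hypothetical allowlist of organisations to protect (placeholders, not from the report).
LEGIT_DOMAINS = ("example-defence.gov.in", "example-conference.org.in")

# File types typically used for maldoc/archive lures; extend to local policy.
PAYLOAD_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".zip", ".exe")

# Constructed proxy log: timestamp, client, method, url, referer ('-' when absent).
SAMPLE_LOG = """\
2021-05-10T09:14:02Z 10.0.0.5 GET https://example-defence.gov.in/notices.html -
2021-05-10T09:15:11Z 10.0.0.5 GET https://example-defence.gov-in-portal.net/agenda.html -
2021-05-10T09:15:13Z 10.0.0.5 GET https://files.constructed-host.example/agenda.docm https://example-defence.gov-in-portal.net/agenda.html
2021-05-10T09:20:45Z 10.0.0.9 GET https://example-defense.gov.in/login -
2021-05-10T09:31:07Z 10.0.0.7 GET https://cdn.constructed-host.example/style.css https://news.example/
"""


def parse_line(line):
    """Split one constructed log line into its five whitespace-separated fields."""
    ts, client, method, url, referer = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}


def host_of(url):
    """Hostname of a URL, or '' for a missing/'-' referer."""
    if url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def lookalike_of(host, legit=LEGIT_DOMAINS, threshold=0.85):
    """Return the allowlisted domain that `host` imitates, or None.

    Rules, in order: the real site or a genuine subdomain is never a lookalike;
    the organisation's primary label reused as (or as the prefix of) a label
    under another registration is a lookalike; otherwise a close string match
    (typosquat) above `threshold` is a lookalike.
    """
    host = host.lower()
    labels = host.split(".")
    for d in legit:
        if host == d or host.endswith("." + d):
            return None
        primary = d.split(".")[0]
        if any(label.startswith(primary) for label in labels):
            return d
        if SequenceMatcher(None, host, d).ratio() >= threshold:
            return d
    return None


def analyse(log_text):
    """Return (sorted lookalike hosts, list of (client, lure_host, payload_url)).

    A chain is a payload-type download from host B whose Referer is a
    lookalike host A != B, i.e. the lure site handing off to a separate
    hosting site, as the article describes.
    """
    lookalikes, chains = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = host_of(rec["url"])
        if lookalike_of(host):
            lookalikes.add(host)
        ref_host = host_of(rec["referer"])
        path = urlparse(rec["url"]).path.lower()
        if ref_host and ref_host != host and lookalike_of(ref_host) and path.endswith(PAYLOAD_EXT):
            chains.append((rec["client"], ref_host, rec["url"]))
    return sorted(lookalikes), chains


if __name__ == "__main__":
    found, hops = analyse(SAMPLE_LOG)
    for h in found:
        print(f"lookalike host: {h} (imitates {lookalike_of(h)})")
    for client, lure, payload in hops:
        print(f"chain: {client} reached {payload} via lure {lure}")
```

On the constructed sample this reports two lookalike hosts (the name reused under a different registration, and the one-letter typosquat) and one lure-to-payload chain. The string-similarity threshold and the prefix rule are deliberately loose triage heuristics; feed the output to an analyst or a secondary check (registration age, certificate history) rather than blocking on it directly.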