A Pakistan-affiliated cyber espionage group tracked as Transparent Tribe (also known as APT36) has orchestrated a series of campaigns targeting high-profile Indian entities throughout 2024. A new report from researchers at Check Point Research highlights new tactics and malware employed by the group, with particular focus on an advanced tool called ElizaRAT, which has evolved significantly in recent months.
Transparent Tribe has frequently targeted Indian government agencies, military installations, and diplomatic networks. The group deployed ElizaRAT in multiple campaigns in 2024 aimed at infiltrating Indian systems.
ElizaRAT is a custom Remote Access Tool (RAT) disclosed in September 2023. The malware is typically deployed to systems through phishing campaigns, with victims lured into downloading infected files via Google Storage links. While in its early stages ElizaRAT communicated with its operators through Telegram channels, more recently its command and control (C2) communication shifted to private virtual servers (VPS), making detection more challenging.
The first documented ElizaRAT campaign used the Slack API for C2 communications and relied on phishing to distribute malicious executables. This variant could download next-stage payloads, drop decoy documents, and gather targeted information, and it leveraged SQLite databases to collect and organize sensitive data before exfiltration.
Following the Slack API variant, Transparent Tribe introduced ApoloStealer, a new payload designed for file collection and exfiltration. Once deployed, ApoloStealer cataloged victims’ desktop files and transmitted them to the C2 server.
The second major ElizaRAT variant, called Circle, implemented a dropper component, further evading detection by avoiding cloud-based C2 communication and instead relying on a VPS. Circle embedded additional evasion techniques and spread through decoy PDFs and MP4 files.
In mid-2024, Transparent Tribe executed a third campaign using another advanced ElizaRAT variant that leveraged Google Cloud for C2 communication. This version employed a two-stage approach: the C2 sent commands instructing the implant to download new payloads from a separate VPS, each payload serving a specific data-gathering purpose. Unlike earlier versions, this campaign selected targets by verifying that the victim's system time zone was set to Indian Standard Time, indicating its regional targeting of Indian assets.