Threat ID: TL-2026-0106 | Severity: HIGH | Status: ACTIVE
Actor: APT36/Transparent Tribe | Nation: Pakistan (ISI-linked) | Motivation: ESPIONAGE
MITRE Techniques: 29 | Detections: 9 | IOCs: 15+
APT36 has been busy.
Tracked as Transparent Tribe, Earth Karkaddan, Operation C-Major, and Mythic Leopard, this Pakistan-nexus espionage group has run persistent campaigns against Indian military, government, and defense targets since at least 2013. Their two-tier implant strategy pairs Crimson RAT (.NET) for broad Windows operations with CapraRAT for Android surveillance — both sharing design patterns and function names across platforms, confirming a single development team. In 2024, SentinelOne documented the CapraTube Remix campaign expanding targeting to gamers and weapons enthusiasts. Not their usual playbook.
Below: Transparent Tribe's full Android + Windows toolchain, 41 MITRE techniques, and cross-platform detections.
Cisco Talos Intelligence documenting Transparent Tribe's bespoke malware campaign targeting education and government sectors across South Asia.
Executive Summary
- What: Long-running multi-platform espionage campaign deploying Crimson RAT (Windows/.NET), CapraRAT (Android), and ObliqueRAT (C/C++) through spearphishing, honeytrap social engineering, and trojanized applications
- Who: APT36/Transparent Tribe — Pakistan ISI-linked with HIGH confidence. Active since 2013 with documented operational security failures enabling attribution
- Impact: Full device compromise across Windows and Android: keylogging, screen capture, audio/video recording, credential theft, file exfiltration, and USB worm propagation capable of bridging air-gapped military networks
- Status: Active. CapraTube Remix campaign (2024) demonstrates continued evolution with expanded targeting beyond traditional military/government sectors
- Detection: 9 production-ready detections available on Threadlinqs Intelligence targeting CrimsonRAT behavioral patterns, C2 infrastructure, and CapraRAT permission abuse
Technical Analysis
Crimson RAT — The Workhorse Implant
Crimson RAT is APT36's workhorse. A .NET binary compiled with minimal obfuscation — Trend Micro reads this as limited adversary resources, but we think it also reflects a group that simply doesn't need to hide. The implant phones home over raw TCP sockets to C2 servers on non-standard ports, with port 18582 showing up consistently across campaigns spanning years.
The implant's command structure uses abbreviated function names that double as detection signatures: getavs (antivirus enumeration), procl (process listing), filez (file enumeration), scren (screenshot capture), keyprs (keylogger), thumb (thumbnail generation), and usbwrm (USB worm propagation). What stands out here is the consistency — these function names have barely changed across years of samples. That kind of stability is a gift for detection engineers.
Delivery follows a predictable chain: spearphishing email with a malicious Office document containing VBA macros. The macro decrypts an embedded executable hidden inside a text box element, drops it to a hardcoded path, and fires it. The dropper installs Crimson RAT to %APPDATA% or %TEMP% and sets persistence via Registry Run keys or Scheduled Tasks. Spray and pray, but focused on military and government inboxes.
The Android Angle — CapraRAT
CapraRAT is APT36's mobile arm. First observed in 2017 with package name com.example.appcode.appcode — a testing artifact that somehow persisted into production samples. The spyware phones home every 60 seconds, automatically restarting if terminated.
The permission set is aggressive: GPS, SMS read/send, contacts, call history, audio recording, camera, screen recording, and file management. We tracked distribution evolving from direct APK delivery via WhatsApp to trojanized applications. The 2024 CapraTube Remix campaign packaged CapraRAT inside fake YouTube and TikTok applications targeting gamers and weapons enthusiasts, with C2 routing to shareboxs[.]net:18582.
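The permission combination above is the most portable CapraRAT indicator, because it survives repackaging into whatever lure app the operators pick. As an added example (not code from the original post, SentinelOne or Threadlinqs), the Python below parses an AndroidManifest.xml, maps the requested permission strings onto the six capability buckets the post lists (SMS, camera, microphone, location, contacts, call log), and flags a manifest that requests all six at once; it also checks for the early com.example.appcode.appcode package name. Both manifests in the block are constructed for the example, and the bucket grouping is my own, not a vendor taxonomy.

```python
# Added example (not code from the original post, SentinelOne or Threadlinqs):
# flag an Android manifest whose requested permissions cover the full CapraRAT
# surveillance profile named above. Both manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings grouped into the capability buckets the post lists.
SURVEILLANCE_BUCKETS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
}
KNOWN_CAPRA_PACKAGE = "com.example.appcode.appcode"  # package name cited in the post

# Constructed manifest mimicking a trojanized video app with the full profile.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.appcode.appcode">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Constructed manifest for a legitimate video-chat app: camera and microphone only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videochat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""


def parse_manifest(manifest_xml):
    """Return (package name, set of requested permission strings)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return root.get("package"), perms


def surveillance_buckets(perms):
    """Which of the six capability buckets the permission set touches."""
    return sorted(b for b, names in SURVEILLANCE_BUCKETS.items() if perms & names)


def assess(manifest_xml):
    """Score a manifest: all six buckets at once is the CapraRAT pattern; the
    known package name is a separate, exact-match indicator."""
    package, perms = parse_manifest(manifest_xml)
    buckets = surveillance_buckets(perms)
    flags = []
    if len(buckets) == len(SURVEILLANCE_BUCKETS):
        flags.append("full_surveillance_permission_set")
    if package == KNOWN_CAPRA_PACKAGE:
        flags.append("known_caprarat_package_name")
    return {"package": package, "buckets": buckets, "flags": flags}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(assess(manifest))
```

The benign manifest shows why the check is on the combination rather than any single permission: a video-chat app legitimately needs camera and microphone, so it touches two buckets and raises nothing. On a real device fleet the manifest would come from the APK (aapt or apktool output) rather than an inline string.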
Trend Micro's January 2022 analysis identified cross-platform code sharing between CrimsonRAT and CapraRAT — shared function names, command structures, and capability modules — confirming both tools come from the same shop.
ObliqueRAT — The Stealth Variant
Discovered by Cisco Talos in February 2020, ObliqueRAT is a C/C++-based implant reserved for when the operator needs to stay quiet. Unlike CrimsonRAT's noisy broad deployment, ObliqueRAT uses BMP steganography for payload delivery — hiding executable code within bitmap image files downloaded from compromised legitimate websites. CrimsonRAT for volume, ObliqueRAT for precision. Two tiers, one team.
Attack Chain
- Initial Access — Spearphishing email with malicious Office document (fake military notices, pay commission updates, COVID-19 tracking) or honeytrap social engineering via fake women profiles on social media (T1566.001, T1585.001)
- Execution — VBA macro decrypts embedded dropper from document text box, writes to %APPDATA% or %TEMP%, executes .NET binary (T1059.005, T1204.002)
- Persistence — Registry Run keys (T1547.001) or Scheduled Tasks (T1053.005) for Windows; 60-second service watchdog for Android
- Collection — Keylogging, screenshots, audio/video capture, credential theft from browsers, file enumeration, clipboard monitoring (T1056.001, T1113, T1123, T1125, T1555.003)
- Lateral Movement — USB worm module copies Crimson RAT to removable media with autorun.inf for air-gap bridging (T1091)
- Exfiltration — Raw TCP C2 on non-standard ports (18582), data compressed and transmitted over C2 channel (T1571, T1041)
SentinelOne Labs analysis of CapraTube Remix — Transparent Tribe's Android spyware disguised as gaming and lifestyle apps targeting defense personnel.
Threat Actor Profile
APT36/Transparent Tribe has been active since at least 2013, when Kaspersky first traced operations targeting Indian military and government entities. Palo Alto Unit42 established the Pakistan-nexus attribution in March 2016 by linking ProjectM infrastructure to Transparent Tribe operations. The ISI (Inter-Services Intelligence) linkage carries HIGH confidence across multiple independent research organizations.
The group's targeting has expanded over its 13-year operational history. Primary targets remain Indian military, government, and defense sectors. In late 2021, Cisco Talos documented expansion to Indian educational institutions. The 2024 CapraTube campaigns broadened further to lifestyle-themed lures. Amnesty International documented CrimsonRAT deployment against Pakistani human rights activists in 2018, indicating the tooling serves broader Pakistani intelligence objectives beyond India-focused espionage.
A persistent OPSEC failure defines APT36's infrastructure: the RDP certificate fingerprint WIN-P9NRMH5G6M8 appears across multiple C2 servers spanning years of operations, first documented by Team Cymru in July 2021 and independently confirmed by Trend Micro. Based on our tracking of 112 threats on the platform, this kind of reused certificate artifact is rare — most operators burn infrastructure faster. Infrastructure consistently traces to ZainHosting in Lahore, Pakistan, with the email rupees001@gmail.com linked to both legitimate hosting operations and Transparent Tribe domains.
Detection
APT36's consistent tooling and minimal obfuscation create reliable detection opportunities. The abbreviated CrimsonRAT function names, static C2 infrastructure patterns, and predictable file staging paths are all high-confidence indicators. When we ran these queries against production telemetry, the signal-to-noise ratio was unusually clean.
Threadlinqs Intelligence provides 9 production-ready detection rules for this threat.
Splunk SPL
Catching CrimsonRAT by its own function names — getavs, usbwrm, keyprs — in process memory or loaded module strings. Stable indicators across years of samples. (index=<sysmon_index> is a placeholder for the index that holds your Sysmon data; the original query left the index value blank.)

```spl
index=<sysmon_index> sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security")
(EventCode=1 OR EventCode=7)
| where (process_path LIKE "%\\AppData\\%" OR process_path LIKE "%\\Temp\\%")
| search (CommandLine="*getavs*" OR CommandLine="*procl*" OR CommandLine="*filez*"
    OR CommandLine="*scren*" OR CommandLine="*keyprs*" OR CommandLine="*thumb*"
    OR CommandLine="*usbwrm*")
| eval indicator=case(
    CommandLine LIKE "%getavs%", "CrimsonRAT_AV_enum",
    CommandLine LIKE "%usbwrm%", "CrimsonRAT_USB_worm",
    CommandLine LIKE "%keyprs%", "CrimsonRAT_keylogger",
    1=1, "CrimsonRAT_generic"
)
| stats count earliest(_time) as first_seen by host, user, process_path, indicator
```
We built this query to flag the Office macro-to-RAT infection chain: WINWORD.EXE or EXCEL.EXE spawning a .NET process in user directories that subsequently establishes TCP C2. (index=<sysmon_index> is a placeholder for your Sysmon index; the original query left the index value blank.)

```spl
index=<sysmon_index> sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
EventCode=1
(parent_process_name IN ("WINWORD.EXE", "EXCEL.EXE")
    AND (process_path LIKE "%\\AppData\\%" OR process_path LIKE "%\\Temp\\%"))
| join process_guid [
    search index=<sysmon_index> sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    EventCode=3 dest_port=18582
]
| stats count by host, parent_process_name, process_name, process_path, dest_ip, dest_port
| where count > 0
```
Microsoft KQL
Spotting CrimsonRAT's network signature with KQL: TCP C2 on port 18582 or other non-standard ports from .NET processes running in user directories.

```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 18582
    or (RemotePort > 10000 and RemotePort < 65535
        and InitiatingProcessFolderPath has_any ("AppData", "Temp"))
| where InitiatingProcessFileName endswith ".exe"
| join kind=inner (
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName has ".net"
        or ProcessCommandLine has "System.Net.Sockets"
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessFolderPath
```
APT36's burned infrastructure fingerprint — the RDP certificate CN WIN-P9NRMH5G6M8 — is a high-confidence hit across their C2 fleet.

```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "WIN-P9NRMH5G6M8"
    or AdditionalFields has "WIN-P9NRMH5G6M8"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc
```
Sigma
This Sigma rule catches CrimsonRAT's behavioral pattern: .NET binary execution from user directories paired with keylogging and screenshot artifacts.

```yaml
title: CrimsonRAT Behavioral Pattern - .NET RAT from User Directory
id: b3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: |
  Detects CrimsonRAT indicators: .NET process execution from %APPDATA% or %TEMP%
  combined with keylog file creation, screenshot artifacts, or file enumeration
  patterns consistent with APT36/Transparent Tribe operations.
references:
  - https://intel.threadlinqs.com/#TL-2026-0106
  - https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
  - attack.execution
  - attack.t1204.002
  - attack.collection
  - attack.t1056.001
  - attack.t1113
logsource:
  category: process_creation
  product: windows
detection:
  selection_path:
    Image|contains:
      - '\AppData\'
      - '\Temp\'
  selection_dotnet:
    OriginalFileName|contains: '.NET'
  selection_behavior:
    CommandLine|contains:
      - 'getavs'
      - 'procl'
      - 'filez'
      - 'scren'
      - 'keyprs'
      - 'usbwrm'
  condition: selection_path and (selection_dotnet or selection_behavior)
falsepositives:
  - Legitimate .NET applications installed to user directories
  - Development tools running from AppData
level: high
```
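The Sigma rule above and the Splunk chain query earlier encode the same three signals: an image under AppData or Temp, a CrimsonRAT command token on the command line, and an Office parent followed by a connection to port 18582. As an added example that is not part of the Threadlinqs rule set or any vendor's code, the Python below runs that correlation offline over a handful of constructed Sysmon-style events (EventCode 1 process creation and EventCode 3 network connection), grouped by process GUID, so the logic can be exercised before it is ported to a SIEM. Field names and every event in the block are assumptions made for the example.

```python
# Added example (not Threadlinqs' or any vendor's code): offline correlation of
# Sysmon-style process-creation (EventCode 1) and network (EventCode 3) events
# for the CrimsonRAT chain. Field names and all events below are constructed.
import re
from collections import defaultdict

# CrimsonRAT command tokens named in the analysis above.
CRIMSON_CMDS = {"getavs", "procl", "filez", "scren", "keyprs", "thumb", "usbwrm"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE"}
C2_PORT = 18582
USER_DIR_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)

# Constructed events. ws01: Office-spawned binary in AppData that connects to 18582.
# ws02: user-directory binary invoked with a CrimsonRAT command token.
# ws03: a legitimate editor in AppData talking HTTPS (must not alert).
EVENTS = [
    {"EventCode": 1, "host": "ws01", "process_guid": "{A1}",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventCode": 3, "host": "ws01", "process_guid": "{A1}",
     "dest_ip": "203.0.113.10", "dest_port": 18582},
    {"EventCode": 1, "host": "ws02", "process_guid": "{B1}",
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"update.exe keyprs"},
    {"EventCode": 1, "host": "ws03", "process_guid": "{C1}",
     "image": r"C:\Users\carol\AppData\Local\Programs\Editor\editor.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"editor.exe --new-window"},
    {"EventCode": 3, "host": "ws03", "process_guid": "{C1}",
     "dest_ip": "198.51.100.5", "dest_port": 443},
]


def basename(path):
    """Upper-cased final path component, for parent-process comparison."""
    return path.rsplit("\\", 1)[-1].upper()


def correlate(events):
    """Group events by process GUID, then alert on processes whose image lives
    under AppData/Temp and that either carry a CrimsonRAT command token or were
    spawned by Office and later connected to the C2 port."""
    procs = defaultdict(lambda: {"host": None, "image": "", "parent": "",
                                 "cmd": "", "ports": set()})
    for ev in events:
        p = procs[ev["process_guid"]]
        p["host"] = ev["host"]
        if ev["EventCode"] == 1:
            p["image"], p["parent"], p["cmd"] = ev["image"], ev["parent_image"], ev["command_line"]
        elif ev["EventCode"] == 3:
            p["ports"].add(ev["dest_port"])

    alerts = []
    for guid, p in procs.items():
        if not USER_DIR_RE.search(p["image"]):
            continue  # both detections require a user-directory image
        reasons = []
        tokens = set(re.findall(r"[a-z]+", p["cmd"].lower()))
        reasons += [f"crimson_cmd:{t}" for t in sorted(tokens & CRIMSON_CMDS)]
        if basename(p["parent"]) in OFFICE_PARENTS and C2_PORT in p["ports"]:
            reasons.append("office_parent_then_c2_port")
        if reasons:
            alerts.append({"host": p["host"], "process_guid": guid,
                           "image": p["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The ws03 case is the false-positive class the Sigma rule itself lists (tooling installed under AppData): it is in a user directory and makes outbound connections, but with no Office parent, no command token and no connection to 18582 it stays silent. Joining on the process GUID rather than on image name is what keeps the Office-parent and network signals attached to the same process instance.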
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
Trend Micro investigation of APT36/Earth Karkaddan detailing the full attack chain from spearphishing to CrimsonRAT deployment and data exfiltration.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Domain | shareboxs[.]net | CapraRAT C2 (2024 CapraTube Remix) |
| Domain | sharingmymedia[.]com | Shared CrimsonRAT/ObliqueRAT C2 |
| Domain | viral91[.]xyz | CrimsonRAT C2 infrastructure |
| Domain | geo-news[.]tv | Typosquat of geo.tv (Pakistani news) |
| Domain | studentsportal[.]live | Education sector targeting |
| Domain | 7thcpcupdates[.]info | Fake Indian pay commission lure |
| Domain | clawsindia[.]com | Typosquat of Indian think tank |
| IP | 173.249.50.243 | CapraRAT C2 (SentinelOne 2024) |
| IP | 173.212.206.227 | CrimsonRAT C2 infrastructure |
| IP | 89.45.67.160 | CrimsonRAT C2 infrastructure |
| IP | 212.8.240.221 | CrimsonRAT C2 infrastructure |
| Port | 18582/TCP | Primary CrimsonRAT/CapraRAT C2 port |
File Indicators
| Type | Indicator | Context |
|---|---|---|
| RDP Cert CN | WIN-P9NRMH5G6M8 | Persistent across APT36 C2 servers |
| Package | com.example.appcode.appcode | Early CapraRAT Android package name |
| Cert SHA1 | 74bd7b456d9e651fc84446f65041bef1207c408d | CapraRAT signing certificate |
| Email | rupees001@gmail.com | ZainHosting infrastructure registration |
Behavioral Indicators
- .NET process execution from %APPDATA% or %TEMP% with TCP connection to port 18582
- Office macro spawning .NET binary to user directory followed by outbound TCP C2
- USB autorun.inf creation paired with executable copy to removable media
- Android APK requesting SMS + Camera + Microphone + Location + Contacts + Call History simultaneously
- BMP file download followed by PE extraction and execution (ObliqueRAT steganography)
Timeline
| Date | Event |
|---|---|
| 2013-01 | Kaspersky traces initial APT36 activity targeting Indian military and government |
| 2016-03-29 | Palo Alto Unit42 links ProjectM to Transparent Tribe, establishes Pakistan-nexus attribution |
| 2017-01 | Earliest CapraRAT Android samples observed |
| 2018-05-15 | Amnesty International documents CrimsonRAT deployment against Pakistani human rights activists |
| 2020-02 | Cisco Talos discovers ObliqueRAT with BMP steganography delivery |
| 2020-04 | Fake Aarogya Setu COVID-19 app (modified AhMyth) distributed via WhatsApp |
| 2021-07-02 | Team Cymru maps RDP certificate fingerprint WIN-P9NRMH5G6M8 across C2 infrastructure |
| 2021-12 | Expansion to Indian educational institutions begins |
| 2022-01-17 | Trend Micro publishes full Earth Karkaddan attack chain analysis |
| 2024-07 | SentinelOne documents CapraTube Remix campaign targeting gamers and weapons enthusiasts |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Context |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Malicious Office documents with VBA macros |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Links to trojanized APKs and phishing sites |
| Execution | Command and Scripting: Visual Basic | T1059.005 | VBA macros decrypting embedded droppers |
| Execution | User Execution: Malicious File | T1204.002 | Victim opens macro-enabled document or APK |
| Persistence | Registry Run Keys | T1547.001 | CrimsonRAT autostart persistence |
| Persistence | Scheduled Task | T1053.005 | Alternative persistence mechanism |
| Defense Evasion | Steganography | T1027.003 | ObliqueRAT delivery via BMP files |
| Credential Access | Keylogging | T1056.001 | CrimsonRAT keyprs module |
| Credential Access | Credentials from Web Browsers | T1555.003 | CrimsonRAT browser credential theft |
| Collection | Screen Capture | T1113 | CrimsonRAT scren module |
| Collection | Audio Capture | T1123 | CapraRAT microphone recording |
| Collection | Video Capture | T1125 | CapraRAT camera access |
| Lateral Movement | Replication Through Removable Media | T1091 | CrimsonRAT usbwrm USB worm module |
| Command and Control | Non-Standard Port | T1571 | TCP C2 on port 18582 |
Full MITRE ATT&CK mapping with 29 techniques: View coverage on Threadlinqs
TL-2026-0106 on Threadlinqs Intelligence — APT36/Transparent Tribe campaign with 9/9 detection rules covering CrimsonRAT and ObliqueRAT delivery.
Recommendations
- Block known C2 infrastructure at DNS and firewall: all domains and IPs listed in the IOC table, with particular attention to port 18582/TCP
- Disable Office VBA macros via Group Policy for users who do not require macro functionality — this eliminates the primary CrimsonRAT delivery vector
- Enforce managed app stores on government and military Android devices. CapraRAT distributes exclusively through sideloaded APKs via WhatsApp and phishing links, not through Google Play
- Monitor for .NET process execution from %APPDATA% and %TEMP% directories establishing outbound TCP connections — CrimsonRAT's minimal obfuscation makes behavioral detection reliable
- Restrict USB autorun and monitor removable media connections. CrimsonRAT's USB worm module (usbwrm) represents an air-gap bridging capability relevant to classified network environments
References
- Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal — Trend Micro, January 2022
- Transparent Tribe Targets Education Sector — Cisco Talos, July 2022
- Transparent Tribe APT Expands Windows Malware Arsenal — Cisco Talos, September 2021
- Transparent Tribe Evolution Part 2 — Kaspersky, August 2020
- CapraTube Remix — CapraRAT Targeting Gamers and Weapons Enthusiasts — SentinelOne, July 2024
- Pakistan: Human Rights Under Digital Surveillance — Amnesty International, May 2018
- Transparent Tribe Infrastructure Mapping — Team Cymru, July 2021
- ObliqueRAT Hits Victims via Maldocs — Cisco Talos, February 2020
- MITRE ATT&CK T1091 — Replication Through Removable Media — MITRE
- MITRE ATT&CK T1571 — Non-Standard Port — MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0106.