India Targeted Again: Transparent Tribe’s Persistent Campaign Unveiled

Cyfirma specialists conducted an OSINT investigation and uncovered infrastructure linked to the “Transparent Tribe” (APT36) group, focusing specifically on their command and control (C2) servers. The investigation commenced following a post on X by security expert @PrakkiSathwik, who identified two IP addresses associated with the group’s C2 servers — 206.189.134.185 and 143.198.64.151.

The starting point of the investigation was the IP address 143.198.64.151, registered with the DigitalOcean platform (ASN AS14061). This IP was identified as a Mythic C2 server operating on ports 22 (SSH), 80 (HTTP), and 7443 (HTTPS). Mythic is a versatile framework designed for post-exploitation operations in red team exercises, but it is frequently utilized by malicious actors.

To uncover other servers related to this infrastructure, tools such as JARM (to identify TLS configurations) and HTML title metadata were employed for server scanning and analysis. As a result, specialists discovered 15 additional IP addresses, also registered with DigitalOcean and linked to the Mythic framework.

It was revealed that the attack involved Linux desktop entry files, disguised as PDFs, that were used to disseminate malware. These files were first detected in India, suggesting that the campaign likely targeted Indian users and organizations. This aligns with the historical activity of Transparent Tribe, which is notorious for attacks on Indian government entities through phishing and other attack vectors.

Transparent Tribe heavily leverages Linux environments, given their extensive use in Indian government agencies, particularly on Debian-based operating systems such as BOSS OS and Maya OS.

As mentioned earlier, the investigation identified 15 IP addresses associated with Mythic and Poseidon agents. These addresses function as C2 servers, enabling attackers to control compromised systems.

APT36, also known as Transparent Tribe, is a group believed to be based in Pakistan, active since 2013. Despite limited technical capabilities, the group exhibits persistence and continuous evolution of its tactics. Their primary targets are India’s governmental, defense, and educational institutions.

During their attacks, the perpetrators employ phishing techniques and distribute malware via Linux binary files and open-source tools such as Mythic. Their methods allow them to evade traditional security measures and maintain persistent access to compromised systems.

Cyfirma’s investigation has provided invaluable insights into Transparent Tribe’s infrastructure and methods, enabling security professionals to better understand the threat and swiftly respond to potential attacks.