Transparent Tribe & Patchwork: New RAT Campaigns Target Indian Government, Academia, and Pakistan’s Defense Sector

Cyber espionage never sleeps. Two notorious advanced persistent threat (APT) groups — Transparent Tribe (APT36) and Patchwork (aka Dropping Elephant / Maha Grass) — have launched fresh waves of remote access trojan (RAT) attacks across South Asia, targeting government, academia, and strategic sectors. Their evolving toolkits and deceptive delivery methods highlight how state‑linked adversaries are refining their arsenals to achieve long‑term persistence and intelligence collection.

Transparent Tribe’s Latest Campaign

Transparent Tribe, active since at least 2013, is infamous for its focus on Indian organizations. In late 2025, researchers observed a new spear‑phishing campaign that weaponizes Windows shortcut (LNK) files disguised as PDFs.

Attack Chain

1. Delivery: Victims receive a ZIP archive containing a malicious LNK file.
2. Execution: Opening the file triggers mshta.exe, which runs a remote HTML Application (HTA) script.
3. Deception: A decoy PDF opens to mask malicious activity.
4. Payload: The HTA decrypts and loads a RAT DLL (iinneldc.dll) directly in memory.

RAT Capabilities

• Remote system control
• File management & exfiltration
• Screenshot capture
• Clipboard manipulation
• Process control

Adaptive Persistence

Transparent Tribe’s malware cleverly tailors persistence based on installed antivirus software:

• Kaspersky: Drops obfuscated HTA + LNK in Startup.
• Quick Heal: Uses batch + LNK combo.
• Avast/AVG/Avira: Direct payload copy to Startup.
• Fallback: Registry‑based persistence if no AV detected.

The “NCERT Advisory” Lure

Another Transparent Tribe campaign leveraged a malicious shortcut disguised as a government advisory PDF (NCERT-Whatsapp-Advisory.pdf.lnk).

• Retrieves an MSI installer (nikmights.msi) from aeroclubofindia.co[.]in.
• Drops DLLs (pdf.dll, wininet.dll) and executable (PcDirvs.exe).
• Establishes persistence via registry modifications.
• Connects to hard‑coded C2 infrastructure (dns.wmiprovider[.]com) using reversed string endpoints like /retsiger (register) and /taebtraeh (heartbeat).

This campaign demonstrates sophisticated obfuscation and dormant persistence, ensuring attackers can revive operations long after initial infection.

Patchwork’s StreamSpy Trojan

Meanwhile, Patchwork, believed to be of Indian origin, has been linked to attacks on Pakistan’s defense sector. Their new RAT, StreamSpy, represents a modernized toolkit blending:

• MSBuild LOLBin loaders
• PyInstaller‑modified Python runtimes
• WebSocket + HTTP C2 channels for stealthy communication

StreamSpy Features

• Harvests system information
• File upload/download & deletion
• Command execution via cmd/PowerShell
• Encrypted ZIP download & execution
• Persistence via registry, scheduled tasks, or Startup LNKs

Distributed via ZIP archives (OPS-VII-SIR.zip), StreamSpy shares DNA with Spyder and ShadowAgent, suggesting resource sharing between Patchwork and the DoNot Team (Brainworm).

Why This Matters

• Transparent Tribe: Persistent espionage against Indian government and academia.
• Patchwork: Expanding arsenal to target Pakistan’s defense sector.
• Shared tactics: Both groups exploit LNK files, HTA scripts, and LOLBins to bypass detection.
• Strategic impact: These campaigns aren’t smash‑and‑grab — they’re designed for long‑term intelligence collection and regional geopolitical leverage.

Defensive Recommendations

• For organizations:
  • Block execution of mshta.exe and monitor for suspicious LNK files.
  • Harden email gateways against spear‑phishing attachments.
  • Monitor registry changes and Startup folder activity.
  • Deploy EDR/XDR solutions capable of detecting LOLBin abuse.
• For individuals:
  • Be wary of ZIP archives and “government advisory” PDFs.
  • Keep antivirus and endpoint protection updated.
  • Report suspicious emails to IT/security teams immediately.

Takeaway

Transparent Tribe and Patchwork are iterating faster than defenders patch. Their latest RAT campaigns show how state‑linked APTs weaponize everyday file formats (PDFs, LNKs, ZIPs) to infiltrate critical sectors. The lesson is clear: cyber espionage thrives on trust and familiarity — and defenders must stay one step ahead.