Pakistani cyber espionage groups, especially Transparent Tribe (APT36), have targeted Indian companies using multi-language malware. Know details:
Pakistan-based cyber espionage groups have been increasingly targeting Indian government and military entities. Recent reports from cybersecurity firms have highlighted the groups' use of several programming languages to build their malware. The groups have also been abusing popular web services like Telegram, Discord, Slack, and Google Drive to facilitate their attacks. One prominent group, Transparent Tribe, also known as APT36, has been particularly active. According to the BlackBerry Research & Intelligence Team, Transparent Tribe has conducted numerous cyber espionage operations against Indian sectors, including education and defence.
The report suggested that the group has adopted programming languages such as Python, Golang, and Rust to develop cross-platform malware. “Transparent Tribe primarily employs phishing emails as the preferred method of delivery for their payloads, utilising either malicious ZIP archives or links. We observed the use of numerous different tools and techniques, some of which aligned with previous reporting from Zscaler in September 2023,” the BlackBerry Research & Intelligence Team said.
Who Is The Target?
According to recent research, Transparent Tribe has targeted three major aerospace and defence companies in Bengaluru, India, which are crucial stakeholders and clients of the Department of Defence Production (DDP). These companies could be Hindustan Aeronautics Limited (HAL), Bharat Electronics Limited (BEL), and BEML Limited, a report by The Hacker News suggested.
Transparent Tribe has a varied set of malware at its disposal, including CapraRAT, CrimsonRAT, ElizaRAT, GLOBSHELL, LimePad, ObliqueRAT, Poseidon, PYSHELLFOX, Stealth Mango, and Tangelo. The group has been observed deploying several versions of GLOBSHELL, a Python-based information-gathering utility, along with PYSHELLFOX, a tool designed to exfiltrate data from Mozilla Firefox.
BlackBerry’s research also revealed the use of bash scripts and Python-based binaries served from domains controlled by the threat actors. These scripts and binaries facilitate various malicious activities, from gathering files from USB drives to deploying remote access trojans that use Telegram for command-and-control purposes.
(With Inputs From Agencies)