A hacking group associated with Pakistan, referred to as Transparent Tribe or APT36, is reportedly targeting Indian organizations using a progressively advanced malware known as ElizaRAT, as detailed by Checkpoint Research. Initially revealed in September 2023, this malware has undergone significant enhancements, incorporating improved evasion strategies and sophisticated command and control functionalities.
The report indicates that the threat actor executed three separate campaigns from late 2023 to early 2024, each utilizing various versions of ElizaRAT to extract information from the compromised systems. Notably, all variants were designed to verify the settings for the India Standard Time zone, underscoring a distinct emphasis on Indian targets.
The working of Pakistani hackers
In the initial campaign, the attackers employed Slack channels for their command and control communications and introduced a novel payload known as ApoloStealer, which was specifically designed to gather and exfiltrate files from desktops. The subsequent campaign, referred to as “Circle,” commenced in January 2024 and featured enhanced capabilities for evading detection, utilizing virtual private servers for communication rather than relying on cloud services.
The third campaign utilized Google Drive for its command and control functions while deploying specialized payloads aimed at information theft. The malware typically propagates through executable files disseminated via Google Storage links, likely as a result of phishing attacks.
Transparent Tribe, which has a history of targeting Indian governmental entities, diplomatic staff, and military installations, exhibits a growing sophistication in its cyber espionage activities. The group has modified its strategies to incorporate widely used cloud services such as Google, Telegram, and Slack, thereby concealing its malicious operations within regular network traffic.