Pakistani Transparent Tribe APT Aims for Cross-Platform Impact

Published: 23/11/2024   Category: security




Targeting India's government, defense, and aerospace sectors, the cyber-threat group now attacks Linux as well as Windows in its quest to compromise the Indian military's homegrown MayaOS Linux systems.



A Pakistan-linked cyber-espionage group has pivoted to a wider variety of legitimate software techniques in an attempt to bypass cybersecurity defenses, including targeting Linux as much as Windows and incorporating legitimate cloud services, including Google Drive and Telegram, into its attacks.
The group, dubbed Transparent Tribe, historically has targeted government agencies and defense firms in India with cyberattacks that attempt to compromise Windows systems and Android devices. In its latest campaign, however, the group has favored Linux systems over Windows computers, with 65% of attacks using Linux Executable and Linkable Format (ELF) binaries that target India's homegrown MayaOS distribution.
The latest campaigns are not a departure in targeting, since the group in the past has been laser-focused on compromising India's government, military, and private industry, says Ismael Valenzuela, vice president of threat intelligence and research at cybersecurity firm BlackBerry.
"Over the years, the group has targeted other nations [and] regions beyond India — namely the US, Europe, and Australia — however, its primary target seemingly remains as India," he says. "The group has heavily leveraged lures associated to target the Indian government or its various governing bodies of the nation."
The South Asia region has an active cyber-threat landscape. The India-linked Sidewinder group has targeted Pakistan in the past, but also Turkey and China, while the Patchwork group has targeted Pakistanis through seeding the Google Play store with malicious Android apps. The China-linked Evasive Panda group has targeted Tibetan nationals in India and the United States, while another group, dubbed ToddyCat, has targeted groups in Vietnam and Taiwan.
Transparent Tribe, also known as APT36 and Earth Karkaddan, has previously used romance scams to distribute the CapraRAT Android malware against Indian government officials with information on the Kashmir region. Meanwhile, Pakistan has strived to improve its cybersecurity posture, steering $18 million in funding toward cybersecurity research and adding $36 million to its budget to develop better cybersecurity technical capabilities.
Overall, Transparent Tribe is not considered to be very sophisticated, but it has had good success by mixing up its tactics. "The latest attacks include multiple cross-platform programming languages, the abuse of legitimate services, a variety of payloads and infection vectors, and the use of new delivery mechanisms," Valenzuela says.
The group's use of cross-platform programming languages — including Python, Golang, and Rust — allows it to create programs for both Windows and Linux, an important capability since India's military widely uses its MayaOS Linux distribution. The latest attack uses ELF binaries to distribute a Python-based downloader, which leads to a Linux-based exfiltration utility, BlackBerry stated in its analysis.
"These ELF binaries had minimal detections on VirusTotal likely due to their lightweight nature and dependency on Python," the analysis stated.
Transparent Tribe has experimented with Linux compromises for at least a year, according to other security firms. In certain situations, Transparent Tribe appears to target Linux systems using a desktop entry file that appears to be a Microsoft Office document, Zscaler stated in a September 2023 analysis. Desktop entry files provide information and commands that Linux desktop systems use to take actions after a user selects a menu item.
"The utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before," Zscaler stated in the 2023 analysis. "This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples — all of which have [zero] detection on VirusTotal."
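The technique described above relies on a `.desktop` launcher whose `Name` and `Icon` look like a document while its `Exec` line runs something else. The script below is an added example, not code from the article, Zscaler, or BlackBerry: it parses the `[Desktop Entry]` group of each launcher and flags entries whose document-like name or icon is paired with an `Exec` that is not a known document handler, or whose `Exec` invokes a shell, interpreter, or downloader or points at a scratch directory. The heuristic patterns, the list of "known document handlers", and the three sample launchers are my own constructions, not indicators from the page.

```python
"""Triage Linux desktop entry (.desktop) files for document-masquerading launchers.

Added example; heuristics, handler list, and SAMPLE_ENTRIES are constructed
for illustration and are not indicators published in the article.
"""
import configparser
import re
from pathlib import Path

# Names or file names that imitate a document (e.g. "Pension_Update.docx").
DOC_NAME = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b|\b(office|word|excel|powerpoint)\b", re.I)
# Icons that freedesktop themes use for office/PDF documents.
DOC_ICON = re.compile(r"x-office|application-(pdf|msword|vnd\.)|libreoffice|wps-office", re.I)
# Programs that legitimately open a document from a launcher (assumed list).
DOC_HANDLER = re.compile(r"^\s*(libreoffice|soffice|xdg-open|gio\s+open|evince|okular)\b", re.I)
# Exec lines a document launcher should not need: interpreters, fetchers, scratch dirs.
RISKY_EXEC = re.compile(
    r"(?:^|[\s/\"'])(sh|bash|dash|zsh|python3?|perl|curl|wget|base64)\b"
    r"|/(tmp|var/tmp|dev/shm)/",
    re.I,
)


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict with lowercase keys, or None if absent/unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # Exec values contain %U, %f ...
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])  # configparser lowercases keys (Name -> name, Exec -> exec)


def assess_entry(entry, filename=""):
    """Return a list of reasons this launcher looks like a document masquerade (empty list = clean)."""
    name = entry.get("name", "")
    icon = entry.get("icon", "")
    exec_line = entry.get("exec", "")
    reasons = []
    looks_like_document = bool(
        DOC_NAME.search(name) or DOC_NAME.search(filename) or DOC_ICON.search(icon)
    )
    # A document-looking launcher is fine when it is opened by a real viewer; suspicious otherwise.
    if looks_like_document and exec_line and not DOC_HANDLER.match(exec_line):
        reasons.append("document-like Name/Icon but Exec is not a document viewer")
    if RISKY_EXEC.search(exec_line):
        reasons.append("Exec runs an interpreter/fetcher or references a scratch directory")
    return reasons


def scan_texts(entries):
    """Assess {filename: file_text}; return {filename: reasons} for flagged launchers only."""
    flagged = {}
    for fname, text in entries.items():
        entry = parse_desktop_entry(text)
        if entry is None:
            continue
        reasons = assess_entry(entry, fname)
        if reasons:
            flagged[fname] = reasons
    return flagged


def scan_directories(dirs=("~/Desktop", "~/Downloads", "~/.local/share/applications", "~/.config/autostart")):
    """Read *.desktop files from the given directories (user locations where dropped launchers land)."""
    texts = {}
    for d in dirs:
        for path in Path(d).expanduser().glob("*.desktop"):
            try:
                texts[path.name] = path.read_text(errors="replace")
            except OSError:
                continue
    return scan_texts(texts)


# Constructed sample launchers: one genuine office app, one genuine file shortcut, one masquerade.
SAMPLE_ENTRIES = {
    "libreoffice-writer.desktop": "[Desktop Entry]\nType=Application\nName=LibreOffice Writer\n"
                                  "Icon=libreoffice-writer\nExec=libreoffice --writer %U\n",
    "Quarterly_Report.pdf.desktop": "[Desktop Entry]\nType=Application\nName=Quarterly_Report.pdf\n"
                                    "Icon=application-pdf\nExec=xdg-open /home/user/Documents/Quarterly_Report.pdf\n",
    "Pension_Update.docx.desktop": "[Desktop Entry]\nType=Application\nName=Pension_Update.docx\n"
                                   "Icon=x-office-document\nTerminal=false\n"
                                   "Exec=sh -c \"python3 /tmp/.cache/update.py\"\n",
}

if __name__ == "__main__":
    for fname, reasons in scan_texts(SAMPLE_ENTRIES).items():
        print(f"{fname}: " + "; ".join(reasons))
    for fname, reasons in scan_directories().items():
        print(f"{fname}: " + "; ".join(reasons))
```

Run stand-alone, the script reports only the constructed `Pension_Update.docx.desktop` sample (two reasons) and then whatever it finds in the user's launcher directories. The output is triage material rather than a verdict: some legitimate user-installed launchers do invoke `python3` or `bash`, so a hit should be confirmed by reading the full `Exec` line and the file's modification time and origin.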
Past samples have included Android malware, but BlackBerry has not seen any sign of Android targets in the latest campaigns.
Transparent Tribe uses legitimate tools and services as part of its attack infrastructure, extending the living-off-the-land trend. The group uses email and compromised websites to host files, but also employs Google Drive to bypass checks of compromised domains. The use of VoIP and instant messenger apps like Discord and Telegram appears to be a new approach, BlackBerry's Valenzuela says.
"If a service, tool, [or] software can be misused, it could become a vector of compromise or part of the attack chain — this could enable an APT group to seemingly fly under the radar and, from a networking perspective, hide in plain sight," he says. "The weaponization of legitimate tooling is not a new phenomenon, with many commodity TAs [threat actors] and APT groups leveraging seemingly benign and legitimate tools illicitly for their own gain and goals."
While other groups have targeted Windows systems using ISO images — which typically appear as disks to the operating system — Transparent Tribe only started using ISO images toward the end of 2023, according to BlackBerry.
The ISO images discovered by BlackBerry used one of two PDF lures: a document discussing staff changes to the military's pension system and another discussing a loan application for army personnel. Both ISOs, however, delivered a Python-based Telegram bot that attempted to compromise targets using Windows portable executable (PE) files.
While this is a common technique in the wider threat landscape, Valenzuela says, "it appears to be the first time this group has adopted [ISO images] as part of their attack chain."
