APT36 (Transparent Tribe)
Transparent Tribe, Mythic Leopard, COPPER FIELDSTONE, ProjectM, C-Major, Earth Karkaddan, APT-C-56, Operation C-Major
Pakistan
State-sponsored
Active
Vendor-attributed
Pakistan state-linked (attribution not tied to a named unit of record)
Attribution basis
APT36 is assessed with moderate confidence to be a Pakistan state-aligned actor, operating in support of Pakistani military or intelligence objectives. The group has no attribution of record in the form of an indictment or sanction; the Pakistan nexus rests instead on sustained vendor consensus. It was first documented publicly by Proofpoint in 2016 as "Operation Transparent Tribe," which traced source infrastructure to Pakistan during espionage activity against Indian diplomatic and military targets. Subsequent tracking by Cisco Talos, CYFIRMA, SentinelOne, CrowdStrike (as Mythic Leopard) and Secureworks (as COPPER FIELDSTONE) has reinforced the assessment. Language and build artifacts in the group's malware — including PDB path strings referencing a Pakistani software firm in Crimson RAT samples — provide a supporting, if circumstantial, attribution thread. Consistent with a vendor-attributed rather than judicially-established picture, no individual operators are named here.
Assessment
APT36 is one of the most persistent India-focused cyber-espionage actors, active since at least 2013. It is best understood not as a technically elite adversary but as a highly adaptive and relentless one: across more than a decade its tradecraft has stayed relatively simple — phishing, remote-access trojans, and deceptive infrastructure — while its targeting, delivery, and tooling have iterated continuously to stay effective.
The group's core targets are Indian government, military, defence contractors, diplomats, and research organisations. Its remit has broadened over time: analysts observed a move into the Indian education sector in 2025, and — more significantly — into endpoints running BOSS Linux (Bharat Operating System Solutions), the Debian-based distribution used across Indian government agencies. While the group casts an opportunistic net across many countries, India has remained its consistent strategic focus throughout its operational life.
The through-line is intelligence collection rather than financial gain or disruption. APT36's value to its sponsor is access to Indian state and defence information, and its long operational history reflects a patient, espionage-first posture rather than smash-and-grab monetisation.
The group's core targets are Indian government, military, defence contractors, diplomats, and research organisations. Its remit has broadened over time: analysts observed a move into the Indian education sector in 2025, and — more significantly — into endpoints running BOSS Linux (Bharat Operating System Solutions), the Debian-based distribution used across Indian government agencies. While the group casts an opportunistic net across many countries, India has remained its consistent strategic focus throughout its operational life.
The through-line is intelligence collection rather than financial gain or disruption. APT36's value to its sponsor is access to Indian state and defence information, and its long operational history reflects a patient, espionage-first posture rather than smash-and-grab monetisation.
Modus operandi
Initial access. APT36's entry technique is social engineering at volume. Its signature is the creation of fake domains impersonating Indian military, defence, and government bodies — a technique it has used consistently for years, standing up lookalike sites for organisations such as the Jammu & Kashmir Police and the Indian Air Force. Delivery is typically via spear-phishing carrying malicious documents (macro-laced Office files, OLE-embedded objects), weaponised PDFs, archive files, and ISO images. The group has also run malvertising: it abused Google Ads to promote fake versions of India's Kavach multi-factor-authentication portal, distributing backdoored Kavach applications to harvest government credentials.
Platform expansion. Historically Windows-focused, APT36 has deliberately expanded across platforms. On Android it deploys CapraRAT, a modified AndroRAT surveillance implant disguised as popular apps (Viber, TikTok, "Crazy Games") with permissions to record calls, read messages, and track location. In 2025 it began targeting Linux — specifically BOSS Linux — using malicious .desktop files masquerading as PDFs: the file's Exec= line runs hidden Bash commands that fetch and execute a hex-encoded ELF payload while displaying a decoy PDF, establishing autostart persistence.
Evasion evolution. The group has moved steadily toward stealthier execution: fileless, living-off-the-land chains that abuse trusted Windows binaries (for example, mshta.exe executing attacker-controlled HTA content), multi-stage in-memory decryption, and, by late 2025, weaponised Windows shortcut (.LNK) files disguised as PDFs. It has adopted cross-platform languages (Python, Go, Rust). Most recently, reporting in early 2026 described a shift toward high-volume, AI-assisted implants written in niche languages (Nim, Zig, Crystal) using trusted cloud services — Slack, Discord, Supabase, Google Sheets — for command and control, a model aimed squarely at defeating signature-based detection.
Infrastructure. The group has shown a long-standing preference for Contabo VPS hosting, with certain hosting ranges reused across campaigns as command-and-control infrastructure.
Platform expansion. Historically Windows-focused, APT36 has deliberately expanded across platforms. On Android it deploys CapraRAT, a modified AndroRAT surveillance implant disguised as popular apps (Viber, TikTok, "Crazy Games") with permissions to record calls, read messages, and track location. In 2025 it began targeting Linux — specifically BOSS Linux — using malicious .desktop files masquerading as PDFs: the file's Exec= line runs hidden Bash commands that fetch and execute a hex-encoded ELF payload while displaying a decoy PDF, establishing autostart persistence.
Evasion evolution. The group has moved steadily toward stealthier execution: fileless, living-off-the-land chains that abuse trusted Windows binaries (for example, mshta.exe executing attacker-controlled HTA content), multi-stage in-memory decryption, and, by late 2025, weaponised Windows shortcut (.LNK) files disguised as PDFs. It has adopted cross-platform languages (Python, Go, Rust). Most recently, reporting in early 2026 described a shift toward high-volume, AI-assisted implants written in niche languages (Nim, Zig, Crystal) using trusted cloud services — Slack, Discord, Supabase, Google Sheets — for command and control, a model aimed squarely at defeating signature-based detection.
Infrastructure. The group has shown a long-standing preference for Contabo VPS hosting, with certain hosting ranges reused across campaigns as command-and-control infrastructure.
Targeting
Government
Defence
India
South Asia
Tools used
Crimson RAT
CapraRAT
ElizaRAT
DeskRAT
Peppy