Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact - Dark Reading
Targeting India's government, defense, and aerospace sectors, the cyber-threat group now attacks Linux as well as Windows in its quest to compromise the Indian military's homegrown MayaOS Linux systems.
Robert Lemos, Contributing Writer
May 28, 2024
A Pakistan-linked cyber-espionage group has broadened its use of legitimate software and services in an attempt to bypass cybersecurity defenses: it now targets Linux as much as Windows, and it builds legitimate cloud services, including Google Drive and Telegram, into its attack chains.
The group, dubbed Transparent Tribe, historically has targeted government agencies and defense firms in India with cyberattacks that attempt to compromise Windows systems and Android devices. In its latest campaign, however, the group has favored Linux systems over Windows computers, with 65% of attacks using Linux Executable and Linkable Format (ELF) binaries that target India's homegrown MayaOS distribution.
The latest campaigns are not a departure in targeting, since the group in the past has been laser-focused on compromising India's government, military, and private industry, says Ismael Valenzuela, vice president of threat intelligence and research at cybersecurity firm BlackBerry.
"Over the years, the group has targeted other nations [and] regions beyond India — namely the US, Europe, and Australia — however, its primary target seemingly remains as India," he says. "The group has heavily leveraged lures associated to target the Indian government or its various governing bodies of the nation."
The South Asia region has an active cyber-threat landscape. The India-linked Sidewinder group has targeted Pakistan in the past, but also Turkey and China, while the Patchwork group has targeted Pakistanis through seeding the Google Play store with malicious Android apps. The China-linked Evasive Panda group has targeted Tibetan nationals in India and the United States, while another group, dubbed ToddyCat, has targeted groups in Vietnam and Taiwan.
Transparent Tribe, also known as APT36 and Earth Karkaddan, has previously used romance scams to distribute the CapraRAT Android malware to Indian government officials, using information on the Kashmir region as the lure. Meanwhile, Pakistan has strived to improve its cybersecurity posture, steering $18 million in funding toward cybersecurity research and adding $36 million to its budget to develop better cybersecurity technical capabilities.
The Tribe Adds Linux to Its Targets
Transparent Tribe is not considered especially sophisticated, but it has had considerable success by varying its tactics. The latest attacks combine multiple cross-platform programming languages, the abuse of legitimate services, a variety of payloads and infection vectors, and new delivery mechanisms, Valenzuela says.
The group's use of cross-platform programming languages — including Python, Golang, and Rust — allows it to create programs for both Windows and Linux, an important capability since India's military widely uses its MayaOS Linux distribution. The latest attack uses ELF binaries to distribute a Python-based downloader, which leads to a Linux-based exfiltration utility, BlackBerry stated in its analysis.
"These ELF binaries had minimal detections on VirusTotal likely due to their lightweight nature and dependency on Python," the analysis stated.
Transparent Tribe has experimented with Linux compromises for at least a year, according to other security firms. In certain situations, Transparent Tribe appears to target Linux systems using a "desktop entry file" that is made to look like a Microsoft Office document, Zscaler stated in a September 2023 analysis. Desktop entry files hold the name and icon a Linux desktop displays for a menu item or launcher, together with the command the desktop runs when the user selects it.
"The utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before," Zscaler stated in the 2023 analysis. "This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples — all of which have [zero] detection on VirusTotal."
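The desktop entry technique described above turns on a mismatch: the entry's visible name and icon advertise a document, while its Exec line starts an interpreter or a script staged somewhere writable. The following triage script is an added example for this article (not code from BlackBerry, Zscaler or the threat actor) that parses the [Desktop Entry] group by hand and reports that mismatch, plus related signs such as `Terminal=false` and user-writable paths. The two embedded samples are constructed: a stock LibreOffice launcher and a document-themed lure with a placeholder path.

```python
"""Triage Linux desktop entry (.desktop) files that pose as documents.

Added example for this article, not code from BlackBerry or Zscaler. It parses the
[Desktop Entry] group itself (configparser would lower-case keys and let a later
[Desktop Action ...] group shadow values) and flags entries whose Name=/Icon=
advertise an Office or PDF document while Exec= starts an interpreter, a
download/decoding tool, or a program staged in a user-writable directory.
"""
import re
import shlex
import sys

# Programs a launcher for a document has no reason to start directly.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "ruby"}
FETCH_OR_DECODE = {"curl", "wget", "nc", "ncat", "base64", "xxd", "openssl"}
# Name=/Icon= values that present the entry as an Office or PDF document.
DOC_HINTS = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|odt)\b|office|word|excel|powerpoint|pdf", re.I)
# Staging locations any user can write to.
WRITABLE_DIRS = re.compile(r"(^|[\s\"'=])(/tmp/|/dev/shm/|/var/tmp/|~/\.|\$HOME/\.)")

# Constructed samples for demonstration: a stock LibreOffice launcher and a lure.
BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=LibreOffice Writer
Icon=libreoffice-writer
Exec=libreoffice --writer %U
Terminal=false
"""
SUSPICIOUS_ENTRY = """[Desktop Entry]
Type=Application
Name=Pension_Revision_Circular.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "python3 /tmp/.cache/sync.py"
"""


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group (first value wins)."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip()
            continue
        if group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")
            entry.setdefault(key.strip(), value.strip())
    return entry


def _basename(token):
    return token.rsplit("/", 1)[-1]


def _split(cmd):
    """argv-style split of an Exec= value, tolerating unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def assess(entry):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    exec_value = entry.get("Exec", "")
    tokens = _split(exec_value)
    # Skip env/nohup wrappers and VAR=value prefixes to reach the real program.
    while tokens and (_basename(tokens[0]) in {"env", "nohup"} or re.fullmatch(r"\w+=\S*", tokens[0])):
        tokens = tokens[1:]
    if not tokens:
        return findings
    program = _basename(tokens[0])
    runs_code = False
    if program in INTERPRETERS:
        runs_code = True
        findings.append(f"Exec starts an interpreter directly: {program}")
        if "-c" in tokens:  # `sh -c "<inline>"`: inspect the inline command too
            i = tokens.index("-c")
            inline = tokens[i + 1] if i + 1 < len(tokens) else ""
            for word in re.split(r"[\s|;&()]+", inline):
                if _basename(word) in INTERPRETERS | FETCH_OR_DECODE:
                    findings.append(f"inline shell command invokes: {_basename(word)}")
    for tok in tokens[1:]:
        if _basename(tok) in FETCH_OR_DECODE:
            runs_code = True
            findings.append(f"Exec invokes download/decoding tool: {_basename(tok)}")
    if WRITABLE_DIRS.search(exec_value):
        findings.append("Exec references a user-writable staging path")
    if runs_code and entry.get("Terminal", "false").lower() == "false":
        findings.append("interpreter runs with Terminal=false, so the user sees no window")
    if runs_code and DOC_HINTS.search(entry.get("Name", "") + " " + entry.get("Icon", "")):
        findings.insert(0, "HIGH: document-themed Name/Icon but Exec runs code rather than a viewer")
    return findings


def scan_text(text):
    return assess(parse_desktop_entry(text))


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in scan_text(fh.read()):
                    print(f"{path}: {finding}")
    else:
        for label, sample in (("benign", BENIGN_ENTRY), ("suspicious", SUSPICIOUS_ENTRY)):
            print(label, scan_text(sample) or ["no findings"])
```

Run it with no arguments to see the two samples triaged, or pass `.desktop` paths (for example from a user's Downloads or `~/.local/share/applications`) to triage real files. The document-themed check is deliberately conservative: a real office launcher matches the Name/Icon hints too, but it is never escalated because its Exec line starts a viewer, not an interpreter.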
Past samples have included Android malware, but BlackBerry has not seen any sign of Android targets in the latest campaigns.
Dressing Malware in Legitimate Trappings
Transparent Tribe uses legitimate tools and services as part of its attack infrastructure, extending the living-off-the-land trend. The group uses email and compromised websites to host files, but it also employs Google Drive, which sidesteps the reputation checks that would flag a compromised domain. The use of VoIP and instant-messenger apps such as Discord and Telegram appears to be a new approach, BlackBerry's Valenzuela says.
"If a service, tool, [or] software can be misused, it could become a vector of compromise or part of the attack chain — this could enable an APT group to seemingly fly under the radar and, from a networking perspective, hide in plain sight," he says. "The weaponization of legitimate tooling is not a new phenomenon, with many commodity TAs [threat actors] and APT groups leveraging seemingly benign and legitimate tools illicitly for their own gain and goals."
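Because the destinations are legitimate services, domain reputation alone will not flag this traffic; what stands out is how the service is used. The following script is an added example for this article (not a BlackBerry detection) that scans web-proxy log lines for three such signals: a scripted client (python-requests, curl, wget and the like) talking to a file-sharing or messaging service, a call to the Telegram Bot API (whose URL path carries the bot token, something no interactive messaging client does), and a sizeable POST to one of these services. The log format, host names, file id and bot token are all constructed for the example.

```python
"""Flag scripted use of legitimate cloud and messaging services in proxy logs.

Added example for this article, not a BlackBerry detection. It assumes a
hypothetical proxy log line format:
    <timestamp> <source host> "<User-Agent>" <method> <url> <bytes transferred>
The sample lines, hosts, file id and bot token below are constructed.
"""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<url>\S+) (?P<nbytes>\d+)$'
)
# Library/CLI User-Agents, or none at all; browsers and desktop clients look different.
SCRIPTED_UA = re.compile(r"^(python-requests|python-urllib|curl|wget|go-http-client|java|okhttp)(/|$)|^$", re.I)
# Services the article names as abused, plus their common CDN/API hosts.
WATCHED_HOSTS = {"drive.google.com", "docs.google.com", "api.telegram.org", "discord.com", "cdn.discordapp.com"}
# Telegram Bot API calls embed the bot token in the path: /bot<id>:<secret>/<method>
TELEGRAM_BOT = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto|getUpdates|getFile)\b", re.I)
UPLOAD_BYTES = 10_000  # POST bodies at or above this size count as an upload

SAMPLE_LOG = """\
2024-05-20T09:12:04Z ws-17 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" GET https://drive.google.com/drive/my-drive 1820
2024-05-20T09:13:41Z ws-17 "python-requests/2.31.0" GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID 48120
2024-05-20T09:14:02Z ws-17 "python-requests/2.31.0" POST https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendDocument 30212
2024-05-20T09:15:10Z ws-04 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0" GET https://web.telegram.org/ 5120
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["nbytes"] = int(rec["nbytes"])
    return rec


def classify(rec):
    """Return the reasons a record is suspicious (empty list if none)."""
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    reasons = []
    if host not in WATCHED_HOSTS:
        return reasons
    if host == "api.telegram.org" and TELEGRAM_BOT.match(parts.path):
        reasons.append("Telegram Bot API call (bot token visible in URL path)")
    if SCRIPTED_UA.match(rec["ua"]):
        client = rec["ua"].split("/")[0] or "empty User-Agent"
        reasons.append(f"scripted client ({client}) talking to {host}")
    if rec["method"] == "POST" and rec["nbytes"] >= UPLOAD_BYTES:
        reasons.append(f"POST of {rec['nbytes']} bytes to {host} (possible upload)")
    return reasons


def scan_log(text):
    """Return one hit per suspicious line: {'src', 'ts', 'url', 'reasons'}."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"src": rec["src"], "ts": rec["ts"], "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['url']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On the sample, only the two python-requests lines from ws-17 are reported; the same host's browser visit to Google Drive and another host's ordinary Telegram web session are not. The Bot API rule is the strongest of the three because it does not depend on the User-Agent, which an operator can change at will, and the token it exposes in the path lets an incident responder group all traffic belonging to one bot.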
While other groups have targeted Windows systems using ISO images — which typically appear as disks to the operating system — Transparent Tribe only started using ISO images toward the end of 2023, according to BlackBerry.
The ISO images discovered by BlackBerry used one of two PDF lures: a document discussing staff changes to the military's pension system and another discussing a loan application for army personnel. Both ISOs, however, delivered a Python-based Telegram bot that attempted to compromise targets using Windows portable executable (PE) files.
"While this is a common technique in the wider threat landscape," Valenzuela says, "it appears to be the first time this group has adopted [ISO images] as part of their attack chain."
About the Author
Robert Lemos
Contributing Writer
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.