Acronis: Transparent Tribe Hacker Group Attacking India’s Startup Ecosystem

Transparent Tribe Shifts Cyber Espionage Focus to India’s Startup Ecosystem

A Pakistan-linked hacking group, Transparent Tribe (APT36), has redirected its cyber espionage efforts from traditional government targets to India’s startup sector, particularly companies in cybersecurity and intelligence. Active since 2013, the group now deploys Crimson RAT, a remote access trojan, to infiltrate systems via malicious emails disguised as legitimate documents.

Researchers at Acronis uncovered the campaign after detecting suspicious files uploaded from India, containing startup-themed lures. Unlike past operations targeting defense and educational institutions, this wave zeroes in on startups providing security services to law enforcement. Attackers leveraged personal details of a real founder to craft convincing fake documents, increasing the likelihood of successful phishing.

The infection chain begins with an ISO container file (e.g., MeetBisht.iso) attached to an email. Inside, a shortcut file masquerades as an Excel document, alongside a hidden folder containing:

  • A decoy document to distract victims,
  • A batch script to execute the payload,
  • The Crimson RAT disguised as an Excel executable.

Once opened, the shortcut triggers the batch script, which:

  • Displays a fake Excel file while silently installing the malware,
  • Uses PowerShell to disable security warnings,
  • Creates a hard-linked executable in the user’s app data folder to evade detection.

The Crimson RAT payload employs advanced evasion tactics, including:

  • Artificial file bloat (34MB, with only 80–150KB of malicious code) to bypass signature-based detection,
  • Randomized function names to hinder analysis,
  • Custom TCP protocols on non-standard ports (e.g., 18661, 20856) for command-and-control (C2) communications.

The malware enables attackers to monitor screens, record audio, steal files, and remotely control infected systems, all without the victim’s knowledge. The shift in targeting underscores a growing threat to India’s emerging tech and security sectors, where sensitive data and intellectual property are prime targets.

Source: https://cybersecuritynews.com/transparent-tribe-hacker-group/

Acronis cybersecurity rating report: https://www.rankiteo.com/company/acronis

"id": "ACR1770407517",
"linkid": "acronis",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': ['Cybersecurity', 'Intelligence'],
                        'location': 'India',
                        'type': 'Startup'}],
 'attack_vector': 'Phishing (Malicious Emails)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive data',
                                              'Intellectual property',
                                              'Files',
                                              'Audio recordings']},
 'description': 'A Pakistan-linked hacking group, Transparent Tribe (APT36), '
                'has redirected its cyber espionage efforts from traditional '
                'government targets to India’s startup sector, particularly '
                'companies in cybersecurity and intelligence. The group '
                'deploys Crimson RAT, a remote access trojan, to infiltrate '
                'systems via malicious emails disguised as legitimate '
                'documents.',
 'impact': {'data_compromised': 'Sensitive data, intellectual property, files, '
                                'audio recordings, screen monitoring'},
 'initial_access_broker': {'backdoors_established': 'Crimson RAT',
                           'entry_point': 'Phishing emails with malicious ISO '
                                          'attachments',
                           'high_value_targets': 'Startups in cybersecurity '
                                                 'and intelligence'},
 'motivation': 'Cyber Espionage, Intellectual Property Theft',
 'post_incident_analysis': {'root_causes': 'Phishing attack leveraging social '
                                           'engineering and malicious ISO '
                                           'files'},
 'references': [{'source': 'Acronis'}],
 'response': {'third_party_assistance': 'Acronis (Researchers)'},
 'threat_actor': 'Transparent Tribe (APT36)',
 'title': 'Transparent Tribe Shifts Cyber Espionage Focus to India’s Startup '
          'Ecosystem',
 'type': 'Cyber Espionage'}