Voldebug: Transparent Tribe Hacker Group Targets India’s Startup Ecosystem in Cyber Attack

Transparent Tribe Expands Espionage Campaign to Target India’s Startup Ecosystem

The Pakistan-linked threat group Transparent Tribe (APT36), known for cyberespionage against Indian government and defense sectors since 2013, has shifted tactics to infiltrate India’s startup ecosystem. Researchers at Acronis uncovered a new campaign leveraging spear-phishing emails to deploy the Crimson RAT malware, specifically targeting startups in OSINT (Open Source Intelligence) and cybersecurity sectors with ties to government and law enforcement agencies.

The attack begins with a malicious ISO file ("MeetBisht.iso") disguised as a legitimate meeting request, referencing Voldebug, a real Indian startup, and its founder. When the image is mounted, the victim sees a shortcut (LNK) file dressed up as an Excel document; opening it runs a hidden batch script while a decoy document is displayed so the victim notices nothing. The script installs Crimson RAT, a Remote Access Trojan inflated with "garbage data" to roughly 34MB so that antivirus engines which skip or truncate files above a size threshold never scan the actual payload.
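One practical check against the padding trick described above is to measure entropy chunk by chunk: appended "garbage" is usually a repeated or constant byte pattern, which scores far below real code or packed data. The script below is an added example written for this page, not code from Acronis or the article, and it does not use a real sample: build_padded_sample() constructs a stand-in in memory (random bytes as the "payload", a repeated filler string as the padding). The chunk size, thresholds and minimum file size are assumptions chosen for the demonstration.

```python
"""Flag executables padded with low-entropy "garbage" to defeat size-capped scanning.

Added example for this page, not code from Acronis or from the article. No real
sample is used: build_padded_sample() constructs a stand-in in memory. CHUNK,
LOW_ENTROPY, PADDING_FRACTION and MIN_SIZE are assumptions for the demo.
"""
import math
import os
from collections import Counter

CHUNK = 64 * 1024            # entropy is measured per 64 KiB chunk
LOW_ENTROPY = 3.0            # bits/byte: repeated filler scores well under 3, code ~6, random ~8
PADDING_FRACTION = 0.5       # flag when at least half the file is low-entropy
MIN_SIZE = 8 * 1024 * 1024   # assumption: only files large enough to hit scanner size caps


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty or single-valued buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Per-chunk entropy, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def padding_report(data: bytes) -> dict:
    """Summarise how much of the file is low-entropy filler and whether that is suspicious."""
    profile = entropy_profile(data)
    low = [e < LOW_ENTROPY for e in profile]
    fraction = sum(low) / len(profile) if profile else 0.0
    longest = current = 0
    for is_low in low:                 # longest contiguous run of filler chunks
        current = current + 1 if is_low else 0
        longest = max(longest, current)
    return {
        "size": len(data),
        "chunks": len(profile),
        "low_entropy_fraction": round(fraction, 3),
        "longest_low_run_chunks": longest,
        "suspicious": len(data) >= MIN_SIZE and fraction >= PADDING_FRACTION,
    }


def strip_trailing_padding(data: bytes, chunk: int = CHUNK) -> bytes:
    """Drop trailing filler chunks so a size-capped scanner sees the real payload."""
    profile = entropy_profile(data, chunk)
    end = len(profile)
    while end > 0 and profile[end - 1] < LOW_ENTROPY:
        end -= 1
    return data[:end * chunk]


def build_padded_sample(payload_size: int, padding_size: int, filler: bytes = b"garbage ") -> bytes:
    """Constructed stand-in: random 'payload' bytes followed by repeated filler (not a real sample)."""
    padding = (filler * (padding_size // len(filler) + 1))[:padding_size]
    return os.urandom(payload_size) + padding


if __name__ == "__main__":
    sample = build_padded_sample(1024 * 1024, 9 * 1024 * 1024)   # 1 MiB payload + 9 MiB filler
    print(padding_report(sample))
    print(len(strip_trailing_padding(sample)))
```

The caveat: this only catches low-entropy filler. An attacker who pads with random bytes defeats the entropy test, so a second check should compare the size the executable's headers account for (for a PE, the end of the last section) with the file size on disk and treat a large unexplained overlay the same way.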

Once active, the malware grants attackers full control over the infected system, including:

  • Surveillance: Screen recording, webcam/microphone activation.
  • Data theft: File enumeration, exfiltration of sensitive documents.
  • System manipulation: Process termination, command execution.
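The delivery chain on this page (mounted ISO, shortcut, hidden batch script, dropped RAT) leaves a recognisable process tree, and that is usually easier to alert on than the padded binary itself. The script below is an added example, not code from Acronis or the article: EVENTS holds constructed Sysmon-style process-creation records, not real telemetry, and the assumed tree (explorer.exe runs the shortcut, the shortcut starts cmd.exe on a batch script from the mounted ISO, the script launches a payload from a user-writable directory) together with the drive letter, script name and payload path are assumptions, not indicators from the report.

```python
"""Detect the delivery chain on this page from process-creation telemetry.

Added example, not code from Acronis or the article. EVENTS holds constructed
Sysmon-style records. The drive letter, script name and payload path are
hypothetical; the process tree is an assumption about how a shortcut-launched
batch script looks in telemetry.
"""
import ntpath
import re

# A Windows path ending in .bat/.cmd, taken from the command line (quoted or not).
SCRIPT_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd))\b', re.IGNORECASE)
# Directories an unprivileged user can write to; a payload dropped by a script usually lands here.
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp|Public)\\', re.IGNORECASE)

EVENTS = [  # constructed for this example
    {"pid": 800, "ppid": 4, "image": r"C:\Windows\System32\userinit.exe",
     "command_line": "userinit.exe"},
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 4100, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    # Shortcut from the mounted ISO (hypothetical drive E:) starts cmd.exe on a batch script
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "E:\MeetBisht\setup.bat"'},
    # The script launches a dropped binary from a user-writable path (hypothetical)
    {"pid": 5300, "ppid": 5200, "image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "command_line": "host.exe"},
    # Benign noise: a plain prompt, and an updater started directly by explorer
    {"pid": 5400, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"pid": 5500, "ppid": 4100, "image": r"C:\Users\alice\AppData\Local\Vendor\Update.exe",
     "command_line": "Update.exe"},
    # Benign: a scheduled task (parent svchost.exe) running an admin script
    {"pid": 5600, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Scripts\nightly.bat"'},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_chain(events: list) -> list:
    """One alert per explorer.exe -> cmd.exe <script> launch; escalated if the script spawned a payload."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or _name(parent["image"]) != "explorer.exe" or _name(e["image"]) != "cmd.exe":
            continue
        m = SCRIPT_PATH.search(e["command_line"])
        if not m:
            continue                      # an interactive prompt, not a script launch
        dropped = [c["image"] for c in events
                   if c["ppid"] == e["pid"] and USER_WRITABLE.search(c["image"])]
        alerts.append({
            "cmd_pid": e["pid"],
            "script": m.group(1),
            "dropped": dropped,
            "severity": "high" if dropped else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

A double-clicked .bat produces the same explorer.exe to cmd.exe edge in ordinary use, which is why the first stage alone is only "medium"; the escalation to "high" comes from the child process in a user-writable directory, and in production the parent lookup should use the process GUID rather than a reusable PID.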

The RAT communicates with its command-and-control (C2) server over a custom TCP protocol rather than a common web protocol, so its traffic does not match signatures written for off-the-shelf C2 frameworks. Acronis researchers attributed the attack to Transparent Tribe with high confidence, citing reused infrastructure (including U.S.-hosted servers) and code overlaps with past campaigns. A recurring misspelling ("Evidance" instead of "Evidence") in file names further linked the operation to the group's previous activity.

This campaign highlights a supply-chain-style espionage strategy: by compromising startups with government connections, Transparent Tribe gains indirect access to sensitive state data. The shift underscores the growing threat to private-sector entities collaborating with public institutions, positioning them as high-value targets in state-sponsored cyber operations.

Source: https://gbhackers.com/transparent-tribe-hacker/

Voldebug Innovations PVT. LTD. cybersecurity rating report: https://www.rankiteo.com/company/voldebug

{
  "id": "VOL1770408203",
  "linkid": "voldebug",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customer data leaks"
}
{'affected_entities': [{'industry': 'OSINT, Cybersecurity',
                        'location': 'India',
                        'name': 'Voldebug',
                        'type': 'Startup'}],
 'attack_vector': 'Spear-phishing emails',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely (surveillance '
                                                        'data includes '
                                                        'screen/webcam/microphone '
                                                        'feeds)',
                 'sensitivity_of_data': 'High (government/law enforcement '
                                        'ties)',
                 'type_of_data_compromised': 'Sensitive documents, '
                                             'surveillance data, system '
                                             'information'},
 'description': 'The Pakistan-linked threat group Transparent Tribe (APT36) '
                'has shifted tactics to infiltrate India’s startup ecosystem, '
                'targeting startups in OSINT and cybersecurity sectors with '
                'ties to government and law enforcement agencies. The campaign '
                'leverages spear-phishing emails to deploy the Crimson RAT '
                'malware, using a malicious ISO file disguised as a legitimate '
                'meeting request.',
 'impact': {'data_compromised': 'Sensitive documents, surveillance data '
                                '(screen recordings, webcam/microphone feeds)',
            'identity_theft_risk': 'High (personally identifiable information '
                                   'at risk)',
            'operational_impact': 'Full system control by attackers, data '
                                  'exfiltration, process manipulation',
            'systems_affected': 'Infected systems of targeted startups'},
 'initial_access_broker': {'backdoors_established': 'Crimson RAT',
                           'entry_point': 'Spear-phishing emails with '
                                          'malicious ISO files',
                           'high_value_targets': 'Startups in '
                                                 'OSINT/cybersecurity with '
                                                 'government/law enforcement '
                                                 'ties'},
 'investigation_status': 'Attributed with high confidence',
 'lessons_learned': 'Startups with government connections are high-value '
                    'targets for state-sponsored cyberespionage. '
                    'Supply-chain-style attacks can provide indirect access to '
                    'sensitive state data.',
 'motivation': 'Espionage, state-sponsored cyber operations',
 'post_incident_analysis': {'corrective_actions': 'Implement advanced threat '
                                                  'detection, enhance employee '
                                                  'training, and adopt '
                                                  'behavioral analysis for '
                                                  'malware detection',
                            'root_causes': 'Lack of phishing awareness, '
                                           'reliance on size-based antivirus '
                                           'scanning, weak network traffic '
                                           'monitoring'},
 'recommendations': 'Enhance phishing awareness training, configure endpoint '
                    'scanners to inspect large files rather than skip them on '
                    'size alone, monitor for unusual outbound TCP connections, '
                    'and conduct regular security audits for startups '
                    'collaborating with public institutions.',
 'references': [{'source': 'Acronis'}],
 'response': {'third_party_assistance': 'Acronis (researchers)'},
 'threat_actor': 'Transparent Tribe (APT36)',
 'title': 'Transparent Tribe Expands Espionage Campaign to Target India’s '
          'Startup Ecosystem',
 'type': 'Cyberespionage'}