
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

Published:

2 January 2026 at 13:52:00

Alert date:

2 January 2026 at 14:02:21

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Email & Messaging

The Transparent Tribe threat actor has launched new remote access trojan (RAT) attacks targeting Indian governmental, academic, and strategic entities. The campaign uses deceptive delivery techniques, including weaponized Windows shortcut (LNK) files masquerading as legitimate PDF documents. The RAT provides persistent control over compromised hosts, allowing the attackers to maintain long-term access to targeted systems.

Technical details

Transparent Tribe (APT36) launches attacks using spear-phishing emails carrying ZIP archives that contain weaponized LNK files disguised as PDFs. The LNK file triggers remote HTA script execution via mshta.exe, which decrypts and loads the RAT payload directly into memory while displaying a decoy PDF document. The malware adapts its persistence method to the antivirus solution it detects on the host (Kaspersky, Quick Heal, Avast, AVG, Avira). The RAT includes the DLL 'iinneldc.dll', which provides remote system control, file management, data exfiltration, screenshot capture, and clipboard manipulation. An additional campaign uses the MSI installer 'nikmights.msi', which deploys executables and DLLs, establishes Registry-based persistence, and communicates with C2 infrastructure using reversed endpoint strings. The Patchwork group has been linked to the StreamSpy trojan, which uses WebSocket and HTTP protocols for C2 communication.

Mitigation steps:

Monitor for suspicious LNK files disguised as PDF documents.
Track mshta.exe execution with remote HTA scripts.
Implement behavioral detection for memory-loaded payloads.
Monitor Registry modifications used for persistence.
Watch for communication to the identified C2 infrastructure.
Scan for the specific file hashes and file paths listed in the IOCs.
Implement endpoint detection for the specific DLL names and executable files.
Monitor WebSocket and HTTP traffic patterns indicative of StreamSpy trojan communication.
Establish monitoring for reversed endpoint strings in network traffic.
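As an added detection example (not part of this advisory and not any vendor's tooling), the following Python script applies three of the mitigation steps above to constructed sample telemetry: LNK files carrying a document extension before ".lnk", mshta.exe launched with a remote HTA URL, and HTTP requests to the reversed endpoint strings or C2 domains listed in the IOCs. The reversed endpoints and domains are taken from the IOC list on this page; the log line format, every sample line, and the host example.invalid are constructed, and the document extensions beyond PDF are an assumed generalisation of the PDF masquerade the advisory describes.

```python
"""Detection logic for three of the advisory's mitigation steps, run over
constructed sample telemetry (format: timestamp|event|host|detail).

Checks:
  1. LNK files whose name carries a document extension before ".lnk"
  2. mshta.exe launched with a remote (http/https) HTA argument
  3. HTTP requests whose path is one of the advisory's reversed endpoint
     strings, or whose host is one of the advisory's C2 domains
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reversed endpoint strings taken from the advisory's IOC list.
REVERSED_ENDPOINTS = {"/retsiger", "/taebtraeh", "/dnammoc_teg", "/dnammocmvitna"}

# Domains from the advisory's IOC list, refanged so they match real log data.
IOC_DOMAINS = {
    d.replace("[.]", ".")
    for d in {"aeroclubofindia.co[.]in", "dns.wmiprovider[.]com", "firebasescloudemail[.]com"}
}

# Double-extension LNK masquerade. The advisory describes PDF decoys; the other
# document extensions are an assumed generalisation of the same trick.
LNK_MASQUERADE_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)

# mshta.exe followed by an http(s) URL anywhere on the command line.
REMOTE_MSHTA_RE = re.compile(r"mshta(\.exe)?\b.*\bhttps?://", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    line: str
    reasons: List[str] = field(default_factory=list)


def is_lnk_masquerade(path: str) -> bool:
    """True for names like 'X.pdf.lnk' that pose as a document."""
    return LNK_MASQUERADE_RE.search(path) is not None


def is_remote_mshta(cmdline: str) -> bool:
    """True when mshta.exe is invoked with a remote HTA URL."""
    return REMOTE_MSHTA_RE.search(cmdline) is not None


def decode_reversed_endpoint(path: str) -> Optional[str]:
    """Return the readable form of a known reversed endpoint, else None.

    Only the part after the leading slash is reversed: '/retsiger' -> '/register'.
    """
    if path not in REVERSED_ENDPOINTS:
        return None
    return "/" + path.lstrip("/")[::-1]


def check_line(line: str) -> Optional[Alert]:
    """Apply the three checks to one constructed log line."""
    try:
        _ts, event, host, detail = line.split("|", 3)
    except ValueError:
        return None  # malformed line; a real pipeline would count these
    reasons = []
    if event == "filecreate" and is_lnk_masquerade(detail):
        reasons.append("LNK file masquerading as a document")
    elif event == "proccreate" and is_remote_mshta(detail):
        reasons.append("mshta.exe launched with remote HTA")
    elif event == "http":
        parts = detail.split()  # detail is 'METHOD host path'
        if len(parts) == 3:
            _method, hostname, path = parts
            if hostname.lower() in IOC_DOMAINS:
                reasons.append(f"request to IOC domain {hostname}")
            decoded = decode_reversed_endpoint(path)
            if decoded is not None:
                reasons.append(f"reversed C2 endpoint {path} ({decoded})")
    return Alert(host, line, reasons) if reasons else None


def scan(lines) -> List[Alert]:
    """Return one Alert per log line that triggered at least one check."""
    return [a for a in (check_line(ln) for ln in lines) if a is not None]


# Constructed sample telemetry: three hosts, mixed benign and suspicious events.
SAMPLE_LOGS = [
    "2026-01-02T10:00:01Z|filecreate|host1|C:\\Users\\u\\Downloads\\NCERT-Whatsapp-Advisory.pdf.lnk",
    "2026-01-02T10:00:05Z|proccreate|host1|\"C:\\Windows\\System32\\mshta.exe\" https://example.invalid/PcDirvs.hta",
    "2026-01-02T10:00:09Z|http|host1|GET example.invalid /retsiger",
    "2026-01-02T10:01:00Z|proccreate|host2|\"C:\\Windows\\System32\\mshta.exe\" C:\\tools\\local.hta",
    "2026-01-02T10:02:00Z|filecreate|host2|C:\\Users\\u\\Documents\\report.pdf",
    "2026-01-02T10:03:00Z|http|host3|GET dns.wmiprovider.com /dnammoc_teg",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert.host, "->", "; ".join(alert.reasons))
```

The local-HTA mshta launch on host2 is deliberately left unflagged: the advisory's step is about remote HTA scripts, and a broader rule on any mshta.exe execution would be a separate, noisier decision. The decoded endpoint names are simply the IOC strings reversed, which is the only transformation the advisory attributes to them.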

Affected products:

Windows systems
mshta.exe
cmd.exe
WScript.Shell
MSBuild
Windows Registry
Windows Startup folder
Kaspersky antivirus
Quick Heal antivirus
Avast antivirus
AVG antivirus
Avira antivirus

Related links:

https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/
https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html
https://thehackernews.com/2023/04/pakistan-based-transparent-tribe.html
https://thehackernews.com/2024/11/icepeony-and-transparent-tribe-target.html
https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html
https://web.archive.org/web/20240808195321/https://pkcert.gov.pk/advisory/24-12.pdf
https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/
https://thehackernews.com/2025/07/patchwork-targets-turkish-defense-firms.html
https://ti.qianxin.com/apt/detail/5aa10b90d70a3f2810c4d3c5?name=Hangover&type=list
https://www.linkedin.com/posts/idan-tarab-7a9057200_india-backdoor-msbuild-activity-7397661496421470208-ltCf/
https://www.huntress.com/blog/detecting-malicious-use-of-lolbins
https://ti.qianxin.com/blog/articles/analysis-of-streamspy-a-new-trojan-using-websocket-by-patchwork-en/
https://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/
https://thehackernews.com/2024/09/cloudflare-warns-of-india-linked.html
https://www.virustotal.com/gui/file/3a4f47c60edf1e00adb3ca60a7643062657fe2c6dd85ace9dfd8fdec47078d4e
https://www.virustotal.com/gui/file/dc297aded70b0692ad0a24509e7bbec210bc0a1c7a105e99e1a8f76e3861ad34
https://x.com/malwrhunterteam/status/1985321347279626438
https://x.com/malwrhunterteam/status/1986334542123159792
https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html
https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507603&idx=1&sn=af41be456f6393a24771846328e8d7f2&poc_token=HFXIV2mjHDf6vRChlY5yx20OepiqSApAHaYOo067
https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-cn/

Related CVEs:

Related threat actors:

IOCs:

NCERT-Whatsapp-Advisory.pdf.lnk
nikmights.msi
aeroclubofindia.co[.]in
C:\ProgramData\PcDirvs\pdf.dll
C:\ProgramData\PcDirvs\wininet.dll
PcDirvs.exe
PcDirvs.hta
dns.wmiprovider[.]com
iinneldc.dll
C:\Users\Public\core\
/retsiger
/taebtraeh
/dnammoc_teg
/dnammocmvitna
firebasescloudemail[.]com
OPS-VII-SIR.zip
Annexure.exe
3a4f47c60edf1e00adb3ca60a7643062657fe2c6dd85ace9dfd8fdec47078d4e

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
