APT36 (also known as Transparent Tribe) is continuously updating its arsenal while adding new tools and new TTPs. Throughout 2022, it has been active with CrimsonRAT, ObliqueRAT, and some custom malware. Recently, it is observed launching a new malicious campaign involving a new data exfiltration tool, named Limepad.

The new campaign

According to Zscaler researchers, the Pakistan-linked adversary is targeting employees of Indian government organizations.
  • Transparent Tribe threat actors abuse Google advertisements for the purpose of malvertising to distribute trojanized versions of a two-factor authentication solution called Kavach.
  • They control certain third-party application stores and use these as a gateway to redirect unsuspecting users to attacker-registered domains hosting the latest backdoored variants of Indian government-related applications.
  • The group uses Limepad tool that is designed to steal and upload data from the infected host to the attacker's server. It is modular and contains many custom Python libraries developed by the attacker to assist the main functionality.

Consistent attack techniques

APT-36 has registered several domains spoofing Indian government organization sites to launch credential harvesting and phishing attacks.
  • These domains impersonate Kavach NIC (National Informatics Center) login page or other government entities. However, it redirects victims to the malicious domains only when accessed from an Indian IP address, else it is redirected to legitimate sites.
  • These well-crafted phishing pages sent the stolen credentials to a remote server for carrying out further attacks against government-related infrastructure.


Although Limepad is in the very early stages of development, analysis of its key functionalities shows it can become the malware of choice for establishing long-term access to victim networks. Its consistency with malvertising, credential harvesting, and phishing attacks hints towards its heightened motive.
Cyware Publisher