Transparent Tribe, an APT group, is now expanding its malware arsenal and victimology aimed at Windows devices. The APT group has been active since 2013 and is known to target Indian military and defense personnel with CrimsonRAT. However, the group is now deploying ObliqueRAT.

What has happened?

New research by Cisco Talos disclosed that the group is evolving several parts of its attack vector and making its lures more targeted. In early 2020, the group started using ObliqueRAT.
  • Researchers identified several malicious documents spreading the malware as part of Transparent Tribe campaigns.
  • These maldocs are believed to be sent as attachments via phishing emails.
  • In recent campaigns, the attackers took extra measures to ensure that their attack chain looks more legitimate by hosting the malicious payloads on compromised websites.
  • For initial compromise, the group uses fake domains impersonating genuine Indian military and defense organizations, along with malicious domains mimicking file-sharing and content-hosting websites.

Victimology and malware arsenal

  • The APT group is heavily reliant on social engineering as a core attack method and is invested in making its operation look legitimate. 
  • Although Transparent Tribe primarily targets military/defense personnel, it has now started targeting defense contractors, diplomatic entities, conference attendees, and research organizations.
  • In addition, since 2020 the APT group has focused on diversifying its malware arsenal and infection tactics. It now uses ObliqueRAT, along with CrimsonRAT to steal various information.


Transparent Tribe is expected to continue targeting military and government entities for strategic and political advantages. Furthermore, the group is continuously evolving its social engineering techniques to target high-value victims. Therefore, organizations are recommended to stay vigilant and implement adequate security measures proactively.

Cyware Publisher