Transparent Tribe AI-assisted implant campaign targeting India
Campaign
Summary
Transparent Tribe (APT36) is using AI-powered coding tools to mass-produce disposable implants in an active campaign targeting the Indian government, its embassies, and other government and private entities across Afghanistan and beyond, increasing the scale and persistence of the operation. The group is pairing that with phishing and PDF lures that deliver LNK files in ZIP/ISO containers and launch PowerShell in memory. It also relies on trusted services such as Slack, Discord, Supabase, and Google Sheets to hide command-and-control traffic. The result is an industrialized operation that floods defenders with many low-cost binaries and makes detection harder.
Timeline
- 06.03.2026 17:11 (2 articles)
  Initial Disclosure: Transparent Tribe (APT36) is using AI-powered coding tools to mass-produce disposable malware implants against the Indian government, its embassies in multiple foreign countries, the Afghan government, and some private businesses. The group uses LinkedIn to identify high-value targets and relies on phishing-delivered LNK files in ZIP or ISO archives, PDF lures, in-memory PowerShell execution, and post-compromise tooling such as Cobalt Strike and Havoc. The reported malware set includes Warcode, NimShellcodeLoader, CreepDropper, SupaServ, LuminousStealer, CrystalShell, ZigShell, CrystalFile, LuminousCookies, BackupSpy, ZigLoader, and Gate Sentinel Beacon. Trusted services such as Slack, Discord, Supabase, Google Sheets, Firebase, and Google Drive are used to blend command-and-control and exfiltration traffic into legitimate network activity.
  Sources:
  - Transparent Tribe Uses AI to Mass-Produce Malware Implants in Campaign Targeting India — thehackernews.com — 06.03.2026 17:11
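The delivery chain and C2 channels described in the summary and in the initial-disclosure entry above (LNK from a ZIP/ISO lure, PowerShell running in memory, traffic to Slack, Discord, Supabase or Google services) can be expressed as a correlation check over endpoint telemetry. The script below is an added example written for this page; it is not code from the reporting vendor or from any product. It applies heuristics to constructed process-creation and network-connection events whose field names loosely follow Sysmon Event ID 1 and Event ID 3; every PID, path, hostname and the encoded-command placeholder in the sample events is made up, and the drive-letter and temp-folder patterns are assumptions about how Explorer, 7-Zip and ISO mounts expose a working directory.

```python
"""Heuristic correlation of lure-launched PowerShell with SaaS-hosted C2.
All events below are constructed samples, not real logs."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:          # loosely Sysmon Event ID 1
    pid: int
    parent_image: str
    image: str
    cmdline: str
    current_dir: str


@dataclass
class NetworkEvent:          # loosely Sysmon Event ID 3
    pid: int
    image: str
    dest_host: str
    dest_port: int


# PowerShell switches typical of hidden, in-memory execution.
IN_MEMORY_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-e(?:xecutionpolicy|p)\s+bypass"
    r"|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{24,}|\biex\b|invoke-expression|downloadstring",
    re.IGNORECASE,
)
# Working directories suggesting a file was run straight out of an archive or
# mounted ISO (assumed patterns): Explorer's Temp1_<name>.zip folder, 7-Zip's
# 7z<id> temp folder, or the bare root of a non-system drive letter.
ARCHIVE_DIR = re.compile(r"\\Temp1_[^\\]+\.zip\\|\\7z[A-Za-z0-9]+\\|^[D-Z]:\\$", re.IGNORECASE)
# Legitimate services the write-up names as C2 / exfiltration channels.
TRUSTED_C2_SERVICES = ("slack.com", "discord.com", "discordapp.com", "supabase.co",
                       "sheets.googleapis.com", "docs.google.com", "firebaseio.com",
                       "drive.google.com")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process(ev: ProcessEvent) -> List[str]:
    """Findings for one process-create event (empty list if nothing matched)."""
    findings: List[str] = []
    if _basename(ev.image) not in POWERSHELL:
        return findings
    if _basename(ev.parent_image) == "explorer.exe" and ARCHIVE_DIR.search(ev.current_dir):
        findings.append("lnk-from-archive: Explorer launched PowerShell from an archive/ISO directory")
    if IN_MEMORY_PS.search(ev.cmdline):
        findings.append("in-memory-ps: hidden/encoded/download-and-execute switches on the command line")
    return findings


def score_network(ev: NetworkEvent) -> List[str]:
    """Flag PowerShell talking to a SaaS endpoint from the trusted-service list."""
    host = ev.dest_host.lower()
    if _basename(ev.image) in POWERSHELL and any(
            host == s or host.endswith("." + s) for s in TRUSTED_C2_SERVICES):
        return [f"trusted-service-c2: PowerShell connecting to {host}:{ev.dest_port}"]
    return []


def correlate(procs: List[ProcessEvent], nets: List[NetworkEvent]) -> Dict[int, List[str]]:
    """Group findings by PID; a PID showing both a lure-style launch and a
    SaaS connection is the strongest signal and gets an extra HIGH tag."""
    by_pid: Dict[int, List[str]] = {}
    for p in procs:
        if (f := score_process(p)):
            by_pid.setdefault(p.pid, []).extend(f)
    for n in nets:
        if (f := score_network(n)):
            by_pid.setdefault(n.pid, []).extend(f)
    for findings in by_pid.values():
        tags = {x.split(":", 1)[0] for x in findings}
        if {"lnk-from-archive", "trusted-service-c2"} <= tags:
            findings.append("HIGH: lure-launched PowerShell with SaaS-hosted C2 in one process")
    return by_pid


PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events; the -enc blob is an inert placeholder, not a real payload.
SAMPLE_PROCS = [
    ProcessEvent(4120, "C:\\Windows\\explorer.exe", PS_PATH,
                 "powershell.exe -w hidden -nop -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
                 "C:\\Users\\analyst\\AppData\\Local\\Temp\\Temp1_Invitation.zip\\"),
    ProcessEvent(4188, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
                 "notepad.exe notes.txt", "C:\\Users\\analyst\\Documents"),
    ProcessEvent(4201, "C:\\Windows\\System32\\cmd.exe", PS_PATH,
                 "powershell.exe Get-ChildItem", "C:\\Users\\analyst"),
]
SAMPLE_NETS = [
    NetworkEvent(4120, PS_PATH, "hooks.slack.com", 443),
    NetworkEvent(4201, PS_PATH, "www.microsoft.com", 443),
]

if __name__ == "__main__":
    for pid, findings in correlate(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(f"pid {pid}:")
        for line in findings:
            print("  -", line)
```

Only PID 4120 is reported: it combines the archive-directory launch, the in-memory switches and the Slack connection, so it receives the HIGH tag, while the admin's interactive PowerShell (PID 4201) and its Microsoft connection produce nothing. The drive-letter root heuristic will also fire on legitimate files opened from a USB stick, so in production the archive-directory rule is best kept as a lower-confidence signal that only escalates when it correlates with the network finding.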