Cybersecurity researchers at CYFIRMA have unmasked a sophisticated new campaign by the Pakistan-aligned threat actor Transparent Tribe (also known as APT36). This latest operation targets Indian government-associated entities and defense organizations, utilizing a complex, multi-stage infection chain designed for long-term espionage and covert data exfiltration.
The attack begins with a classic social engineering lure: a malicious ZIP archive disguised as important examination-related documents. To lower the victim’s guard, the archive contains a shortcut file with a deceptive double extension, “Approved Documents 2026.pdf.lnk”.
Because Windows Explorer never displays the .lnk extension, even when extension hiding is turned off, the file appears as “Approved Documents 2026.pdf”; opening it runs the shortcut's target rather than a document viewer. As the CYFIRMA report notes, “This technique disguises malicious content as legitimate documents to trick users into executing it”.
Once a user interacts with the files, the campaign deploys a redundant, “multi-vector” execution strategy to ensure the infection sticks.
- The Shortcut (LNK): Launches a hidden batch script (myscsd.bat) that stages the malicious components in a folder named simply ~.
- The PowerPoint Add-in (PPAM): The archive also includes “Brief.ppam,” which contains embedded VBA macros that execute automatically via the Auto_Open() function.
The macro is particularly advanced, performing what researchers call “macro-based payload reconstruction”. It detects the victim’s operating system to deploy the most compatible variant, then extracts and reassembles a malicious executable from embedded OLE objects.
Transparent Tribe’s focus for this campaign is clearly on staying hidden. To distract the user, the malware displays a password-protected decoy PDF that appears legitimate but contains no meaningful content. “The simultaneous presentation of decoy content alongside background payload execution highlights the actor’s emphasis on user deception and concealment of malicious activity,” the report explains.
To maintain a long-term presence, the malware:
- Establishes Persistence: Modifies the Windows Startup Registry to run whenever the user logs on.
- Evades Detection: Uses PowerShell to strip the “Mark-of-the-Web” zone identifier from its dropped files, so SmartScreen and Office Protected View raise no warning for them, and pads its code with junk instructions to slow down analysis.
- Self-Deletes: A secondary tool named fimsrwvar.exe is programmed to delete all traces of the malicious executables after the final payload is running.
The end result of this elaborate chain is the silent execution of hsuzoiaisaacrhy.exe, a powerful Remote Access Trojan (RAT). This RAT connects to a hardcoded command-and-control (C2) IP address—93.127.130.89—with a fallback domain to ensure operational continuity.
Once active, the RAT gives the attackers full “situational awareness” and control: it can capture screenshots, monitor the screen live, browse the file system, and exfiltrate sensitive data in small chunks to avoid detection.
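As an added example (not code from CYFIRMA or from the report), the Python below runs a small rule set over constructed, Sysmon-style sample events and flags each stage the article describes: the double-extension .lnk lure, the batch script staged in a folder named ~, Mark-of-the-Web removal via PowerShell, a Run-key entry pointing at a user-writable path, and a connection to the reported C2 address. The event shape and field names, the paths, the Run value name, the port, and the use of Unblock-File as the MotW-stripping cmdlet are assumptions; only the file names and 93.127.130.89 come from the report.

```python
import re

# Constructed, Sysmon-style sample events (made up for this example; not
# telemetry from the report). Field names and paths are assumptions.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\Downloads\Approved Documents 2026.pdf.lnk"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\~\myscsd.bat"'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     # Unblock-File is assumed as the MotW-stripping cmdlet; the report
     # only says PowerShell removes the flag.
     "command_line": r"powershell -w hidden -c Unblock-File -Path "
                     r"'C:\Users\alice\AppData\Local\Temp\~\hsuzoiaisaacrhy.exe'"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WinUpdate",  # value name is an assumption
     "data": r"C:\Users\alice\AppData\Local\Temp\~\hsuzoiaisaacrhy.exe"},
    {"type": "network_connect",
     "image": r"C:\Users\alice\AppData\Local\Temp\~\hsuzoiaisaacrhy.exe",
     "dest_ip": "93.127.130.89", "dest_port": 443},
    # Benign noise that must not trigger anything.
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.pdf"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Lure: a document extension immediately followed by .lnk. Explorer never
# shows .lnk, so the user sees only "Approved Documents 2026.pdf".
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)
# Staging directory literally named "~", as described in the report.
TILDE_DIR = re.compile(r"\\~\\")
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|ps1)\b", re.I)
# Common ways PowerShell strips the Mark-of-the-Web (Zone.Identifier stream).
MOTW_STRIP = re.compile(r"unblock-file|zone\.identifier", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Public)\\|\\~\\", re.I)
KNOWN_C2 = {"93.127.130.89"}  # hardcoded C2 address named in the report


def check_event(ev):
    """Return the list of rule names that fire on a single event."""
    hits = []
    kind = ev["type"]
    if kind == "file_create":
        if DOUBLE_EXT_LNK.search(ev["path"]):
            hits.append("lure_double_extension_lnk")
    elif kind == "process_create":
        cmd = ev.get("command_line", "")
        if TILDE_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append("script_run_from_tilde_dir")
        if "powershell" in ev["image"].lower() and MOTW_STRIP.search(cmd):
            hits.append("motw_removal_via_powershell")
    elif kind == "registry_set":
        if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
            hits.append("run_key_to_user_writable_path")
    elif kind == "network_connect":
        if ev["dest_ip"] in KNOWN_C2:
            hits.append("known_c2_address")
        if TILDE_DIR.search(ev["image"]):
            hits.append("network_from_tilde_dir_binary")
    return hits


def scan(events):
    """Run every rule over every event; return (event index, rule) pairs."""
    findings = []
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.append((i, rule))
    return findings


def chain_coverage(findings):
    """Distinct stages of the described chain seen in the findings. Several
    distinct stages on one host is the signal worth escalating; any single
    rule here can also fire on legitimate admin activity."""
    return sorted({rule for _, rule in findings})


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("stages seen:", chain_coverage(scan(SAMPLE_EVENTS)))
```

The rules deliberately key on behaviour (a document extension before .lnk, a script launched from a ~ directory, a Run entry into a temp path) rather than on the sample names alone, so they still fire if the operators rotate file names; the C2 address is the one indicator that should be expected to change.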
CYFIRMA concludes that this campaign “illustrates a carefully coordinated and multi-stage intrusion designed to achieve covert system compromise while reducing the probability of detection”. For organizations in the region, the report is a stark reminder of the importance of layered defenses and continuous monitoring to detect such high-level persistent threats.