Skip to main content
Mallory
Back to threat actors
Pakistan🇵🇰 PK39 malware familiesExploits CVEs in the wild

Transparent Tribe

Also known asAPT36COPPER FIELDSTONEEarth KarkaddanMYTHIC LEOPARDOperation C-MajorProjectMTransparent Tribe

Transparent Tribe is a Pakistan-associated threat actor also tracked as APT36, Copper Fieldstone, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM. The reporting also describes SideCopy as a Pakistan-linked cluster operating under the broader Transparent Tribe/APT36 umbrella. Transparent Tribe has a documented history of targeting South Asian government institutions and has been reported targeting entities in Afghanistan, India, Pakistan, and Saudi Arabia. Recent reporting tied umbrella-related activity to espionage campaigns against Afghanistan’s Ministry of Finance and provincial finance bodies using Pashto-language spearphishing lures and Xeno RAT, while other reporting noted targeting of Indian entities and sectors including defense, government, railways, and oil. Observed tradecraft in the provided content includes spearphishing emails with malicious attachments, including ZIP archives containing LNK files disguised as PDFs, weaponized documents, and other malicious email attachments sent to targets such as students in India. Transparent Tribe activity in the content includes abuse of mshta.exe to retrieve HTA payloads, in-memory decoding and loader chains, registry-based persistence, scheduled-task persistence, masquerading as legitimate software such as Microsoft Edge, use of encoded executables, and mimicry of legitimate Windows directories by reusing names and icons. Malware and tooling associated in the content include CrimsonRAT, MeshAgent, Xeno RAT, CurlBack RAT, Spark RAT, and the Linux-targeting DeskRAT implant. The content also associates Transparent Tribe with phishing using weaponized Linux .desktop files and with detections for malicious file execution and UDL-file-based spearphishing attachment activity. The content explicitly describes Transparent Tribe/APT36 as Pakistan-based or Pakistan-associated, and separately describes SideCopy as Pakistan-linked and believed to be an element of the Pakistani government, but only as a subgroup or cluster under the broader Transparent Tribe umbrella.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • PK
MITRE ATT&CK

Tradecraft

46 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics61 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589
Gather Victim Identity Information
T1598
Phishing for Information
TA0042
Resource Development
3 techniques
T1583
Acquire Infrastructure
T1583.001×2
Domains
T1584
Compromise Infrastructure
T1584.001
Domains
T1608
Stage Capabilities
TA0001
Initial Access
2 techniques
T1189
Drive-by Compromise
T1566×5
Phishing
T1566.001×13
Spearphishing Attachment
T1566.002×3
Spearphishing Link
TA0002
Execution
5 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059×3
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.004×2
Unix Shell
T1059.005×2
Visual Basic
T1059.006
Python
T1059.007×2
JavaScript
T1129
Shared Modules
T1203×2
Exploitation for Client Execution
T1204
User Execution
T1204.002×10
Malicious File
TA0003
Persistence
2 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×4
Registry Run Keys / Startup Folder
T1547.013
XDG Autostart Entries
TA0004
Privilege Escalation
3 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1068
Exploitation for Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1547.001×4
Registry Run Keys / Startup Folder
T1547.013
XDG Autostart Entries
TA0005
Stealth
7 techniques
T1027×6
Obfuscated Files or Information
T1036×4
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1218
System Binary Proxy Execution
T1218.005×3
Mshta
T1480
Execution Guardrails
T1480.002
Mutual Exclusion
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1564
Hide Artifacts
T1564.001×2
Hidden Files and Directories
T1564.006
Run Virtual Instance
T1620×2
Reflective Code Loading
TA0007
Discovery
3 techniques
T1082
System Information Discovery
T1083
File and Directory Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0009
Collection
4 techniques
T1074
Data Staged
T1113
Screen Capture
T1125
Video Capture
T1213
Data from Information Repositories
TA0011
Command and Control
4 techniques
T1071×2
Application Layer Protocol
T1071.001×3
Web Protocols
T1105×3
Ingress Tool Transfer
T1219
Remote Access Tools
T1573
Encrypted Channel
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

39 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Crimson RAT"...Transparent Tribe (aka APT36)... deliver Crimson RAT..."6Mar 18, 2026
DeskRATOnce executed, the malicious .desktop launcher initiates a heavily obfuscated shell-based infection chain involving staged payload retrieval, inline decoding routines, and deployment of a Golang-based ELF implant tracked in this report as DeskRAT.5Jun 2, 2026
Ares RATThis operation used a Go-based downloader to install ARES RAT, a Python-based remote access tool historically associated with APT36 activity. Once deployed, ARES RAT performed automated system profiling, recursive file enumeration, and structured data exfiltration.3Mar 18, 2026
Crimson"The actors have access to a sizeable toolset of Trojans that they use in their attack campaigns, including custom developed tools called Crimson and Peppy..."3Mar 18, 2026
PoseidonTied together with six months of passive DNS, this is the fourth Linux-oriented RAT family APT36 has rotated through since mid-2024 (Poseidon → AresRAT → DeskRAT, alongside the parallel Windows CrimsonRAT track).3Apr 25, 2026

34 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.

CVE-2010-3333RTF Stack Buffer Overflow Vulnerability in Microsoft OfficeIn the wildEvidence4

...has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.

CVE-2012-0158MSCOMCTL.OCX ListView/TreeView ActiveX Remote Code ExecutionIn the wildEvidence4

...has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158...

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

IOCS

Observables

117 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

117 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
dark readingNews
Jun 4, 2026
Pakistan Spies on Afghan Finance Ministry With Xeno RAT

Pakistan-linked threat actor referenced as the broader group associated with SideCopy and known for targeting neighboring countries.

Read more
security online infoNews
Jun 3, 2026
SideCopy XenoRAT Malware Attack Targets Afghanistan

Broader threat umbrella associated in the content with the Pakistan-linked SideCopy cluster behind a cyber espionage operation targeting Afghan government entities.

Read more
scworldNews
Jun 2, 2026
SideCopy group targets Afghanistan’s Ministry of Finance with Xeno RAT | brief | SC Media

Broader threat cluster associated in the content with SideCopy and prior targeting of Indian entities using similar malware.

Read more
the hacker newsNews
Jun 2, 2026
Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT

Pakistan-linked threat actor umbrella associated with SideCopy and assessed behind a phishing campaign targeting Indian military and defense infrastructure using WhatsApp-based social engineering and weaponized Linux .desktop files.

Read more
+184 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping46

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal39

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs3

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables117

Domains, IPs, and hashes tied to this actor, refreshed continuously.