Skip to main content
Mallory
Back to threat actors
5 malware families

TransparentTribe

Also known astransparenttribe

TransparentTribe is a Pakistan-linked APT group, also referred to in the provided content as APT36 and Mythic Leopard. The group is described as one of the most active APT groups observed in South Asia, including in December 2025. Reported targeting includes Indian military organizations, Indian government departments, and Indian financial institutions, as well as government and military agencies in Pakistan and Bangladesh. The content specifically states that TransparentTribe targeted Indian military organizations with DeskRAT, a Go-based remote access trojan capable of running in BOSS Linux environments, and separately describes the group as deploying an AI-assisted variant of DeskRAT against India’s BOSS Linux systems. Additional tooling mentioned includes CrimsonRAT and a module named USBWorm. The content also notes use of spear-phishing as the primary tactic in South Asia, including decoy emails targeting the Indian Ministry of Defense, and references decoys resembling those used by TransparentTribe. Sidecopy is mentioned alongside TransparentTribe in one context, but the content does not establish it as a subgroup.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • military
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AhMyth“a modified version of the AhMyth Android RAT which is open source malware available on GitHub.”1Mar 18, 2026
CrimsonRAT“improving its custom .NET tool named CrimsonRAT.”1Mar 18, 2026
DeskRATPakistan-Linked TransparentTribe APT Deploys AI-Assisted DeskRAT Malware Against India’s BOSS Linux Systems1Mar 18, 2026
Peppy RAT“Office documents armed with malicious VBA and open-source malware like Peppy RAT and CrimsonRAT.”1Mar 18, 2026
USBWorm“TransparentTribe started using a new module named USBWorm at the beginning of 2019…”1Mar 18, 2026
IOCS

Observables

9 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

9 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
nsfocus globalNews
Feb 2, 2026
NSFOCUS Monthly APT Insights - December 2025 - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

Active in South Asia during Dec 2025, primarily conducting spear-phishing email campaigns targeting government and military entities (notably India; also Pakistan, Bangladesh, and Romania mentioned).

Read more
risky biz rssNews
Oct 27, 2025
Risky Bulletin: Russian bill would require researchers to report bugs to the FSB

TransparentTribe is a Pakistani APT group known for targeting Indian military organizations using custom malware such as DeskRAT.

Read more
security online infoNews
Oct 24, 2025
Pakistan-Linked TransparentTribe APT Deploys AI-Assisted DeskRAT Malware Against India’s BOSS Linux Systems

Described as a Pakistan-linked APT deploying the DeskRAT malware in an AI-assisted manner to target India’s BOSS Linux systems.

Read more
securelistNews
Apr 27, 2022
APT trends report Q1 2022

Mentioned as a comparative reference for decoy/document themes overlapping with Sidecopy-related campaigns; no specific new operation detailed here.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables9

Domains, IPs, and hashes tied to this actor, refreshed continuously.

TransparentTribe | Mallory