CapraRAT
CapraRAT is an Android remote access trojan/backdoor used in espionage campaigns attributed to Transparent Tribe, also tracked as APT36, COPPER FIELDSTONE, Operation C-Major, and related aliases. The reporting summarized on this page links it to suspected Pakistan state-aligned operations primarily targeting Indian and Pakistani users, especially individuals of military, political, diplomatic, government, education, activist, and other strategic interest. The malware has also been described as based on the open-source AndroRAT framework.
CapraRAT is typically delivered through trojanized Android APKs distributed outside Google Play via attacker-controlled websites and social engineering, including spear-phishing and romance or honey-trap lures. Documented disguises include secure messaging and calling apps such as MeetsApp and MeetUp; YouTube-themed apps; a lure using the persona "Piya Sharma"; and themed apps targeting mobile gamers, weapons enthusiasts, TikTok users, and viewers of adult content, including Crazy Game, Weapons, TikTok, and Sexy Videos. Some samples preserved benign-looking functionality by embedding WebView content such as YouTube or CrazyGames while covertly enabling spyware behavior.
Capabilities directly described in the content include collection or exfiltration of SMS messages, MMS, contacts, call logs, recorded calls, ambient audio, screenshots, photos, files, file listings, notification text, running apps, and device location. CapraRAT can access the microphone and camera, including front and rear cameras, record audio and video, take screenshots, browse, download, delete, and modify files, list contacts, collect call logs, receive SMS, send SMS, block or intercept incoming SMS, initiate phone calls, launch or kill apps/processes, and in some reporting stream audio. It has also been described as able to override GPS and network settings and request installation of updates. Persistence and execution details mentioned in the content include use of the open-source Autostarter project and recurring alarms for periodic execution.
The content associates CapraRAT with multiple campaigns and infrastructure clusters. ESET-linked reporting tied MeetsApp and MeetUp samples to C2 66.235.175[.]91:4098 and domains including meetsapp[.]org, meetup-chat[.]com, phone-drive[.]online, and share-lienk[.]info. SentinelLABS reporting linked CapraRAT samples to domains including newsbizshow[.]net, ptzbubble[.]shop, and shareboxs[.]net; IPs including 95[.]111.247.73, 209[.]127.19.241, 173[.]249[.]50[.]243, and 173[.]212[.]206[.]227; and ports including 14862, 18892, 10284, and 18582. Additional sample and infrastructure details in the content include SHA-1 values 4C6741660AFED4A0E68EF622AA1598D903C10A01 and 542A2BC469E617252F60925AE1F3D3AB0C1F53B6 for Android/Spy.CapraRAT.A; yt.apk (8beab9e454b5283e892aeca6bca9afb608fa8718); YouTube_052647.apk (83412f9d757937f2719ebd7e5f509956ab43c3ce); Piya Sharma.apk (14110facecceb016c694f04814b5e504dc6cde61); Crazy Game signed.apk (c307f523a1d1aa928fe3db2c6c3ede6902f1084b); Sexy Videos signed.apk (dba9f88ba548cebfa389972cddf2bec55b71168b); TikTok signed.apk (28bc3b3d8878be4267ee08f20b7816a6ba23623e); and Weapons signed.apk (fff24e9f11651e0bdbee7c5cd1034269f40fc424).
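The indicators above are defanged inconsistently because they come from different reports, which trips up naive string matching. The following is an added example, not code from any of the cited vendors: it refangs the page's network indicators and matches them against constructed key=value telemetry lines, treating a port-qualified IP (66.235.175[.]91:4098) as an address match with a flag for whether the port agreed, and matching domains on exact name or subdomain only.

```python
import re

# Indicators copied as written on this page; defanging differs between the
# reports it summarizes (e.g. "95[.]111.247.73" vs "173[.]249[.]50[.]243").
PAGE_INDICATORS = [
    "66.235.175[.]91:4098", "meetsapp[.]org", "meetup-chat[.]com",
    "phone-drive[.]online", "share-lienk[.]info", "newsbizshow[.]net",
    "ptzbubble[.]shop", "shareboxs[.]net", "95[.]111.247.73",
    "209[.]127.19.241", "173[.]249[.]50[.]243", "173[.]212[.]206[.]227",
]

# Constructed sample telemetry in a key=value format (not real logs).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.12 dst=66.235.175.91 dport=4098 proto=tcp",
    "ts=2024-05-01T10:00:02Z src=10.0.0.12 dst=66.235.175.91 dport=443 proto=tcp",
    "ts=2024-05-01T10:00:03Z src=10.0.0.7 query=api.meetsapp.org. rtype=A",
    "ts=2024-05-01T10:00:04Z src=10.0.0.7 query=notmeetsapp.org rtype=A",
    "ts=2024-05-01T10:00:05Z src=10.0.0.9 dst=173.249.50.243 dport=18892 proto=tcp",
    "ts=2024-05-01T10:00:06Z src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp",
]

def refang(ioc):
    """Undo the defanging styles seen in CTI reports: [.] (.) {.}, ' dot ', hxxp."""
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", ioc.strip())
    s = re.sub(r"\s+dot\s+", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()

def parse_indicator(ioc):
    """Return (kind, host, port): kind is 'ip' or 'domain'; port is None if absent."""
    host, _, port = refang(ioc).partition(":")
    kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
    return kind, host, int(port) if port else None

def match_logs(indicators, log_lines):
    """Return (ts, indicator, exact) hits. exact is False only when an ip:port
    indicator matched the address but the log line shows a different port."""
    parsed = [(parse_indicator(i), refang(i)) for i in indicators]
    hits = []
    for line in log_lines:
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        dst, dport = f.get("dst", "").lower(), f.get("dport")
        query = f.get("query", "").lower().rstrip(".")  # tolerate trailing dot
        for (kind, host, port), label in parsed:
            if kind == "ip" and dst == host:
                hits.append((f.get("ts"), label, port is None or str(port) == dport))
            elif kind == "domain" and (query == host or query.endswith("." + host)):
                hits.append((f.get("ts"), label, True))  # subdomain match, not substring
    return hits
```

Running `match_logs(PAGE_INDICATORS, SAMPLE_LOGS)` yields four hits; the `notmeetsapp.org` lookup is correctly ignored, and the port-443 flow to the MeetsApp C2 address surfaces with `exact=False` for analyst review.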
The malware has been observed in ongoing Android-focused surveillance operations since at least 2021, with public reporting noting continued modification and compatibility updates, including successful execution on newer Android versions such as Android 13 and 14.
Groups observed using it
3 distinct threat actors attributed by public researchers.
It distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp; the backdoor can exfiltrate any sensitive information from its victims’ devices.
SentinelLABS has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe. These APKs continue the group’s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans.
In the leaked data we also found a device suspected to belong to the attacker; on it was a file named "y.apk", which is a mobile RAT sample of the Transparent Tribe CapraRAT family. … Under one of the delivery addresses for samples of the same family, we found an APK file named "ynjhjhgfdt.apk", which also belongs to the Transparent Tribe CapraRAT malware family.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The group relies heavily on social engineering attacks to deliver a variety of Windows and Android spyware, including spear-phishing and watering hole attacks.
Execution
3 techniques
MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method... this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable... the alarm and persistence launcher run once per minute.
Persistence
2 techniques
MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method... this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable... the alarm and persistence launcher run once per minute.
Privilege Escalation
1 technique
MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method... this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable... the alarm and persistence launcher run once per minute.
Stealth
4 techniques
This campaign has distributed CapraRAT backdoors through at least two similar websites, while representing them as untainted versions of those secure messaging apps.
MainActivity calls the TCHPClient class... including... killFile (file deletion)
Defense Impairment
1 technique
Discovery
2 techniques
Collection
3 techniques
When the app first launches, the user is prompted to grant several risky permissions, including... Record audio and screen, take screenshots... MainActivity calls the TCHPClient class, which contains the malicious capabilities leveraged by CapraRAT. This class drives several spyware classes and methods, including: audioStreamer (aStreamer)
Command and Control
3 techniques
The sendData method is responsible for constructing the data collected by other methods and classes and sending it to the C2. The mRun method constructs the socket and sends the data to the C2 server using the variables specified in the Settings class.
Exfiltration
1 technique
IOCs tracked for this family
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Android spyware/RAT capable of accessing SMS, call logs, location, microphone, and camera; delivered via malicious apps masquerading as legitimate applications.
Remote access trojan used by Transparent Tribe for persistence, surveillance, exfiltration, and remote command execution (capabilities described at the group level in the content).
A remote access trojan (RAT) used by Transparent Tribe (APT36) for persistent control, espionage, and data exfiltration on compromised hosts.
An Android remote access trojan family associated in the report with Transparent Tribe. It was found on a suspected attacker device and at a related delivery address, supporting attribution of the campaign.