
The attacks deepen cyber‑espionage pressure on India’s critical sectors and demonstrate sophisticated evasion tactics that could inspire similar campaigns worldwide.
The latest Transparent Tribe operation underscores a shift toward highly modular malware delivery. By embedding malicious HTA scripts within seemingly innocuous PDF shortcuts, the group bypasses traditional email filters and exploits the trusted mshta.exe binary. This approach not only streamlines initial infection but also enables in‑memory execution, reducing forensic footprints and complicating detection for security teams monitoring file‑based indicators.
A distinctive feature of the campaign is its adaptive persistence logic. The malware probes the host for specific antivirus products (Kaspersky, Quick Heal, Avast, AVG, or Avira) and tailors its startup mechanism accordingly, ranging from LNK shortcuts in the Startup folder to batch scripts and direct registry modifications. Such environment-aware behavior shows that the operators have studied the defensive tooling they expect to meet, forcing defenders to broaden their monitoring scope beyond static signatures to include process-level anomalies and AV-specific artifacts.
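As an added example (not code from the original article or from the researchers who reported the campaign), the following Python evaluates constructed Sysmon-style telemetry against detections for the two behaviours described above: mshta.exe launched from a shortcut opened in Explorer, and persistence written as a Startup-folder LNK or batch file or as a Run-key entry. The event field names, rule names, and sample paths are assumptions made for illustration.

```python
"""Detection logic for the delivery and persistence behaviours described above:
mshta.exe started from a shortcut opened in Explorer, and persistence dropped
as a Startup-folder LNK/batch file or a Run-key entry. Field names follow
Sysmon conventions; every event below is a constructed sample, not a real IoC."""
import re

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|bat|cmd)$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PAYLOAD_RE = re.compile(r"mshta|\.hta\b|\.bat\b|\.cmd\b", re.I)  # script-based persistence
HTA_RE = re.compile(r"\.hta\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the rules an event triggers (empty list = benign)."""
    hits = []
    if ev["type"] == "process" and basename(ev["image"]) == "mshta.exe":
        # The HTA handler launched by the shell (a user opened the PDF-lookalike
        # shortcut) or handed an .hta file: the delivery path described above.
        if basename(ev["parent"]) == "explorer.exe" or HTA_RE.search(ev["cmdline"]):
            hits.append("mshta_from_shortcut")
    elif ev["type"] == "file" and STARTUP_RE.search(ev["path"]):
        hits.append("startup_folder_persistence")
    elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]) \
            and PAYLOAD_RE.search(ev["value"]):
        hits.append("run_key_persistence")
    return hits

def scan(events):
    """Group the triggering events by rule name."""
    report = {}
    for ev in events:
        for rule in classify(ev):
            report.setdefault(rule, []).append(ev)
    return report

# Constructed telemetry: one hit and one benign event per rule (assumed paths).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\Downloads\notice.hta"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file", "path": r"C:\Users\victim\Documents\notes.txt"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Roaming\svc.bat"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Vendor\Settings", "value": "1"},
]
```

Running `scan(SAMPLE_EVENTS)` returns one event under each of the three rule names and nothing for the benign events; the same rules can be fed live Sysmon event IDs 1, 11 and 13 once mapped to these field names.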
The broader context reveals an ecosystem of overlapping toolsets among South Asian APTs. Transparent Tribe’s iinneldc.dll RAT shares functional traits with Patchwork’s StreamSpy and the DoNot Team’s ShadowAgent, suggesting collaborative development or shared code repositories. This convergence amplifies the risk landscape for Indian institutions, as innovations in one group quickly propagate across others, raising the bar for detection, response, and attribution efforts across the region.