The Adaptive Spy: Transparent Tribe’s New RAT Outsmarts Antivirus to Target India
The hacking group known as Transparent Tribe has launched a new wave of cyber-espionage operations targeting government bodies, research institutions, and strategically important organizations in India. The attackers’ primary weapon is yet another variant of a remote access trojan (RAT), designed to maintain a persistent foothold within compromised systems.
According to Cyfirma, the current campaign begins with a phishing email carrying an archive attachment that contains a Windows shortcut (.lnk) disguised as a PDF document. When the victim opens the shortcut, it launches an HTA script through mshta.exe, a signed Windows binary that application allow-listing rarely blocks. The script decrypts the payload and loads it directly into memory, so the decrypted code does not have to be written to disk, while opening a decoy PDF so that the victim sees the document they expected.
During execution, the script uses ActiveX objects to query the operating system, profiling the host and choosing its next steps based on what it finds. This environment-dependent branching makes the infection chain more reliable across differently configured victims.
Of particular interest is the persistence mechanism. The malware checks which antivirus product is installed and selects a persistence technique accordingly. If a Kaspersky product is detected, it creates a hidden directory, stores an encrypted file there, and launches it through a shortcut placed in the Startup folder. With Quick Heal, it writes a batch file that re-invokes the same HTA script. With Avast, AVG, or Avira, it copies the malicious file straight into the Startup folder. If no antivirus is found, it falls back to a combination of scripts and registry modifications. For defenders, the practical consequence is that no single artifact identifies the infection: a hunt has to cover the Startup folder, the Run keys, and script files in user-writable paths alike.
The core component is a DLL named iinneldc.dll, which implements the espionage functions: it can interact with the host, manipulate files, intercept data, capture screenshots, and execute commands through the command line.
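A hunting pass over autostart entries, written here as an added example rather than code from Cyfirma or the report: it scores each entry on the traits the paragraphs above describe (a script host such as mshta.exe or wscript.exe, an .hta/.bat/.vbs argument, a target in a user-writable path, a hidden directory) so that all four persistence variants surface in one sweep instead of four separate checks. The entries are constructed for illustration, the file and key names are not indicators from the campaign, and the `command` field is assumed to already hold the resolved target of any .lnk file.

```python
import re
from typing import Dict, List, Tuple

# Script hosts and other signed binaries the chain abuses (mshta.exe in the report;
# the rest are common equivalents for a Run-key or batch-file launcher).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                "powershell.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|bat|cmd|ps1)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Constructed autostart entries (assumed shape of an Autoruns/registry sweep; names
# and paths are illustrative, not indicators from the campaign). "command" is the
# resolved target plus arguments; "hidden_dir" marks a target inside a hidden folder.
SAMPLE_ENTRIES: List[Dict] = [
    {"location": "Startup folder", "name": "OneDrive Sync.lnk", "hidden_dir": True,
     "command": r"C:\Windows\System32\mshta.exe C:\Users\u\AppData\Roaming\.cache\update.hta"},
    {"location": "Startup folder", "name": "svc.bat", "hidden_dir": False,
     "command": r"C:\Users\u\AppData\Local\Temp\svc.bat"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "hidden_dir": False, "command": r"wscript.exe //B C:\ProgramData\sys\run.vbs"},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "SecurityHealth",
     "hidden_dir": False, "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"location": "Startup folder", "name": "Slack.lnk", "hidden_dir": False,
     "command": r"C:\Users\u\AppData\Local\slack\slack.exe"},
]


def image_basename(command: str) -> str:
    """Return the lower-cased file name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def score_entry(entry: Dict) -> Tuple[int, List[str]]:
    """Score one autostart entry; each reason mirrors a trait of the reported chain."""
    cmd = entry["command"]
    score, reasons = 0, []
    host = image_basename(cmd)
    if host in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"launched via {host}")
    m = SCRIPT_EXT.search(cmd)
    if m:
        score += 2
        reasons.append(f"runs a {m.group(0).lower()} script")
    if USER_WRITABLE.search(cmd):
        score += 1
        reasons.append("target in user-writable path")
    if entry.get("hidden_dir"):
        score += 1
        reasons.append("target in hidden directory")
    return score, reasons


def triage(entries: List[Dict], threshold: int = 3) -> List[Dict]:
    """Return the entries worth an analyst's attention, highest score first."""
    flagged = []
    for e in entries:
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged.append({"name": e["name"], "location": e["location"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f'{f["score"]}  {f["location"]} :: {f["name"]}  ({", ".join(f["reasons"])})')
```

The Slack entry is the negative control: a user-writable path alone scores 1 and stays below the threshold, which is why the rules weight the script host and script extension more heavily than the location. On a real host the `command` values would come from resolving each .lnk target and reading the Run keys; the scoring itself is unchanged.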
Beyond this campaign, the group has been linked to another recent operation that used a shortcut masquerading as an official government document. The file, named NCERT-Whatsapp-Advisory.pdf.lnk, downloads an installer from a website associated with the domain aeroclubofindia.co[.]in. Once run, the installer extracts malicious libraries and a delayed-execution component to the victim's device. Persistence is established by a VBScript that modifies registry entries so that the primary executable runs at every system startup.
Notably, the decoy PDF shown to the victim is a genuine advisory published in Pakistan in 2024 warning about malware distributed via WhatsApp. Reusing an authentic document lends the attachment credibility and makes the victim more likely to open it.
One of the deployed libraries communicates with a command-and-control server whose domain was registered in the spring of 2025. The server is currently inactive, but because persistence remains in place on infected hosts, the attackers need only bring their infrastructure back online to regain control of them.
The library talks to the server over HTTP GET requests that handle registration of the host, periodic beaconing, and retrieval of new commands. To evade signature-based detection, the character sequences within each request URL are reversed. The same library also checks for installed antivirus products, adding to the implant's reconnaissance and letting it tune its behavior to the host. Because the obfuscation is a plain string reversal, it is also cheap to undo: reversing the URL components of logged requests brings the readable strings back.
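To show how that reversal can be undone at the proxy, an added example (not Cyfirma's code or the implant's): it assumes the path and the query string are each reversed as a whole, which the report does not specify, restores them, and flags requests whose decoded form contains more check-in vocabulary than the raw form. The proxy log lines, the domain cdn-update.test, and the endpoint and parameter names are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Vocabulary of words common in RAT check-in URLs. An assumption for illustration:
# the report does not publish the real endpoint or parameter names.
BEACON_WORDS = {"register", "reg", "beacon", "ping", "cmd", "command", "task",
                "result", "id", "uid", "host", "user", "os", "av"}
TOKEN_RE = re.compile(r"[A-Za-z]{2,}")

# Constructed proxy log lines: timestamp, client IP, method, URL, status. The domain
# cdn-update.test and the paths are invented; nothing here is an indicator.
SAMPLE_PROXY_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 GET http://cdn-update.test/retsiger?10SW=tsoh&b1a7=di 200
2025-06-01T10:00:05Z 10.0.0.5 GET http://intranet.example/api/v1/status?user=42 200
2025-06-01T10:05:01Z 10.0.0.5 GET http://cdn-update.test/gnip?yksrepsaK=va&swodniW=so 200
2025-06-01T10:05:09Z 10.0.0.7 GET http://www.example.com/ 200
"""


def unreverse(url: str) -> str:
    """Undo the assumed obfuscation: the path (after the leading '/') and the query
    are each character-reversed. Reversal is its own inverse, so the same function
    also produces the obfuscated form from a plain URL."""
    p = urlsplit(url)
    path = "/" + p.path.lstrip("/")[::-1]
    return urlunsplit((p.scheme, p.netloc, path, p.query[::-1], p.fragment))


def vocab_score(url: str) -> int:
    """Count vocabulary words in the path and query of a URL."""
    p = urlsplit(url)
    return sum(1 for t in TOKEN_RE.findall(p.path + "?" + p.query)
               if t.lower() in BEACON_WORDS)


def is_reversed_beacon(url: str, min_hits: int = 2) -> bool:
    """Flag a URL when reversing it exposes readable check-in vocabulary that the
    raw form lacks; a plain URL scores at least as high raw as reversed."""
    decoded = vocab_score(unreverse(url))
    return decoded >= min_hits and decoded > vocab_score(url)


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, decoded URL) for each request that looks like a reversed beacon."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        url = fields[3]
        if is_reversed_beacon(url):
            hits.append((fields[1], unreverse(url)))
    return hits


if __name__ == "__main__":
    for client, decoded in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client}  {decoded}")
```

The comparison against the raw score is what keeps ordinary traffic quiet: a normal URL such as `/api/v1/status?user=42` reads as gibberish once reversed, so it never scores higher decoded than raw. If the implant reverses at a different granularity (per path segment, per parameter value), `unreverse` is the only function that needs changing.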
Taken together, these activities demonstrate that Transparent Tribe remains a resilient and methodical adversary, consistently focused on harvesting intelligence from Indian government and research targets.