The threat landscape for India\u2019s technology sector has taken an unexpected turn. <\/p>\n
A Pakistan-based hacking group called Transparent Tribe has shifted its focus from traditional government targets to the country\u2019s vibrant startup ecosystem, particularly companies working in cybersecurity and intelligence domains. <\/p>\n
The group, also tracked as APT36, has been active since 2013 and now uses dangerous malware called Crimson RAT to infiltrate Indian startups through carefully crafted fake emails<\/a> containing malicious files disguised as legitimate documents.<\/p>\n The attack campaign was discovered after researchers found suspicious files uploaded from India containing startup-themed material. <\/p>\n Unlike previous operations that targeted defense organizations and educational institutions, this campaign specifically focuses on individuals connected to startups offering security services to law enforcement agencies. <\/p>\n The hackers used personal information about a real startup founder to create convincing fake documents that appear legitimate to unsuspecting victims.<\/p>\n After analyzing the threat, Acronis researchers identified<\/a> that the group delivers its malware through ISO container files sent via email. <\/p>\n When someone opens what appears to be an Excel spreadsheet, they unknowingly activate a chain of hidden commands that install Crimson<\/a> RAT on their computer. <\/p>\n This remote access trojan allows hackers to monitor screens, record audio, steal files, and control infected systems without the victim\u2019s knowledge.<\/p>\n The infection process begins when victims receive an email containing a file called MeetBisht.iso. <\/p>\n Inside this container sits a shortcut file masquerading as an Excel document alongside a hidden folder containing three components: a decoy document to distract the victim, a batch script that handles execution, and the actual Crimson RAT payload disguised as an excel executable.<\/p>\n Once activated, the malicious shortcut launches a batch script<\/a> that simultaneously displays a fake Excel file while secretly copying the malware to the computer\u2019s system folders. <\/p>\n The script uses PowerShell commands to remove security warnings that would normally alert users about suspicious files. <\/p>\n It then creates a hard-linked executable with a random name in the user\u2019s application data folder and launches the malware from this trusted location.<\/p>\n The Crimson RAT payload employs sophisticated evasion tactics. The malware<\/a> file appears artificially inflated to 34 megabytes through embedded junk data, though the actual malicious code measures only 80 to 150 kilobytes. <\/p>\n This bloating technique helps bypass signature-based detection systems. The malware uses completely randomized function names throughout its code, making analysis extremely difficult. <\/p>\n It communicates with command-and-control servers using custom TCP protocols on non-standard ports including 18661, 20856, 26868, 29261, and 36628.<\/p>\n Organizations should implement email filtering to block ISO and container-based attachments from unknown sources. <\/p>\n Regular security awareness training helps employees recognize social engineering<\/a> tactics. Deploying endpoint detection solutions can identify suspicious PowerShell activity and unauthorized file modifications. <\/p>\n Network monitoring should flag unusual outbound connections to non-standard ports used by Crimson RAT. <\/p>\n Maintaining updated threat intelligence feeds ensures protection against known command-and-control servers associated with Transparent Tribe campaigns.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Transparent Tribe Hacker Group Attacking India\u2019s Startup Ecosystem<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2Tz0NIGXa4jBCAhbxBQFhwl5d72ykCD1v30-mIdpjlKtGCQ7GayT1yg-BiYsjx63n8yamQRxIzMFCjWZSDIO7fzBQBJr4EHBQLmbqjpEnyiCxLL118QT_Ts6bIE_10J83dJXbb02L-KGofioUiFVMV6iWKEbyQd_22rfu9YoMjOuFcGe6fmZOVacHkB8\/s16000\/Attack%2520chain%2520demonstration%2520of%2520the%2520payload%2520execution%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")
Attack Execution and Stealth Mechanisms<\/strong><\/h2>\n
![\"Contents](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDre1fp-2kEX2KgESN2qnB9JqlHu-o9_eEeA5cySyqo7CR0v3yGo8Q0uKnaH-G-w66wOlFfb6icrR0Q66w6fiMcrPicyy5DeP8Mbh7Ji0QN2UX-Xgl-l0zzanGy_1KlltbHPOxr4oANBCwPamQ2WpQuGHF_kswvKJN_4pb0VwvA3fHoHFuMTBJwsEoVDE\/s16000\/Contents%2520inside%2520the%2520malicious%2520container-based%2520payload%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")
![\"Hardcoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgcAjZ4axGSNt0-JLj9L8umJwJiP5Yj4Vk8VIx0uGckfo5KaeFHfGvEdHdm48BIf9Sz2Z4yYvtpKaeSA-5CCR6IgQkGquXPiOfs2Vacujvh9RPpHj2eT4TLScH5DnY7wPn1DRqy1KTN_EPKLIxO60BuS8MzdbjGQ5vcmC4KNHnwQ-ER8JtdSQnjvPH1T20\/s16000\/Hardcoded%2520C%26C%2520servers%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")
![\"Decoys'](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhzJSkVDg6emvvcxXWA5wEUie042otlD_C_9grTWGSxJTRUMdn0H58eoBg3sjuFwuDP5KHFChPSyglHivQCMo433N9NZ9cJme8Sp1ltTPbcidGzlj1HKK3Qd7unPj-oJNxyG1gp6u1HnAzghIGDmwzY9OkE2isd_mhKp1-uI_Bd7B3fOykWF11wo7k2cLM\/s16000\/Decoys%27%2520images%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")