G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
Analyst context for executives and security teams
Transparent Tribe is an ATT&CK group entry for a suspected Pakistan-based threat group active since at least 2013, with reported targeting of diplomatic, defense, and research organizations in India and Afghanistan, plus a related campaign against students in India. The decision value is not a single indicator list; it is a reminder that organizations with regional, government, defense, research, or academic exposure should validate resilience against phishing-led access, malicious links/files, drive-by activity, and Windows remote access trojans associated through ATT&CK relationships.
Executive priority
Prioritize this as a targeted-threat readiness issue where the organization has relevant geographic, sector, partner, academic, or research exposure. Leaders should ask whether email security, endpoint monitoring, DNS/web telemetry, vulnerability management for client applications, and incident response playbooks can produce evidence quickly when a user clicks a link, opens a file, or a RAT-like implant appears. This object also supports compliance and audit conversations around phishing controls, endpoint visibility, and documented response capability, but ATT&CK does not provide a native detection section for this group.
Technical view
ATT&CK relationships associate Transparent Tribe with Windows RATs/backdoors including Crimson, DarkComet, njRAT, Peppy, and ObliqueRAT, and with techniques covering spearphishing attachments and links, malicious files/links, drive-by compromise, exploitation for client execution, obfuscated or encoded files, hidden files/directories, masquerading via legitimate-looking names/locations, dynamic resolution for command and control, and domain acquisition or hijacking for infrastructure. SOC and IR teams should validate end-to-end visibility across the access chain: email delivery, user click/open events, browser/client exploitation signals, file creation and execution, process and script activity including Visual Basic, suspicious persistence or hidden artifacts, and DNS/network patterns consistent with dynamic infrastructure.
Likely telemetry
- Email security logs for spearphishing attachments and links, including sender, URL, attachment, and delivery metadata
- Web proxy, secure web gateway, browser, and DNS logs for malicious links, drive-by activity, domain lookups, redirects, and newly observed infrastructure
- Endpoint detection and operating system logs for file creation, process execution, hidden file or directory attributes, suspicious naming/location patterns, and Visual Basic execution
- Malware prevention/EDR alerts and forensic artifacts related to RAT-like behavior on Windows systems, where applicable to Crimson, DarkComet, njRAT, Peppy, or ObliqueRAT relationships
- Vulnerability and patch management evidence for client applications exposed to document, browser, or user-driven exploitation paths
Detection direction
- Because ATT&CK provides no official detection text for this group, build coverage from the related techniques and software rather than from the group name alone.
- Validate phishing detections for both attachment and link delivery; tune for targeted lures while accounting for business-valid external collaboration, academic communications, and research sharing where false positives may be common.
- Correlate user click/open events with endpoint execution, script activity, file writes, hidden artifacts, and outbound DNS or web traffic instead of relying only on email gateway verdicts.
- Hunt for suspicious files using legitimate-looking names or trusted locations, encoded or encrypted content, and hidden attributes; treat these as context signals that require process, signer, parent-child, and user behavior review.
- Monitor DNS and web telemetry for dynamic resolution patterns and recently used or unusual domains, while recognizing that ATT&CK does not supply specific indicators in the provided object.
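As an added illustration of the correlation and hunting points above (this is example code written for this page, not MITRE's or Glexia's, and not an ATT&CK detection), the block below joins a phishing click with follow-on endpoint and DNS events on the same host and user, and separately hunts a file inventory for a hidden directory that has an executable sibling of the same base name, the folder-mimicking pattern the T1036.005 and T1564.001 relationships describe. Every log record, host, user, path, domain and "first seen" date is constructed; the field layout, the 15-minute window and the 30-day "newly observed" threshold are assumptions a team would replace with its own.

```python
"""Added example (not MITRE or Glexia code): correlate a phishing click with
follow-on endpoint and DNS events, and hunt for a hidden directory that has an
executable sibling of the same name. All records below are constructed."""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry, normalised to (timestamp, source, host, user, detail).
EVENTS = [
    ("2024-05-01T09:00:05", "email", "WS-17", "alice", "click url=http://files-share.example/report.doc"),
    ("2024-05-01T09:00:40", "edr", "WS-17", "alice", "process winword.exe -> wscript.exe"),
    ("2024-05-01T09:00:52", "edr", "WS-17", "alice", "file_write C:\\Users\\alice\\AppData\\Roaming\\Windows\\svchost.exe hidden=1"),
    ("2024-05-01T09:01:10", "dns", "WS-17", "alice", "query update-check.dyn.example"),
    ("2024-05-01T10:15:00", "email", "WS-22", "bob", "click url=https://intranet.example/policy"),
    ("2024-05-01T14:30:00", "edr", "WS-22", "bob", "process outlook.exe -> chrome.exe"),
]
# Constructed "first seen" dates standing in for a passive-DNS or NOD feed.
DOMAIN_FIRST_SEEN = {"update-check.dyn.example": "2024-04-29", "intranet.example": "2019-01-10"}


def _ts(s):
    return datetime.fromisoformat(s)


def classify(detail, seen_cutoff):
    """Map one follow-on event to an access-chain stage, or None if it is benign-looking."""
    if detail.startswith("process "):
        parent, _, child = detail[len("process "):].partition(" -> ")
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            return "office_spawns_script_host"
    elif detail.startswith("file_write "):
        if "hidden=1" in detail or "\\AppData\\" in detail:
            return "hidden_or_userprofile_file_write"
    elif detail.startswith("query "):
        domain = detail.split(" ", 1)[1]
        first = DOMAIN_FIRST_SEEN.get(domain)
        if first is None or _ts(first) >= seen_cutoff:
            return "newly_observed_domain"
    return None


def correlate_access_chain(events, window_minutes=15, new_domain_days=30):
    """For each email click, collect the stages seen for the same host/user inside the window.
    The score is the number of distinct stages; a click with no follow-on stays at 0."""
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort lexically
    findings = []
    for ts, src, host, user, detail in ordered:
        if src != "email" or not detail.startswith("click "):
            continue
        t0 = _ts(ts)
        cutoff = t0 - timedelta(days=new_domain_days)
        stages = []
        for ts2, src2, host2, user2, detail2 in ordered:
            if (host2, user2) != (host, user) or src2 == "email":
                continue
            if t0 <= _ts(ts2) <= t0 + timedelta(minutes=window_minutes):
                stage = classify(detail2, cutoff)
                if stage and stage not in stages:
                    stages.append(stage)
        findings.append({"host": host, "user": user, "click": ts, "stages": stages, "score": len(stages)})
    return findings


# Constructed file inventory: (parent, name, is_dir, hidden).
INVENTORY = [
    ("D:\\", "Documents", True, True),
    ("D:\\", "Documents.exe", False, False),
    ("D:\\", "Photos", True, False),
    ("C:\\Users\\alice", "ntuser.dat", False, True),
]


def hunt_hidden_masquerade(inventory):
    """Flag a hidden directory whose parent also holds an executable with the same base name."""
    by_parent = {}
    for parent, name, is_dir, hidden in inventory:
        by_parent.setdefault(parent, []).append((name, is_dir, hidden))
    hits = []
    for parent, entries in by_parent.items():
        hidden_dirs = {n.lower() for n, d, h in entries if d and h}
        for name, is_dir, _hidden in entries:
            stem, _, ext = name.rpartition(".")
            if not is_dir and ext.lower() in {"exe", "scr", "pif"} and stem.lower() in hidden_dirs:
                hits.append((parent, stem, name))
    return hits


if __name__ == "__main__":
    for finding in correlate_access_chain(EVENTS):
        print(finding)
    print(hunt_hidden_masquerade(INVENTORY))
```

In the constructed data, alice's click is followed within the window by an Office application spawning a script host, a hidden write under AppData and a query for a domain first seen two days earlier, so it scores 3; bob's click has no follow-on inside the window and scores 0, which is the point of correlating rather than alerting on the gateway verdict alone. The hunt returns the hidden `Documents` directory paired with `Documents.exe`; treat such a hit as a context signal to be reviewed with signer, parent-process and user-behaviour evidence, as the list above says.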
Mitigation priorities
- Start with phishing risk reduction: attachment and URL inspection, user reporting workflows, and response procedures for clicked links or opened files.
- Maintain vulnerability management for browsers, document readers, Office-like applications, and other client software that could support exploitation for client execution or drive-by compromise.
- Ensure endpoint controls can block or alert on suspicious script execution, RAT-like behavior, hidden files/directories, and masquerading through legitimate-looking names or locations.
- Strengthen DNS and web controls for domain reputation, newly observed domains, redirect chains, and command-and-control investigation workflows.
- Prepare IR playbooks that connect email, endpoint, DNS, and proxy evidence quickly, including containment of suspected RAT infections and scoping of similar messages or domains.
Analyst notes and limits
The most useful defensive reading of this object is relationship-driven: the group description establishes suspected origin, activity timeframe, and historical targeting, while the related software and techniques point defenders toward phishing, client execution, stealth, and command-and-control validation. The C0011 relationship expands the targeting context to students at universities and colleges in India and notes a shift from historic government, military, and think tank targeting.
The supplied ATT&CK group object has no official detection text, no tactics, and no platforms specified at the group level. Platform and behavior observations here come from supplied relationships to software and techniques. No claim is made that any organization is currently targeted or that controls will guarantee detection; local telemetry, asset exposure, geography, sector, and incident evidence are required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise | Transparent Tribe has used websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021) |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Unit 42 ProjectM March 2016)(Citation: Talos Transparent Tribe May 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Transparent Tribe has dropped encoded executables on compromised hosts. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1568 | Dynamic Resolution | Transparent Tribe has used dynamic DNS services to set up C2. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1584.001 | Domains Sub-technique | Transparent Tribe has compromised domains for use in targeted malicious campaigns. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Transparent Tribe has crafted VBS-based malicious documents. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Transparent Tribe has embedded links to malicious downloads in e-mails. (Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Transparent Tribe can mimic legitimate Windows directories by using the same icons and names. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1583.001 | Domains Sub-technique | Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Talos Transparent Tribe May 2021) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1203 | Exploitation for Client Execution | Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads. (Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)(Citation: Unit 42 ProjectM March 2016) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Transparent Tribe has directed users to open URLs hosting malicious content. (Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021) |
Groups, software, and campaigns
S0334: DarkComet
S0644: ObliqueRAT
ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[1][2]
S0385: njRAT
S0115: Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[1][2]
S0643: Peppy
C0011: C0011
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 910a17358cd8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint Operation Transparent Tribe March 2016: Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- [2] Kaspersky Transparent Tribe August 2020: Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- [3] Talos Transparent Tribe May 2021: Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
- [4] APT36 (associated group name) (Citation: Talos Transparent Tribe May 2021)
- [5] COPPER FIELDSTONE (associated group name) (Citation: Secureworks COPPER FIELDSTONE Profile)
- [6] Crowdstrike Mythic Leopard Profile: Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021.
- [7] Mythic Leopard (associated group name) (Citation: Crowdstrike Mythic Leopard Profile)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)
- [8] ProjectM (associated group name) (Citation: Unit 42 ProjectM March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
- [9] Secureworks COPPER FIELDSTONE Profile: Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021.
- [10] Unit 42 ProjectM March 2016: Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
- [11] mitre-attack G0134
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.