S0115: Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[1][2]
Analyst context for executives and security teams
Crimson is a Windows remote access Trojan in ATT&CK associated with Transparent Tribe reporting. Its ATT&CK relationships show a broad post-compromise profile: discovery of users, processes, registry, files, network settings, peripherals and time; collection from local systems, removable media, email, keystrokes, screen, audio and video; command execution; C2 over web and non-application protocols; ingress tool transfer; registry modification; file deletion; removable-media replication; and exfiltration over C2. For leaders, the practical issue is not just “malware detection,” but whether Windows endpoint, network, removable-media, and sensitive-data monitoring can prove what was accessed and what may have left the environment.
Executive priority
Prioritize Crimson as a validation case for Windows endpoint resilience, data-loss visibility, and incident response readiness. The behavior set touches confidentiality-heavy assets such as local files, email stores, credentials entered by users, screenshots, audio/video, and removable media. Executives should ask whether the organization can rapidly answer: which hosts were affected, what data sources were queried or collected, whether C2/exfiltration occurred, whether removable media was involved, and whether registry or file-deletion activity impaired evidence. This is especially relevant for organizations with diplomatic, defense, research, or similar sensitive missions, based on the supplied Transparent Tribe targeting context.
Technical view
ATT&CK does not provide a detection section for Crimson, so SOC and IR teams should validate coverage through its related techniques rather than a single signature. On Windows, confirm visibility for command shell execution, registry query/modify activity, process and system discovery, file and directory enumeration, local email file access, removable-media access, keylogging-like input capture indicators where available, screen/audio/video capture API or process behavior, file deletion, tool transfer, and outbound C2/exfiltration over web or other protocols. Relationship-driven detections should correlate discovery followed by collection and outbound communications rather than relying only on malware name matches.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery utilities
- Windows Registry query and modification events
- File system access, enumeration, creation, deletion, and staging activity
- Removable media insertion, file access, and execution telemetry
- Local email data file access telemetry, such as Outlook cache or storage file access where collected
Detection direction
- Build detections around behavior chains: discovery commands or API activity followed by file/email/removable-media collection and outbound communications.
- Tune Windows command-shell detections to reduce administrative false positives by baselining common IT scripts, software inventory tools, and helpdesk activity.
- Monitor Registry query and modification activity in context; many registry reads are normal, but suspicious value changes combined with execution or persistence-like behavior should be escalated.
- Validate visibility into removable media because Crimson’s related techniques include both collection from and replication through removable media; this is a common blind spot in endpoint-only programs.
- Correlate C2 and exfiltration possibilities across web protocols and non-application-layer protocols; proxy-only monitoring may miss some communications.
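As an added illustration of the behavior-chain approach described above (not code from the page, MITRE, or any Crimson report), the following Python runs over constructed Windows telemetry and flags a host only when discovery activity is followed, within a time window, by collection from an email store or removable media and then by outbound traffic to a non-allowlisted destination. Host names, timestamps, IP addresses and the allowlist are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident): WS01 shows the
# discovery -> collection -> egress chain, WS02 shows only routine admin activity.
EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T09:00:00", "kind": "process",
     "detail": "cmd.exe /c tasklist"},
    {"host": "WS01", "ts": "2024-05-01T09:00:05", "kind": "process",
     "detail": "cmd.exe /c systeminfo"},
    {"host": "WS01", "ts": "2024-05-01T09:02:10", "kind": "file",
     "detail": r"C:\Users\a\AppData\Local\Microsoft\Outlook\a.ost"},
    {"host": "WS01", "ts": "2024-05-01T09:03:00", "kind": "network",
     "detail": "tcp 203.0.113.7:4444"},
    {"host": "WS02", "ts": "2024-05-01T09:00:00", "kind": "process",
     "detail": "cmd.exe /c systeminfo"},
    {"host": "WS02", "ts": "2024-05-01T09:01:00", "kind": "network",
     "detail": "tcp 192.0.2.10:443"},
]

DISCOVERY = ("tasklist", "systeminfo", "whoami", "reg query", "ipconfig")
COLLECTION_HINTS = (".ost", ".pst", "removable:")   # email stores, removable media
ALLOWLISTED_EGRESS = {"192.0.2.10:443"}             # assumed known-good destination

def stage(ev):
    """Map one event to a chain stage (or None if it is not of interest)."""
    d = ev["detail"].lower()
    if ev["kind"] == "process" and any(k in d for k in DISCOVERY):
        return "discovery"
    if ev["kind"] == "file" and any(h in d for h in COLLECTION_HINTS):
        return "collection"
    if ev["kind"] == "network" and ev["detail"].split()[-1] not in ALLOWLISTED_EGRESS:
        return "egress"
    return None

def find_chains(events, window=timedelta(minutes=30)):
    """Return {host: [discovery_ts, collection_ts, egress_ts]} for every host on
    which the three stages occur in order, all within `window` of the first
    discovery event. Isolated discovery or allowlisted egress never alerts."""
    hits, by_host = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    order = ["discovery", "collection", "egress"]
    for host, evs in by_host.items():
        seen, start = [], None
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if stage(ev) == order[len(seen)] and (start is None or t - start <= window):
                start = start or t
                seen.append(ev["ts"])
                if len(seen) == 3:
                    hits[host] = seen
                    break
    return hits
```

Tuning the allowlist and the window against your own baseline is what keeps the administrative false positives mentioned above out of the alert queue.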
Mitigation priorities
- Harden Windows endpoints with least privilege, endpoint protection, controlled script/command execution, and monitoring of administrative utilities.
- Restrict and monitor removable media use, especially in sensitive or segmented environments.
- Limit unnecessary local storage of sensitive files and email caches; apply data handling controls where business processes allow.
- Use network egress controls and logging for web and non-standard protocols, with alerting for unusual destinations or transfer patterns.
- Apply application control or allowlisting where feasible to reduce unauthorized tool transfer and execution.
Analyst notes and limits
The supplied ATT&CK object identifies Crimson as a Windows remote access Trojan used by Transparent Tribe since at least 2016, with external references from Proofpoint and Kaspersky. ATT&CK provides no official detection text for the malware, so this take derives defensive priorities from the supplied technique relationships and Windows platform field. The related Transparent Tribe description provides sector and geography context for intelligence scoping, not a basis to claim current targeting or exposure.
This assessment is limited to the supplied ATT&CK STIX fields, references, and relationships. It does not include indicators of compromise, malware configuration details, C2 infrastructure, prevalence, current campaign activity, or validated detection logic. Local environment telemetry, asset criticality, endpoint tooling, network architecture, and data-handling practices are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1125 | Video Capture | Crimson can capture webcam video on targeted systems. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Crimson contains a command to collect information about anti-virus software on the victim. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Crimson can add Registry run keys for persistence. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Crimson has the ability to delete files from a compromised host. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1124 | System Time Discovery | Crimson has the ability to determine the date and time on a compromised host. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1082 | System Information Discovery | Crimson contains a command to collect the victim PC name and operating system. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Crimson can decode its encoded PE file prior to execution. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Crimson can use a module to perform keylogging on compromised hosts. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Crimson can use an HTTP GET request to download its final payload. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1005 | Data from Local System | Crimson can collect information from a compromised host. (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1033 | System Owner/User Discovery | Crimson can identify the user on a targeted system. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1113 | Screen Capture | Crimson contains a command to perform screen captures. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1123 | Audio Capture | Crimson can perform audio surveillance using microphones. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Crimson can exfiltrate stolen information over its C2. (Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1057 | Process Discovery | Crimson contains a command to list processes. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1114.001 | Local Email Collection (sub-technique) | Crimson contains a command to collect and exfiltrate emails from Outlook. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1112 | Modify Registry | Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number. (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| Enterprise | T1016 | System Network Configuration Discovery | Crimson contains a command to collect the victim MAC address and LAN IP. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1120 | Peripheral Device Discovery | Crimson has the ability to discover pluggable/removable drives to extract files from. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1025 | Data from Removable Media | Crimson contains a module to collect data from removable drives. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1091 | Replication Through Removable Media | Crimson can spread across systems by infecting removable media. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1614 | System Location Discovery | Crimson can identify the geographical location of a victim host. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Crimson contains a command to retrieve files from its C2 server. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Crimson has the ability to execute commands with the COMSPEC environment variable. (Citation: Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | Crimson uses a custom TCP protocol for C2. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1012 | Query Registry | Crimson can check the Registry for the presence of |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | Crimson contains a module to steal credentials from Web browsers on the victim machine. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020) |
| Enterprise | T1680 | Local Storage Discovery | Crimson contains a command to collect disk drive information. (Citations: Proofpoint Operation Transparent Tribe March 2016; Kaspersky Transparent Tribe August 2020; Cisco Talos Transparent Tribe Education Campaign July 2022) |
Groups, software, and campaigns
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
C0011: C0011
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | d9a111ce51d1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint Operation Transparent Tribe March 2016: Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- [2] Kaspersky Transparent Tribe August 2020: Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- [3] MSIL/Crimson (Citation: Proofpoint Operation Transparent Tribe March 2016)
- [4] mitre-attack S0115
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.