S0115: Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[1][2]
Analyst context for executives and security teams
Crimson is a Windows remote access Trojan in ATT&CK associated with Transparent Tribe reporting. Its ATT&CK relationships show a broad post-compromise profile: discovery of users, processes, registry, files, network settings, peripherals and time; collection from local systems, removable media, email, keystrokes, screen, audio and video; command execution; C2 over web and non-application protocols; ingress tool transfer; registry modification; file deletion; removable-media replication; and exfiltration over C2. For leaders, the practical issue is not just “malware detection,” but whether Windows endpoint, network, removable-media, and sensitive-data monitoring can prove what was accessed and what may have left the environment.
Executive priority
Prioritize Crimson as a validation case for Windows endpoint resilience, data-loss visibility, and incident response readiness. The behavior set touches confidentiality-heavy assets such as local files, email stores, credentials entered by users, screenshots, audio/video, and removable media. Executives should ask whether the organization can rapidly answer: which hosts were affected, what data sources were queried or collected, whether C2/exfiltration occurred, whether removable media was involved, and whether registry or file-deletion activity impaired evidence. This is especially relevant for organizations with diplomatic, defense, research, or similar sensitive missions, based on the supplied Transparent Tribe targeting context.
Technical view
ATT&CK does not provide a detection section for Crimson, so SOC and IR teams should validate coverage through its related techniques rather than through a single signature. On Windows, confirm visibility for command-shell execution, registry query and modify activity, process and system discovery, file and directory enumeration, local email file access, removable-media access, input-capture (keylogging) indicators where the endpoint tooling exposes them, screen/audio/video capture API or process behavior, file deletion, tool transfer, and outbound C2/exfiltration over web or other protocols. Relationship-driven detections should correlate discovery followed by collection and outbound communication rather than rely on malware-name matches alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery utilities
- Windows Registry query and modification events
- File system access, enumeration, creation, deletion, and staging activity
- Removable media insertion, file access, and execution telemetry
- Local email data file access telemetry, such as reads of Outlook data files (.ost/.pst) where collected
Detection direction
- Build detections around behavior chains: discovery commands or API activity followed by file/email/removable-media collection and outbound communications.
- Tune Windows command-shell detections to reduce administrative false positives by baselining common IT scripts, software inventory tools, and helpdesk activity.
- Monitor Registry query and modification activity in context; many registry reads are normal, but suspicious value changes combined with execution or persistence-like behavior should be escalated.
- Validate visibility into removable media because Crimson’s related techniques include both collection from and replication through removable media; this is a common blind spot in endpoint-only programs.
- Correlate C2 and exfiltration possibilities across web protocols and non-application-layer protocols; proxy-only monitoring covers HTTP(S) but misses raw TCP/UDP sessions, so pair it with firewall or flow logging at the egress point.
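The behavior-chain approach above (discovery, then collection from email stores or removable media, then outbound communication on the same host within a short window) is easier to evaluate against concrete telemetry than to describe. The following is an added illustrative example, not code from MITRE, Glexia, or any Crimson analysis: the event schema, host names, paths, and IP addresses are constructed, and the discovery command list and the 30-minute window are assumptions to tune locally. The second host shows the false-positive case from the tuning note: inventory commands with only internal traffic produce no alert.

```python
"""Behavior-chain detection: discovery -> collection -> egress on one host.

Added example with a constructed, Sysmon-like normalized event schema
(hypothetical); thresholds and command lists are assumptions, not ATT&CK data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry (not real logs). WS-17 shows a full chain plus
# removable-media replication; WS-22 is benign helpdesk inventory activity.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS-17", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T09:00:09", "host": "WS-17", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist /v"},
    {"ts": "2024-05-01T09:01:30", "host": "WS-17", "type": "registry", "op": "query", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName"},
    {"ts": "2024-05-01T09:04:12", "host": "WS-17", "type": "file", "op": "read", "path": "C:\\Users\\a.user\\AppData\\Local\\Microsoft\\Outlook\\a.user.ost"},
    {"ts": "2024-05-01T09:05:40", "host": "WS-17", "type": "file", "op": "read", "path": "E:\\reports\\budget.xlsx", "removable": True},
    {"ts": "2024-05-01T09:06:02", "host": "WS-17", "type": "file", "op": "create", "path": "E:\\update.exe", "removable": True},
    {"ts": "2024-05-01T09:07:15", "host": "WS-17", "type": "network", "dst_ip": "203.0.113.25", "dst_port": 8080, "proto": "tcp"},
    {"ts": "2024-05-01T09:10:00", "host": "WS-22", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T09:10:03", "host": "WS-22", "type": "network", "dst_ip": "10.0.5.12", "dst_port": 443, "proto": "tcp"},
]

# Assumed tuning values; baseline against your own IT scripts before deploying.
DISCOVERY_CMDS = ("systeminfo", "tasklist", "whoami", "net user", "net view", "ipconfig", "reg query")
EMAIL_STORE_EXT = (".pst", ".ost")
DROPPED_EXEC_EXT = (".exe", ".scr", ".dll", ".lnk")
WINDOW = timedelta(minutes=30)
# Explicit RFC1918/loopback list rather than ipaddress.is_global, so the
# documentation-range sample address (203.0.113.25) is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ev: dict):
    """Map one normalized event to a chain stage, or None when it is not relevant."""
    t = ev.get("type")
    if t == "process" and ev.get("image", "").lower() == "cmd.exe":
        if any(cmd in ev.get("cmdline", "").lower() for cmd in DISCOVERY_CMDS):
            return "discovery"
    if t == "registry" and ev.get("op") == "query":
        return "discovery"
    if t == "file":
        path = ev.get("path", "").lower()
        if ev.get("op") == "read" and (path.endswith(EMAIL_STORE_EXT) or ev.get("removable")):
            return "collection"          # email store or removable-media read
        if ev.get("op") == "create" and ev.get("removable") and path.endswith(DROPPED_EXEC_EXT):
            return "replication"         # executable dropped onto removable media
    if t == "network" and is_external(ev.get("dst_ip", "")):
        return "egress"
    return None


def detect(events, window: timedelta = WINDOW):
    """Alert per host when discovery is followed by collection and then egress within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))

    alerts = []
    for host, staged in by_host.items():
        for i, (t0, s0) in enumerate(staged):
            if s0 != "discovery":
                continue                      # every chain must start with discovery
            seen = {"discovery"}
            for t, s in staged[i + 1:]:
                if t - t0 > window:
                    break
                if s == "collection":
                    seen.add("collection")
                elif s == "replication":
                    seen.add("replication")   # recorded, but not required for the alert
                elif s == "egress" and "collection" in seen:
                    seen.add("egress")        # egress only counts after collection
            if {"discovery", "collection", "egress"} <= seen:
                alerts.append({"host": host, "start": t0.isoformat(), "stages": sorted(seen)})
                break                         # one alert per host per chain start
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ordering constraint (egress counts only after collection has been seen) is what keeps routine outbound traffic from turning every inventory script into an alert; replication is recorded as context because the related techniques include removable-media replication, but it is not required for the chain to fire.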
Mitigation priorities
- Harden Windows endpoints with least privilege, endpoint protection, controlled script/command execution, and monitoring of administrative utilities.
- Restrict and monitor removable media use, especially in sensitive or segmented environments.
- Limit unnecessary local storage of sensitive files and email caches; apply data handling controls where business processes allow.
- Use network egress controls and logging for web and non-standard protocols, with alerting for unusual destinations or transfer patterns.
- Apply application control or allowlisting where feasible to reduce unauthorized tool transfer and execution.
Analyst notes and limits
The supplied ATT&CK object identifies Crimson as a Windows remote access Trojan used by Transparent Tribe since at least 2016, with external references from Proofpoint and Kaspersky. ATT&CK provides no official detection text for the malware, so this take derives defensive priorities from the supplied technique relationships and Windows platform field. The related Transparent Tribe description provides sector and geography context for intelligence scoping, not a basis to claim current targeting or exposure.
This assessment is limited to the supplied ATT&CK STIX fields, references, and relationships. It does not include indicators of compromise, malware configuration details, C2 infrastructure, prevalence, current campaign activity, or validated detection logic. Local environment telemetry, asset criticality, endpoint tooling, network architecture, and data-handling practices are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0134: Transparent Tribe
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.[1][2][3]
C0011: C0011
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | d9a111ce51d1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Huss, D. (2016, March 1). Operation Transparent Tribe. Proofpoint. Retrieved June 8, 2016.
[2] Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Kaspersky. Retrieved September 2, 2021.
[3] MSIL/Crimson (alias; cites Proofpoint Operation Transparent Tribe March 2016).
[4] MITRE ATT&CK, S0115 (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.