Pakistan-linked hackers target Indian government, universities in new spying campaign

A Pakistan-aligned hacker group has launched a new cyber-espionage campaign targeting Indian government, academic and strategic institutions, researchers have found.

The campaign has been attributed to APT36, also known as Transparent Tribe, a long-running threat actor accused of spying on Indian government bodies, military-linked organizations and universities.

Researchers at cybersecurity firm Cyfirma said the latest operation begins with spear-phishing emails carrying a ZIP archive containing a malicious file disguised as a PDF. Once opened, the file delivers two malware components, dubbed ReadOnly and WriteOnly.
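A defender-side check for the delivery stage described above, written here as an added example (it is not Cyfirma's tooling nor anything recovered from the campaign): it opens an emailed ZIP and flags members whose name suggests a PDF while their extension or leading bytes say otherwise. The archive, member names and byte contents are constructed for illustration, and the executable-extension list is an assumption, not a complete one.

```python
"""Flag ZIP attachment members that pose as PDFs.

Added example, not code from the article, Cyfirma or APT36. Assumes the lure
is a ZIP whose member is named like a PDF but is not one; all sample data
below is constructed.
"""
import io
import zipfile

PDF_MAGIC = b"%PDF"

# Extensions Windows launches on double-click. Assumption: illustrative
# subset, not an exhaustive list.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd",
    ".js", ".vbs", ".hta", ".msi",
}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return findings for one archive member given its name and first bytes."""
    findings = []
    lower = name.lower()
    parts = lower.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""

    # "Report.pdf.exe": the visible "pdf" is a lure, the real extension executes.
    if ext in EXECUTABLE_EXTS and ".pdf" in lower:
        findings.append("pdf-in-name-but-executable-extension")
    # "Notice.pdf" whose bytes are not a PDF at all.
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append("pdf-extension-but-not-pdf-content")
    # PE (Windows executable) header regardless of what the name claims.
    if head.startswith(b"MZ"):
        findings.append("pe-header")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of findings."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # magic-byte check needs only the first bytes
            findings = classify_member(info.filename, head)
            if findings:
                result[info.filename] = findings
    return result


def build_sample_zip() -> bytes:
    """Constructed archive: one real PDF, one PE with a PDF lure name,
    one non-PDF file carrying a .pdf extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Real.pdf", b"%PDF-1.7\n%constructed sample\n")
        zf.writestr("Meeting_Agenda.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Notice.pdf", b"<html>not a pdf</html>")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, "->", ", ".join(findings))
```

Run on a quarantined attachment by reading the file bytes into `scan_zip`; a non-empty result is grounds to hold the message for review rather than deliver it.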

The malware is designed to quietly embed itself on victims’ systems, adjusting its behavior based on which antivirus software is installed. According to Cyfirma, it can remotely control infected machines, exfiltrate data and carry out persistent surveillance — including taking screenshots, monitoring clipboard activity and enabling remote desktop access.

Researchers said the clipboard monitoring feature could also be used to steal or overwrite copied data, potentially allowing attackers to hijack cryptocurrency transactions.
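The clipboard-overwrite behaviour the researchers describe has a simple detection signature: a copied cryptocurrency address is replaced, moments later and by a different process, with another address of the same kind. The following added example (not the article's or the researchers' code) applies that rule to a log of clipboard snapshots. It assumes an endpoint agent records each clipboard change with a timestamp, the text and the writing process; the snapshot list, process names and address patterns are constructed for illustration.

```python
"""Detect clipboard address substitution from clipboard-change records.

Added example; not code from the article or from the malware analysed.
Assumes a hypothetical agent records (timestamp, text, writing process) on
every clipboard change. Sample data and patterns are constructed.
"""
import re
from dataclasses import dataclass

# Constructed, simplified address patterns: enough for the demo, not full
# checksum validators.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class Snapshot:
    ts: float        # seconds since agent start (constructed)
    text: str        # clipboard contents
    process: str     # process that set the clipboard (hypothetical field)


def address_kind(text: str):
    """Return 'btc', 'eth' or None for the given clipboard text."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def find_substitutions(snaps, max_gap: float = 2.0):
    """Flag pairs of consecutive snapshots where an address is replaced by a
    different address of the same kind, within max_gap seconds, by a process
    other than the one that originally copied it."""
    alerts = []
    for prev, cur in zip(snaps, snaps[1:]):
        k_prev, k_cur = address_kind(prev.text), address_kind(cur.text)
        if (
            k_prev is not None
            and k_prev == k_cur
            and prev.text.strip() != cur.text.strip()
            and cur.ts - prev.ts <= max_gap
            and cur.process != prev.process
        ):
            alerts.append({
                "kind": k_cur,
                "original": prev.text,
                "replacement": cur.text,
                "process": cur.process,
                "ts": cur.ts,
            })
    return alerts


# Constructed snapshot log: a user copies a BTC address from the browser and
# another process rewrites it 0.4 s later; later ETH copies are benign.
SAMPLE_SNAPSHOTS = [
    Snapshot(10.0, "bc1qexampleuser" + "0" * 27, "browser.exe"),
    Snapshot(10.4, "bc1qattackerswap" + "0" * 26, "updater.exe"),
    Snapshot(40.0, "hello world", "notepad.exe"),
    Snapshot(41.0, "0x" + "ab" * 20, "browser.exe"),
    Snapshot(90.0, "0x" + "cd" * 20, "browser.exe"),
]


if __name__ == "__main__":
    for alert in find_substitutions(SAMPLE_SNAPSHOTS):
        print(alert)
```

The time window and the "different process" condition are what keep the rule from firing on a user who simply copies two addresses in a row; tune `max_gap` to the agent's polling interval.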

“The analysed campaign reinforces the group’s long-term surveillance objectives rather than short-term financial or disruptive goals,” the researchers said, adding that the activity aligns with state-linked intelligence-gathering priorities.

While researchers have previously characterized Transparent Tribe as less technically advanced than some rival espionage groups, they have also noted its persistence and ability to adapt tactics over time.

Cyfirma said the latest campaign showed an evolution in APT36’s technical capabilities, including the abuse of trusted Windows components, deception through common file formats and multi-stage, fileless execution techniques.

APT36 has been active since at least 2013 and has been linked to cyber-espionage campaigns targeting government and military organizations in India and Afghanistan, as well as institutions in roughly 30 countries.

The group's activity also overlaps with that of another Pakistan-linked threat actor, Cosmic Leopard, whose years-long espionage campaign against Indian government agencies and defence- and technology-related companies was detected last year.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.