Transparent Tribe APT36: Weaponized Shortcuts and Adaptive Persistence Target Indian Government Entities

Can a weaponized shortcut file that looks like an exam document steal government secrets? Yes—and Transparent Tribe (APT36) is doing exactly that. A fresh campaign targeting Indian governmental and academic entities uses LNK files embedded with full PDF content, disguised as legitimate documents, to deliver a multi-stage RAT with sophisticated antivirus evasion. The malware adapts its persistence strategy based on which antivirus software is installed, giving the attacker operational flexibility across diverse defensive environments.

APT36’s latest operational shift centers on weaponized Windows LNK files—technically shortcut files—that exceed 2 MB in size, compared to typical shortcuts of 10–12 KB. This unusual size inflation is deliberate: attackers embed a complete PDF document within the LNK file itself to mask its true nature. When a user receives a ZIP archive labeled “Online JLPT Exam Dec 2025.zip” and extracts it, the enclosed file appears as “Online JLPT Exam Dec 2025.pdf” because Windows hides the .lnk extension by default. Opening the file executes mshta.exe with a remotely hosted HTA script URL, bypassing traditional file-based malware signatures.

The HTA script performs multi-stage decryption in memory using Base64 decoding and XOR routines. It loads two critical payloads: ReadOnly, a serialized .NET object that disables deserialization safeguards, and WriteOnly, a 359 KB DLL that functions as the fully featured RAT (iinneldc.dll). All execution occurs in memory; no primary malware binary touches disk, dramatically reducing forensic evidence and evading endpoint detection and response (EDR) tools scanning for dropped files. The encrypted C2 communication uses AES encryption with a hardcoded key (“ZAEDF_98768_@$#%_QCHF”), creating a secure tunnel for attacker commands.

APT36’s evolution reflects a maturation in tradecraft targeting the human layer and the trust boundary between legitimate activity and malicious execution. First, the campaign exploits document-centric workflows: exam materials, government advisories, WhatsApp security warnings—all legitimate artifacts that trigger trust instinctively. Second, the antivirus-aware persistence mechanism means the malware survives in heterogeneous corporate environments where different endpoints run Kaspersky, Quick Heal, Avast, AVG, or Avira. Third, the fileless in-memory execution evades signature-based and even behavioral detections that rely on disk artifacts.

For Indian government and academic institutions, the operational risk is severe. The malware captures screenshots in near real-time, monitors clipboard contents (critical for stolen credentials and cryptocurrency wallet addresses), harvests sensitive documents (Office files, PDFs, databases), and executes arbitrary shell commands. The attacker gains remote desktop viewing, process termination capability, and the ability to brute-force kill security processes. Data exfiltration occurs via encrypted C2 channels, leaving minimal network indicators. A compromised official at a ministry or university can have months of intelligence stolen before detection—if detection occurs at all.

Attack Chain Anatomy:
• Initial delivery via spear-phishing email
• ZIP archive extraction by the recipient
• LNK file opened, launching mshta.exe
• HTA script executed from remote hosting (innlive[.]in or similar)
• Base64/XOR decryption of the ReadOnly payload in memory
• ReadOnly disables .NET deserialization checks
• HTA loads the WriteOnly DLL (iinneldc.dll) into memory
• RAT establishes C2 to 2.56.10.86:8621
• Attacker sends encrypted commands
• Malware responds with system information, files, screenshots, or command output

Antivirus-Aware Persistence: Upon initial execution, the malware queries Windows Management Instrumentation (WMI) root\SecurityCenter2 namespace to detect installed antivirus products. Based on detection:
• Kaspersky: Creates C:\Users\Public\core\, drops obfuscated HTA payload, creates LNK in Startup folder, launches via mshta.exe
• Quick Heal: Creates batch file + malicious LNK in Startup, executes HTA indirectly
• Avast/AVG/Avira: Direct payload copy to Startup, direct execution
• No AV detected: Batch file execution + Registry persistence + payload deployment combo

RAT Capabilities: System profiling, remote command execution via cmd.exe, file upload/download/rename/delete/move, remote desktop viewing via screenshot capture (resized to attacker-specified dimensions, JPEG compressed, Base64 encoded), clipboard data theft and manipulation, process enumeration and termination, antivirus product enumeration, data exfiltration of Office documents (.doc, .docx, .xls, .xlsx, .ppt, .pptx), PDFs, text files, and databases (.mdb, .accdb). All data is Base64 encoded and AES encrypted before transmission.

Detection and Mitigation: Block .lnk files in email with attachment sandboxing. Configure Windows to display full file extensions by default. Apply attack surface reduction (ASR) rules restricting LNK execution from user-writable directories (Downloads, Temp, Desktop). Deploy EDR tools monitoring process chains involving mshta.exe, PowerShell, and cmd.exe. Monitor outbound traffic to known C2 IPs (2.56.10.86) and domains (innlive[.]in, drjagrutichavan[.]com). Hunt for abnormal registry modifications, Startup folder persistence, and scheduled tasks. Implement application control preventing script execution from archive extraction directories. Conduct regular user awareness training on document masquerading and phishing indicators.
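The file-level traits described above (a shortcut far larger than the usual 10–12 KB, a document double extension, PDF bytes carried inside the LNK, and mshta.exe invoked with a remote URL) can be checked directly from the Shell Link binary format. The following triage script is an added example written for this page, not CYFIRMA's code or tooling; it parses the MS-SHLLINK header and StringData sections itself, and the sample shortcut, the example.invalid URL and the padding that stands in for the embedded PDF are all constructed here for the test.

```python
import struct

# ShellLinkHeader starts with HeaderSize 0x4C and the fixed LinkCLSID (MS-SHLLINK 2.1)
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in on-disk order, each with the LinkFlags bit that marks it present
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SIZE_THRESHOLD = 2 * 1024 * 1024  # the campaign's LNKs exceed 2 MB; benign ones are 10-12 KB

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (the IDList target is skipped, not decoded)."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:            # LinkTargetIDList: 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:          # LinkInfo: first dword is the whole structure's size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:   # 2-byte CountCharacters, then the string, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def triage_lnk(filename: str, data: bytes) -> list:
    """List which traits of the shortcut lure described above this sample shows."""
    findings = []
    if len(data) > SIZE_THRESHOLD:
        findings.append("oversized shortcut")
    if filename.lower().endswith((".pdf.lnk", ".doc.lnk", ".docx.lnk")):
        findings.append("document double extension")
    if b"%PDF-" in data:
        findings.append("embedded PDF content")
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if "mshta" in target and "http" in fields.get("arguments", "").lower():
        findings.append("mshta.exe launched with a remote URL")
    return findings

def build_sample_lnk(relative_path: str, arguments: str, tail: bytes = b"") -> bytes:
    """Constructed test sample: minimal LNK with RelativePath and Arguments plus an optional tail."""
    header = LNK_MAGIC + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE)
    header += b"\0" * (0x4C - len(header))
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body + tail
```

Real samples often carry the target only in the LinkTargetIDList rather than RelativePath, so a production hunt should also decode the IDList; the size, extension and embedded-PDF checks do not depend on it.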

APT36 (Transparent Tribe) has maintained active cyber-espionage operations against Indian targets since at least 2013. The group is assessed to be Pakistan-aligned but of Indian origin—a strategic positioning that provides plausible deniability and regional intelligence advantage. Their historical RAT arsenal includes CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT; the current LNK-based campaign represents continuous toolkit modernization, not a fundamental shift in objectives. The group’s focus on government, academic, and “strategically relevant sectors” confirms intelligence collection over financial gain or disruption.

The campaign observed in December 2025 demonstrates a methodical evolution in delivery and evasion. Rather than rely on email-borne executables (easily detected), APT36 weaponized Windows shortcut files—a native OS feature rarely subject to execution controls. The embedding of full PDF content within the LNK file mimics legitimate archive content, exploiting user trust in document workflows. The fileless, in-memory payload execution with encrypted C2 communication represents an acknowledgment of modern EDR capabilities; the attacker assumes disk-based detection will occur and designs around it. The antivirus-aware persistence mechanism is particularly telling: APT36 understands that Indian enterprises run diverse security products, and a one-size-fits-all persistence method fails. Adaptive evasion ensures the malware survives across environments.

CYFIRMA’s technical analysis, published December 30, 2025, provides IOCs (Indicators of Compromise) and YARA rules for detection, including file hashes, C2 infrastructure, and hardcoded encryption keys. This coordinated disclosure enables defensive action, but the operational dwell time—campaigns likely active since mid-December—may have already yielded months of intelligence for APT36. The follow-on campaign using government advisory PDFs (NCERT-WhatsApp-Advisory.pdf.lnk) and MSI-based payloads confirms that APT36 is not a one-technique operator but continuously iterates delivery methods to maintain operational effectiveness.

Primary Analysis and Reporting:

IOCs and Detection Resources:

  • Malware SHA-256 hashes (LNK files, HTA payloads, DLL components)
  • C2 IP: 2.56.10.86:8621
  • C2 Domains: innlive[.]in, drjagrutichavan[.]com, dns.wmiprovider[.]com
  • Hardcoded AES Key: ZAEDF_98768_@$#%_QCHF
  • YARA detection rules available in CYFIRMA report