CyberWire Daily - Startup surge sparks spy interest. [Research Saturday]

Episode Date: April 4, 2026

This week, we are joined by Santiago Pontiroli, Threat Intelligence Research Lead from Acronis TRU team, discussing their work on "New year, new sector: Transparent Tribe targets India's startup ecosystem." The Acronis Threat Research Unit uncovered a new campaign by Transparent Tribe showing the group has expanded beyond traditional government and defense targets to India's startup ecosystem, especially cybersecurity and OSINT-focused firms. The attackers use startup-themed lures delivered via ISO files and malicious shortcuts to deploy Crimson RAT, a highly obfuscated tool capable of surveillance, data theft, and system control. Despite this shift, the campaign closely mirrors the group's long-standing espionage tactics, suggesting startups are being targeted for their connections to government, law enforcement, and sensitive intelligence networks. The research and executive brief can be found here: New year, new sector: Transparent Tribe targets India's startup ecosystem

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back. From automatically dismantling cross-channel attacks to building team resilience and more.
Starting point is 00:00:39 Doppel. Outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves
Starting point is 00:01:14 in our rapidly evolving cyberspace. Thanks for joining us. So what brought this particular group to our attention was that we were tracking a RAT, that's a remote access tool, known as Get a RAT. And we started with that and we found some interesting samples, then we got more interesting samples, IPs, and then we started with that to develop
Starting point is 00:01:49 into a full-length investigation. That's Santiago Pontiroli, threat intelligence research lead from the Acronis TRU team. The research we're discussing today is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." But usually it starts that way, with just a single indicator of compromise
Starting point is 00:02:18 or maybe an indicator of the group using infrastructure from the past. And what was it about this latest campaign from them that stood out compared to some of the things they've done in the past? So usually this group in particular is targeting South Asia and in particular India. So in previous campaigns we saw them mainly doing spear-phishing to ministries, governments, financial institutions, things that were of, let's say, that were relevant to them in the sense of intelligence gathering, not so much of, let's say, getting a financial gain. So in this case, they were targeting startups in India, and this is my assumption or my hypothesis in this case, that given that startups don't have
Starting point is 00:03:22 as mature security as other companies, but nevertheless, they are connected to the broader ecosystem of the government. They are targeting kind of in an indirect supply chain attack. So they target the startups, they get information that they want from the startups because they are linked to the government. So instead of going directly to the target,
Starting point is 00:03:45 they kind of go around it. Well, walk us through the attack chain here. Where do things begin and take us through what happens? Yeah, sure. So initially, the victim or the target receives a spear-phishing email. And in this email, they get an attachment. So far so good. I mean, there is nothing unusual about that.
Starting point is 00:04:11 In this case, the attachment is what is different from other APT actors or other campaigns. They are using an ISO file. So that's a container file in which you can, you can consider it as, for example, as an archive, as a zip file or 7-Zip or RAR file. But in this case, when you open this container in Windows, by default, Windows will try to open it as a virtual CD or DVD-ROM drive.
Starting point is 00:04:45 And this is an important detail that can, I can explain to you later why, but this was a deliberate decision by the APT group to use this particular type of file. So within this container, they have a bunch of other files, they have a PowerShell script, they have a document file, and also an LNK file. LNK is a Windows shortcut file. So, for example, when you create a direct link in your desktop to, I know, whatever file you want to open quickly, Windows creates a file that is between like 10 to 12 kilobytes, so a very, very small file that just says where to open, you know, the real file. In this case, Transparent Tribe, they are using this file to open a spreadsheet, a Word document, and in the background, they are actually deploying the malware.
Starting point is 00:05:46 So if you're the victim, you only see the document. You were intended to open. You intended to see. But in the background, a whole bunch of operations are happening. So is that opening of the document? Is that just misdirection? Yeah, exactly. I mean, in this case, since we're talking about intelligence gathering,
Starting point is 00:06:09 they don't want you to be suspicious about anything. It's not like in the past, you would see like a, you know, hacker groups or script kiddies. It's like, I don't know if you remember the Michelangelo virus or things like that. This is a completely different ballgame. Here we are talking about espionage. So these guys want you to think that you actually opened a legitimate document and in the background everything is happening. Well, you mentioned the use of ISO files, and as you say, I mean, that's a bit of a trip down memory lane when it comes to things like DVDs.
Starting point is 00:06:48 What made them choose that? So there is a particular feature in Windows. When you download a file from the Internet, Windows marks it as not safe. Let's say something that you download from the Internet, and it should be checked. You know, when you double-click a file that you just downloaded, you get the prompt from SmartScreen. So you get like, are you sure you want to open this file? But in the case of ISO files, since these are containers or archives, and Windows by default tries to mount a DVD drive, it considers ISO files as local archives.
Starting point is 00:07:32 So it will bypass Windows protection. It will not prompt SmartScreen. It will just tell you like, hey, yeah, you have your DVD ready to use. Come on, use it. And then you can just go and double-click on the shortcut files. I see. Well, the research talks about Crimson RAT and how they're using that. Can you describe to us what that is?
Starting point is 00:07:55 Yeah, sure. So APT-36 have been using a wide array of remote access tools, not only Crimson RAT, but they all share some commonalities. The main feature is taking screenshots, harvesting credentials, exfiltrating this information using a customized TCP protocol. But I would say that beyond the RAT that this particular group is using is that they change the way they are delivering the final payload. What I mean by this is they used Crimson RAT in the past, but they never used it in this way.
Starting point is 00:08:43 And they never used it in combination with an ISO file, in combination with a Windows shortcut. So it's like they, and I see this in many APT groups. They think like, why reinvent the wheel? Let's just reuse whatever we have right now and see if it works. We'll be right back. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave,
Starting point is 00:09:31 and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether or not you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware
Starting point is 00:10:05 at the source, and regain control over their environments. Book your demo at threatlocker.com/N2K today. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
Starting point is 00:10:57 every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Starting point is 00:11:33 You mentioned that the sample that you analyzed was padded. They brought it up to about 34 megabytes, just filling it with junk data. What's the practical purpose of inflating a file that way? Oh, that's a lovely question that usually gets a bunch of analysts really angry. Because you would see, and this doesn't happen only with APT groups. It happens with traditional cybercrime. So, for example, like banking trojans, usually do the same.
Starting point is 00:12:16 And this is mainly to bypass quick detection. So any antivirus will scan some files, or actually will scan all the files, but it will scan just a portion of the file initially. And this is because your computer doesn't have infinite resources, so it will scan maybe the first 2 megabytes or it will scan, like, properties. It will try to use as little resources as possible. So in this case, they are padding the file with a bunch of dummy, zeroes, whatever, information.
Starting point is 00:12:56 So initially it will bypass that type of detection. And this is what we call static detection, but there are other types of detection. For example, heuristics, which is detecting by the behavior of the file or what it's actually trying to do. You know, cybercriminals and APT groups, they try to get or to avoid detection for as long as possible. I mean, the further down the chain they can go, the more, you know, chances of success they have. And what are the core surveillance and system control capabilities that are built into Crimson RAT? I mean, you can do anything with this RAT, to be honest. It's like any remote control tool that you can think of, like legitimate control tools.
Starting point is 00:13:40 Like, for example, I know TeamViewer or AnyDesk, things like that, but actually even more powerful, because you can set it up so it takes like a continuous, you know, one screenshot after the other, kind of a video, but just screenshots. So actually it's doing that to reduce the bandwidth usage. You can upload or download files, you can execute commands. You can, for example, kill processes. If you see like there is, for example, any detection suite or anything that you don't want to be there while you're doing the infection,
Starting point is 00:14:19 APT-36, they can just kill the process and, you know, basically manage your computer remotely without even you noticing. There are no visible windows. There is no trace of anything wrong happening. You mentioned in the research that some of the infrastructure overlaps with previous campaigns. How confident are you in attributing this to Transparent Tribe?
Starting point is 00:14:47 So in the past, there was a campaign from this same APT. They were using one of the domains for a while. Then they stopped. It was taken down. And after a couple of years, we are seeing the same domain again used by these guys. Actually, I think it was the IP address that resolved to a bunch of domains affiliated actually that we associate with APT-36. So there is a high degree of confidence there
Starting point is 00:15:23 in which we can, you know, assess that this is APT-36. When you combine that with, you know, the usage of Crimson RAT, the targets, because you are targeting startups in India, when you combine the different, you know, tactics, techniques, and procedures, it's like you can never be 100% sure, but you can say like, hey, everything points to APT-36 TTPs.
Starting point is 00:15:52 Yeah. When we're looking at the broader implications here, is there anything that this campaign tells us about how these espionage groups are adapting their targeting strategies? I, you know, I think it's really interesting because APT-36 actually has, again, has been in the game for more than a decade. They are using the same remote access tools that they have been using for over a decade.
Starting point is 00:16:20 But they are shifting the way that they try to infect their victims. So I think the shift that we are seeing is not so much technical, but I think it's in regards to social engineering and actually bypassing the human element. I think like APTs evolve targets and tradecraft more than tools. So I think that's a common takeaway between what we're seeing in the cyber espionage landscape. For the defenders in our audience, what are your recommendations? How would you suggest that someone best protect themselves against this sort of thing? Do not open ISO files?
Starting point is 00:17:02 Just kidding, of course. You know, it's very difficult to defend against this type of attack, because again, we are dealing with a targeted attack. I would say there are many layers in which you can stop this attack. We always talk about, you know, defense in depth, thinking about security like an onion. But there are so many layers right now when it comes to endpoint security. And I think at the end of the day, you can tell any user, including me, I think you, we will click on the link.
Starting point is 00:17:38 Maybe we will open that attachment because these guys actually know what they are doing and they will craft it so the chances of you opening it are higher. So I would say that you need not only training for the users, but I would say trying to stop the chain at the point where it tries to get out. And what I mean by this is the exfiltration phase. And I think it was Rob Joyce from the NSA that said, if you want to know if we are in your network, just monitor everything that is going out. And I think this is the way.
Starting point is 00:18:18 I mean, it comes from someone that knows what they're talking about. And I think that's where EDR/XDR comes into play. You need not only detection by static signatures, by heuristics. You need to have visibility over the network as well. Our thanks to Santiago Pontiroli, threat intelligence research lead from the Acronis TRU team. The research is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire.
Starting point is 00:19:04 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:19:33 Thanks for listening. We'll see you back here next time.
