IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

Nov 08, 2024, by Ravie Lakshmanan. Cyber Espionage / Threat Intelligence


High-profile entities in India have been targeted by the Pakistan-based Transparent Tribe threat actor and by a previously undocumented China-nexus cyber espionage group tracked as IcePeony.

The intrusions attributed to Transparent Tribe involve the use of a malware family called ElizaRAT and a new information-stealing payload dubbed ApoloStealer against selected targets, according to a technical report published this week by Check Point.

“ElizaRAT samples indicate an organized misuse of cloud-centric services, including Telegram, Google Drive, and Slack, to aid command-and-control communications,” the Israeli company said.

ElizaRAT, a Windows remote access tool (RAT), was first observed in July 2023 in Transparent Tribe attacks against Indian government sectors. The group has been active since at least 2013 and is also tracked under the aliases APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.


The group's malware arsenal includes tools for compromising Windows, Android, and Linux systems. The shift towards targeting Linux machines was prompted by the Indian government's adoption last year of Maya OS, a custom Ubuntu-based distribution.

Infection chains start with Control Panel (CPL) files, most likely delivered through spear-phishing. Three distinct campaigns using the RAT were identified between December 2023 and August 2024, relying on Slack, Google Drive, and a virtual private server (VPS) for command-and-control (C2).
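As an added example (not code from the original article or from Check Point's report), the following Python rule scans constructed process-creation records for the execution pattern described above: a Control Panel item being loaded from a location an ordinary user can write to. On Windows, opening a .cpl file makes control.exe hand the path to rundll32.exe via the shell32.dll,Control_RunDLL export, so both host processes are checked. The tab-separated record format, the sample paths and the list of user-writable directories are assumptions for the example.

```python
import re

# Added example, not Check Point's or Transparent Tribe's code. Assumed
# record format: image <TAB> parent image <TAB> command line.

# Locations an unprivileged user can write to; a legitimate .cpl lives in
# System32, not here (assumed list, extend to the environment).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SYSTEM32 = "c:\\windows\\system32\\"

# A .cpl argument is either quoted (may contain spaces) or a bare token.
CPL_ARG = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)\b', re.IGNORECASE)

# Constructed sample events; only the first and fourth should be flagged.
SAMPLE_EVENTS = [
    # explorer -> control.exe -> rundll32 loading a .cpl from Downloads
    "C:\\Windows\\System32\\rundll32.exe\tC:\\Windows\\System32\\control.exe\t"
    '"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL '
    '"C:\\Users\\alice\\Downloads\\Invoice.cpl"',
    # a built-in applet opened from System32
    "C:\\Windows\\System32\\control.exe\tC:\\Windows\\explorer.exe\t"
    '"C:\\Windows\\system32\\control.exe" "C:\\Windows\\System32\\main.cpl"',
    # bare applet name, resolved from the system directory
    "C:\\Windows\\System32\\rundll32.exe\tC:\\Windows\\explorer.exe\t"
    "rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,1",
    # .cpl staged under ProgramData
    "C:\\Windows\\System32\\rundll32.exe\tC:\\Windows\\explorer.exe\t"
    "rundll32.exe shell32.dll,Control_RunDLL C:\\ProgramData\\UpdateService\\dhcp.cpl",
    # unrelated process, ignored by the rule
    "C:\\Windows\\System32\\notepad.exe\tC:\\Windows\\explorer.exe\t"
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


def parse_event(line):
    """Split one tab-separated record into its three fields."""
    image, parent, cmdline = line.split("\t", 2)
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}


def evaluate(event):
    """Return the reasons an event looks like a CPL lure (empty list = benign)."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    # Only the two processes that host Control Panel items are of interest.
    hosts_cpl = image.endswith("\\control.exe") or (
        image.endswith("\\rundll32.exe") and "control_rundll" in cmd.lower()
    )
    if not hosts_cpl:
        return []
    reasons = []
    for quoted, bare in CPL_ARG.findall(cmd):
        path = quoted or bare
        lowered = path.lower()
        if "\\" not in lowered:
            # Bare name such as desk.cpl: resolved from the system directory
            # (assumption for the example; a full rule would check the path
            # of the module that actually got loaded).
            continue
        if any(seg in lowered for seg in USER_WRITABLE):
            reasons.append(f"CPL loaded from user-writable path: {path}")
        elif not lowered.startswith(SYSTEM32):
            reasons.append(f"CPL outside System32: {path}")
    return reasons


def scan(lines):
    """Return (index, reasons) for every record the rule flags."""
    hits = []
    for i, line in enumerate(lines):
        reasons = evaluate(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The rule deliberately keys on the argument path rather than on rundll32.exe alone, since Control_RunDLL is launched constantly by legitimate applets; pairing it with a parent of control.exe plus a path under a user profile is what separates a phishing lure from a user opening Display settings.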

ApoloStealer is designed to collect files with specific extensions (DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from the compromised host and send them to a remote server.

In January 2024, the threat actor is said to have adjusted its approach by adding a dropper component that ensures ElizaRAT runs smoothly. Recent attacks have also surfaced a further data-stealing module, ConnectX, designed to search for files on external drives such as USB storage.


The abuse of legitimate services that are commonly used in enterprise environments heightens the risk, because it complicates detection and lets the threat actor blend in with genuine traffic from the system.
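The following Python script is an added example, not code from the original article or from Check Point, of one way to hunt for this kind of traffic. It takes constructed outbound-connection records (timestamp, process image, destination host), compares the process against an allowlist of clients expected to talk to the Slack, Google Drive and Telegram APIs, and checks whether the connections from one process to one host arrive at near-constant intervals, which is how a RAT polling a cloud service for tasking tends to look. The record format, the API hostnames, the allowlist and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Added example, not Check Point's or Transparent Tribe's code. Assumed
# record format: "<ISO-8601 UTC time> <process image> <destination host>".

# Cloud APIs the article reports being used for C2, mapped to the client
# binaries expected to talk to them (assumed allowlist for the example).
CLOUD_API_CLIENTS = {
    "api.slack.com": {"slack.exe"},
    "www.googleapis.com": {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"},
    "api.telegram.org": {"telegram.exe"},
}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed connection records. The "svchost.exe" under AppData is the
# implant stand-in; the real svchost.exe never runs from there.
SAMPLE_CONNECTIONS = [
    "2024-08-01T09:00:00Z C:\\Program Files\\Slack\\slack.exe api.slack.com",
    "2024-08-01T09:00:12Z C:\\Users\\alice\\AppData\\Roaming\\Circle\\svchost.exe api.slack.com",
    "2024-08-01T09:01:30Z C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe api.telegram.org",
    "2024-08-01T09:03:41Z C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe www.googleapis.com",
    "2024-08-01T09:05:02Z C:\\Users\\alice\\AppData\\Roaming\\Circle\\svchost.exe www.googleapis.com",
    "2024-08-01T09:10:12Z C:\\Users\\alice\\AppData\\Roaming\\Circle\\svchost.exe api.slack.com",
    "2024-08-01T09:20:11Z C:\\Users\\alice\\AppData\\Roaming\\Circle\\svchost.exe api.slack.com",
    "2024-08-01T09:30:13Z C:\\Users\\alice\\AppData\\Roaming\\Circle\\svchost.exe api.slack.com",
]


def parse_connection(line):
    """Split a record; the image path may contain spaces, the host never does."""
    ts, rest = line.split(" ", 1)
    image, host = rest.rsplit(" ", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "image": image,
        "host": host.lower(),
    }


def analyze(lines, min_beacons=4, max_jitter=0.10):
    """Return one finding per (process, cloud API) pair that looks wrong."""
    by_pair = defaultdict(list)
    for rec in map(parse_connection, lines):
        if rec["host"] in CLOUD_API_CLIENTS:
            by_pair[(rec["image"], rec["host"])].append(rec["ts"])

    findings = []
    for (image, host), times in by_pair.items():
        reasons = []
        exe = image.lower().rsplit("\\", 1)[-1]
        # 1. Wrong client: the API is reached by something other than the
        #    expected application. Per-user installs of real clients
        #    (Telegram Desktop lives under AppData) are not a signal on
        #    their own, so the path only qualifies an unexpected client.
        if exe not in CLOUD_API_CLIENTS[host]:
            where = " from a user-writable path" if any(
                seg in image.lower() for seg in USER_WRITABLE) else ""
            reasons.append(f"unexpected client {exe}{where} talking to {host}")
        # 2. Beaconing: enough connections at near-constant spacing.
        if len(times) >= min_beacons:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(
                    f"{len(times)} connections every ~{avg:.0f}s (jitter "
                    f"{pstdev(gaps) / avg:.1%}), beacon-like")
        if reasons:
            findings.append({"image": image, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CONNECTIONS):
        print(f["image"], "->", f["host"])
        for r in f["reasons"]:
            print("   ", r)
```

Neither test on its own is conclusive: a browser automation tool can be an "unexpected client", and a sync client polls on a timer too. The combination, an unrecognised binary in a user profile polling an API it has no business with at a fixed cadence, is what warrants pulling the sample.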

“The evolution of ElizaRAT showcases APT36’s intentional steps to improve their malware to elude detection and target Indian organizations effectively,” Check Point remarked. “The introduction of new payloads like ApoloStealer signifies a notable enhancement of APT36’s malware repertoire, hinting at the group’s adoption of a more adaptable, modular approach to payload distribution.”

IcePeony Targets India, Mauritius, and Vietnam

The disclosure follows nao_sec's recent documentation of IcePeony, an advanced persistent threat (APT) group that has targeted government agencies, academic institutions, and political organizations in countries including India, Mauritius, and Vietnam since at least 2023.

“Their attacks typically commence with SQL Injection, succeeded by infiltration through web shells and backdoors,” stated security researchers Rintaro Koike and Shota Nakajima. “Their primary objective is credential theft.”


One of the key tools in the group's arsenal is IceCache, which is tailored to Microsoft Internet Information Services (IIS) servers. An ELF binary written in Go, it is a customized version of the reGeorg web shell, extended with file transfer and command execution capabilities.
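The two stages the researchers describe, SQL injection followed by web-shell tunnelling, both leave traces in the IIS access log. The Python script below is an added example, not code from nao_sec's report or from IcePeony's tooling: it parses a constructed W3C-format IIS log, flags injection attempts in query strings, and then counts reGeorg-style tunnel commands sent to a single script from a single client. The command names (cmd=connect with target and port, then read, forward and disconnect) are those of the public reGeorg tunnel.aspx; IceCache is a customized variant, so its parameter names may well differ and the tunnel check should be treated as a template rather than a signature. The log lines, paths and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus

# Added example, not nao_sec's or IcePeony's code. The tunnel command names
# come from the public reGeorg tunnel.aspx; IceCache is a customised variant,
# so its parameter names may differ (assumption).

SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*(or|and)\s+\S+\s*=\s*\S+",                         # ' OR 1=1
    r"\bunion\s+(all\s+)?select\b",                          # UNION SELECT
    r"(xp_cmdshell|waitfor\s+delay|information_schema|@@version)",
    r"(--|/\*)",                                             # comment truncation
)]

# reGeorg's tunnel.aspx dispatches on ?cmd=...; CONNECT carries target/port.
TUNNEL_CMDS = {"connect", "read", "forward", "disconnect"}

# Constructed W3C-style IIS log (reduced field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-08-01 09:00:01 GET /news/article.aspx id=42 203.0.113.5 200
2024-08-01 09:00:07 GET /news/article.aspx id=42'+OR+1=1-- 203.0.113.5 500
2024-08-01 09:00:19 GET /news/article.aspx id=42+UNION+SELECT+name,password+FROM+users-- 203.0.113.5 200
2024-08-01 09:02:03 GET /aspnet_client/tunnel.aspx - 203.0.113.5 200
2024-08-01 09:02:05 POST /aspnet_client/tunnel.aspx cmd=connect&target=10.0.0.8&port=445 203.0.113.5 200
2024-08-01 09:02:06 POST /aspnet_client/tunnel.aspx cmd=forward 203.0.113.5 200
2024-08-01 09:02:06 POST /aspnet_client/tunnel.aspx cmd=read 203.0.113.5 200
2024-08-01 09:02:08 POST /aspnet_client/tunnel.aspx cmd=read 203.0.113.5 200
2024-08-01 09:02:09 POST /aspnet_client/tunnel.aspx cmd=disconnect 203.0.113.5 200
2024-08-01 09:05:00 GET /news/article.aspx id=43 198.51.100.7 200
""".splitlines()


def parse_iis(lines):
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data row before #Fields header")
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def analyze_iis(lines, min_tunnel_cmds=3):
    """Return SQLi hits per request and tunnel summaries per (client, script)."""
    findings = []
    tunnels = defaultdict(lambda: {"commands": 0, "targets": []})
    for row in parse_iis(lines):
        raw = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        decoded = unquote_plus(raw)  # IIS logs '+' and %xx as sent
        # Stage 1 of the described chain: injection attempts against a
        # parameterised page.
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                findings.append({"type": "sqli", "ip": row["c-ip"],
                                 "stem": row["cs-uri-stem"], "query": decoded,
                                 "status": row["sc-status"]})
                break
        # Stage 2: reGeorg-style tunnel commands to one script from one client.
        params = parse_qs(raw)
        cmd = params.get("cmd", [""])[0].lower()
        if cmd in TUNNEL_CMDS:
            t = tunnels[(row["c-ip"], row["cs-uri-stem"])]
            t["commands"] += 1
            if cmd == "connect" and "target" in params:
                t["targets"].append(
                    f'{params["target"][0]}:{params.get("port", ["?"])[0]}')
    for (ip, stem), t in tunnels.items():
        if t["commands"] >= min_tunnel_cmds:
            findings.append({"type": "tunnel", "ip": ip, "stem": stem, **t})
    return findings


if __name__ == "__main__":
    for f in analyze_iis(SAMPLE_LOG):
        print(f)
```

The useful output of the tunnel stage is the list of internal targets: a web server's own IP address opening connections to port 445 on an internal host is the pivot, and that is what the incident responder needs to chase next. When the customized variant renames its parameters, the fallback is the shape of the traffic rather than the names: a burst of small POST requests to one previously unseen .aspx from one client, with the server simultaneously initiating internal connections.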


The attacks also involve the deployment of a bespoke passive-mode backdoor called IceEvent, which supports file upload and download as well as command execution.

“It is evident that the attackers follow a six-day workweek schedule,” the researchers noted. “While their activity reduces on Fridays and Saturdays, they take a complete break only on Sundays. This examination suggests that the attackers are not conducting these attacks as personal endeavors but rather as part of structured, professional operations.”
