Clankerusecase
Threat-actor profile

🇵🇰 Transparent Tribe

🇵🇰 Transparent Tribe is a tracked threat actor in the Clankerusecase corpus. PK-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 14 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

Use cases: 14
Articles: 0
Techniques: 14
IOCs: 0

About this actor (MITRE)

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan. (Citation: Proofpoint Operation Transparent Tribe March 2016) (Citation: Kaspersky Transparent Tribe August 2020) (Citation: Talos Transparent Tribe May 2021)

Known aliases

Transparent Tribe, COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM

Detection use cases (14)

- APT36 Crimson RAT loader chain — Office macro spawns script host that drops .NET dropper beaconing on non-standard high TCP port (AI · profile S)
- APT36 Indian-government lookalike domain in inbound email — typosquatted gov.in/nic.in/mod.gov.in delivery (AI · profile S)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Click on URL whose host doesn't match the sender domain (MITRE match)
- Email attachment opened from external sender (MITRE match)
- Office app spawning script/LOLBin child process (MITRE match)
- Phishing-link click correlated to endpoint execution (MITRE match)