Like fraud or espionage? Transparent Tribe lured Indian and Pakistani officials


Key points from the blog post:

  • The Transparent Tribes Campaign primarily targets Indian and Pakistani nationals, perhaps those with a military or political background.
  • It distributes the Android backdoor CapraRAT via trojanized secure calling and messaging applications under the MeetsApp and MeetUp brandings; backdoor can extract any sensitive information from its victim’s device.
  • This trojan application is available for download from a website posing as an official distribution center. We believe romance scams are used to lure targets to this website.
  • Poor operational security around this app exposed users’ PII, allowing us to geolocate 150 victims.
  • CapraRAT is hosted on a domain that resolves to an IP address previously used by Transparent Tribe.

Campaign overview

In addition to the built-in work chat functionality of the original, legitimate app, the trojan version includes malicious code that we have identified as the CapraRAT backdoor. Transparent Tribe, also known as APT36, is a cyber espionage group known to use CapraRAT; we have also seen similar decoys deployed against its targets in the past. The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and extracting other sensitive information. Backdoors can also receive commands to download files, make calls, and send SMS messages. The campaign is narrowly targeted, and there’s nothing to indicate that this app was ever made available on Google Play.

We identified these campaigns when analyzing posted samples Twitter which is interesting because of the matching snort rules for CrimsonRAT and AndroRAT. Snort rules identify and warn of malicious network traffic and can be written to detect certain types of attacks or malware.

CrimsonRAT is Windows malware, only known to be used by Transparent Tribe. In 2021, the group started targeting the Android platform, using a modified version of the open source RAT called AndroRAT. It bears a resemblance to CrimsonRAT, and is named CapraRAT by Trend Micro at his research.


Based on the Android Package Kit (APK) name, the first malicious application was branded MeetsApp and claimed to provide secure chat communication. We were able to find a website where this sample can be downloaded (meetapp(.) org); see Figure 1.

Figure 1. The website of the CapraRAT distribution masquerading as MeetsApp

That page’s download button leads to an Android app of the same name; Unfortunately, the download link is no longer active (https://phone-drive(.)online/download.php?file=MeetsApp.apk). At the time of this research, phone-drive(.)online resolved for 198.37.123(.)126which is the same IP address as phone-drive. online. geo-news(.) tvused in the past by Transparent Tribe to contain the spyware.


Analysis of the MeetsApp distribution website shows that some of its resources are hosted on other servers with similar domain names – meet-up-chat(.) com – use a similar service name. The site also provides an Android messaging app, MeetUp, for download under the same package name ( whereas for MeetsApp, and has the same website logo, as can be seen in Figure 2.

Figure 2. The distribution site CapraRAT masquerading as MeetUp

Attribution to the Transparent Tribe

Both apps – from tweets and from samples downloaded from meet-up-chat(.) com – include the same CapraRAT code, communicate with the same C&C server (66.235.175(.)91:4098), and the APK file is signed using the same developer certificate.

Therefore, we firmly believe that both websites are created by the same threat actor; both domains were registered at almost the same time – July 9thth and July 25th2022.

Both apps are based on the same legitimate code trojaned with the CapraRAT backdoor code. The messaging function appears to have been developed by a threat actor or discovered (possibly purchased) online, as we were unable to identify its origin. Before using the app, victims need to create an account that is linked to their phone number and requires SMS verification. Once this account is created, the app requests further permissions that allow full backdoor functionality to work, such as accessing contacts, call logs, SMS messages, external storage, and recording audio.

Domain phone-drive(.)online where a malicious MeetsApp APK was placed started resolving to the same IP address around the same time as the domain phone-drive. online. geo-news(.) tv which was used in past campaigns controlled by the Transparent Tribe, as reported by Cisco. In addition, the malicious code from the analyzed samples was seen in the previous campaigns reported by Micro Trends where CapraRAT is used. In Figure 3 you can see a comparison of the dangerous class names of CapraRAT available from 2022-01 on the left side, and the latest variants have the same class names and functions.

Figure 3. Comparison of dangerous class names of old CapraRAT (left) and newer versions (right)


During our investigation, weak operational security resulted in the disclosure of some victim data. This information allowed us to geolocate more than 150 victims in India, Pakistan, Russia, Oman and Egypt, as seen in Figure 4.

Figure 4. Distribution of victims

Based on our research, potential victims were persuaded to install the app via a honey trap romance scam operation, where they were likely first contacted on a different platform and then coaxed into using a “safer” one. MeetApp or Meet application. We have previously seen such decoys used by Transparent Tribe operators against their targets. Finding a cell phone number or email address they can use to make their first contact is usually not difficult.

Technical analysis

Early access

As described above, which is dangerous Meet application is available at meet-up-chat(.) comand we believe with high confidence that it is dangerous MeetApp available in meetapp(.) org. No apps will be installed automatically from this location; victims must choose to download and install the application manually. Considering that only a handful of individuals were compromised, we believe that potential victims are highly targeted and cajoled into using romance schemes, with the operator Transparent Tribe most likely establishing first contact via another messaging platform. After gaining the victims’ trust, they suggest moving to another – supposedly more secure – chat application available on one of the malicious distribution websites.

There’s no subterfuge to suggest the app is available on Google Play.


Once the victim logs into the app, the CapraRAT then starts interacting with its C&C server by sending basic device info and waiting to receive commands to execute. Based on this command, CapraRAT is capable of exfiltrating:

  • call logs,
  • contact list,
  • message,
  • recorded phone calls,
  • ambient audio recording,
  • Screenshot taken by CapraRAT,
  • Photo taken by CapraRAT,
  • list of files on device,
  • specific files from the device,
  • device location,
  • list of running applications, and
  • text all notifications from other apps.

It can also receive commands to download files, launch any installed application, kill any running application, make calls, send SMS messages, intercept received SMS messages, and download updates and ask the victim to install them.


The mobile campaign operated by Transparent Tribe is still active, presenting itself as two messaging apps, used as cover to distribute its Android CapraRAT backdoor. Both applications are distributed via two similar websites which, by their description, provide secure messaging and calling services.

Transparent Tribe might use the bait of an amorous scam to lure victims into installing the app and continue to communicate with them using the malicious app to keep them on the platform and make their devices accessible to attackers. CapraRAT is controlled remotely and based on commands from the C&C server, CapraRAT can extract any sensitive information from its victim’s device.

The operator of this application has poor operational security, so the victim’s PII is exposed to our researchers, on the open internet. Because of this, it was possible to get some information about the victims.

ESET Research offers personalized APT intelligence reports and data feeds. For any questions about this service, please visit ESET Threat Intelligence page.



SHA-1 Package name ESET detection name Information
4C6741660AFED4A0E68EF622AA1598D903C10A01 com. meetup. chat Android/Spy.CapraRAT.A The back door of the CapraRAT.
542A2BC469E617252F60925AE1F3D3AB0C1F53B6 com. meetup. chat Android/Spy.CapraRAT.A The back door of the CapraRAT.


I P giver First time seeing Details
66.235.175(.)91 N/A 23-09-2022 C&C.
34.102.136(.)180 Come on dad 27-07-2022 meetapp(.) org – distribution website.
194.233.70(.)54 123-Reg Limited 19-07-2022 meet-up-chat(.) com – distribution website.
198.37.123(.)126 Come on dad 20-01-2022 phone-drive(.)online – Websites hosted APK files.
194.233.70(.)54 Limited Digital Network 23-09-2022 share-lienk(.)info – Website hosting APK files.

MITER ATT&CK technique

This table was created using version 12 MITER ATT&CK framework.

Tactics identifier Name Information
Persistence T1398 Boot or Logon Initialization Script CapraRAT accepts BOOT_COMPLETE broadcast intent to activate at device startup.
T1624.001 Event Triggered Execution: Broadcast Receiver CapraRAT functionality is triggered when one of these events occurs: PHONE_STATE, NEW_OUTGOING_CALL, BATTERY_CHANGEDor CONNECTIVITY_CHANGE.
Invention T1420 File and Directory Discovery CapraRAT can list files available on external storage.
T1424 Process Discovery CapraRAT can get a list of running apps.
T1422 System Network Configuration Discovery CapraRAT can extract IMEI, IMSI, IP address, phone number and country.
T1426 System Information Discovery CapraRAT can extract information about the device including SIM serial number, device ID and general system information.
Collection T1533 Data from Local System CapraRAT can extract files from the device.
T1517 Access Notifications CapraRAT may collect notification messages from other applications.
T1512 Video Capture CapraRAT can take photos and extract them.
T1430 Location Tracking CapraRAT tracks device location.
T1429 Capture Audio CapraRAT can record phone calls and surrounding audio.
T1513 Screenshot CapraRAT can record device screen using MediaProjectionManager FIRE.
T1636.002 Protected User Data: Call Logs CapraRAT can extract call logs.
T1636.003 Protected User Data: Contact List CapraRAT can extract device contact list.
T1636.004 Protected User Data: SMS Messages CapraRAT can extract SMS messages.
Command and Control T1616 Call Control CapraRAT can make phone calls.
T1509 Non-Standard Port CapraRAT communicates with C&C via TCP port 4098.
Impact T1582 SMS control CapraRAT can send SMS messages.


Source link

Related Articles

Back to top button