A hacking group associated with the Pakistani government has repeatedly targeted high-profile entities in India with cyber espionage campaigns throughout 2024, according to cybersecurity provider Check Point.
Researchers at Check Point Research are closely tracking the persistent use of ElizaRAT, a custom implant deployed by Transparent Tribe, a cyber espionage group attributed to Pakistan, also known as APT36.
They observed several campaigns using the remote access trojan (RAT) in 2024, with many likely successful.
Background on ElizaRAT
The malicious group has been using ElizaRAT since at least September 2023.
ElizaRAT infections are often initiated by Windows Control Panel (CPL) files served through Google Storage links, most likely delivered by phishing. ElizaRAT uses cloud services such as Google, Telegram and Slack both for distribution and for command and control (C2) communication.
Some of ElizaRAT’s features also include the following:
- The malware is written in .NET and uses Costura to embed .NET and assembly modules
- It drops lure documents or videos as decoys
- In most samples, it uses IWSHshell to create a Windows shortcut to the malware
- In most samples, it uses SQLite as a resource to store files from the victim’s machine in a local database before exfiltration
- It generates and stores a unique victim ID in a separate file on the machine
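As an added, defender-side example (not code from the original article or from Check Point), the following Python sketch correlates the two stages of the infection chain described above: a Control Panel (.cpl) file launched from a user-writable directory, followed on the same host by a connection to one of the cloud services named as C2 channels. The telemetry is constructed, and the domain substrings, launcher names and path list are assumptions, not indicators from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Services the article names as ElizaRAT distribution/C2 channels. The domain
# substrings are assumptions for this sample, not indicators from the report.
CLOUD_C2_HINTS = ("slack.com", "telegram.org", "googleapis.com", "drive.google.com")
CPL_HOSTS = ("control.exe", "rundll32.exe")  # common hosts for .cpl execution (assumption)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")

@dataclass
class Event:
    ts: datetime
    kind: str    # "process" (detail = command line) or "network" (detail = destination)
    host: str
    detail: str

def is_user_path_cpl_launch(cmdline: str) -> bool:
    """A .cpl loaded by a Control Panel host from a user-writable directory."""
    low = cmdline.lower()
    return (any(h in low for h in CPL_HOSTS) and ".cpl" in low
            and any(p in low for p in USER_WRITABLE))

def is_cloud_c2_candidate(dest: str) -> bool:
    return any(hint in dest.lower() for hint in CLOUD_C2_HINTS)

def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Report a user-path CPL launch followed, within `window` on the same host, by a
    connection to one of the cloud services. Either signal alone is routine in normal
    use (system CPLs, legitimate Slack/Drive traffic); only the sequence is alerted."""
    alerts = []
    for launch in (e for e in events if e.kind == "process" and is_user_path_cpl_launch(e.detail)):
        for e in events:
            if (e.host == launch.host and e.kind == "network"
                    and launch.ts <= e.ts <= launch.ts + window
                    and is_cloud_c2_candidate(e.detail)):
                alerts.append({"host": e.host, "cpl": launch.detail, "c2": e.detail})
                break
    return alerts

# Constructed sample telemetry, not real logs. Only ws-01 shows both stages in order.
T0 = datetime(2024, 11, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", "ws-01", r'"C:\Windows\System32\control.exe" "C:\Users\a\Downloads\invite.cpl"'),
    Event(T0 + timedelta(seconds=40), "network", "ws-01", "api.slack.com:443"),
    Event(T0, "process", "ws-02", r'"C:\Windows\System32\control.exe" C:\Windows\System32\intl.cpl'),
    Event(T0 + timedelta(seconds=5), "network", "ws-02", "api.slack.com:443"),
    Event(T0, "process", "ws-03", r'rundll32.exe shell32.dll,Control_RunDLL C:\Users\b\AppData\Local\Temp\doc.cpl'),
    Event(T0 + timedelta(hours=2), "network", "ws-03", "api.telegram.org:443"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window and path list are tuning knobs; widening them raises recall against delayed beaconing at the cost of more benign CPL-plus-cloud coincidences to triage.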
APT36’s ElizaRAT Improvements
However, towards the end of 2023 it became apparent that ElizaRAT’s execution methods, detection evasion and C2 communication had all evolved.
Check Point Research noticed that in three campaigns spanning the end of 2023 to early 2024, the attacker used a different variant of ElizaRAT to download specific second-stage payloads that automatically collect information.
The researchers shared a technical analysis of each of these campaigns, which they called the Slack, the Circle and the Google Drive campaigns, in their latest blog post, published on November 4.
Their analysis revealed continuous enhancements in the malware’s evasion techniques, leading to an improved version called Circle ElizaRAT and introducing a new stealer payload, ApoloStealer, on specific targets.
“The progression of ElizaRAT reflects APT36’s deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities,” the Check Point researchers concluded. “Introducing new payloads such as ApoloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment. These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage.”