Explained: How Pakistani hackers are using ElizaRAT ‘virus’ to target India

A Pakistan-affiliated hacking group, known as Transparent Tribe or APT36, is targeting Indian entities with an increasingly sophisticated malware called ElizaRAT, as reported by Checkpoint Research. The malware, first disclosed in September 2023, has evolved to include enhanced evasion techniques and advanced command and control capabilities.
According to the report, the threat actor conducted three distinct campaigns between late 2023 and early 2024, each employing different variants of ElizaRAT to gather information from targeted systems. All variants specifically checked for India Standard Time zone settings, indicating a clear focus on Indian targets.

The working of Pakistani hackers

In the first campaign, the attackers utilised Slack channels for command and control communication and introduced a new payload called ApoloStealer, designed to collect and exfiltrate desktop files. The second campaign, dubbed “Circle,” launched in January 2024 with improved detection evasion capabilities and relied on virtual private servers for communication instead of cloud services.
The third campaign leveraged Google Drive for command and control operations while deploying specialised information-stealing payloads. The malware typically spreads through executable files shared via Google Storage links, likely distributed through phishing attacks.
Transparent Tribe, which has previously targeted Indian government organisations, diplomatic personnel, and military facilities, demonstrates increasing sophistication in its cyber espionage efforts. The group has adapted its tactics to use popular cloud services like Google, Telegram, and Slack to disguise its malicious activities within normal network traffic.