Operation C-Major  (Back to overview)

aka: C-Major, Transparent Tribe, Mythic Leopard, ProjectM, APT36, APT 36, TMP.Lapis

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.


Associated Families
apk.stealthmango win.andromeda win.beendoor win.bezigate win.bozok win.breach_rat win.crimson win.darkcomet win.luminosity_rat win.njrat win.peepy_rat win.unidentified_066

References
2019-12-24 ⋅ Github (itsKindred)Derek Kleinhen
@techreport{kleinhen:20191224:bashar:944cfdf, author = {Derek Kleinhen}, title = {{Bashar Bachir Infection Chain Analysis}}, date = {2019-12-24}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf}, language = {English}, urldate = {2020-01-10} } Bashar Bachir Infection Chain Analysis
NjRAT
2019-09-26 ⋅ ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-01-05} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
Crimson RAT
2019-08-30 ⋅ Github (threatland)ThreatLand
@online{threatland:20190830:njrat:995c281, author = {ThreatLand}, title = {{njRAT builders}}, date = {2019-08-30}, organization = {Github (threatland)}, url = {https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT}, language = {English}, urldate = {2020-01-08} } njRAT builders
NjRAT
2019-03-27 ⋅ SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-25 ⋅ 360 Core Securityzhanghao-ms
@online{zhanghaoms:20190325:patting:92fda17, author = {zhanghao-ms}, title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}}, date = {2019-03-25}, organization = {360 Core Security}, url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html}, language = {Chinese}, urldate = {2020-01-08} } Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization
Houdini NjRAT
2019-03-05 ⋅ TencentTencent
@online{tencent:20190305:transparenttribe:55798e4, author = {Tencent}, title = {{TransparentTribe APT organizes 2019 attacks on Indian government and military targets}}, date = {2019-03-05}, organization = {Tencent}, url = {https://s.tencent.com/research/report/669.html}, language = {Chinese}, urldate = {2020-01-08} } TransparentTribe APT organizes 2019 attacks on Indian government and military targets
Crimson RAT Unidentified 066 Operation C-Major
2018-08-02 ⋅ Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-05 ⋅ National Critical Information Infrastructure Protection CentreNational Critical Information Infrastructure Protection Centre
@techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } NCIIPC Newsletter July 2018
Operation C-Major
2018-07 ⋅ Brian Krebs
@online{krebs:201807:luminositylink:1d9ce64, author = {Brian Krebs}, title = {{‘LuminosityLink RAT’ Author Pleads Guilty}}, date = {2018-07}, url = {https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/}, language = {English}, urldate = {2019-10-23} } ‘LuminosityLink RAT’ Author Pleads Guilty
Luminosity RAT
2018-05-18 ⋅ CrowdStrikeAdam Meyers
@online{meyers:20180518:meet:79af163, author = {Adam Meyers}, title = {{Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD}}, date = {2018-05-18}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/}, language = {English}, urldate = {2019-12-20} } Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD
Operation C-Major
2018-05-15 ⋅ Amnesty InternationalAmnesty International
@online{international:20180515:pakistan:c41a7ec, author = {Amnesty International}, title = {{PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE}}, date = {2018-05-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/documents/asa33/8366/2018/en/}, language = {English}, urldate = {2019-11-28} } PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE
Operation C-Major
2018-05-15 ⋅ Amnesty InternationalBrave
@techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN
StealthAgent Crimson RAT
2018-05-14 ⋅ LookoutLookout
@online{lookout:20180514:stealth:ebcc067, author = {Lookout}, title = {{Stealth Mango & Tangelo Technical Report}}, date = {2018-05-14}, organization = {Lookout}, url = {https://www.lookout.com/info/stealth-mango-report-ty}, language = {English}, urldate = {2020-01-13} } Stealth Mango & Tangelo Technical Report
Stealth Mango
2018-05 ⋅ FireEyeAnca Holban
@techreport{holban:201805:mtrends:b30aba2, author = {Anca Holban}, title = {{M-Trends May 2018: From the field}}, date = {2018-05}, institution = {FireEye}, url = {https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf}, language = {English}, urldate = {2020-01-06} } M-Trends May 2018: From the field
Operation C-Major
2018-02-08 ⋅ FortinetBahare Sabouri, He Xu
@online{sabouri:20180208:review:258f981, author = {Bahare Sabouri and He Xu}, title = {{A review of the evolution of Andromeda over the years before we say goodbye}}, date = {2018-02-08}, organization = {Fortinet}, url = {https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/}, language = {English}, urldate = {2019-10-15} } A review of the evolution of Andromeda over the years before we say goodbye
Andromeda
2018-02-07 ⋅ Palo Alto Networks Unit 42Simon Conant
@online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts
Luminosity RAT
2018 ⋅ FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba Ratabanka REDSHAWL WORMHOLE Lazarus Group
2017-12-04 ⋅ EuropolEuropol
@online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } Andromeda botnet dismantled in international cyber operation
Andromeda
2017-12-04 ⋅ MicrosoftMicrosoft Defender ATP Research Team, Microsoft Digital Crimes Unit
@online{team:20171204:microsoft:0cab56d, author = {Microsoft Defender ATP Research Team and Microsoft Digital Crimes Unit}, title = {{Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)}}, date = {2017-12-04}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/}, language = {English}, urldate = {2020-01-13} } Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
Andromeda
2017-03-13 ⋅ MorphisecRoy Moshailov
@online{moshailov:20170313:moving:91556bc, author = {Roy Moshailov}, title = {{Moving Target Defense Blog}}, date = {2017-03-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/andromeda-tactics-analyzed}, language = {English}, urldate = {2020-01-13} } Moving Target Defense Blog
Andromeda
2017-01-18 ⋅ CiscoAndrea Scarfo
@online{scarfo:20170118:finding:d28d23c, author = {Andrea Scarfo}, title = {{Finding the RAT’s Nest}}, date = {2017-01-18}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/}, language = {English}, urldate = {2019-11-27} } Finding the RAT’s Nest
Luminosity RAT
2016-11-30 ⋅ FortinetLilia Elena Gonzalez Medina
@online{medina:20161130:bladabindi:22e025f, author = {Lilia Elena Gonzalez Medina}, title = {{Bladabindi Remains A Constant Threat By Using Dynamic DNS Services}}, date = {2016-11-30}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services}, language = {English}, urldate = {2020-01-09} } Bladabindi Remains A Constant Threat By Using Dynamic DNS Services
NjRAT
2016-07-30 ⋅ MalwareNailedFaisal AM Qureshi
@online{qureshi:20160730:luminosity:705e740, author = {Faisal AM Qureshi}, title = {{Luminosity RAT - Re-purposed}}, date = {2016-07-30}, organization = {MalwareNailed}, url = {http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html}, language = {English}, urldate = {2020-01-13} } Luminosity RAT - Re-purposed
Luminosity RAT
2016-07-08 ⋅ Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20160708:investigating:576bb94, author = {Josh Grunzweig}, title = {{Investigating the LuminosityLink Remote Access Trojan Configuration}}, date = {2016-07-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/}, language = {English}, urldate = {2019-12-20} } Investigating the LuminosityLink Remote Access Trojan Configuration
Luminosity RAT
2016-06-03 ⋅ FireEyeYin Hong Chang, Sudeep Singh
@online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major
2016-04-06 ⋅ AvastThreat Intelligence Team
@online{team:20160406:andromeda:4b7f3e6, author = {Threat Intelligence Team}, title = {{Andromeda under the microscope}}, date = {2016-04-06}, organization = {Avast}, url = {https://blog.avast.com/andromeda-under-the-microscope}, language = {English}, urldate = {2020-01-13} } Andromeda under the microscope
Andromeda
2016-03-25 ⋅ Palo Alto Networks Unit 42Robert Falcone, Simon Conant
@online{falcone:20160325:projectm:afcff3a, author = {Robert Falcone and Simon Conant}, title = {{ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe}}, date = {2016-03-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe}, language = {English}, urldate = {2020-01-10} } ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
Bozok Operation C-Major
2016-03 ⋅ Trend MicroDavid Sancho, Feike Hacquebord
@techreport{sancho:201603:operation:b3de3b2, author = {David Sancho and Feike Hacquebord}, title = {{Operation C-Major: Information Theft Campaign Targets Military Personnel in India}}, date = {2016-03}, institution = {Trend Micro}, url = {http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf}, language = {English}, urldate = {2020-01-07} } Operation C-Major: Information Theft Campaign Targets Military Personnel in India
Operation C-Major
2016-03-01 ⋅ ProofpointDarien Huss
@techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } Operation Transparent Tribe
Andromeda beendoor Bezigate Crimson RAT Luminosity RAT Peepy RAT Operation C-Major
2016 ⋅ CysinfoMonnappa K A
@online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = {https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS
Operation C-Major
2015-09-29 ⋅ InfoSec InstituteAyoub Faouzi
@online{faouzi:20150929:andromeda:543098f, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 2}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/}, language = {English}, urldate = {2020-01-07} } Andromeda Bot Analysis part 2
Andromeda
2015-09-29 ⋅ InfoSec InstituteAyoub Faouzi
@online{faouzi:20150929:andromeda:06d70c0, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 1}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis/}, language = {English}, urldate = {2020-01-13} } Andromeda Bot Analysis part 1
Andromeda
2015-06-25 ⋅ ProofpointProofpoint Staff
@online{staff:20150625:sundown:53454bc, author = {Proofpoint Staff}, title = {{Sundown EK Spreads LuminosityLink RAT: Light After Dark}}, date = {2015-06-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark}, language = {English}, urldate = {2019-12-20} } Sundown EK Spreads LuminosityLink RAT: Light After Dark
Luminosity RAT
2015-04-17 ⋅ Eternal TodoJose Miguel Esparza
@online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } Andromeda/Gamarue bot loves JSON too (new versions details)
Andromeda
2015-04-15 ⋅ ByteAtlas
@online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers
Andromeda
2015-01-22 ⋅ Trend MicroMichael Marcos
@online{marcos:20150122:new:1fdb830, author = {Michael Marcos}, title = {{New RATs Emerge from Leaked Njw0rm Source Code}}, date = {2015-01-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/}, language = {English}, urldate = {2019-12-17} } New RATs Emerge from Leaked Njw0rm Source Code
NjRAT
2013-10-31 ⋅ FireEyeThoufique Haq, Ned Moran
@online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } Know Your Enemy: Tracking A Rapidly Evolving APT Actor
Bozok Poison Ivy Temper Panda
2013-09-01 ⋅ Eternal TodoJose Miguel Esparza
@online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } Yet another Andromeda / Gamarue analysis
Andromeda
2013-08-01 ⋅ Virus BulletinSuweera De Souza
@online{souza:20130801:andromeda:030b7db, author = {Suweera De Souza}, title = {{Andromeda 2.7 features}}, date = {2013-08-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features}, language = {English}, urldate = {2020-01-09} } Andromeda 2.7 features
Andromeda
2013-03-30 ⋅ 0xEBFE Blog about life0xEBFE
@online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } Fooled by Andromeda
Andromeda
2012-10-05 ⋅ MalwarebytesAdam Kujawa
@online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } Dark Comet 2: Electric Boogaloo
DarkComet
2012-06-21 ⋅ Contagio DumpMila Parkour
@online{parkour:20120621:rat:2186087, author = {Mila Parkour}, title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}}, date = {2012-06-21}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html}, language = {English}, urldate = {2019-12-20} } RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT
2012-06-09 ⋅ MalwarebytesAdam Kujawa
@online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } You dirty RAT! Part 1: DarkComet
DarkComet

Credits: MISP Project