Threat Actor Profile
Mythic Leopard
Mythic Leopard, also known as Transparent Tribe or APT36, is a Pakistan-linked advanced persistent threat (APT) group active since at least 2013. This state-sponsored actor primarily targets Indian government, military, and defense sectors, employing spear-phishing, malware, and deceptive infrastructure to conduct cyber-espionage operations.
Country of Origin
Mythic Leopard is widely attributed to Pakistan, with evidence such as time zone settings and network providers linking their operations to the region.
Members
The exact size and composition of the group are unclear. They operate under aliases such as Transparent Tribe, Earth Karkaddan, and ProjectM, indicating a coordinated and state-aligned structure.
Leadership
The leadership of Mythic Leopard remains unknown. However, their activities suggest alignment with Pakistan's military or intelligence services.
Mythic Leopard TTPs
Tactics
The group focuses on cyber-espionage, targeting Indian defense, government, and critical infrastructure sectors to gather intelligence.
Techniques
Spear-phishing emails with malicious attachments.
Use of fake government portals and malvertising campaigns.
Deployment of malware such as Crimson RAT, ObliqueRAT, and CapraRAT.
Procedures
Leveraging cross-platform programming languages like Python and Golang.
Utilizing cloud services like Telegram, Slack, and Google Drive for command-and-control (C2) operations.
Notable Cyberattacks
Spear-phishing campaigns targeting the Indian Department of Defense Production (DDP) and aerospace sector.
Distribution of malicious ISO images targeting the Indian Air Force.
Law Enforcement & Arrests
No arrests have been reported. However, the group's activities are closely monitored by cybersecurity organizations and law enforcement agencies.
How to Defend Against Mythic Leopard
Implement email filtering and block macro-enabled Office files.
Monitor DNS queries for typosquatted domains.
Enforce phishing-resistant multi-factor authentication (MFA).
Harden cloud services and educate employees on phishing tactics.
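The DNS-monitoring item above can be turned into a small detector. This is an added example, not Huntress code: it scores each queried name against a watchlist of trusted domains by edit distance and flags near-misses. The watchlist, the log format (`<timestamp> <client-ip> <qname>`), the sample lines and the distance threshold of 2 are all assumptions to be replaced with your own.

```python
import re

# Constructed watchlist: legitimate domains to protect from look-alikes.
WATCHLIST = ["ddp-portal.example", "mail.defence.example"]
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # constructed "<ts> <client-ip> <qname>" format

def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(qname):
    """Crude registrable-domain extraction: the last two labels."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def is_lookalike(qname, watchlist=WATCHLIST, max_dist=2):
    """Return the watchlist domain that qname imitates, or None."""
    cand = registrable(qname)
    if cand in {registrable(d) for d in watchlist}:
        return None  # exact match to a trusted domain is not suspicious
    for legit in watchlist:
        if levenshtein(cand, registrable(legit)) <= max_dist:
            return legit
    return None

def scan_dns_log(lines, watchlist=WATCHLIST):
    """Return (client_ip, qname, imitated_domain) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash
        _ts, client, qname = m.groups()
        legit = is_lookalike(qname, watchlist)
        if legit:
            hits.append((client, qname.lower().rstrip("."), legit))
    return hits

# Constructed sample log lines: one exact match, two look-alikes, one unrelated.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 ddp-portal.example.
2024-01-01T10:00:01Z 10.0.0.5 ddp-portl.example.
2024-01-01T10:00:02Z 10.0.0.9 www.defense.example.
2024-01-01T10:00:04Z 10.0.0.7 cdn.unrelated.example.
"""
```

Short domains on the watchlist will sit within two edits of many legitimate names, so tune `max_dist` per domain and review hits before alerting on them.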
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Fancy Bear threats with enterprise-grade technology.