
Threat Actor Profile - APT36



Threat Actor: APT 36; AKA "Mythic Leopard", "Transparent Tribe"


Date of Activity: ~2013-Present


Overview: APT 36 is a cyber espionage group operating in South Asia that primarily targets India's military and government organizations. The group has been active since at least 2013, and its tooling and tradecraft have evolved over that period. It is assessed to be a Pakistan-based, state-sponsored group.


APT 36 has been linked to attacks on Indian military and government bodies, as well as on Bangladeshi targets. Beyond its primary military and government targets, the group has also gone after journalists and human rights activists.


The group typically gains initial access through spear-phishing: a personalized email or message crafted to trick the recipient into clicking a malicious link or opening a malicious attachment. Once a host is compromised, APT 36 deploys a range of tools and techniques to maintain persistence, move laterally through the network and exfiltrate data.


APT 36 is also known for custom malware, notably Crimson RAT, a .NET-based remote access trojan. Crimson RAT gives the operator remote control of the compromised host and the ability to collect sensitive information such as files, screenshots and keystrokes.


To avoid detection, APT 36 encrypts its command-and-control traffic, abuses legitimate software to blend in with normal activity, and covers its tracks by clearing logs and other evidence of its activity.
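The two behaviours above that a defender can actually hunt for on a host are the spear-phishing attachment spawning a shell or script host, and the subsequent log clearing. The following is an added detection example, not code from the original profile or from any vendor report; it runs a couple of rules over constructed Windows-style events (Event ID 4688 process creation, 1102 Security log cleared, 104 System log cleared) and assumes the phishing attachment is an Office document that launches a child process such as cmd.exe. The host names, user names and paths are invented sample data.

```python
"""Hunt for Office-spawned shells and event-log clearing in Windows event data.

Added example: rules and sample events are constructed for illustration,
not taken from the threat actor profile above or any vendor telemetry.
"""
import json
from collections import defaultdict

# Constructed sample telemetry in JSON-lines form (hosts, users and paths are made up).
SAMPLE_LOG = r"""
{"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\explorer.exe", "ParentProcessName": "C:\\Windows\\System32\\userinit.exe"}
{"EventID": 1102, "Computer": "WS-042", "SubjectUserName": "jdoe", "Channel": "Security"}
{"EventID": 104, "Computer": "WS-042", "SubjectUserName": "jdoe", "Channel": "System"}
{"EventID": 4688, "Computer": "WS-017", "SubjectUserName": "asmith", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe"}
"""

# Office parents that should not normally launch interpreters or shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly used by macro or OLE-based droppers to stage a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def parse_jsonl(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_shell(event: dict) -> bool:
    """4688 where an Office application is the parent of a shell or script host."""
    if event.get("EventID") != 4688:
        return False
    parent = basename(event.get("ParentProcessName", ""))
    child = basename(event.get("NewProcessName", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def event_log_cleared(event: dict) -> bool:
    """1102 (Security log cleared) or 104 (another channel, e.g. System, cleared)."""
    return event.get("EventID") in (1102, 104)


RULES = {
    "office_spawned_shell": office_spawned_shell,
    "event_log_cleared": event_log_cleared,
}


def evaluate(events: list[dict]) -> dict[str, set[str]]:
    """Map each host to the set of rule names that fired on it."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev.get("Computer", "?")].add(name)
    return dict(hits)


def correlated_hosts(hits: dict[str, set[str]]) -> list[str]:
    """Hosts where both a delivery indicator and anti-forensic activity fired."""
    return sorted(host for host, rules in hits.items() if len(rules) >= 2)


if __name__ == "__main__":
    events = parse_jsonl(SAMPLE_LOG)
    hits = evaluate(events)
    for host, rules in hits.items():
        print(f"{host}: {', '.join(sorted(rules))}")
    print("escalate:", correlated_hosts(hits))
```

Either rule alone produces some noise (an admin legitimately clearing a log, a macro-driven business workflow), which is why the example escalates only hosts where the delivery indicator and the log clearing occur together; in a real pipeline you would also bound the correlation by time and include the 1102/104 events in a forwarded, append-only log store so that clearing the local log does not erase the evidence of the clearing itself.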


In 2020, researchers from cybersecurity firm Check Point discovered a new campaign by APT 36, targeting Indian military and government organizations with a new variant of the Crimson RAT malware. The new variant was designed to evade detection by anti-virus software and was spread via fake job offers on LinkedIn.


TTPs:

  • Nation-state tool set, including custom implants and RATs (e.g. Crimson RAT)

  • Intelligence collection against militaries and governments

  • Sophisticated social engineering, primarily spear-phishing

  • Encrypted command-and-control communications

  • Long-term, deep access to target networks
