A
You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, Arcova. Formerly Morgan Franklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams, whether solving complex security challenges or building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.
B
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
C
So what brought this particular group to our attention was that we were tracking a RAT, that's a remote access tool, known as getrat. And we started with that and we found some interesting samples, then we got more interesting samples, IPs, and then we started with that to develop into a full-length investigation.
B
That's Santiago Pontiroli, Threat Intelligence Research Lead from the Acronis TRU team. The research we're discussing today is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem."
C
But usually it starts that way with just a single indicator of compromise or maybe an indicator of the group reusing infrastructure from the past.
B
And what was it about this latest campaign from them that stood out compared to some of the things they've done in the past?
C
So usually this group in particular is targeting South Asia and in particular India. So in previous campaigns we saw them mainly doing spear phishing to ministries, governments, financial institutions, things that were, let's say, relevant to them in the sense of intelligence gathering, not so much of, let's say, getting a financial gain. So in this case they were targeting startups in India. And this is my assumption, or my hypothesis in this case, that given that startups don't have as mature security as other companies, but nevertheless they are connected to the broader ecosystem of the government, they are targeting kind of in an indirect supply chain attack. So they target the startups, they get the information that they want from the startups because they are linked to the government. So instead of going directly to the target, they kind of go around it.
B
Well, walk us through the attack chain here. Where do things begin? And take us through what happens.
C
Yeah, sure. So initially the victim or the target receives a spear phishing email. And in this email they get an attachment. So far, so good. I mean, there is nothing unusual about that. In this case, the attachment is what is different from other APT actors or other campaigns. They are using an ISO file. So that's a container file, which you can consider, for example, as an archive, as a ZIP file or 7-Zip or RAR file. But in this case, when you open this container in Windows, by default Windows will try to open it as a virtual CD or DVD-ROM drive. And this is an important detail that I can explain to you later why, but this was a deliberate decision by the APT group to use this particular type of file. So within this container they have a bunch of other files. They have a PowerShell script, they have a document file and also an LNK file. LNK, it's a Windows shortcut file. So, for example, when you create a direct link on your desktop to, I don't know, whatever file you want to open quickly, Windows creates a file that is between like 10 to 12 kilobytes. So a very, very small file that just says where to open the real file. In this case, Transparent Tribe, they are using this file to open a spreadsheet, a Word document. And in the background, they are actually deploying the malware. So if you are the victim, you only see the document you were intended to open, you intended to see. But in the background, a whole bunch of operations are happening. Hmm.
B
So is that opening of the document, is that just misdirection?
C
Yeah, exactly. I mean, in this case, since we are talking about intelligence gathering, they don't want you to be suspicious about anything. It's not like in the past you would see like, you know, hacker groups or script kiddies. Like, I don't know if you remember the Michelangelo virus or things like that. This is a completely different ball game here. We are talking about espionage. So these guys want you to think that you actually opened a legitimate document and in the background, everything is happening.
B
Well, you mentioned the use of ISO files. And as you say, I mean, that's a bit of a trip down memory lane when it comes to things like DVDs. What made them choose that?
C
So there is a particular feature in Windows. When you download a file from the Internet, Windows marks it as not safe, let's say as something that you downloaded from the Internet and it should be checked. You know, when you double-click a file that you just downloaded, you get the prompt from SmartScreen. So you get like, are you sure you want to open this file? But in the case of ISO files, since these are containers or archives and Windows by default tries to mount a DVD drive, it considers ISO files as local archives, so it will bypass Windows protection. It will not prompt SmartScreen. It will just tell you like, hey, yeah, you have your DVD ready to use, come on, use it. And then you can just go and double-click on the shortcut files.
B
I see. Well, the research talks about Crimson RAT and how they're using that. Can you describe to us what that is?
C
Yeah, sure. So APT36 has been using a wide array of remote access tools. Not only Crimson RAT, but they all share some commonalities. The main features are taking screenshots, harvesting credentials, exfiltrating this information using a customized TCP protocol. But I would say that beyond the RAT that this particular group is using, what's new is that they changed the way they are delivering the final payload. What I mean by this is they used Crimson RAT in the past, but they never used it in this way and they never used it in combination with an ISO file, in combination with a Windows shortcut. So it's like they, and I see this in many APT groups, they think like, why reinvent the wheel? Let's just reuse whatever we have right now and see if it works.
B
We'll be right back. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. You mentioned that the sample that you analyzed was padded. They brought it up to about 34 megabytes, just filling it with junk data. What's the practical purpose of inflating a file that way?
C
Oh, that's a lovely question. That usually gets a bunch of analysts really angry, because you would see, and this doesn't happen only with APT groups, it happens with traditional cybercrime. So for example, banking Trojans usually do the same. And this is mainly to bypass quick detection. So any antivirus will scan some files, or actually will scan all the files, but it will scan just a portion of the file initially. And this is because your computer doesn't have infinite resources. So it will scan like maybe the first two megabytes or it will scan properties. It will try to use as little resources as possible. So in this case they are padding the file with a bunch of dummy zeros, ones, whatever information. So initially it will bypass that type of detection, and this is what we call static detection. But there are other types of detection, for example heuristics, which is detecting by the behavior of the file or what it's actually trying to do. You know, cybercriminals and APT groups, they try to avoid detection for as long as possible. I mean, the further down the chain they can go, the more, you know, chances of success they have.
B
And what are the core surveillance and system control capabilities that are built into Crimson RAT?
C
I mean, you can do anything with this RAT, to be honest. It's like any remote control tool that you can think of, like legitimate remote control tools, for example, I don't know, TeamViewer or AnyDesk, things like that. But actually even more powerful, because you can set it up so it takes continuous screenshots one after the other, kind of a video, but just screenshots. So actually it's doing that to reduce the bandwidth usage. You can upload or download files, you can execute commands, you can for example kill processes. If you see, for example, there is any detection suite or anything that you don't want to be there while you're doing the infection, APT36 can just kill the process and basically manage your computer remotely without you even noticing. There are no visible windows, there is no trace of anything wrong happening.
B
You mentioned in the research that some of the infrastructure overlaps with previous campaigns. How confident are you in attributing this to Transparent Tribe?
C
So in the past there was a campaign from this same APT. They were using one of the domains for a while, then they stopped, it was taken down, and after a couple of years we are seeing the same domain again used by these guys. Actually, I think it was the IP address that resolved to a bunch of domains affiliated, or actually that we associate, with APT36. So there is a high degree of confidence there in which we can assess that this is APT36. When you combine that with the usage of Crimson RAT, the targets, because you are targeting startups in India, when you combine the different tactics, techniques and procedures, it's like you can never be 100% sure, but you can say like, hey, everything points to APT36 TTPs.
B
Yeah. When we're looking at the broader implications here, is there anything that this campaign tells us about how these espionage groups are adapting their targeting strategies?
C
I think it's really interesting because APT36 actually has been in the game for more than a decade. They are using the same remote access tools that they have been using for over a decade, but they are shifting the way that they try to infect their victims. So I think the shift that we are seeing is not so much technical, but I think it's in regards to social engineering and actually bypassing the human element. I think APTs evolve targets and tradecraft more than tools. So I think that's a common takeaway between what we are seeing in the cyber espionage landscape.
B
For the defenders in our audience, what are your recommendations? How would you suggest that someone best protect themselves against this sort of thing?
C
Do not open ISO files. Just kidding. Of course, you know, it's very difficult to defend against this type of attack, because again, we are dealing with a targeted attack. I would say there are many layers in which you can stop this attack. We always talk about, you know, defense in depth, thinking about security like an onion. But there are so many layers right now when it comes to endpoint security. And I think at the end of the day you can tell any user, including me, I think we will click on the link, maybe we will open that attachment. Because these guys actually know what they are doing and they will craft it so the chances of you opening it are higher. So I would say that you need not only training for the users, but I would say trying to stop the chain at the point where it tries to get out. And what I mean by this is the exfiltration phase. And I think it was Rob Joyce from the NSA that said, if you want to know if we are in your network, just monitor everything that is going out. And I think this is the way, I mean, it comes from someone that knows what they're talking about, and I think that's where EDR/XDR comes into play. You need not only detection by static signatures, by heuristics, you need to have visibility over the network as well.
B
Our thanks to Santiago Pontiroli, Threat Intelligence Research Lead from the Acronis TRU team. The research is titled "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." We'll have a link in the show notes, and that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Podcast: CyberWire Daily – Research Saturday
Episode Title: Startup surge sparks spy interest
Host: Dave Bittner (N2K Networks)
Guest: Santiago Pontiroli, Threat Intelligence Research Lead, Acronis TRU
Date: April 4, 2026
Theme:
This episode delves into fresh research on a cyber espionage campaign targeting India’s burgeoning startup ecosystem. The investigation centers around APT36 (aka Transparent Tribe) and their evolving tactics to compromise organizations, highlighting new delivery techniques and the broader implications for cyber defense.
This episode provides a thorough examination of APT36’s campaign against the Indian startup ecosystem, highlighted by the novel use of ISO file delivery and LNK shortcuts, dynamic file padding, and supply chain-style targeting. The conversation emphasizes the growing sophistication in social engineering and lateral targeting over technical novelty, urging defenders to focus on network monitoring and layered security strategies.