Episode Overview
Podcast: CyberWire Daily – Research Saturday
Episode Title: Startup surge sparks spy interest
Host: Dave Bittner (N2K Networks)
Guest: Santiago Ponteroli, Threat Intelligence Research Lead, Acronis True Team
Date: April 4, 2026
Theme:
This episode delves into fresh research on a cyber espionage campaign targeting India’s burgeoning startup ecosystem. The investigation centers around APT36 (aka Transparent Tribe) and their evolving tactics to compromise organizations, highlighting new delivery techniques and the broader implications for cyber defense.
Key Discussion Points & Insights
1. How the Research Began
- Initial Trigger:
- Santiago explains their team started examining a remote access tool (RAT) called GetRAT. Their investigation expanded as new malware samples and suspicious IP addresses surfaced.
- “We were tracking a RAT...known as GetRAT. And we started with that, found some interesting samples, then we got more interesting samples, IPs, and...developed into a full-length investigation.” (C, 01:30)
2. Shift in APT36’s Targeting
- New Target: Startups
- APT36 has historically focused on governments and financial institutions in South Asia, prioritizing intelligence gathering over financial gain.
- This campaign represents a strategic move to target Indian startups, likely due to their weaker security and indirect access to government systems.
- “In this case they were targeting startups in India...they are connected to the broader ecosystem of the government. So instead of going directly to the target, they kind of go around it.” (C, 02:39)
- Supply Chain Dynamics:
- Startups serve as an ‘indirect supply chain’ for attacks on government infrastructure.
3. The Attack Chain Breakdown
- Stage 1: Spearphishing Email
- Victims receive an email with an attachment.
- Stage 2: Use of ISO Files
- Innovation: The attachment is an ISO file, which Windows mounts as a virtual DVD drive.
- Contents: The ISO contains a PowerShell script, document file, and a Windows shortcut (LNK file).
- Execution: The victim opens the LNK file, triggering the malware in the background, while only seeing the decoy document.
- “In this case, when you open this container...Windows will try to open it as a virtual CD or DVD ROM drive. And this is an important detail...a deliberate decision.” (C, 04:02)
- “They are using this file to open...a Word document. And in the background, they are actually deploying the malware.” (C, 05:51)
- Evasion: The display of a legitimate-looking document hides malicious activity.
4. Why ISO Files?
- SmartScreen Bypass:
- Santiago details how ISO files evade Windows security prompts (SmartScreen), as the OS treats them as trusted, local media instead of internet downloads.
- “In the case of ISO files...Windows by default tries to mount a DVD drive, it considers ISO files as local archives, so it will bypass Windows protection.” (C, 06:56)
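Because a mounted ISO exposes its contents as a trusted local drive, the practical control is to triage the image before anyone mounts it, at the mail gateway or in the sandbox. The following is an added example, not code from the episode or from Acronis: a minimal ISO 9660 reader that lists the files in the primary directory tree and flags the combination the episode describes (a Windows shortcut next to a script and a decoy document). The sample image is constructed in the script itself (file names, contents and layout are all assumptions; the LNK bytes are only the standard shell-link header, not a working shortcut). A real image may carry Joliet or UDF trees as well; this reader deliberately walks only the primary ISO 9660 root directory.

```python
import struct
from typing import Dict, List

SECTOR = 2048
# Standard shell link header: HeaderSize (0x4C) followed by the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
SCRIPT_EXT = (".PS1", ".VBS", ".BAT", ".CMD", ".JS", ".HTA")
DECOY_EXT = (".DOC", ".DOCX", ".PDF", ".XLS", ".XLSX", ".RTF")


def _both32(v: int) -> bytes:
    """ISO 9660 stores 32-bit fields twice: little-endian then big-endian."""
    return struct.pack("<I", v) + struct.pack(">I", v)


def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    """Build one ISO 9660 directory record (used only to construct the sample image)."""
    body = (
        b"\x00"                              # extended attribute record length
        + _both32(extent)                    # extent location (LBA)
        + _both32(size)                      # data length
        + b"\x00" * 7                        # recording date/time (unused here)
        + (b"\x02" if is_dir else b"\x00")   # file flags: bit 1 = directory
        + b"\x00\x00"                        # file unit size, interleave gap
        + struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
        + bytes([len(name)]) + name
    )
    total = len(body) + 1
    if total % 2:                            # records are padded to an even length
        total += 1
    return bytes([total]) + body + b"\x00" * (total - len(body) - 1)


def build_sample_iso() -> bytes:
    """Constructed image: decoy document, PowerShell script and a shortcut in the root."""
    contents = [
        (b"INVOICE.DOC;1", b"\xd0\xcf\x11\xe0" + b"constructed decoy document"),
        (b"SETUP.PS1;1", b"Write-Output 'constructed sample'\r\n"),
        (b"INVOICE.LNK;1", LNK_MAGIC + b"\x00" * 44),
    ]
    root_lba, first_file_lba = 18, 19
    records = _dir_record(b"\x00", root_lba, SECTOR, True)   # "."
    records += _dir_record(b"\x01", root_lba, SECTOR, True)  # ".."
    file_sectors = []
    for i, (name, data) in enumerate(contents):
        records += _dir_record(name, first_file_lba + i, len(data), False)
        file_sectors.append(data.ljust(SECTOR, b"\x00"))
    pvd = bytearray(SECTOR)                  # primary volume descriptor at sector 16
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    term = bytearray(SECTOR)                 # volume descriptor set terminator at sector 17
    term[0] = 255
    term[1:6] = b"CD001"
    term[6] = 1
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(term)
            + records.ljust(SECTOR, b"\x00") + b"".join(file_sectors))


def list_iso_files(image: bytes) -> List[Dict]:
    """Walk the primary ISO 9660 root directory and return name, size and first bytes of each file."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root = pvd[156:190]
    root_lba = struct.unpack_from("<I", root, 2)[0]
    root_len = struct.unpack_from("<I", root, 10)[0]
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    files, pos = [], 0
    while pos < len(directory) and directory[pos] != 0:
        rec = directory[pos:pos + directory[pos]]
        name = rec[33:33 + rec[32]]
        if not (rec[25] & 0x02) and name not in (b"\x00", b"\x01"):
            extent = struct.unpack_from("<I", rec, 2)[0]
            size = struct.unpack_from("<I", rec, 10)[0]
            data = image[extent * SECTOR:extent * SECTOR + size]
            files.append({"name": name.decode("ascii").split(";")[0],
                          "size": size, "head": data[:32]})
        pos += len(rec)
    return files


def triage_iso(image: bytes) -> Dict:
    """Flag the shortcut-plus-script/decoy pattern; everything else is left for manual review."""
    files = list_iso_files(image)
    names = sorted(f["name"].upper() for f in files)
    has_lnk = any(f["head"].startswith(LNK_MAGIC) or f["name"].upper().endswith(".LNK") for f in files)
    has_script = any(n.endswith(SCRIPT_EXT) for n in names)
    has_decoy = any(n.endswith(DECOY_EXT) for n in names)
    verdict = "suspicious" if has_lnk and (has_script or has_decoy) else "review"
    return {"files": names, "lnk": has_lnk, "script": has_script, "decoy": has_decoy, "verdict": verdict}


if __name__ == "__main__":
    print(triage_iso(build_sample_iso()))
```

The shortcut is recognised by its header bytes rather than by extension alone, so renaming the LNK does not hide it. For images taken from real mail flow, replace `build_sample_iso()` with the bytes of the attachment; a library such as pycdlib handles Joliet and UDF trees that this minimal reader skips.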
5. Crimson RAT: Capabilities & Evolution
- Longstanding Tool: APT36 (Transparent Tribe) relies on widely used RATs such as Crimson RAT, tweaking delivery rather than developing new payloads.
- Features:
- Screenshot capture (even continuous, like a video)
- Credential harvesting
- Upload/download files, run commands, kill processes
- Fully remote, invisible control
- “You can do anything with this RAT...even more powerful because...it takes a continuous one screenshot after the other...” (C, 13:12)
- New Delivery Methods:
- Novel combinations of ISO files and LNK shortcuts to avoid detection.
6. Evasion Tactics: File Padding
- Inflating File Size:
- Samples padded up to 34 MB with junk data to hinder static antivirus scanning.
- “That usually gets a bunch of analysts really angry...it will scan just a portion of the file...So in this case they are padding the file...to bypass that type of detection.” (C, 11:37)
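The defensive counterpart to the padding trick is to treat a large file whose tail is mostly filler as a signal rather than as a reason to skip it. The following is an added example, not code from the episode or from Acronis: it walks a file in fixed-size chunks, measures each chunk's Shannon entropy, and reports how much of the file is low-entropy filler and how long the filler run at the end is. The sample file is constructed inside the script (64 KiB of pseudo-random bytes standing in for a packed executable, followed by 2 MiB of zero bytes); the size and fraction thresholds are assumptions to tune against your own file population.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # granularity of the entropy walk
LOW_ENTROPY = 1.0     # bits per byte; repeated-byte filler sits far below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def padding_profile(data: bytes, chunk: int = CHUNK, low_entropy: float = LOW_ENTROPY) -> dict:
    """Measure how much of a file is low-entropy filler and how long the filler run at EOF is."""
    total = len(data)
    low_bytes = 0
    trailing = 0                      # bytes in the unbroken low-entropy run ending at EOF
    for off in range(0, total, chunk):
        piece = data[off:off + chunk]
        if shannon_entropy(piece) < low_entropy:
            low_bytes += len(piece)
            trailing += len(piece)
        else:
            trailing = 0              # a high-entropy chunk breaks the trailing run
    return {
        "size": total,
        "filler_fraction": low_bytes / total if total else 0.0,
        "trailing_filler_bytes": trailing,
        "trailing_filler_fraction": trailing / total if total else 0.0,
    }


def is_padded(data: bytes, min_size: int = 1_000_000, min_fraction: float = 0.5) -> bool:
    """Triage rule (thresholds assumed): a file at or above min_size whose tail is
    mostly filler gets a full-content scan and an analyst's attention."""
    p = padding_profile(data)
    return p["size"] >= min_size and p["trailing_filler_fraction"] >= min_fraction


def build_padded_sample(payload_size: int = 64 * 1024, pad_size: int = 2 * 1024 * 1024) -> bytes:
    """Constructed stand-in for a padded sample: deterministic pseudo-random bytes
    (high entropy, like packed code) followed by a block of zeros. Not malware."""
    rng = random.Random(2026)
    payload = bytes(rng.getrandbits(8) for _ in range(payload_size))
    return payload + b"\x00" * pad_size


if __name__ == "__main__":
    sample = build_padded_sample()
    print(padding_profile(sample))
    print("padded:", is_padded(sample))
```

Legitimate files can carry low-entropy regions too (sparse resources, installers with reserved areas), so the rule is a triage signal that routes the file to a full scan, not a verdict on its own. The same profile also answers the analyst's question of where the real content ends, which is where static analysis should focus.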
7. Attribution Confidence
- Reused Infrastructure:
- Overlap with previous infrastructure (domains, IPs) linked to APT36.
- Combined with targeting patterns and toolkit, attribution is strong but, as always, not absolute.
- “There is a high degree of confidence...Combine that with the usage of Crimson RAT, the targets...everything points to APT36's TTPs.” (C, 14:29)
8. Evolving Espionage Strategies
- Human Element/Evolving Tradecraft:
- Focus shift from building new technical tools to advanced social engineering and lateral targeting (via supply chain).
- “I think the shift...is not so much technical, but...in regards to social engineering...APTs evolve targets and tradecraft more than tools.” (C, 15:47)
9. Defense Recommendations
- Blocking Exfiltration:
- While user training is helpful, the most reliable detection is at the network egress point: monitoring for suspicious outbound traffic.
- Direct quote referencing Rob Joyce (NSA):
- “If you want to know if we are in your network, just monitor everything that is going out. And I think this is the way...that’s where EDR, XDR comes into play. You need...visibility over the network as well.” (C, 16:40)
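To make the "monitor everything that is going out" advice concrete, here is an added example, not code from the episode or from Acronis, that runs two simple egress heuristics over outbound connection records: fixed-interval connections from one host to one destination (beaconing) and a bulk upload to a destination that no other host talks to. The log lines, their field format, the internal and TEST-NET addresses, and the thresholds are all constructed for this example; in practice the records would come from a proxy, firewall or EDR/XDR sensor.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (format assumed; addresses from documentation ranges).
SAMPLE_LOG = """
2026-03-02T09:00:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
2026-03-02T09:01:12Z src=10.0.5.23 dst=198.51.100.10 dport=443 bytes_out=820
2026-03-02T09:03:40Z src=10.0.5.24 dst=198.51.100.10 dport=443 bytes_out=1210
2026-03-02T09:05:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
2026-03-02T09:10:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
2026-03-02T09:12:30Z src=10.0.5.40 dst=203.0.113.77 dport=443 bytes_out=52428800
2026-03-02T09:15:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
2026-03-02T09:17:05Z src=10.0.5.24 dst=198.51.100.10 dport=443 bytes_out=640
2026-03-02T09:20:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
2026-03-02T09:25:00Z src=10.0.5.23 dst=203.0.113.45 dport=443 bytes_out=4096
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)"
)


def parse_logs(text: str) -> list:
    """Parse records into (timestamp, src, dst, dport, bytes_out); malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    return events


def find_egress_anomalies(events: list, min_beacons: int = 5, max_jitter: float = 0.2,
                          upload_threshold: int = 20_000_000) -> list:
    """Flag (src, dst) pairs that beacon on a steady period or push a large volume to a rare destination."""
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, _dport, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
        hosts_per_dst[dst].add(src)

    findings = []
    for (src, dst), rows in by_pair.items():
        rows.sort()
        total_out = sum(b for _, b in rows)
        if len(rows) >= min_beacons:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
            avg = mean(gaps)
            # Low coefficient of variation in the inter-connection gaps means a timer, not a person.
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                findings.append({"type": "beacon", "src": src, "dst": dst,
                                 "period_s": round(avg), "count": len(rows)})
        # A large outbound volume to a destination only this host uses is the exfiltration shape.
        if total_out >= upload_threshold and len(hosts_per_dst[dst]) == 1:
            findings.append({"type": "bulk_upload_rare_dst", "src": src, "dst": dst,
                             "bytes_out": total_out})
    return findings


if __name__ == "__main__":
    for finding in find_egress_anomalies(parse_logs(SAMPLE_LOG)):
        print(finding)
```

Both heuristics need a baseline to be useful: the rare-destination test works over a window long enough to know which destinations are genuinely uncommon, and the beacon test should tolerate the jitter real implants add, which is why the period check uses a relative rather than an absolute tolerance. Neither replaces EDR/XDR telemetry; they show the kind of question that telemetry has to be able to answer.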
Notable Quotes & Memorable Moments
- On the ease of falling for such attacks:
- “I think we will click in the link, maybe we will open that attachment. Because these guys actually know what they are doing and they will craft it so the chances...are higher.” (C, 16:40)
- On the long-term strategy of APT36:
- “They are using the same remote access tools...but they are shifting the way they try to infect their victims.” (C, 15:47)
- Summing up the sophistication:
- “This is a completely different ball game here. We are talking about espionage.” (C, 06:10)
Timestamps of Important Segments
- How the research started: 01:30 – 01:59
- APT36’s shift to targeting startups: 02:39 – 03:55
- In-depth technical walkthrough of the attack chain: 04:02 – 06:05
- ISO file evasion explanation: 06:45 – 07:52
- Crimson RAT and payload evolution: 08:01 – 09:14
- File padding for evasion: 11:37 – 13:06
- Core RAT capabilities described: 13:12 – 14:16
- Attribution logic: 14:29 – 15:33
- Evolving strategies and defense advice: 15:47 – 18:25
Conclusion
This episode provides a thorough examination of APT36’s campaign against the Indian startup ecosystem, highlighted by the novel use of ISO file delivery and LNK shortcuts, dynamic file padding, and supply chain-style targeting. The conversation emphasizes the growing sophistication in social engineering and lateral targeting over technical novelty, urging defenders to focus on network monitoring and layered security strategies.
For actionable defense:
- Monitor outbound traffic for exfiltration
- Implement EDR/XDR solutions
- Regularly train users but recognize limits of human vigilance
Research referenced:
- "New Year New Sector: Transparent Tribe Targets India's Startup Ecosystem" by Acronis True Team
Quotes are marked by speaker initial (C = Santiago Ponteroli, B = Dave Bittner) and timestamp (MM:SS).