#apt36

A sprawling phishing campaign weaponises over 16,800 spoofed domains to impersonate government portals and quietly harvest credentials and payment data on a global scale. Attackers exploit subtle URL tricks like subdomain manipulation and typosquatting to fool users into trusting fake DMV and tax-related services hosted on cloud infrastructure.

Source: Cyble

APT36 spreads Linux malware using .desktop files disguised as PDF documents, downloading hidden Go binaries from Google Drive and maintaining stealthy WebSocket connections for remote control.

Source: CloudSEK

Social engineering and domain spoofing are two of the techniques phishing campaigns rely on to lure in victims, with the latter being a prevalent starting point. Cyble Research and Intelligence Labs (CRIL) has published a breakdown of the latest surge in domain spoofing impersonating government services, which they’ve dubbed ‘Operation TrustTrap’. They’ve found over 16K instances that follow a distinct pattern since the beginning of this year.

It begins with an abuse of trust in URLs that contain .gov. That’s the spoof. Upon initial detection of this campaign, Cyble found that many of the domains were registered in bulk and did not contain malware until they were activated with the wave of attacks. They are, in essence, a dormant reserve, ready and waiting for a payload. Once deployed, the campaign harvests credential and payment card data. While the majority of the attacks are aimed at the US, India, Vietnam and UK adjacent targets have also been found. The pattern of behavior is consistent with APT36 (also known as Transparent Tribe), with infrastructure that resolves to Tencent Cloud and Alibaba Cloud APAC nodes. The impersonation of government services include things like national or state portals, toll systems, and vehicle registration services. Victim contact is often through SMS – which these services do not use for communication – and emails.

With so many domains at the attackers’ disposal, finding and blocking them is challenging. Cyble notes that the life cycle of the campaign follows a pattern of domains being activated for a narrow operational window and then abandoned or rotated, deliberately narrowing the time available for detection, blocklist addition, and takedown. The technique of ‘disposable’ codes is a growing trend in malware attacks, and phishing in particular. By the time a victim is aware of any compromise, the domain has gone dead, leaving no trail to follow for forensic purposes. I’ve talked about the use of disposable codes before, in my report on vibeware. Which has also been used by APT36, incidentally.

Cyble has tracked three basic techniques the campaign is using to impersonate legitimate URLs. Subdomain trust injection, the most commonly seen, where the spoofed domain appears in place of the real one. And the embedded fake is quite subtle. Instead of the genuine .gov, it appears as just gov. The second is hyphen-based semantic manipulation, which substitutes a hyphen in place of a period in strategic instances. For instance, gov-in instead of gov[.]in. The third is a combination of these two, a combined obfuscation that may also include a benign looking word insertion like ‘verify’ or ‘update’.

Given the large number of domains, it’s likely the harvesting of data is automated. Active phishing URLs observed across the infrastructure consistently use a double-query-string parameter pattern, which serves as a session-tracking mechanism for individual victims. This use supports the assessment of an organized, kit-driven operation rather than manually managed individual campaigns. Which also tracks for how APT36 has been evolving their tactics.

This sort of exploitation of visual and cognitive trust mechanisms instead of technical vulnerabilities denotes a shift in how these campaigns are focused and carried out, and makes traditional detection nearly useless. Phishing relies on user interaction, meaning that the victim must click on the fake link themselves; it’s not something that can necessarily be caught beforehand. But that’s why awareness is so important. Cyble lists some other recommendations for security teams as well in their article. They, and I, will keeping an eye on further developments.

Consider a scenario of a small group of defenders beset by overwhelming numbers. The cause looks hopeless, the attackers’ objective being to either starve them out or break through the defenses just one time to open the way for all out assault. It’s the setup of numerous action movies and fantasy stories. And in those stories, some fateful twist or last minute ingenuity saves the day and the defenders will win (or stalemate) somehow. Maybe reinforcements arrive. Maybe the walls hold and attrition whittles down the numbers. Maybe there’s mutually assured destruction. It’s a popular trope, and off the top of my head I can think of half a dozen movies that use it, with varying degrees of victory or lack thereof, for the hapless defenders.

We often say that art imitates life. But more often lately, life is imitating art. APT36, the Pakistan based threat actor also known as Transparent Tribe, has been using a campaign of AI-generated, middling to low quality but enormous quantity of malware attacks. Dubbed as ‘vibeware’, the emerging new family utilizes niche code languages like Nim, Zig, or Crystal to in essence copy the logic of more known languages like C and Go. And then a target is flooded with ‘disposable’ attacks in the hopes that one will slip past security simply through sheer volume. It’s less of an assault on defense as it is a tactic to overwhelm analysts trying to keep up with the noise. Bitedefender’s Radu Tudorica describes it as a distributed denial-of-detection.

The tactic takes advantage of something I’ve been concerned about for a while: the difference between human and machine speed. The trouble with AI-generated malware isn’t that it’s particularly sophisticated or innovative (although some of them are), it’s that it can evolve and shift at a rate that’s just impossible to keep up with for the real people trying to hold it at bay. Automation doesn’t suffer from fatigue or need lunch and bathroom breaks. In the hours when analysts are clocked out, the machine is still churning at scale. Regardless of my personal feelings on LLM’s, AI security is probably the best tool we have to fight against AI malware.

Vibeware often dead ends itself. Many versions of the generated code simply collapse under their own misconfigured or poorly written commands. But that isn’t the point of the attack strategy. Those sloppy, disposable bits are a feint. They make a lot of noise, filling up the logs with more traffic than one can reasonably be expected to sift through, and distract from the piece actually carrying a payload that’s now slipped by an exhausted triage analyst while they were busy tracking everything else. And even if the payload carrying malware is caught, there’s another one somewhere else also carrying a payload to another endpoint. All it takes is one successful incursion to become compromised; vibeware usually has several options, all aimed at a different aspect of the target, whether that’s the cloud services, the messaging apps, or the productivity ones.

So how do we stop it? ReversingLabs has also published a summary of vibeware, and quoted many experts in the security industry. Among them, Jason Soroko, a senior fellow at Sectigo, says that defending against automated malware is less about reacting to how it’s constructed and more about what it’s doing. Strictly enforcing zero-trust compliance to contain unauthorized outbound communication will cut down on the amount of ‘noise’ in the first place. Martin Zugec of Bitedefender says that organizations that have neglected their security hygiene are now going to have to play catch-up. Employing network segmentation, the principle of least privilege, and active endpoint monitoring, and making the environment hostile and unpredictable to attackers, he adds.

Ya know, the basics. I don’t what’s more astounding to me, that someone has figured out how to create digital siege engines or that we’re still having this conversation about baseline security in 2026. Either way, I expect this isn’t the only time I’ll be reporting on it.

Cyber espionage never sleeps. Two notorious advanced persistent threat (APT) groups — Transparent Tribe (APT36) and Patchwork (aka Dropping Elephant / Maha Grass) — have launched fresh waves of remote access trojan (RAT) attacks across South Asia, targeting government, academia, and strategic sectors. Their evolving toolkits and deceptive delivery methods highlight how state‑linked adversaries…

Read the full report on -

Read the full report on -