CrimsonRAT

CrimsonRAT is a Windows .NET-based remote access trojan used by Transparent Tribe/APT36, a suspected Pakistan-linked threat actor, and has been described as the group’s primary malware since at least 2020 and its malware of choice for establishing long-term access in victim networks. Reported delivery has relied on spear-phishing and phishing attacks, including malicious Office documents with VBA macros that extract an embedded archive, unzip it, and execute the payload. Campaigns cited in the content targeted Indian entities, including defense, government, critical infrastructure, and educational institutions/students, and the group has historically targeted government employees, military personnel, think tanks, conferences, and also used CrimsonRAT against human rights activists in Pakistan. Documented capabilities include directory and drive listing, process listing, screenshot capture, file read/write/delete, arbitrary command execution, exfiltration to command-and-control servers, and the ability to run or manage keylogger and USB-related modules while reporting their presence or versions to C2. The content also notes overlap in maldocs and macros with ObliqueRAT campaigns, and places CrimsonRAT in Transparent Tribe’s tooling evolution as the Windows family used in parallel with later Linux-focused families such as Poseidon, AresRAT, and DeskRAT. High-confidence infrastructure and campaign details directly tied to CrimsonRAT in the content include student-themed domains such as studentsportal[.]live, studentsportal[.]website, and studentsportal[.]co; additional cloud/media-themed domains cloud-drive[.]store, user-onedrive[.]live, and drive-phone[.]online; subdomains under geo-news[.]tv including cloud-drive.geo-news.tv, drive-phone.geo-news.tv, studentsportal.geo-news.tv, and user-onedrive.geo-news.tv; shared IP 198[.]37[.]123[.]126; and related hosting/name-service links involving vebhost[.]com and zainhosting[.]net.