ElizaRAT: APT36 Targets Windows, Linux, and Android Systems in 2024

ElizaRAT, a sophisticated Remote Access Trojan (RAT) for Windows developed by the APT36 group, also referred to as Transparent Tribe, is making waves in the cybersecurity community. This notorious Pakistani threat actor group, known for targeting Indian government agencies, diplomatic personnel, and military installations, has now expanded its reach to major platforms including Windows, Linux, and Android systems.

Advanced Capabilities of ElizaRAT

First discovered in 2023, ElizaRAT showcases various advanced capabilities indicative of its high-level design and dangerous potential. Written in .NET with embedded .NET and assembly modules, it uses .CPL files for execution evasion and leverages cloud services such as Google, Telegram, and Slack for distribution and command-and-control (C2) communication. Among its other features, ElizaRAT deploys decoy documents or videos, utilizes IWSHshell for persistence, implements SQLite for temporary file storage, and generates and stores unique victim IDs.

Key Campaigns Involving ElizaRAT

Three key campaigns have been identified involving ElizaRAT: Slack, Circle, and Google Drive.

Slack Campaign

The Slack campaign employs SlackAPI.dll for its core functions and delivers malware using CPL files. This malware checks for new instructions every 60 seconds and sends and receives messages via specific Slack channels. The use of Slack’s infrastructure allows the malware to blend in with legitimate traffic, making detection more challenging.

Circle Campaign

Launched in January 2024, the Circle campaign introduces improved evasion techniques with a dropper component. Instead of cloud services, it uses a Virtual Private Server (VPS) and checks for the Indian Standard Time zone to ensure it targets the intended region. It registers victim information in specific files and communicates with a dedicated server for data exfiltration. This method enhances its stealth capabilities and effectiveness in data theft operations.

Google Drive Campaign

In the Google Drive campaign, ElizaRAT uses Google Cloud for C2 communication, downloading payloads from multiple VPS. The Trojan utilizes extensionhelper_64.dll and ConnectX.dll payloads, which are renamed to mimic legitimate software, such as SpotifyAB.dll. This tactic further obfuscates its presence, making it harder for security systems to detect and respond to the threat.

Infrastructure Analysis

The analysis of ElizaRAT’s infrastructure uncovered several IP addresses associated with its operations. Among these, some have been flagged as malicious or suspicious, including:

  • 84.247.135.235
  • 143.110.179.176
  • 64.227.134.248
  • 38.54.84.83
  • 83.171.248.67

Conclusion: An Evolving Cyberthreat

ElizaRAT is a sophisticated and highly advanced Remote Access Trojan (RAT) developed by the notorious APT36 group, also known as Transparent Tribe. This Pakistani threat actor group has been making significant waves within the cybersecurity community. Known for its high-profile cyber espionage activities, APT36 has primarily targeted Indian government agencies, diplomatic personnel, and military installations. With the development and deployment of ElizaRAT, their capability to infiltrate and gather intelligence has become even more formidable. Originally focusing on Windows systems, APT36’s malicious activities have now expanded their reach to major platforms, including Linux and Android systems. This cross-platform versatility makes ElizaRAT a potent tool for APT36’s cyber espionage missions, posing a significant and evolving threat to cybersecurity worldwide. The group’s ability to develop and adapt such sophisticated tools underscores the persistent and growing challenge that cybersecurity professionals must address.

Explore more

Apple iPhone 18 Leak Reveals RAM Upgrades for Advanced AI

Dominic Jainy brings a wealth of knowledge to the table regarding the hardware-software symbiosis required for modern artificial intelligence. As an IT professional deeply embedded in the evolution of silicon architecture and machine learning, he offers a unique perspective on why seemingly incremental hardware shifts often dictate the entire user experience. This discussion explores the technical nuances of Apple’s transition

Why Are Investors Choosing Pepeto Over Stagnant Ethereum?

The global cryptocurrency landscape is currently undergoing a fundamental reorganization as capital increasingly migrates from established legacy protocols toward nimble, utility-driven newcomers that offer significant growth potential. For years, Ethereum remained the undisputed leader in smart contract functionality, yet its recent price stagnation has left many market participants searching for more dynamic opportunities. This transition is not merely a product

AI Becomes the Core Infrastructure of Global Banking

The global financial sector has officially moved past the phase of speculative experimentation, cementing artificial intelligence as the definitive architectural foundation upon which all modern banking services now operate. This structural metamorphosis represents a pivot from peripheral innovation toward a state of full-scale operational maturity, where algorithms are no longer viewed as external additions but as the very core of

Will the Vivo X500 Series Set New Flagship Standards?

The swift evolution of mobile technology often leaves consumers wondering if the next major release will truly redefine the experience or simply polish existing features. Currently, the industry looks toward the X500 series as a potential catalyst for change. The pace of innovation has accelerated to a point where a yearly cycle no longer satisfies the hunger for cutting-edge hardware

AI and Supply Chain Risks Reshape the Cyber Threat Landscape

The speed at which a software vulnerability transforms from a quiet discovery into a weaponized global threat has reached a breaking point, redefining the very concept of digital defense. This phenomenon, frequently described as the compression of time, characterizes a modern landscape where the gap between the identification of a flaw and its active exploitation by malicious actors has essentially