Saved February 14, 2026
Do you care about this?
Transparent Tribe, a hacking group linked to Pakistan, has targeted Indian government and academic sectors with a new remote access trojan (RAT). The attacks use weaponized files disguised as PDFs and adapt their persistence methods to the antivirus software present on infected systems. Recent activity also includes a campaign that uses malicious shortcut files to deliver additional payloads for long-term access.
If you do, here's more
Transparent Tribe, also known as APT36, is behind a new wave of cyber attacks targeting Indian government and educational institutions. The group employs a remote access trojan (RAT) to gain long-term control over infected systems. Their latest method involves spear-phishing emails that contain a ZIP file with a Windows shortcut (LNK) disguised as a PDF. When users open this file, it executes a malicious HTML Application (HTA) script, which then loads the RAT payload into memory while presenting a legitimate-looking PDF to the user.
This RAT is equipped with various features for remote control, data theft, and system manipulation. It adapts its persistence techniques based on the antivirus software present on the target machine, using tailored approaches for Kaspersky, Quick Heal, Avast, and others. The malware can alter its behavior to evade detection, such as writing payloads to specific directories or modifying the Windows Registry for persistence.
In another campaign, Transparent Tribe has used a shortcut file disguised as a government advisory to deliver a .NET-based loader that sets up remote command execution and long-term access. This method also involves retrieving a malicious MSI installer from a remote server. The malware communicates with a command-and-control server, which remains inactive but can be reactivated. The RAT's DLL features advanced capabilities, including reconnaissance and command execution, making it a significant threat to Indian entities.
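Both campaigns above hinge on the same lure: a Windows shortcut (LNK) inside a ZIP, named to look like a PDF or advisory, whose target launches a script host such as mshta. The following added example (not code from the article or from any vendor report it summarizes) shows a defender-side triage check: it scans an in-memory ZIP, identifies entries by the ShellLink header rather than by extension, flags document-style double extensions, and looks for script-host strings in both ASCII and UTF-16LE. The archive contents, file names and the `mshta.exe ... decoy.hta` target string are constructed sample data.

```python
import io
import re
import zipfile

# ShellLink header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Strings indicating the shortcut launches a script host instead of opening a document
SUSPICIOUS_MARKERS = [b"mshta", b".hta", b"powershell", b"wscript", b"cscript"]
# "report.pdf.lnk"-style names that mimic a document
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)


def analyse_entry(name: str, data: bytes) -> list[str]:
    """Return the reasons a ZIP entry looks like a document-disguised shortcut."""
    reasons = []
    is_lnk = data.startswith(LNK_MAGIC)
    if is_lnk and not name.lower().endswith(".lnk"):
        reasons.append("LNK header but non-.lnk extension")
    if DOC_EXT.search(name):
        reasons.append("double extension mimicking a document")
    if is_lnk:
        # Shortcut strings may be stored as ANSI or UTF-16LE, so check both forms
        hay = data.lower()
        hay_wide = data.decode("utf-16-le", errors="ignore").lower().encode()
        for marker in SUSPICIOUS_MARKERS:
            if marker in hay or marker in hay_wide:
                reasons.append(f"shortcut references {marker.decode()}")
    return reasons


def scan_zip(archive: bytes) -> dict[str, list[str]]:
    """Scan every file in an in-memory ZIP; map flagged entry names to their reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = analyse_entry(info.filename, zf.read(info))
                if reasons:
                    findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a minimal fake LNK disguised as a PDF plus a benign text file."""
    target = "mshta.exe C:\\Users\\Public\\decoy.hta".encode("utf-16-le")
    fake_lnk = LNK_MAGIC + b"\x00" * 40 + target  # header, padding, UTF-16LE target string
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Advisory_2024.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The header check matters because a real LNK renamed to `.pdf` still carries the ShellLink magic, so matching on bytes catches what a name-only filter would miss.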
Around the same time, the hacking group Patchwork has been linked to attacks on Pakistan's defense sector using a Python-based backdoor. Their methods involve delivering malware through ZIP files that execute MSBuild projects. This malware can harvest system information and maintain persistence, tactics similar to Transparent Tribe's. The evolving techniques of both groups highlight the ongoing cyber espionage threats in the region.