White Paper

Transparent Tribe APT Actively Lures Indian Army

Pages: 14

This research paper investigates a campaign by the Transparent Tribe (APT36) threat group targeting the Indian Army and educational institutions. The attackers use malicious PowerPoint add-in (PPAM) files containing embedded OLE objects to deploy Crimson RAT payloads. The paper provides a step-by-step breakdown of the infection chain, macro execution, payload extraction, persistence mechanisms, and command execution capabilities. It highlights infrastructure overlaps, malware reuse, and historical patterns linking the campaign to APT36. The study underscores the group’s persistent focus on Indian defense and education sectors and recommends layered defenses against macro-based attacks.
