YARA rules for Transparent Tribe
6 rules · scoped to actor · back to Transparent Tribe
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 {
meta:
description = "Detects ELF obfuscation technique used by Sindoor dropper related to APT 36"
author = "Pezier Pierre-Henri"
date = "2025-08-29"
score = 70
reference = "Internal Research"
hash = "6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443"
strings:
$s1 = "UPX!"
condition:
filesize < 10MB
and uint16(0) == 0
and uint16(4) > 0
and $s1 in (0xc0..0x100)
}
rule SUSP_LNX_Sindoor_DesktopFile_Aug25 {
meta:
description = "Detects ELF obfuscation technique used by Sindoor dropper related to APT 36"
author = "Pezier Pierre-Henri"
date = "2025-08-29"
score = 70
reference = "Internal Research"
hash = "9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59"
strings:
$hdr = "[Desktop Entry]"
$s1 = "printf '\\\\x7FELF' | dd of"
$s2 = "Future_Note_Warfare_OpSindoor.pdf"
condition:
filesize < 100KB
and $hdr
and any of ($s*)
}
rule MAL_Sindoor_Decryptor_Aug25 {
meta:
description = "Detects AES decryptor used by Sindoor dropper related to APT 36"
author = "Pezier Pierre-Henri"
date = "2025-08-29"
score = 80
reference = "Internal Research"
hash = "9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b"
strings:
$s1 = "Go build"
$s2 = "main.rc4EncryptDecrypt"
$s3 = "main.processFile"
$s4 = "main.deriveKeyAES"
$s5 = "use RC4 instead of AES"
condition:
filesize < 100MB
and (
uint16(0) == 0x5a4d // Windows
or uint32be(0) == 0x7f454c46 // Linux
or (uint32be(0) == 0xcafebabe and uint32be(4) < 0x20) // Universal mach-O App with dont-match-java-class-file hack
or uint32(0) == 0xfeedface // 32-bit mach-O
or uint32(0) == 0xfeedfacf // 64-bit mach-O
)
and all of them
}
rule MAL_Sindoor_Downloader_Aug25 {
meta:
description = "Detects Sindoor downloader related to APT 36"
author = "Pezier Pierre-Henri"
date = "2025-08-29"
score = 80
reference = "Internal Research"
hash = "38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4"
strings:
$s1 = "Go build"
$s2 = "main.downloadFile.deferwrap"
$s3 = "main.decrypt"
$s4 = "main.HiddenHome"
$s5 = "main.RealCheck"
condition:
filesize < 100MB
and (
uint16(0) == 0x5a4d // Windows
or uint32be(0) == 0x7f454c46 // Linux
or (uint32be(0) == 0xcafebabe and uint32be(4) < 0x20) // Universal mach-O App with dont-match-java-class-file hack
or uint32(0) == 0xfeedface // 32-bit mach-O
or uint32(0) == 0xfeedfacf // 64-bit mach-O
)
and all of them
}
rule ProjectM_DarkComet_1 {
meta:
description = "Detects ProjectM Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
date = "2016-03-26"
modified = "2023-01-27"
hash = "cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157"
id = "6de74d73-f9b2-5e7f-b15e-f850425d849c"
strings:
$x1 = "DarkO\\_2" fullword ascii
$a1 = "AVICAP32.DLL" fullword ascii
$a2 = "IDispatch4" fullword ascii
$a3 = "FLOOD/" fullword ascii
$a4 = "T<-/HTTP://" ascii
$a5 = "infoes" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and 4 of them ) or ( all of them )
}
rule ProjectM_CrimsonDownloader {
meta:
description = "Detects ProjectM Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/"
date = "2016-03-26"
hash = "dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c"
id = "2e0658c9-a93d-5eef-93a2-eb1ab29acaee"
strings:
$x1 = "E:\\Projects\\m_project\\main\\mj shoaib"
$s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii
$s2 = "secure_scan.exe" fullword wide
$s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|mswall" fullword wide
$s4 = "secure_scan|mswall" fullword wide
$s5 = "[Microsoft-Security-Essentials]" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and $x1 ) or ( all of them )
}