One Country, One Obsession
Country and victim-surface distribution
India
The theater stays concentrated. What changes over time is not the rival but who inside India is being approached and through what social surface.
Afghanistan
A secondary line. Afghanistan appears beside India rather than as an equally developed theater with its own long reporting arc.
Phones and campuses
The record gets wider by victim surface, not by country count. University lures and Android surveillance matter more than a new map pin.
Concentration can still imply strategic seriousness.
A narrow theater should not be mistaken for a shallow one. Repeated attention to the same rival often means the operators know exactly what they want.
The map stays narrow, but the narrowness is the point. Most of the published cases point back to India, and the difference between 2021 and 2024 is less about new geography than about how far into civilian and semi-civilian space the lures travel.
Afghanistan appears once, in the A.R. Bunse case, and even there the campaign is paired with India rather than opened as a second major theater. Two other sources do different work: the shared-VBA reporting helps explain operator adjacency, and the Unit 42 registry helps frame one branch of the naming problem.
A Narrow Map, A Long Runway
Publication timeline by year
2021: ObliqueRAT, Armor Piercer, and A.R. Bunse make the access pattern visible.
2022: Government targeting, education lures, shared code, and XLL delivery broaden the record.
2023: No core publication that year, but the later record does not suggest dormancy.
2024: Celestial Force exposes a campaign running since at least 2018.
2025: Unit 42 adds a naming lens for part of the Pakistan-linked ecosystem.
By late 2021 the reporting already shows three distinct access models: Transparent Tribe's bespoke Windows implants, SideCopy-adjacent use of commercial RATs, and a noisier commodity chain hitting India and Afghanistan with dcRAT, QuasarRAT, and Android tooling.
What changes in 2022 is the victim surface, not the campaign logic. The later reporting does not announce a sudden surge so much as it reveals how long some operations have been running in the background. Celestial Force is the clearest example: disclosed in 2024, active since at least 2018.
Cheap Tools, Long Campaigns
Technique sequence that keeps returning
Client execution
Malicious documents, archives, and staged downloaders open the chain.
Script execution
PowerShell and command-shell stages keep the payload path cheap.
Web-based C2
Control rides through ordinary web protocols in most of the published cases.
Cleanup and tampering
Defense evasion shows up as maintenance work rather than theatrical stealth.
Exfiltration
Collection tends to go back over already-established command routes.
Personal collection
Keylogging, screenshots, and device discovery become more important as campaigns move closer to people and phones.
Once execution lands, the chain gets cheaper rather than fancier. Web-based command channels appear again and again, script execution is routine, and cleanup behavior is steady. That is the grammar of this record: small loaders, staged payloads, common remote-access families, and just enough evasion to keep the foothold alive.
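The sequence described in this section (a document opens a script host, the script host and its children talk out over ordinary web protocols, cleanup follows) can be expressed as a chain check over endpoint telemetry rather than as a list of ATT&CK identifiers. The Python below is an added example, not code from Talos, Unit 42 or any of the cited reports; the event records, host names, process names, domains, command line and timestamps are all constructed, and the event shape is a simplified Sysmon-like record assumed for the example.

```python
"""Sequence detector for the document -> script host -> web C2 -> cleanup chain.

Added example. SAMPLE_EVENTS is constructed telemetry in a simplified,
Sysmon-like shape (assumed for this example); nothing here is an indicator
from the cited reports.
"""
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
WINDOW = timedelta(minutes=10)   # how long after the spawn we attribute follow-on activity

SAMPLE_EVENTS = [
    # Benign: Word launched from Explorer, nothing suspicious follows.
    {"host": "ws-hr-02", "ts": "2024-03-05T08:55:10", "type": "process",
     "pid": 2210, "ppid": 1800, "image": "winword.exe", "parent": "explorer.exe"},
    # Benign: an admin runs PowerShell from a console and reaches an internal host.
    {"host": "ws-hr-02", "ts": "2024-03-05T08:57:00", "type": "process",
     "pid": 2300, "ppid": 2100, "image": "powershell.exe", "parent": "cmd.exe"},
    {"host": "ws-hr-02", "ts": "2024-03-05T08:57:03", "type": "network",
     "pid": 2300, "dest": "intranet.corp.example", "port": 443},
    # Suspicious: Word spawns PowerShell, which fetches a stage, runs it, and cleans up.
    {"host": "ws-fin-07", "ts": "2024-03-05T09:12:01", "type": "process",
     "pid": 4120, "ppid": 3990, "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell -w hidden -nop -enc <base64 placeholder>"},
    {"host": "ws-fin-07", "ts": "2024-03-05T09:12:04", "type": "network",
     "pid": 4120, "dest": "portal-update.example", "port": 443},
    {"host": "ws-fin-07", "ts": "2024-03-05T09:12:06", "type": "process",
     "pid": 4188, "ppid": 4120, "image": "svchost-update.exe", "parent": "powershell.exe"},
    {"host": "ws-fin-07", "ts": "2024-03-05T09:12:11", "type": "network",
     "pid": 4188, "dest": "portal-update.example", "port": 443},
    {"host": "ws-fin-07", "ts": "2024-03-05T09:12:15", "type": "file_delete",
     "pid": 4120, "path": r"C:\Users\a\AppData\Local\Temp\stage1.tmp"},
    # Outside the window: must not be attributed to the chain.
    {"host": "ws-fin-07", "ts": "2024-03-05T11:30:00", "type": "network",
     "pid": 4120, "dest": "late.example", "port": 80},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_chains(events):
    """Return one finding per Office-spawned script host, with the network
    destinations, child processes and cleanup seen from its lineage within WINDOW."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "process":
            continue
        if ev.get("parent") not in OFFICE_PARENTS or ev["image"] not in SCRIPT_HOSTS:
            continue
        start = _ts(ev)
        lineage = {ev["pid"]}          # the script host plus every descendant we see
        dests, spawned, cleanup = [], [], False
        for later in events[i + 1:]:
            if later["host"] != ev["host"]:
                continue
            if _ts(later) - start > WINDOW:
                break                  # events are time-ordered, so nothing later qualifies
            if later["type"] == "process" and later["ppid"] in lineage:
                lineage.add(later["pid"])
                spawned.append(later["image"])
            elif later["type"] == "network" and later["pid"] in lineage:
                dests.append((later["dest"], later["port"]))
            elif later["type"] == "file_delete" and later["pid"] in lineage:
                cleanup = True
        findings.append({
            "host": ev["host"], "parent": ev["parent"], "script_host": ev["image"],
            "pid": ev["pid"], "cmdline": ev.get("cmdline", ""),
            "spawned": spawned, "destinations": dests, "cleanup": cleanup,
            # The stages of the chain, in the order the page describes them.
            "stages": ["client_execution", "script_execution"]
                      + (["web_c2"] if dests else [])
                      + (["cleanup"] if cleanup else []),
        })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['script_host']} (pid {f['pid']})")
        print("  stages:", " -> ".join(f["stages"]))
        print("  destinations:", f["destinations"], "| spawned:", f["spawned"])
```

The detector keys on the relationship between stages rather than on any one family name: a script host is only interesting because an Office parent launched it, and a web connection is only attributed because it came from that lineage inside the window. Widening OFFICE_PARENTS to archive and PDF handlers, or adding an allowlist of known-good destinations, are the obvious tuning knobs.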
The most socially important move comes later. The target is no longer just a workstation inside a ministry but a person carrying a phone or opening a university-themed lure. That shift matters more than another malware-family name would.
One Cluster, Several Shadows
Operational lanes visible in the reporting
Transparent Tribe / APT36
The dominant espionage lane in the record: government, military, research-adjacent, and later education lures delivered through staged downloaders and long-lived Windows access tooling.
Cosmic Leopard
Extends the same collection logic onto Android devices and paired desktop infrastructure, with GravityAdmin managing multiple campaigns at once.
SideCopy / Mocking Draco
Overlap in lures, fake domains, and infection chains makes this lane analytically important even when vendor labels do not settle into one clean alias path.
A.R. Bunse
A rougher campaign shape built on political and government-themed domains, a fake Pakistan-based IT firm persona, and a stack of commodity Windows and Android RATs.
Transparent Tribe accounts for most of the clearest India-facing collection reporting. Cosmic Leopard widens the picture without changing its politics. Armor Piercer borrows tactics associated with Transparent Tribe and SideCopy, while Unit 42's registry places Mocking Draco inside its Pakistan-focused Draco grouping.
The practical reading is simple even if the aliasing is not: one mature espionage cluster dominates, several neighboring labels blur around it, and the boundaries matter most when they change defensive scoping or overstate precision.
The Tool Stack Tells the Same Story
Bespoke, mobile, and commodity families
CrimsonRAT
Transparent Tribe's recurring foothold for long-term access.
ObliqueRAT
Selective Windows implant used in targeted operations.
CapraRAT
Android implant kept inside the broader Transparent Tribe arsenal.
GravityRAT
Android surveillance malware at the center of Celestial Force.
GravityAdmin
Admin layer used to manage GravityRAT and HeavyLift infections.
dcRAT
Off-the-shelf Windows access in the A.R. Bunse case.
QuasarRAT
Commodity Windows remote access paired with political lures.
WarzoneRAT / Ave Maria
Commercial remote access delivered through Armor Piercer.
NetWireRAT
Another commercial family inside the same delivery stack.
AndroRAT
Mobile access in the A.R. Bunse campaign.
The inventory is varied without being extravagant. Bespoke implants exist, but the reporting keeps returning to replaceable access families and commercial remote-admin tooling. In this picture, persistence is the more expensive resource. The tools are not.
Three Decisions, Then the Record
Kill the document chain early.
Patch legacy Office execution paths, keep macro and XLL controls strict, and treat government-themed attachments as a primary intrusion surface.
Treat phones as part of the same intrusion.
Celestial Force and the CapraRAT / AndroRAT thread make mobile-device governance part of the core defensive posture.
Investigate the hosting layer.
Lookalike domains, fake portals, and staged download sites recur across the reporting. Hunting only by malware family misses the delivery infrastructure.
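The third decision, hunting the hosting layer rather than the malware family, comes down to triage of newly observed domains against the names an organisation actually cares about. The Python below is an added example, not tooling from any of the cited vendors: the protected names, lure tokens and candidate domains are constructed placeholders under .example and .test, and the registrable-label split assumes a single-label public suffix.

```python
"""Triage newly seen domains for lookalike and fake-portal patterns.

Added example. PROTECTED, LURE_TOKENS and CANDIDATES are constructed
placeholders, not indicators from the cited reports. The registrable-label
split assumes a single-label public suffix (.example, .test).
"""
import re

# Names worth protecting: constructed stand-ins for a ministry and a university.
PROTECTED = ["defmin.example", "nwuniv.example"]

# Tokens that turn a borrowed name into a portal, login or download lure.
LURE_TOKENS = {"portal", "login", "update", "mail", "admissions", "results",
               "secure", "download", "docs", "circular"}

# Cheap lookalike normalisation: digit-for-letter and letter-pair substitutions.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_label(domain):
    """Return (label, tld) for a domain, assuming a single-label public suffix."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize(label):
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch one-character typos of a protected label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate):
    """Return the reasons a candidate looks like a lookalike; empty if none."""
    label, tld = registrable_label(candidate)
    pieces = set(re.split(r"[-_]", label))
    reasons = []
    for protected in PROTECTED:
        plabel, ptld = registrable_label(protected)
        if label == plabel:
            if tld != ptld:
                reasons.append(f"same label as {protected} under a different TLD")
            continue
        if plabel in pieces and pieces & LURE_TOKENS:
            reasons.append(f"embeds {plabel} with lure token(s) {sorted(pieces & LURE_TOKENS)}")
        if normalize(label) == plabel:
            reasons.append(f"homoglyph variant of {protected}")
        elif len(plabel) >= 5 and levenshtein(label, plabel) == 1:
            reasons.append(f"one edit away from {protected}")
    return reasons


def hunt(candidates):
    """Map each flagged candidate to its reasons; clean candidates are omitted."""
    return {c: r for c in candidates for r in [assess(c)] if r}


CANDIDATES = [  # constructed
    "defmin.example",               # the protected name itself: not flagged
    "defmin-portal-login.example",  # borrowed name plus lure tokens
    "defrnin.example",              # rn -> m homoglyph
    "defmln.example",               # one-character typo
    "defmin.test",                  # same label, different TLD
    "nwuniv-admissions.example",    # university admissions lure
    "weather.example",              # unrelated
]

if __name__ == "__main__":
    for domain, reasons in hunt(CANDIDATES).items():
        print(domain, "->", "; ".join(reasons))
```

Feeding this from certificate-transparency logs or passive DNS for the protected names gives a hunting queue independent of which RAT family lands on the other side; the edit-distance rule is deliberately restricted to longer labels and a single edit to keep short, common words out of the queue.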
Pakistan does not sit outside other actors' collection maps. Mandiant's 2018 TEMP.Zagros case and Talos's 2022 MuddyWater overview both place Pakistan inside Iran-linked regional targeting. In 2024 CoralRaider includes Pakistan in a broad credential-theft victim set. In 2025 Unit 42's postal phishing and Phantom Taurus reporting place Pakistan inside two very different China-linked collection stories. The outward-facing record is smaller than the Iran feature's, but it does not feel minor.
Transparent Tribe APT expands its Windows malware arsenal
Defense-focused targeting in the Indian subcontinent; ObliqueRAT expands a long-running Transparent Tribe line.
Operation "Armor Piercer:" Targeted attacks in the Indian subcontinent using commercial RATs
Commercial RAT chain with fake domains and APT36 / SideCopy-adjacent lure style aimed at Indian government personnel.
Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India
A.R. Bunse case against India and Afghanistan using dcRAT, QuasarRAT, and Android tooling.
What's with the shared VBA code between Transparent Tribe and other threat actors?
Code reuse across Transparent Tribe and neighboring South Asian operators; useful for overlap, not simplistic alias merges.
Transparent Tribe campaign uses new bespoke malware to target Indian government officials
Indian government and military targeting with new stagers, established Windows implants, and mobile-implant context.
Transparent Tribe begins targeting education sector in latest campaign
Education-sector pivot with CrimsonRAT, student-focused lures, and a clearer link between long-term access and civilian surfaces.
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
Useful mainly for the user-execution surface and the Donot caveat, not as a clean Pakistan-origin campaign centerpiece.
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Pakistan-linked mobile-plus-desktop campaign against Indian entities, disclosed in 2024 but active since at least 2018.
Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025)
Registry-style naming layer that places Mocking Draco inside Unit 42's Pakistan-focused Draco grouping.
Pakistan as target
Context articles used here: TEMP.Zagros 2018, MuddyWater 2022, CoralRaider (2), postal phishing 2025, and Phantom Taurus 2025.
Methodological Note
This feature is built from nine core publications on Pakistan-linked activity and six additional articles where Pakistan appears primarily as a target. The sources disagree on how to separate Transparent Tribe, APT36, SideCopy, and Mocking Draco. The page keeps those disagreements visible instead of forcing a single lineage that the reporting itself does not cleanly support.
All charts and primary claims use the same nine-source reporting base; context articles are used to position Pakistan inside the wider regional picture.
Transparent Tribe is used as the preferred label for the recurring Talos cluster, while SideCopy and Mocking Draco remain adjacent rather than silently merged.
Technique counts are rolled up into sequence-level behaviors so the reader can see the intrusion pattern rather than a wall of ATT&CK identifiers.
The argument here is about concentration, persistence, and widening victim surfaces. It is not a claim that every Pakistan-linked label belongs to one operator.