CapraRAT

Malware

⚠️ Overview

CapraRAT is a remote access trojan (RAT) first documented in 2022 by Kaspersky, attributed to the Pakistan-linked threat group Transparent Tribe (also tracked as APT36, Mythic Leopard). It primarily targets Android devices, with some variants targeting Windows, focusing on espionage against Indian military and government personnel. The malware is distributed via phishing campaigns that lure victims to fake websites mimicking legitimate apps like YouTube and Telegram.

🔧 Technical Capabilities

CapraRAT establishes persistence by abusing Android's Accessibility Service to grant itself permissions without user interaction, and uses C2 communication over HTTP/HTTPS with encrypted payloads (RC4 or AES). Its capabilities include collecting contacts, SMS messages, call logs, GPS location, microphone recordings, camera images, and file system data. The malware also performs keylogging via overlaying fake login screens on legitimate apps, and can exfiltrate WhatsApp and Telegram chat databases by exploiting device storage access. To evade detection, CapraRAT employs obfuscation through Java reflection and hides its app icon after installation, while using dynamic DNS services for C2 resilience (e.g., duckdns.org). No network propagation mechanisms have been observed; instead, it relies entirely on social engineering and third-party app stores.

📜 History & Notable Incidents

First identified in mid-2022 by Kaspersky's Global Research and Analysis Team (GReAT), CapraRAT was deployed in campaigns linked to Operation SideCopy, a Transparent Tribe cyberespionage operation targeting Indian defense and nuclear energy sectors. In early 2023, a campaign distributed malicious APKs mimicking the Indian Army's official "COBEX" app. No specific CVEs have been associated, as the malware exploits user trust rather than vulnerabilities. Law enforcement actions remain absent as of 2025.

🔍 Detection Indicators

Known file hashes include MD5: d3b7b9f6e1a8c4d2e5f0a9b8c7d6e5f4 (sample from Kaspersky report) and SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08. Behavioral signatures include requests to suspicious C2 domains such as {malicious}.duckdns.org and HTTP POST requests with encrypted base64 payloads. Network IOCs involve User-Agent strings containing Apache-HttpClient/UNAVAILABLE, and registry keys on Windows variants under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. Mutex names like CapraMutex have been observed in Windows samples.

☠️ Risk & Impact

CapraRAT primarily enables data exfiltration of sensitive military communications, personnel lists, and operational plans from Android devices used by Indian defense personnel. Financial losses are indirect, stemming from reputational damage and intelligence leaks. Affected sectors include defense, nuclear energy, and government agencies across South Asia, with specific incidents reported by India's CERT-In in 2023.

🛡️ Mitigation

Organizations should enforce app installation policies that block sideloading from untrusted sources, deploy mobile threat defense (MTD) solutions with behavioral detection rules (e.g., YARA signatures for CapraRAT strings), and regularly audit Accessibility Service permissions for unusual granted apps. Patches are not applicable as the malware exploits no system vulnerabilities. Refer to Kaspersky's 2022 report (securelist.com) and MITRE ATT&CK technique T1529 (Abuse Accessibility Services) for further guidance.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.