C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | For C0011, Transparent Tribe used malicious VBA macros within a lure document as part of the Crimson malware installation process onto a compromised host. |
| Enterprise | T1587.003 | Develop Capabilities: Digital Certificates | For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During C0011, Transparent Tribe sent malicious attachments via email to student targets in India. |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India. |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | For C0011, Transparent Tribe hosted malicious documents on domains registered by the group. |
| Enterprise | T1204.001 | User Execution: Malicious Link | During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email. |
| Enterprise | T1204.002 | User Execution: Malicious File | During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email. |
For C0011, Transparent Tribe used an updated version of Crimson.