Transparent Tribe Is Using AI to Scale Spear-Phishing Attacks Against Military and Government Targets

Pakistan-linked APT group Transparent Tribe is using generative AI to mass-produce convincing spear-phishing emails targeting Indian military and government personnel, dramatically improving their social engineering quality while continuing to deploy CrimsonRAT malware through refined infection chains.
Transparent Tribe Is Using AI to Scale Spear-Phishing Attacks Against Military and Government Targets
Written by Maya Perez

Pakistan-linked threat group Transparent Tribe has added generative AI to its operations, using large language models to craft convincing spear-phishing emails at a scale that wasn’t previously possible for the group. The development marks a significant escalation in the APT group’s capabilities — and a concrete example of what security researchers have long warned about: AI-assisted cyberattacks moving from theoretical risk to operational reality.

The findings, reported by The Hacker News, detail how the group — also tracked as APT36, Earth Karkaddan, and Mythic Leopard — has been deploying AI-generated phishing lures primarily targeting Indian military personnel, defense contractors, and government officials. The campaign represents a sharp departure from the group’s historically sloppy social engineering attempts, which were often riddled with grammatical errors and formatting inconsistencies that made them easier to spot.

Not anymore.

Researchers at SentinelOne and BlackBerry first flagged anomalies in Transparent Tribe’s phishing infrastructure in early 2026. The emails showed a marked improvement in language quality, contextual relevance, and personalization — hallmarks of LLM-assisted content generation. Some messages referenced specific military procurement programs, recent policy changes, and even personnel rotations that suggested the group was feeding real intelligence into AI models to produce targeted lures. The volume of unique phishing templates also surged, with analysts estimating a threefold increase compared to the group’s 2025 output.

So how exactly is the group using AI? According to the reporting, Transparent Tribe appears to be employing commercially available LLMs — likely accessed through jailbroken interfaces or underground API resellers — to generate phishing email text, craft fake document content, and produce social media personas for initial contact with targets. There’s no indication the group has built custom models. They don’t need to. Off-the-shelf tools, when stripped of their safety guardrails, are more than sufficient for this kind of work.

The payload delivery mechanism hasn’t changed dramatically. Transparent Tribe still relies heavily on its signature CrimsonRAT malware, a remote access trojan that’s been a staple of the group’s toolkit since at least 2020. But the infection chain has been refined. Victims receive emails with attached documents — often disguised as official defense ministry correspondence or procurement forms — that contain embedded macros or exploit known vulnerabilities in Microsoft Office. Once executed, CrimsonRAT establishes persistence on the target machine, enabling keylogging, screenshot capture, file exfiltration, and webcam access.

What’s new is the wrapper, not the weapon.

The AI-generated content makes the initial social engineering far more effective. Researchers noted that some phishing emails included region-specific Hindi and English code-switching patterns that would be natural for the intended recipients. Others mimicked the bureaucratic tone of Indian government communications with surprising fidelity. This level of linguistic precision was previously beyond Transparent Tribe’s demonstrated capability, strongly suggesting automated assistance.

Industry reaction has been measured but concerned. “We’ve been anticipating this shift for over a year,” said Tom Hegel, principal threat researcher at SentinelOne, in comments shared with The Hacker News. “The barrier to producing high-quality social engineering content has effectively collapsed. Groups that were previously limited by language skills or operational bandwidth can now scale their campaigns dramatically.”

And Transparent Tribe isn’t operating in isolation. The group has long been attributed to Pakistani state interests, with a primary focus on Indian defense and diplomatic targets. SentinelOne and BlackBerry’s threat intelligence team have both published extensive research linking the group to Pakistan’s Inter-Services Intelligence directorate, though direct attribution to a specific government unit remains difficult to confirm publicly.

The broader implications here matter. Transparent Tribe is a mid-tier APT group — capable but not elite. If they’re successfully integrating AI into their operations, it’s reasonable to assume more sophisticated groups have already done so. Microsoft’s Threat Intelligence team flagged similar AI adoption by Russian and Chinese state-sponsored actors in a February 2025 report, and the trend has only accelerated since then.

For defenders, the practical takeaway is straightforward but uncomfortable. Traditional email security filters that rely on detecting poor grammar, known malicious templates, or static indicators of compromise are increasingly insufficient. AI-generated phishing content is polymorphic by nature — every email can be unique, contextually appropriate, and linguistically clean. Organizations targeting high-value sectors need to prioritize behavioral analysis, anomaly detection at the endpoint level, and continuous security awareness training that accounts for AI-enhanced threats.

There’s also a supply-side problem. Despite efforts by OpenAI, Google, and Anthropic to prevent misuse of their models, underground markets for jailbroken LLM access are thriving. Researchers at The Hacker News noted that Transparent Tribe likely accessed these capabilities through third-party services that strip safety filters from commercial models and resell API access at a premium. Shutting down these services is a game of whack-a-mole that no single company can win alone.

The Indian government’s Computer Emergency Response Team (CERT-In) has issued an advisory acknowledging the campaign, urging defense sector organizations to implement additional email authentication protocols including DMARC, DKIM, and SPF, and to restrict macro execution in Office documents. Standard advice. But when the phishing lure is good enough, even trained users click.

That’s the real shift here. Not a new malware family or a novel exploit chain. Just better lies, told faster, at scale. And for groups like Transparent Tribe, that’s more than enough to be dangerous.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us