APT36 Phishing Campaign Exploiting the Pahalgam Terror Attack to Target Indian Government and Defense
In the aftermath of the Pahalgam terror attack, the Pakistan-based cyber-espionage group APT36, also known as Transparent Tribe, launched a highly targeted phishing campaign aimed at Indian Government and Defense personnel. Exploiting the national focus on the attack, APT36 leveraged social engineering tactics to distribute malicious documents and infiltrate sensitive systems.
The group's timing around the national crisis significantly amplified the likelihood of success, showcasing their ability to strategically manipulate high-profile events. This attack underscores APT36’s method of leveraging current events to deceive victims.
The Lure: A Fabricated Pahalgam Attack Report
APT36 used a deceptive document titled "Pahalgam Terror Attack Update Encrypted.pdf." The PDF file appeared to be an official government report, seemingly providing updates on the attack. However, it was a trojanized document with a hidden malicious payload designed to compromise systems upon opening.
The file contained a clickable image that, when interacted with, redirected victims to a fake government login page. This page was carefully crafted to resemble legitimate login portals used by Indian government websites. Once the victim entered their login credentials, these were sent directly to the Command and Control (C2C) server operated by the attackers, allowing APT36 to harvest sensitive login information.
- hxxps://jkpolice.gov[.]in[.]kashmirattack[.]exposed/service/home/
- iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
Threat Actor Profile: APT36 (Transparent Tribe)
APT36, also known as Transparent Tribe, is a Pakistan-based cyber-espionage group widely believed to operate under the patronage of Pakistani intelligence agencies. Active since at least 2016, the group primarily targets Indian government, military, and diplomatic organizations. APT36 is notorious for its social engineering tactics, which involve embedding malware into seemingly innocent files, such as PDFs and PowerPoint presentations, to gain unauthorized access to sensitive systems.
APT36’s attacks are characterized by their focus on espionage. The group leverages targeted phishing campaigns that exploit current geopolitical events, military operations, and internal security incidents. This has become a hallmark of their operational strategy—timing their attacks to coincide with high-profile events
Indicators of Compromise (IOCs)
Ip Addr
93.127.133[.]58
Domain
- kashmirattack[.]exposed,
- iaf[.]nic[.]in[.]ministryofdefenceindia[.]org,
- ministryofdefenceindia[.]org,
URL
hxxps://jkpolice.gov[.]in[.]kashmirattack[.]exposed/service/home/
MD5
- d946e3e94fec670f9e47aca186ecaabe,
- c4fb60217e3d43eac92074c45228506a,
- fb64c22d37c502bde55b19688d40c803,
- 70b8040730c62e4a52a904251fa74029,
- 026e8e7acb2f2a156f8afff64fd54066
Mitigation
- Integrating and Monitoring Indicators of Compromise (IOCs): Integrate the Indicators of Compromise (IOCs) identified in this campaign into your security infrastructure to detect potential intrusions and prevent further breaches.
- User Awareness and Training: Regularly train employees and users on recognizing phishing attempts and suspicious emails, especially those that reference current or high-profile events.
- Multi-Factor Authentication (MFA): Implement MFA to protect sensitive systems. Even if login credentials are compromised, MFA can prevent unauthorized access.
- Email Filtering and URL Blacklisting: Use advanced email filtering systems to detect and block phishing emails. Blacklist known malicious domains and URLs to prevent access to phishing sites.
- Network Traffic Monitoring: Monitor network traffic for unusual activity, especially any data being sent to external or unknown C2C servers.
At CyberXTron, we specialize in Autonomous Digital Risk Protection and AI-driven Threat Intelligence tailored for protection against hacktivist threats and targeted cyber-attacks.
Click here to Book a free consultation with our expert team!!!