In the recent terror attack conducted by Pakistan state-sponsored terrorists, innocent civilians were killed in Pahalgam, a town in Anantnag district of the Indian union territory of Jammu and Kashmir. In retaliation, the Indian government carried out Operation Sindoor.
Amid many false claims of Pakistan-based cyber attacks, security researchers from India have uncovered a specific targeted campaign by the Pakistan-linked threat actor Transparent Tribe (APT36), leveraging documents themed around the April 22, 2025 “Pahalgam Terror Attack” to target Indian Government and Defense personnel. The campaign employs both credential phishing and malware deployment tactics, with spoofed domains impersonating legitimate entities such as the Jammu & Kashmir Police and the Indian Air Force (IAF). These domains were registered shortly after the attack, suggesting rapid exploitation of current events to enhance the credibility of the phishing infrastructure.
The lure documents include phishing PDFs and macro-enabled Office files designed to deliver Crimson RAT, a remote access trojan commonly used by APT36 for surveillance and data exfiltration. The group’s use of timely, region-specific themes combined with a multi-stage infection chain highlights its continued focus on espionage against Indian strategic sectors.
APT36 (Transparent Tribe): APT36 is a Pakistan-based Advanced Persistent Threat (APT) group active since at least 2013. Its primary objective is cyber espionage, targeting Indian governmental, military, defense, and educational sectors.
Associated Groups:
· COPPERFIELDSTONE
· Mythic Leopard
· ProjectM
Primary Targets:
· Geography: Primarily India, with occasional operations targeting other South Asian countries.
· Sectors: Government, military, defense contractors, aerospace, and education.
Tactics and Tools:
· Initial Compromise: APT36 predominantly employs spear-phishing attacks, leveraging malicious attachments and counterfeit websites to gain initial access.
· Malware Utilized:
o Crimson RAT: Remote Access Trojan (RAT) for intelligence collection.
o Poseidon: Linux-based malware aimed at Indian government entities.
o ElizaRAT: Windows RAT with advanced evasion capabilities.
· Evasion Techniques: The group utilizes cross-platform languages (Python, Golang, Rust) and exploits cloud services (Telegram, Discord, Slack, Google Drive) for command-and-control operations.
Notable Campaigns:
· Indian military personnel
· Government agencies
· Defense and research organizations
· Activists and journalists focused on Kashmir
On April 24, 2025, a phishing PDF attributed to APT36 was identified, crafted to exploit the aftermath of the Pahalgam Terror Attack. Document titles include:
· “Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf”
· “Report Update Regarding Pahalgam Terror Attack.pdf”
These are themed to appear as official government communications.
The content is masked, with the attack vector embedded in a malicious hyperlink leading to a credential harvesting page.
Upon interaction, the link redirects users to a spoofed login portal designed to harvest credentials as part of a targeted social engineering campaign. The triggered URL is: hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/
This domain deceptively mimics the legitimate Jammu & Kashmir Police site (jkpolice[.]gov[.]in): the legitimate hostname is placed in front of an attacker-registered domain (kashmirattack[.]exposed), so a user who reads the address from left to right sees a familiar domain structure and is lured into trusting it.
Once government credentials for @gov.in or @nic.in accounts are entered, they are sent directly back to the attacker-controlled host.
A wide range of filenames has been observed, crafted to impersonate official documents from government and defense institutions. These include references to ongoing meetings, internal communications, and sensitive administrative matters, highlighting the threat actor’s ability to rapidly weaponize current events. Notable examples include:
· Report & Update Regarding Pahalgam Terror Attack.pdf
· Report Update Regarding Pahalgam Terror Attack.pdf
· Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf
· J&K Police Letter Dated 17 April 2025.pdf
· ROD on Review Meeting held on 10 April 2025 by Secy DRDO.pdf
· RECORD OF DISCUSSION TECHNICAL REVIEW MEETING NOTICE, 07 April 2025 (1).pdf
· MEETING NOTICE – 13th JWG meeting between India and Nepal.pdf
· Agenda Points for Joint Venture Meeting at IHQ MoD on 04 March 2025.pdf
· DO Letter Integrated HQ of MoD dated 3 March.pdf
· Collegiate Meeting Notice & Action Points MoD 24 March.pdf
· Letter to the Raksha Mantri Office Dated 26 Feb 2025.pdf
· Alleged Case of Sexual Harassment by Senior Army Officer.pdf
· Agenda Points of Meeting of Dept of Defence held at 11March 25.html
· Action Points of Meeting of Dept of Defence held at 10March 25.html
· Agenda Points of Meeting of External Affairs Dept 10 March 25.pdf.html
A malicious PowerPoint Add-in (.ppam) file named “Report & Update Regarding Pahalgam Terror Attack.ppam” has been identified, consistent with previously observed phishing lure documents. The file contains embedded macros that execute upon opening, extracting multiple payload components into a concealed directory within the user’s profile, named dynamically at runtime.
The malware performs environment checks to determine the host’s Windows version and selects the appropriate payload accordingly. In parallel, it launches a decoy presentation containing the same phishing URL used in the earlier PDF-based attacks, while simultaneously deploying Crimson RAT, enabling remote access and potential data exfiltration. This indicates a multi-stage infection strategy combining social engineering, system profiling, and targeted malware deployment.
The final payload, Crimson RAT, is dropped as "WEISTT.jpg" with the internal name "jnmxrvt hcsm.exe". The associated PDB path is "C:\jnmhxrv cstm\jnmhxrv cstm\obj\Debug\jnmhxrv cstm.pdb".
All identified samples share a compilation timestamp of April 21, 2025, indicating they were prepared just prior to the Pahalgam terror attack. A hardcoded decoy IP is present, but the actual C2 server is 93.127.133[.]58, revealed after decoding. The RAT supports 22 commands for remote control, alongside system and user information collection, consistent with APT36’s post-compromise objectives.
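The masquerading described above (a PE executable dropped under a .jpg name, dated by its compile timestamp) can be caught from file content rather than from the filename. The following Python script is an added example written for this page, not code from the original report or from the researchers: it reads the DOS header's e_lfanew pointer and the COFF header TimeDateStamp directly, and the files it scans are constructed fixtures (a PE-shaped stub and a JPEG header, not the real sample).

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

# Extensions that legitimately never carry a Windows executable image.
NON_EXECUTABLE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def pe_timestamp(data: bytes):
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime,
    or None when the bytes are not a PE image (no MZ/PE signatures)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # COFF TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def scan_directory(root: str) -> list:
    """Report (path, compile time) for files whose extension claims a harmless
    type but whose content is a PE executable."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in NON_EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)          # the headers live in the first few KB
            stamp = pe_timestamp(head)
            if stamp is not None:
                findings.append((path, stamp))
    return findings


def build_fake_pe(stamp: int) -> bytes:
    """Constructed PE-shaped stub (not a runnable program and not the real
    sample): DOS header with e_lfanew = 0x80, PE signature, 20-byte COFF header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


def demo() -> list:
    """Write two constructed fixtures and scan them: a PE stub under the dropped
    name from the report and a genuine JPEG header under an ordinary name."""
    stamp = int(datetime(2025, 4, 21, tzinfo=timezone.utc).timestamp())
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "WEISTT.jpg"), "wb") as fh:
            fh.write(build_fake_pe(stamp))
        with open(os.path.join(tmp, "holiday.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)   # JFIF magic bytes
        return [(os.path.basename(p), t.date().isoformat())
                for p, t in scan_directory(tmp)]


if __name__ == "__main__":
    for name, compiled in demo():
        print(f"{name}: PE image masquerading as a picture, compiled {compiled}")
```

Only the first 4 KB of each file is read, which is enough for both headers and keeps the scan cheap across a user profile; a compile time that lands a day before a headline event is the kind of detail worth recording alongside the finding.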
The phishing domains identified through hunting were created just one or two days after the corresponding documents; some of them are listed below:
Domains | Creation | IP | ASN |
jkpolice[.]gov[.]in[.]kashmirattack[.]exposed | 2025-04-24 | 37.221.64.134 | AS 200019 (Alexhost Srl) |
iaf[.]nic[.]in[.]ministryofdefenceindia[.]org | 2025-04-16 | 37.221.64.134 | AS 200019 (Alexhost Srl) |
email[.]gov[.]in[.]ministryofdefenceindia[.]org | 2025-04-16 | 45.141.58.224 | AS 213373 (IP Connect Inc) |
email[.]gov[.]in[.]departmentofdefenceindia[.]link | 2025-02-18 | 45.141.59.167 | AS 213373 (IP Connect Inc) |
This attack exemplifies tactics commonly associated with hacktivist or state-aligned campaigns, wherein emotionally charged or politically sensitive events are strategically weaponized to amplify psychological impact. In this instance, the threat actor is leveraging heightened tensions related to the Kashmir conflict to enhance the credibility and engagement of their decoy content. The use of such contextually resonant lures not only increases the likelihood of successful infection but also aligns with broader objectives of intelligence gathering and narrative manipulation within a geopolitically volatile region.
Indicators of Compromise:
Hashes (MD5):
· c4fb60217e3d43eac92074c45228506a
· 172fff2634545cf59d59c179d139e0aa
· 7b08580a4f6995f645a5bf8addbefa68
· 1b71434e049fb8765d528ecabd722072
· c4f591cad9d158e2fbb0ed6425ce3804
· 5f03629508f46e822cf08d7864f585d3
· f5cd5f616a482645bbf8f4c51ee38958
· fa2c39adbb0ca7aeab5bc5cd1ffb2f08
· 00cd306f7cdcfe187c561dd42ab40f33
· ca27970308b2fdeaa3a8e8e53c86cd3e
Domains:
· jkpolice[.]gov[.]in[.]kashmirattack[.]exposed
· iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
· email[.]gov[.]in[.]ministryofdefenceindia[.]org
· email[.]gov[.]in[.]departmentofdefenceindia[.]link
· email[.]gov[.]in[.]departmentofdefence[.]de
· email[.]gov[.]in[.]briefcases[.]email
· email[.]gov[.]in[.]modindia[.]link
· email[.]gov[.]in[.]defenceindia[.]ltd
· email[.]gov[.]in[.]indiadefencedepartment[.]link
· email[.]gov[.]in[.]departmentofspace[.]info
· email[.]gov[.]in[.]indiangov[.]download
· indianarmy[.]nic[.]in[.]departmentofdefence[.]de
· indianarmy[.]nic[.]in[.]ministryofdefenceindia[.]org
· email[.]gov[.]in[.]indiandefence[.]work
· email[.]gov[.]in[.]drdosurvey[.]info
URLs:
· hxxps://iaf[.]nic[.]in[.]ministryofdefenceindia[.]org/publications/default[.]htm
· hxxps://jkpolice[.]gov[.]in[.]kashmiraxxack[.]exposed/service/home
· hxxps://email[.]gov[.]in[.]ministryofdefenceindia[.]org/service/home/
· hxxps://email[.]gov[.]in[.]departmentofdefenceindia[.]link/service/home/
· hxxps://email[.]gov[.]in[.]departmentofdefence[.]de/service/home/
· hxxps://email[.]gov[.]in[.]indiangov[.]download/service/home/
· hxxps://indianarmy[.]nic[.]in[.]departmentofdefence[.]de/publications/publications-site-main/index[.]html
· hxxps://indianarmy[.]nic[.]in[.]ministryofdefenceindia[.]org/publications/publications-site-main/index[.]htm
· hxxps://email[.]gov[.]in[.]briefcases[.]email/service/home/
· hxxps://email[.]gov[.]in[.]modindia[.]link/service/home/
· hxxps://email[.]gov[.]in[.]defenceindia[.]ltd/service/home/
· hxxps://email[.]gov[.]in[.]indiadefencedepartment[.]link/service/home/
· hxxps://email[.]gov[.]in[.]departmentofspace[.]info/service/home/
· hxxps://email[.]gov[.]in[.]indiandefence[.]work/service/home/
Hashes (MD5):
· d946e3e94fec670f9e47aca186ecaabe
· e18c4172329c32d8394ba0658d5212c2
· 2fde001f4c17c8613480091fa48b55a0
· c1f4c9f969f955dec2465317b526b600
· 026e8e7acb2f2a156f8afff64fd54066
· fb64c22d37c502bde55b19688d40c803
· 70b8040730c62e4a52a904251fa74029
· 3efec6ffcbfe79f71f5410eb46f1c19e
· b03211f6feccd3a62273368b52f6079d
C2 IPs and ports:
· 93.127.133.58 (Ports: 1097, 17241, 19821, 21817, 23221, 27425)
· 104.129.27.14 (Ports: 8108, 16197, 19867, 28784, 30123)
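The domain-structure trick described earlier (a legitimate hostname such as jkpolice[.]gov[.]in placed as the leading labels of an attacker-registered domain) and the indicator lists above both lend themselves to an automated sweep of proxy and firewall logs. The script below is an added example written for this page, not the researchers' own tooling: the key=value log format and the sample lines are constructed, the refanged indicators are taken from the lists above, and the two-label public-suffix table is a simplification assumed for illustration (a production detector would use the full Public Suffix List). The look-alike heuristic goes beyond the listed domains on purpose, so that a newly registered host built on the same pattern is still flagged.

```python
import re
from urllib.parse import urlsplit


def refang(value: str) -> str:
    """Turn a defanged indicator from a report ('hxxps', '[.]') into a matchable one."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Domain and C2 indicators taken from the report above (refanged for matching).
IOC_DOMAINS = {refang(d) for d in (
    "jkpolice[.]gov[.]in[.]kashmirattack[.]exposed",
    "iaf[.]nic[.]in[.]ministryofdefenceindia[.]org",
    "email[.]gov[.]in[.]ministryofdefenceindia[.]org",
    "email[.]gov[.]in[.]departmentofdefenceindia[.]link",
)}
IOC_C2_PORTS = {
    "93.127.133.58": {1097, 17241, 19821, 21817, 23221, 27425},
    "104.129.27.14": {8108, 16197, 19867, 28784, 30123},
}
# Legitimate hostnames the campaign imitates, as named in the report.
PROTECTED_HOSTS = ("jkpolice.gov.in", "iaf.nic.in", "email.gov.in", "indianarmy.nic.in")

# Assumption: a tiny public-suffix table, enough for the domains on this page.
TWO_LABEL_SUFFIXES = {"gov.in", "nic.in", "co.in"}


def registrable_domain(host: str) -> str:
    """Registrable (owner-controlled) part of a hostname under the toy suffix table."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofs_protected_host(host: str):
    """Return the legitimate hostname being imitated when it forms the leading
    labels of host but the registrable domain differs, else None."""
    host = host.lower().rstrip(".")
    for legit in PROTECTED_HOSTS:
        if host.startswith(legit + ".") and registrable_domain(host) != registrable_domain(legit):
            return legit
    return None


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse a constructed '<timestamp> key=value ...' log line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def classify(line: str) -> list:
    """Alerts raised by one log line: exact IOC hits plus the look-alike heuristic."""
    f = parse_line(line)
    alerts = []
    if "url" in f:
        host = (urlsplit(f["url"]).hostname or "").lower()
        if host in IOC_DOMAINS:
            alerts.append(("ioc_domain", host))
        legit = spoofs_protected_host(host)
        if legit:
            alerts.append(("lookalike", f"{host} imitates {legit}"))
    dst = f.get("dst")
    if dst in IOC_C2_PORTS:
        port = int(f.get("dport", 0))
        kind = "c2_known_port" if port in IOC_C2_PORTS[dst] else "c2_ip_other_port"
        alerts.append((kind, f"{dst}:{port}"))
    return alerts


def scan(lines) -> list:
    """Flatten alerts over a batch of log lines as (timestamp, kind, detail)."""
    return [(parse_line(l)["ts"], kind, detail) for l in lines for kind, detail in classify(l)]


# Constructed sample proxy/firewall lines; the 10.20.x.x sources are fictional.
SAMPLE_LOGS = [
    "2025-04-25T09:12:01Z src=10.20.5.17 dst=37.221.64.134 url=https://jkpolice.gov.in.kashmirattack.exposed/service/home/",
    "2025-04-25T09:12:40Z src=10.20.5.17 dst=203.0.113.9 url=https://www.jkpolice.gov.in/",
    "2025-04-25T09:15:44Z src=10.20.5.17 dst=93.127.133.58 dport=17241 proto=tcp",
    "2025-04-25T09:20:02Z src=10.20.5.44 dst=198.51.100.7 url=https://email.gov.in.constructed-example.invalid/service/home/",
    "2025-04-25T09:21:10Z src=10.20.5.44 dst=104.129.27.14 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_LOGS):
        print(ts, kind, detail)
```

Exact matches on the listed domains and C2 addresses are the high-confidence signal; the look-alike rule is deliberately broader and will also fire on the www.jkpolice.gov.in-style legitimate hosts only if their registrable domain differs, which is why the second sample line stays quiet. A hit on a listed C2 address over an unlisted port is kept as a separate, lower-severity alert rather than dropped.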
Tactics | Technique | Description |
Reconnaissance | T1598.003 | Phishing for Information: Spearphishing Link |
Resource Development | T1583.001 | Acquire Infrastructure: Domains |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
Execution | T1204.001 | User Execution: Malicious Link |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Discovery | T1033 | System Owner/User Discovery |
Collection | T1005 | Data from Local System |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Amid India's launch of Operation Sindoor in response to the Pahalgam terror attack, there has been a noticeable surge in disinformation campaigns falsely attributing cyberattacks to Indian systems, allegedly originating from Pakistan. Several of these claims have been debunked by the Indian Press Information Bureau (PIB), which has issued official clarifications to counter the spread of misinformation. These coordinated narratives are likely intended to sow confusion, undermine public trust, and divert attention from ongoing threat actor activity. It is strongly recommended that stakeholders and the public rely exclusively on verified government advisories and statements when evaluating claims related to cybersecurity incidents or geopolitical developments. Following authoritative sources remains critical to countering psychological operations and information warfare tactics that often accompany state-sponsored campaigns.
To mitigate risks associated with this phishing campaign and similar threat activity, the following security measures are advised:
· Email and Attachment Scanning: Deploy advanced threat protection tools capable of detecting malicious links and payloads embedded within PDFs and document attachments.
· Macro Restriction Policies: Enforce default blocking of macro execution across endpoints, particularly for documents originating from untrusted or external sources.
· Network Segmentation and Access Control: Implement strict segmentation of critical assets and enforce the principle of least privilege to minimize lateral movement and data exposure.
· Security Awareness and Training: Conduct ongoing training programs focused on phishing recognition, social engineering tactics, and exploitation of current geopolitical events.
· Incident Response Readiness: Maintain an updated and tested incident response plan specifically addressing credential phishing, disinformation campaigns, and APT-level intrusions.
· Threat Intelligence Integration: Leverage geopolitical and sector-specific threat intelligence to detect and preempt targeted campaigns; actively monitor and block known indicators of compromise (IOCs).
· Behavioural Monitoring: Utilize behavioral analytics and anomaly detection to identify suspicious login attempts, privilege escalation, or unauthorized data access indicative of compromise.