Pakistan’s Cyber Offensive: APT36 Targets Indian Defence

A recent report by Cyfirma details a sophisticated phishing campaign orchestrated by the Pakistan-based Advanced Persistent Threat group APT36, also known as Transparent Tribe. Active since at least 2013, APT36 has honed its focus on Indian entities, particularly the defence sector, government agencies, and educational institutions.

The campaign, uncovered in June 2025, leverages social engineering and malicious payloads to infiltrate sensitive systems, exploiting India’s National Informatics Centre (NIC) credentials to gather intelligence.

This summary dissects the report’s findings, highlighting the tactics, implications, and broader geopolitical context.

A Deceptive Lure

APT36’s latest operation employs spear-phishing emails masquerading as official NIC correspondence. These emails are often themed around urgent policy updates or geopolitical events, such as the April 2025 Pahalgam terror attack in which Indian tourists in Kashmir were murdered, to entice recipients to open malicious attachments or click embedded links. The campaign uses decoy documents, such as PDFs titled “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf,” which direct users to fake login portals mimicking Indian government domains like jkpolice.gov.in.

These portals harvest credentials from officials using @gov.in or @nic.in domains, enabling further network infiltration.

The group’s malware arsenal includes Crimson RAT, a remote access trojan for data exfiltration, and macro-enabled PowerPoint files (PPAM) that deploy payloads when opened. Analysis of a malicious PDF’s metadata reveals it was created on 23 October 2024, in Pakistan’s time zone, using a laptop from the Prime Minister’s Youth Laptop Scheme - a telling clue to the campaign’s origins.

The use of fake domains, such as email.gov.in.gov-in.mywire.org, hosted on IPs linked to Pakistani APT tactics, further solidifies attribution to APT36 with moderate confidence.
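A defender-side triage check for the lookalike domains described above, added here as an example and not taken from the Cyfirma report or the article: it classifies a URL, mail address or bare hostname as a genuine gov.in/nic.in host, an impersonation attempt, or unrelated. Apart from the mywire.org host quoted above, the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Suffixes the phishing mails and portals imitate (from the report's description).
PROTECTED_SUFFIXES = ("gov.in", "nic.in")
# Single labels that suggest an attempt to resemble those suffixes.
LURE_LABELS = {"gov", "nic", "govin", "gov-in", "nicin", "nic-in"}

def hostname_of(target: str) -> str:
    """Lowercase hostname of a URL, a mail address or a bare domain."""
    target = target.strip()
    if "://" in target:
        host = urlsplit(target).hostname or ""
    elif "@" in target:                      # mail address: domain after the last @
        host = target.rsplit("@", 1)[1]
    else:                                    # bare domain, possibly with a path
        host = urlsplit("//" + target).hostname or ""
    return host.rstrip(".").lower()

def _has_label_run(labels, run):
    """True if the label sequence `run` appears contiguously inside `labels`."""
    n = len(run)
    return any(labels[i:i + n] == run for i in range(len(labels) - n + 1))

def classify(target: str) -> str:
    """'genuine' for real gov.in/nic.in hosts, 'lookalike' for impersonation
    attempts such as email.gov.in.gov-in.mywire.org, otherwise 'unrelated'."""
    host = hostname_of(target)
    if not host:
        return "invalid"
    labels = host.split(".")
    for suffix in PROTECTED_SUFFIXES:
        run = suffix.split(".")
        if labels[-len(run):] == run:        # registrable domain really is gov.in / nic.in
            return "genuine"
    for suffix in PROTECTED_SUFFIXES:
        if _has_label_run(labels, suffix.split(".")):
            return "lookalike"               # gov.in buried inside another domain
    if LURE_LABELS.intersection(labels):
        return "lookalike"                   # e.g. nic-in.example.net
    return "unrelated"

# Constructed samples; only the mywire.org host comes from the report.
SAMPLES = [
    "https://jkpolice.gov.in/login",
    "email.gov.in.gov-in.mywire.org",
    "alerts@nic.in",
    "https://nic-in.example.net/verify",
    "https://203.0.113.7/portal",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

Only the hostname is inspected, so a lure word placed in the URL path is deliberately ignored; pair this with mail-gateway checks rather than using it as the sole filter.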

Evolving Tactics

APT36’s methods reflect a blend of persistence and innovation. The group exploits human vulnerabilities through carefully crafted social engineering rather than zero-day software flaws, maximising psychological impact by leveraging sensitive topics like Kashmir. Its use of cross-platform languages like Python, Golang, and Rust, alongside command-and-control channels on platforms like Telegram and Google Drive, demonstrates technical sophistication. The campaign also employs “ClickFix” tactics, instructing users to execute malicious PowerShell commands via the Windows Run dialogue, a method increasingly popular amongst cybercriminals for its ability to bypass traditional defences.

The report notes APT36’s focus on India’s defence and aerospace sectors, with previous campaigns targeting state-run contractors and military personnel. By impersonating legitimate entities and exploiting topical events, the group ensures high success rates in credential theft and malware deployment.

This campaign’s rapid response to the Pahalgam attack underscores APT36’s agility in capitalising on real-world incidents.

Geopolitical Undercurrents

The campaign is not merely a technical exploit but a facet of Pakistan’s broader cyber-espionage strategy against India. Amid strained bilateral relations, exacerbated by Kashmir tensions, APT36’s activities align with Islamabad’s interest in gathering strategic intelligence. The use of government-issued laptops suggests possible state sponsorship, though Cyfirma stops short of definitive attribution. India, meanwhile, faces mounting pressure to bolster its cybersecurity infrastructure, as repeated breaches expose vulnerabilities in its defence ecosystem.

The IMF’s October 2024 report, forecasting sluggish global growth, indirectly highlights the economic stakes: India’s defence modernisation, critical to countering such threats, competes with fiscal constraints. The NIC, a backbone of India’s e-governance, is a prime target, as compromised credentials could unlock access to sensitive national systems.

Countering the Threat

Cyfirma recommends robust defences: advanced email filtering to detect phishing, disabling macros by default, and regular simulation drills to train personnel. Integrating geopolitical threat intelligence into security operations could preempt such campaigns. India’s government must also address systemic gaps, such as outdated software and lax credential management, to deter future attacks.

A Persistent Menace

APT36’s campaign underscores the growing nexus of cyberwarfare and geopolitics. As Pakistan-based actors refine their tactics, India’s defence sector remains a vulnerable target.

Without decisive action - technical, organisational, and diplomatic - these digital incursions risk eroding national security. The stakes are high in this shadow war, where clicks can be as damaging as missiles.

Sources: Cyfirma | Cyfirma | IMF
