
A new wave of highly targeted phishing campaigns orchestrated by APT36, also known as Transparent Tribe, has been detected against Indian defense personnel.
CYFIRMA researchers have revealed that the Pakistan-based cyber espionage group continues to escalate its offensive, utilizing refined social engineering and technical sophistication to breach sensitive Indian defense networks.
Sophisticated Campaign Uses Fake NIC Documents
The group’s latest operation leverages phishing emails that deliver malicious PDF documents, carefully crafted to mimic official communications from the National Informatics Centre (NIC).
Once opened, the PDF shows a blurred page with a fake login button overlaid on it, suggesting to the recipient that they must authenticate to view a protected government document.
Clicking the button redirects the victim to a malicious URL that mimics legitimate NIC infrastructure, which then serves a compressed archive (a 7-Zip .7z file in the sample listed in the IOC table below) containing a deceptive executable.
Technical analysis shows that the archive contains an executable with a double extension (e.g., PO-003443125.pdf.exe) and a PDF icon. The trick works because Windows Explorer hides the extension of known file types by default, so the file is listed as PO-003443125.pdf and looks like an ordinary document.
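The double-extension trick described above can be caught with a filename heuristic before the file is ever opened. The following is an added example (not code from the CYFIRMA report or this article): it models the Explorer display behaviour the campaign relies on and flags files whose real extension is executable while the name the user sees ends in a document extension. The extension lists and the sample directory listing are assumptions constructed for the demonstration.

```python
"""Spot double-extension executables that masquerade as documents.

Added example (not code from the CYFIRMA report or this article). It models
the Explorer behaviour the campaign abuses: with "Hide extensions for known
file types" on (the Windows default), only the final extension is hidden, so
PO-003443125.pdf.exe is listed as PO-003443125.pdf next to a PDF icon.
The extension lists below are assumptions, not taken from the report.
"""
from __future__ import annotations

import ntpath

# Extensions Windows runs directly or hands to a script host (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".ps1", ".lnk", ".cpl",
}
# Extensions a recipient expects on a harmless attachment (assumed list).
DOCUMENT_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
    ".rtf", ".jpg", ".jpeg", ".png",
}

# Constructed sample directory listing for the demonstration.
SAMPLE_NAMES = [
    r"C:\Users\victim\Downloads\PO-003443125.pdf.exe",  # the campaign's lure
    "PO-003443125.pdf",                                  # a real PDF
    "quarterly_report.docx",
    "invoice.pdf   .scr",                                # space-padded variant
    "setup.exe",                                         # honest executable
    "notes.txt.lnk",
]


def displayed_name(filename: str) -> str:
    """Return the name as Explorer shows it with known extensions hidden.

    Simplification: the last extension is always dropped (Explorer keeps it
    for types it does not recognise); everything before it, including an
    earlier '.pdf', is shown unchanged. Accepts Windows or POSIX paths.
    """
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    return stem if ext else base


def is_masquerading(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the
    user sees ends in a document extension. strip() also catches names
    padded with spaces to push the real extension out of view."""
    base = ntpath.basename(filename)
    real_ext = ntpath.splitext(base)[1].lower()
    shown_ext = ntpath.splitext(displayed_name(base))[1].strip().lower()
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def scan_names(names: list[str]) -> list[tuple[str, str]]:
    """Return (real basename, displayed name) for every masquerading file."""
    return [
        (ntpath.basename(n), displayed_name(n)) for n in names if is_masquerading(n)
    ]


if __name__ == "__main__":
    for real, shown in scan_names(SAMPLE_NAMES):
        print(f"ALERT: user sees {shown!r} but the file is {real!r}")
```

The same rule is cheap to run at a mail gateway or on archive contents as they are extracted; the one operational fix it points at is disabling "Hide extensions for known file types" on endpoints, which removes the illusion the lure depends on.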
On launch, the executable runs a series of anti-analysis routines: it checks for attached debuggers and for virtual-machine artefacts and terminates itself if either is found, a classic hallmark of advanced persistent threat (APT) tooling built to evade researchers and automated sandboxes.
If those checks pass, the malware switches to fileless, in-memory execution by unpacking and running a script embedded in the executable's resources.
The malware proceeds to conduct several credential and data theft operations, such as monitoring and exfiltrating keystrokes, stealing clipboard contents, and harvesting browser and email credentials.
It also enumerates local drives and uses Windows API calls to establish persistence and evade detection, including spawning what appear to be legitimate system processes (e.g., svchost.exe) and DLL side-loading.
Malware Exploits Windows Systems
The analysis further highlights APT36’s emphasis on establishing long-term access by hijacking execution flows, modifying registry keys, manipulating startup processes, and employing obfuscation techniques to avoid endpoint security solutions.
The group's infrastructure relies on recently registered domains, many of them fronted by Cloudflare to hide the origin servers and slip past traditional network filters.
The detected domains and IPs show a pattern of rapid creation and cycling, suggesting a preference for short-lived campaign infrastructure to maximize impact and minimize attribution risk.
This recent campaign demonstrates APT36’s evolving playbook, with a strategic focus on credential harvesting to enable deep infiltration and ongoing espionage within Indian defense environments.
The attack chain meticulously mirrors legitimate defense workflows, heightening the risk of successful compromise among targeted personnel.
Given the sophistication of these phishing campaigns, security experts recommend immediate action for the Indian defense sector, including deployment of advanced threat protection for email, strict handling and quarantining of suspicious attachments, and enforcement of multi-factor authentication on sensitive systems.
Enhanced user awareness training, coupled with simulated phishing exercises, is also emphasized to prepare staff for these social engineering tactics.
Network defenders are urged to maintain dynamic threat intelligence feeds, monitor for anomalous connections to known APT36 indicators, and deploy endpoint detection and response (EDR) solutions capable of identifying both file-based and fileless malware behaviors.
Periodic credential audits, robust password policies, and regular incident response drills are essential to minimize the threat posed by this active and credible adversary.
APT36’s campaign underscores the persistent threat posed by nation-state actors to critical sectors, highlighting the need for a multi-layered, adaptive cybersecurity posture that integrates technical controls, user vigilance, and proactive threat intelligence sharing.
Indicators of Compromise (IOC)
| S.No | Indicator | Type | Remarks |
|---|---|---|---|
| 1 | f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9 | SHA256 Hash | Block |
| 2 | 55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059 | SHA256 Hash | Block |
| 3 | 55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332 | SHA256 Hash | Block |
| 4 | SuperPrimeServices[.]com | Domain | Block |
| 5 | Advising-Receipts[.]com | Domain | Block |
| 6 | FunDay24[.]ru | Domain | Block |
| 7 | PO-003443125.pdf : 6ee3b0f4cb84e18751e7088043741e9a | MD5 Hash | Block |
| 8 | PO-003443125.pdf.7z : cdb9fb87dcb44d8f3040f4fb87d89508 | MD5 Hash | Block |
| 9 | PO-003443125.pdf.exe : 154f4cdcd4b822314293ad566d7255fa | MD5 Hash | Block |
| 10 | hXXps://superprimeservices[.]com/nishat/order/PO-003443125[.]pdf[.]7z | URL | Block |
| 11 | 104[.]21[.]41[.]144 | IP Address | Monitor |
| 12 | 188[.]114[.]97[.]7 | IP Address | Monitor |
| 13 | 76[.]223[.]54[.]146 | IP Address | Monitor |
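The recommendation above to monitor for connections to known APT36 indicators starts with turning the defanged table into something a tool can match on. The following is an added example, not code from CYFIRMA or Cyber Security News: it refangs the IOC table as printed above, then sweeps a constructed set of DNS/proxy log lines and a constructed file blob for the domains, URL, IP addresses and hashes, carrying each indicator's Block/Monitor remark into the alert. The log format and host names are assumptions made for the demonstration.

```python
"""Refang the IOC table above and sweep constructed logs and files for hits.

Added example; not code from CYFIRMA or Cyber Security News. IOC_TABLE is
the indicator table from this article; SAMPLE_LOG is a constructed log in an
assumed format.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

IOC_TABLE = """\
| 1 | f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9 | SHA256 Hash | Block |
| 2 | 55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059 | SHA256 Hash | Block |
| 3 | 55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332 | SHA256 Hash | Block |
| 4 | SuperPrimeServices[.]com | Domain | Block |
| 5 | Advising-Receipts[.]com | Domain | Block |
| 6 | FunDay24[.]ru | Domain | Block |
| 7 | PO-003443125.pdf : 6ee3b0f4cb84e18751e7088043741e9a | MD5 Hash | Block |
| 8 | PO-003443125.pdf.7z : cdb9fb87dcb44d8f3040f4fb87d89508 | MD5 Hash | Block |
| 9 | PO-003443125.pdf.exe : 154f4cdcd4b822314293ad566d7255fa | MD5 Hash | Block |
| 10 | hXXps://superprimeservices[.]com/nishat/order/PO-003443125[.]pdf[.]7z | URL | Block |
| 11 | 104[.]21[.]41[.]144 | IP Address | Monitor |
| 12 | 188[.]114[.]97[.]7 | IP Address | Monitor |
| 13 | 76[.]223[.]54[.]146 | IP Address | Monitor |
"""

SAMPLE_LOG = """\
2025-07-08T09:12:01Z host=WKS-114 dns query=superprimeservices.com rcode=NOERROR
2025-07-08T09:12:02Z host=WKS-114 proxy GET https://superprimeservices.com/nishat/order/PO-003443125.pdf.7z 200
2025-07-08T09:12:03Z host=WKS-114 proxy CONNECT 104.21.41.144:443
2025-07-08T09:15:44Z host=WKS-021 dns query=www.microsoft.com rcode=NOERROR
2025-07-08T09:16:10Z host=WKS-021 proxy GET https://cdn.advising-receipts.com/update.bin 200
"""


def refang(value: str) -> str:
    """Undo common defanging: hXXp -> http, [.] -> ., [:] -> :, \\. -> ."""
    value = re.sub(r"hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":").replace("\\.", ".")


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)
    md5: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    remark: dict = field(default_factory=dict)  # indicator -> Block / Monitor


def parse_ioc_table(table: str) -> IocSet:
    iocs = IocSet()
    for row in table.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue  # header, separator or blank rows
        _, raw, kind, remark = cells
        value = refang(raw.split(" : ")[-1])  # "filename : hash" rows -> hash
        if kind != "URL":
            value = value.lower()  # keep URL paths case-exact
        if kind == "SHA256 Hash":
            iocs.sha256.add(value)
        elif kind == "MD5 Hash":
            iocs.md5.add(value)
        elif kind == "Domain":
            iocs.domains.add(value)
        elif kind == "IP Address":
            iocs.ips.add(value)
        elif kind == "URL":
            iocs.urls.add(value)
            host = urlsplit(value).hostname  # a blocked URL's host is worth matching alone
            iocs.domains.add(host)
            iocs.remark.setdefault(host, remark)
        iocs.remark[value] = remark
    return iocs


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def sweep_log(lines: list[str], iocs: IocSet) -> list[tuple[int, str, str, str]]:
    """Return (line_no, kind, indicator, remark) per IOC seen on a line.
    Domains match the exact host or any subdomain; IPs and URLs match literally."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = {("ip", ip) for ip in IPV4.findall(line) if ip in iocs.ips}
        for host in (h.lower() for h in HOST.findall(line)):
            seen |= {("domain", d) for d in iocs.domains if host == d or host.endswith("." + d)}
        seen |= {("url", u) for u in iocs.urls if u in line}
        hits.extend((n, kind, ind, iocs.remark[ind]) for kind, ind in sorted(seen))
    return hits


def digest_hits(blobs: dict[str, bytes], iocs: IocSet) -> list[tuple[str, str, str]]:
    """Hash each blob with both algorithms used in the table; report matches."""
    hits = []
    for name, data in blobs.items():
        for algo, known in (("sha256", iocs.sha256), ("md5", iocs.md5)):
            digest = hashlib.new(algo, data).hexdigest()
            if digest in known:
                hits.append((name, algo, iocs.remark[digest]))
    return hits
```

Two design points: the host of a blocked URL is promoted to a domain indicator so a later download from the same server under a different path is still caught, and the Block/Monitor remark travels with each hit, since the Cloudflare-range IPs in the table are shared infrastructure and should raise an alert rather than a firewall rule.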
The post APT36 Hackers Launches Advanced Phishing Attacks Against Indian Defense Personnel appeared first on Cyber Security News.
