
Investigations reveal the attackers are leveraging typo-squatted domains that closely mimic official government portals, aiming to steal credentials and bypass multi-factor authentication (MFA) used to secure sensitive accounts.
Spoofed Government Portals and Social Engineering
According to threat intelligence reports, the phishing campaign uses malicious URLs that redirect users to counterfeit web pages replicating key visual elements such as official logos, page layouts, and government branding to deceive users into believing they are interacting with genuine Indian government platforms.
Once a victim enters their email ID, they are prompted for their password and a Kavach authentication code.
Kavach, India’s official MFA application developed by the National Informatics Centre (NIC), generates time-based one-time passwords that act as a second layer of security for government email services.

The attackers display advanced social engineering by referencing legitimate cybersecurity reporting email addresses on the phishing sites, thereby enhancing their credibility and lowering users’ suspicion.
By requesting both the password and the time-sensitive Kavach OTP, the attackers seek to harvest credentials and bypass multi-factor security in real time, potentially gaining immediate access to protected government email accounts.
Technical Infrastructure and Connections to Pakistani IT Firms
Forensic analysis reveals that captured credentials and authentication codes are relayed to external command and control servers, one of which is registered to the IP address 37.221.64[.]202, over encrypted HTTPS connections.
These C2 servers are associated with infrastructure in Pakistan, including content hosted from Zah Computers, a Pakistani IT firm, raising the possibility of either shared infrastructure use or compromise of Zah Computers’ services.
Typosquatted domain registrations, including mgovcloud[.]in and virtualeoffice[.]cloud, reveal a coordinated campaign.

These domains were registered between March and July 2025 and hosted with leading international cloud providers.
Associated IP addresses, such as 99.83.175.80 (AMAZON-02, US) and 169.148.144.250 (MarkMonitor Inc.), have all been flagged by threat intelligence feeds for phishing-related behaviors, further highlighting the organized, short-term intent of the campaign.
Implications and Attribution
Transparent Tribe, active since 2016, is closely aligned with Pakistani state interests, targeting military, diplomatic, and government sectors across the globe, including India. Their modus operandi relies on spear-phishing, watering hole attacks, and the exploitation of zero-day vulnerabilities.
Analysts assess with medium confidence that APT36 is behind this latest campaign, citing infrastructure links, domain naming conventions, and real-time MFA bypassing techniques as consistent with their established tactics.
The campaign’s ability to harvest credentials from MFA-protected email accounts poses a significant threat to India’s national security infrastructure, underlining the persistent risk posed by nation-state threat actors in the digital domain.
List of IOCs
| sl.no | Indicator of compromise | Recommendation |
|---|---|---|
| 1 | 99[.]83[.]175[.]80 | Block |
| 2 | 37[.]221[.]64[.]202 | Block |
| 3 | 104[.]21[.]76[.]236 | Block |
| 4 | 172[.]67[.]202[.]22 | Block |
| 5 | mgovcloud[.]in | Block |
| 6 | virtualeoffice[.]cloud | Block |
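The indicator list above is published defanged (`[.]` instead of `.`), so it cannot be matched against logs as-is. The script below is an added example, not part of the original article or any vendor tooling: it refangs the six indicators from the table and sweeps a set of constructed DNS and proxy log lines (the log format, client addresses and timestamps are assumptions made up for this example) for any query, answer, host or destination that touches a listed IP or domain, including subdomains of the listed domains. The per-indicator summary at the end is what an analyst would use to decide which internal hosts to pull for credential-reset and Kavach re-enrolment.

```python
import re

# Indicators exactly as listed (defanged) in the table above.
DEFANGED_IOCS = [
    "99[.]83[.]175[.]80",
    "37[.]221.64[.]202",
    "104[.]21[.]76[.]236",
    "172[.]67[.]202[.]22",
    "mgovcloud[.]in",
    "Virtualeoffice[.]cloud",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log lines for this example (not from the advisory):
# one DNS resolver log and one forward-proxy log, both in key=value form.
SAMPLE_LOGS = """\
2025-07-14T09:12:03Z dns client=10.0.5.21 query=mgovcloud.in answer=104.21.76.236
2025-07-14T09:12:04Z proxy client=10.0.5.21 method=CONNECT host=mgovcloud.in:443 dst=104.21.76.236 status=200
2025-07-14T09:12:09Z proxy client=10.0.5.21 method=POST host=mgovcloud.in:443 dst=172.67.202.22 status=200
2025-07-14T09:15:40Z dns client=10.0.7.3 query=email.gov.in answer=203.0.113.10
2025-07-14T09:20:01Z proxy client=10.0.5.21 method=CONNECT host=virtualeoffice.cloud:443 dst=37.221.64.202 status=200
2025-07-14T09:21:17Z dns client=10.0.9.8 query=updates.example.com answer=198.51.100.7
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Fields that carry a host name or IP worth checking, in a fixed order so output is stable.
WATCHED_FIELDS = ("query", "answer", "host", "dst")


def matches_ioc(value: str):
    """Return the listed indicator that `value` hits, or None.

    IPs must match exactly; for domains, a subdomain of a listed domain
    (e.g. login.mgovcloud.in) also counts. IPv4 and plain host names assumed,
    so anything after ':' is treated as a port and dropped.
    """
    host = value.lower().split(":")[0]
    if host in IOCS:
        return host
    parts = host.split(".")
    # Walk parent domains: login.mgovcloud.in -> mgovcloud.in (stop before the bare TLD).
    for i in range(1, len(parts) - 1):
        parent = ".".join(parts[i:])
        if parent in IOCS:
            return parent
    return None


def scan_logs(text: str):
    """Return (line_no, client, field, ioc) for every field on every line that hits an IoC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        for field in WATCHED_FIELDS:
            if field in fields:
                ioc = matches_ioc(fields[field])
                if ioc:
                    hits.append((n, fields.get("client", "?"), field, ioc))
    return hits


def summarize(hits):
    """Map each indicator seen to the set of internal clients that touched it."""
    per_ioc = {}
    for _, client, _, ioc in hits:
        per_ioc.setdefault(ioc, set()).add(client)
    return per_ioc


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for n, client, field, ioc in hits:
        print(f"line {n}: client {client} {field}={ioc} -> block at perimeter, investigate client")
    for ioc, clients in summarize(hits).items():
        print(f"{ioc}: {len(clients)} client(s): {', '.join(sorted(clients))}")
```

Run against real resolver or proxy exports by replacing `SAMPLE_LOGS` with the file contents; any client that appears in the summary for the domain indicators should be treated as a probable credential and OTP submission, since the campaign captures both on the spoofed page itself rather than through malware on the host.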
The post APT36 Hackers Target Indian Government Agencies in Bid to Harvest Login Credentials appeared first on Cyber Security News.
