APT36 and Sidecopy Hackers Target India’s Critical Infrastructure with Malware Attacks
Seqrite Labs, India’s largest malware analysis facility, has uncovered a sophisticated campaign dubbed Operation Sindoor, orchestrated by Pakistan-aligned threat groups APT36 and Sidecopy.
Launched on May 7, 2025, this state-sponsored Advanced Persistent Threat (APT) activity, combined with coordinated hacktivist operations, targeted India’s critical sectors, including defense, government IT infrastructure, healthcare, telecom, and education.
Operation Sindoor Unleashes
The campaign employed a deadly mix of spear phishing, malicious scripts, website defacements, and data leaks, aiming to destabilize national operations through cyber espionage and hybrid warfare tactics.
Seqrite’s telemetry recorded over 650 DDoS and defacement events between May 7 and 10, alongside the involvement of 35 hacktivist groups, seven of which were newly emerged, signaling an alarming convergence of technical intrusion and psychological operations.

The technical sophistication of Operation Sindoor is evident in the evolved tactics, techniques, and procedures (TTPs) of APT36, which has transitioned from older Poseidon loaders to the modular and evasive Ares RAT.
This malware framework enables keylogging, screen capturing, file manipulation, credential theft, and remote command execution, mimicking commercial RATs but tailored for stealth.
Deceptive Tactics Exposed
Initial access was gained through spear phishing attachments using file types like .ppam, .xlam, .lnk, .xlsb, and .msi, often disguised with urgent, contextually relevant names tied to events like the Pahalgam Terror Attack.
These files triggered macros executing web queries to malicious domains such as fogomyart[.]com, with payloads delivered via spoofed Indian entities like zohidsindia[.]com and nationaldefensecollege[.]com.
Command-and-control (C2) communications were routed through application layer protocols to IP 167.86.97[.]58:17854, identified as a Crimson RAT C2 server.
For persistence, APT36 leveraged Living Off the Land Binaries (LOLBins), scheduled tasks, UAC bypasses, and obfuscated PowerShell scripts, ensuring prolonged access while evading detection.
According to the report, parallel hacktivist efforts under hashtags like #OpIndia amplified disruptions via DDoS attacks and data leaks, targeting entities like the Ministry of Defence, NIC, GSTN, AIIMS, Jio, and BSNL.
The use of deceptive domains such as pahalgamattack[.]com and operationsindoor2025[.]in exploited geopolitical narratives, undermining trust in official digital communications.
The impact is profound: data exfiltration has compromised sensitive documents and credentials, DDoS attacks have disrupted critical services, and website defacements have damaged public confidence, highlighting vulnerabilities in India’s cybersecurity posture and escalating geopolitical tensions.
Indicators of Compromise (IOCs)
| Category | Details |
|---|---|
| Malicious Domains | pahalgamattack[.]com, sindoor[.]live, operationsindoor2025[.]in, nationaldefensecollege[.]com, fogomyart[.]com/random.php |
| Malicious Files | xlam, ppam, pptx.lnk, pdf |
| Callback IP | 167.86.97[.]58:17854 (Crimson RAT C2) |
| VPS Traffic Origination | Russia, Germany, Indonesia, Singapore |