APT36 Hackers Target Indian Defense Personnel with Sophisticated Phishing Campaign

APT36, also known as Transparent Tribe, a Pakistan-based cyber espionage group, has launched a highly sophisticated phishing campaign targeting Indian defense personnel.

According to recent findings by CYFIRMA, this group has meticulously crafted phishing emails that deliver malicious PDF attachments disguised as official government documents.

Cyber Espionage Group Transparent Tribe Strikes Again

These deceptive files are designed to infiltrate sensitive defense networks, focusing on credential harvesting and long-term access to critical infrastructure.

This campaign underscores the evolving threat landscape where nation-state actors like APT36 continuously refine their tactics, techniques, and procedures (TTPs) to conduct targeted espionage against strategic sectors.

The phishing campaign begins with emails embedding a malicious PDF file named “PO-003443125.pdf,” which, upon opening, displays a blurred background and a deceptive button mimicking the login interface of the National Informatics Centre (NIC).

This clever social engineering tactic lures victims into clicking the “Click to View Document” button, redirecting them to a fraudulent URL (hXXps://superprimeservices[.]com/nishat/order/PO-003443125.pdf.7z).

This URL triggers the download of a compressed archive, “PO-003443125.pdf.7z,” containing a malicious executable, “PO-003443125.pdf.exe,” which carries a PDF icon and a document-style double extension so that it appears to be a legitimate PDF.
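The lure relies on a file name that ends in a document extension followed by an executable one, with the archive itself named as if it were a PDF. The following Python is an added example written for this article, not CYFIRMA's or the reporting site's own tooling: it flags such names for attachment triage. The two file names are the ones the article reports; the extension lists are assumptions a defender would tune for their environment.

```python
"""Flag deceptive "double extension" file names such as PO-003443125.pdf.exe.

Added example for this article; it is not CYFIRMA's code. The file names used
in the usage block are the ones the article reports; the archive member
listing is constructed for illustration.
"""
from pathlib import PureWindowsPath

# Extensions a user expects to open as a harmless document (assumption: extend
# this to match what your mail gateway considers benign).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# Extensions Windows executes directly or that commonly carry code (assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta", ".msi"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}


def suffixes(name: str) -> list[str]:
    """Return the lower-cased suffixes of a file name, e.g. ['.pdf', '.exe']."""
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def is_deceptive_double_extension(name: str) -> bool:
    """True when a document-looking extension is immediately followed by an executable one."""
    sfx = suffixes(name)
    return len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTS and sfx[-1] in EXECUTABLE_EXTS


def is_document_named_archive(name: str) -> bool:
    """True for archives whose name masquerades as a document (e.g. X.pdf.7z)."""
    sfx = suffixes(name)
    return len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTS and sfx[-1] in ARCHIVE_EXTS


def triage_archive(archive_name: str, members: list[str]) -> dict:
    """Summarise why an archive and its members look like a lure.

    Verdict is 'block' if any member has a document-then-executable name,
    'review' if only the archive name masquerades as a document, else 'allow'.
    """
    reasons = []
    if is_document_named_archive(archive_name):
        reasons.append(f"archive name masquerades as a document: {archive_name}")
    bad_members = [m for m in members if is_deceptive_double_extension(m)]
    for m in bad_members:
        reasons.append(f"member has document-then-executable extensions: {m}")
    if bad_members:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"archive": archive_name, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed member listing: the article names the executable inside the archive.
    print(triage_archive("PO-003443125.pdf.7z", ["PO-003443125.pdf.exe"]))
```

The check is case-insensitive, so `REPORT.PDF.EXE` is caught as well as `report.pdf.exe`; the archive-name check is kept separate from the member check because an archive named like a document is suspicious on its own, but only an executable member justifies an outright block.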

[Figure: embedded PDF file]

Technical Breakdown of the Malicious Operation

Upon execution, the malware, written in C/C++ for Windows systems, deploys advanced anti-analysis techniques such as anti-debugging (using IsDebuggerPresent), anti-VM detection (via IsWow64Process), and obfuscation through double extensions to evade detection.

It employs keylogging, clipboard surveillance, and browser data theft to exfiltrate credentials and sensitive information, while establishing command-and-control (C2) communications with encrypted channels hosted on Cloudflare infrastructure.

The malware also exhibits defense evasion through process injection, DLL side-loading, and hidden window creation, alongside persistence mechanisms like registry modification.

This multi-layered attack, first observed on May 7, 2025, maps to numerous MITRE ATT&CK techniques, including T1566 (Phishing), T1056.001 (Keylogging), and T1573 (Encrypted Channel), highlighting its sophistication and intent for data exfiltration and resource hijacking.

The domain used in the attack, registered on October 23, 2024, resolves to an IP address (104.21.0.118) hosted in São Paulo, Brazil, shared with over 655 other domains, indicating a short-term malicious infrastructure setup.

[Figure: malicious domains]

This operation’s impact is severe, posing a direct threat to Indian defense networks through unauthorized access and potential lateral movement within compromised systems.

In response, CYFIRMA recommends bolstering email security with government-grade solutions, enforcing strict attachment policies, and implementing multi-factor authentication (MFA) alongside endpoint detection and response (EDR) tools.

Continuous user awareness training and real-time threat intelligence integration are critical to mitigate such targeted threats.

Indicators of Compromise (IOCs) provided below, including file hashes and malicious domains, should be blocked and monitored to prevent further incursions by APT36.

Indicators of Compromise (IOCs)

S.No Indicator Remarks
1 f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9 Block
2 55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059 Block
3 SuperPrimeServices[.]com Block
4 FunDay24[.]ru Block
5 76[.]223[.]54[.]146 Monitor
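The table above is defanged (`[.]` in place of dots, as is the `hXXps` URL earlier in the article), so it cannot be dropped into a blocklist or a log search as-is. The Python below is an added example for this article, not CYFIRMA's tooling: it refangs and classifies the five indicators, keeps the Block/Monitor remark with each, and sweeps log lines with boundary-aware matching so that a lookalike such as `notfunday24.ru` does not produce a false hit. The indicator values are the article's; the log lines are constructed for illustration.

```python
"""Parse the article's IOC table, refang the indicators and sweep sample logs.

Added example for this article; it is not CYFIRMA's tooling. The indicator
values are the ones the article lists; the log lines are constructed and do
not come from any real environment.
"""
import re

# The IOC table as printed in the article (S.No, indicator, remark).
IOC_TABLE = """\
1 f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9 Block
2 55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059 Block
3 SuperPrimeServices[.]com Block
4 FunDay24[.]ru Block
5 76[.]223[.]54[.]146 Monitor
"""

# Constructed sample log lines (proxy, EDR, firewall); hosts, users and paths are made up.
SAMPLE_LOGS = [
    "2025-05-07T09:14:02Z proxy user=jdoe GET https://superprimeservices.com/nishat/order/PO-003443125.pdf.7z 200",
    "2025-05-07T09:15:40Z edr host=WS-042 process_create image=C:\\Users\\jdoe\\Downloads\\PO-003443125.pdf.exe "
    "sha256=F03AC870CB91C00B51DDF29B6028D9DDF42477970EAFA7C556E3A3D74ADA25C9",
    "2025-05-07T09:16:11Z fw allow src=10.0.4.17 dst=76.223.54.146 dport=443",
    "2025-05-07T09:20:00Z proxy user=asmith GET https://example.org/index.html 200",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Undo report-style defanging: '[.]' -> '.', leading 'hXXp' -> 'http'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def classify(indicator: str) -> str:
    """Return 'sha256', 'ipv4' or 'domain' for a refanged indicator."""
    low = indicator.lower()
    if SHA256_RE.match(low):
        return "sha256"
    if IPV4_RE.match(low):
        return "ipv4"
    return "domain"


def parse_ioc_table(text: str) -> list[dict]:
    """Turn whitespace-separated table rows into normalised IOC records."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # header or blank line
        _, raw, action = parts
        indicator = refang(raw).lower()
        iocs.append({"indicator": indicator, "kind": classify(indicator), "action": action.lower()})
    return iocs


def _pattern(ioc: dict) -> re.Pattern:
    """Build a boundary-aware regex for one indicator."""
    esc = re.escape(ioc["indicator"])
    if ioc["kind"] == "sha256":
        # Hashes appear in either case; forbid adjacent hex so prefixes don't match.
        return re.compile(rf"(?<![0-9a-f]){esc}(?![0-9a-f])", re.IGNORECASE)
    if ioc["kind"] == "ipv4":
        # 76.223.54.146 must not match inside 176.223.54.1460 or a longer dotted string.
        return re.compile(rf"(?<![\d.]){esc}(?![\d.])")
    # Domains: a leading '.' is allowed so sub-domains match, other label chars are not.
    return re.compile(rf"(?<![a-z0-9-]){esc}(?![a-z0-9-])", re.IGNORECASE)


def scan_logs(iocs: list[dict], lines: list[str]) -> list[dict]:
    """Return one hit per (line, indicator) together with the table's prescribed action."""
    compiled = [(ioc, _pattern(ioc)) for ioc in iocs]
    hits = []
    for lineno, line in enumerate(lines):
        for ioc, pat in compiled:
            if pat.search(line):
                hits.append({"line": lineno, "indicator": ioc["indicator"], "action": ioc["action"]})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(parse_ioc_table(IOC_TABLE), SAMPLE_LOGS):
        print(hit)
```

Keeping the remark column attached to each record matters operationally: the article asks for the first four indicators to be blocked but only for the IP to be monitored, so a hit on `76[.]223[.]54[.]146` should raise an alert rather than trigger an automatic block.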
