APT36 Hackers Attacking Indian Defense Personnel in Sophisticated Phishing Attack


A Pakistan-based cyber espionage group known as APT36 or Transparent Tribe has launched a highly sophisticated phishing campaign targeting Indian defense personnel, utilizing credential-stealing malware designed to establish long-term infiltration within sensitive military networks.

The campaign represents a significant escalation in nation-state cyber threats, employing advanced social engineering techniques that exploit the trust inherent in official government communications.

The attack vector relies on meticulously crafted phishing emails containing malicious PDF attachments that mimic legitimate government documents.


When recipients open these PDFs, they see a deliberately blurred page in the background, meant to suggest a genuine but protected document, together with a message stating that the document is protected and requires user interaction to view its content.

CYFIRMA analysts identified that clicking the prominently displayed “Click to View Document” button redirects users to a fraudulent URL mimicking the National Informatics Centre (NIC) login interface, ultimately initiating the download of a ZIP archive containing disguised malware.

The campaign’s impact extends beyond immediate credential theft, as the malware establishes persistent access mechanisms within targeted systems.

The operation demonstrates APT36's strategic objective of maintaining a long-term presence within India's defense infrastructure, and shows how much of that objective rests on a single successful credential-phishing click rather than on an exploit.

The malicious domain involved was registered on October 23, 2024, with an expiration date of October 23, 2025, suggesting a calculated, short-term deployment strategy. A one-year term is also the shortest registration period most registrars offer, so on its own it is a weak signal; combined with the domain's young age at the time of the campaign and its impersonation of an NIC login page, it is a strong one.
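The delivery chain above (a lookalike NIC login host, a freshly registered single-term domain, and a ZIP whose payload hides an executable behind a document extension) can be turned into a small triage check. The following is an added example written for this page, not CYFIRMA's or the article's code. The event records are constructed; the hostname nic-login-portal.example, the allowlisted suffixes and the 90-day age threshold are assumptions, and only the registration dates and the PO-003443125.pdf.exe filename come from the article.

```python
"""Triage checks for a credential-phishing delivery chain of the kind
described in the article. Added example: not CYFIRMA's or the malware
author's code. Sample events are constructed; thresholds and the
allowlist are assumptions a defender would tune for their environment."""
import re
from datetime import date
from urllib.parse import urlparse

# Assumption: suffixes under which an NIC / Indian government login may legitimately live.
LEGIT_SUFFIXES = (".nic.in", ".gov.in")
LEGIT_APEX = ("nic.in", "gov.in")

# A "document" extension immediately in front of an executable extension is the
# classic double-extension trick; Windows hides the last extension by default.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOUBLE_EXT = re.compile(r"\.(?P<doc>[a-z0-9]{2,5})\.(?P<exe>[a-z0-9]{2,4})$", re.I)

NEW_DOMAIN_DAYS = 90   # assumption: domains younger than this are "newly registered"


def parse_day(s: str) -> date:
    """Parse an ISO date such as '2024-10-23'."""
    return date.fromisoformat(s)


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_lookalike_nic(url: str) -> bool:
    """True if the host advertises 'nic' but sits outside the allowlisted suffixes."""
    host = hostname(url)
    if host in LEGIT_APEX or host.endswith(LEGIT_SUFFIXES):
        return False
    return "nic" in host


def is_double_extension(filename: str) -> bool:
    """True for names like PO-003443125.pdf.exe (document ext followed by executable ext)."""
    m = DOUBLE_EXT.search(filename)
    return bool(m) and m["doc"].lower() in DOC_EXT and m["exe"].lower() in EXEC_EXT


def domain_age_days(registered: date, observed: date) -> int:
    return (observed - registered).days


def registration_lifetime_days(registered: date, expires: date) -> int:
    return (expires - registered).days


def triage(event: dict, observed: date) -> list[str]:
    """Return human-readable findings for one click/attachment event."""
    findings = []
    url = event.get("click_url", "")
    if url and is_lookalike_nic(url):
        findings.append(f"lookalike NIC host: {hostname(url)}")
    reg = parse_day(event["registered"]) if event.get("registered") else None
    exp = parse_day(event["expires"]) if event.get("expires") else None
    if reg and domain_age_days(reg, observed) < NEW_DOMAIN_DAYS:
        findings.append(f"domain registered {domain_age_days(reg, observed)} days before observation")
    if reg and exp and registration_lifetime_days(reg, exp) <= 366:
        findings.append("domain registered for a single one-year term")
    for name in event.get("zip_members", []):
        if is_double_extension(name):
            findings.append(f"double-extension payload in ZIP: {name}")
    return findings


# Constructed sample events: the first mirrors the chain in the article,
# the second is a benign control (real government suffix, old domain, plain PDF).
SAMPLE_EVENTS = [
    {
        "attachment": "Notification.pdf",
        "click_url": "https://nic-login-portal.example/auth/login",  # hypothetical host
        "registered": "2024-10-23",
        "expires": "2025-10-23",
        "zip_members": ["PO-003443125.pdf.exe"],
    },
    {
        "attachment": "circular.pdf",
        "click_url": "https://example.nic.in/login",  # hypothetical but allowlisted
        "registered": "2010-01-01",
        "expires": "2030-01-01",
        "zip_members": ["circular.pdf"],
    },
]


def run_triage(observed: date) -> list[list[str]]:
    return [triage(e, observed) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, found in zip(SAMPLE_EVENTS, run_triage(parse_day("2024-11-05"))):
        print(event["click_url"], "->", found or "no findings")
```

The lookalike test is deliberately coarse (any non-allowlisted host containing "nic" serving a login page); in production it would be fed from a brand-keyword list and paired with the newly-registered-domain feed, because either signal alone produces false positives.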

Technical Infection Mechanism and Evasion Tactics

The malware’s infection mechanism reveals sophisticated technical capabilities designed to evade detection and analysis.

The executable file, named "PO-003443125.pdf.exe," relies on a double extension: with Windows' default setting of hiding known file extensions it displays as a PDF named PO-003443125.pdf. It employs multiple anti-analysis techniques, including the Windows API function IsDebuggerPresent to detect when it is being run under a debugger.

Fake PDF (Source – Cyfirma)

If it detects analysis tools such as x64dbg, WinDbg, or OllyDbg, the malware shows an error dialog reading "This is a third-party compiled script" and then terminates, leaving the analyst with no further activity to observe.

Additionally, the malware calls IsWow64Process to determine whether it is running as a 32-bit process under WOW64 on a 64-bit system, a condition it treats as an indicator of a virtualized or analysis environment.

The malware's resource loading mechanism uses FindResourceExW to locate a script embedded in the executable's own resource section, which it then runs through COM or ActiveScript interfaces. The script is never written to disk as a separate file, so file-based scanning sees only the loader executable, not the code that actually does the work.

This multi-layered approach demonstrates APT36’s evolving sophistication in developing detection-resistant malware specifically targeting high-value defense sector targets.


