APT36 Hackers Attacking Indian Government Entities to Steal Login Credentials

A sophisticated phishing campaign attributed to the Pakistan-linked APT36 group has emerged as a serious threat to Indian government infrastructure.

First detected in early August 2025, this operation leverages typo-squatted domains designed to mimic official government login portals.

When unsuspecting users enter their email IDs and passwords, they are redirected to counterfeit pages that replicate the National Informatics Centre’s Kavach authentication interface, complete with legitimate logos and layouts.

By harvesting one-time passwords (OTPs) in real time, the attackers bypass multi-factor authentication and gain unfettered access to sensitive email accounts.

Cyfirma analysts identified the primary malicious domain, registered on July 14, 2025, which resolves to IP addresses flagged for phishing.

They also noted that supporting infrastructure—including additional domains registered in March and May 2025—follows a uniform naming convention and hosting pattern, indicating a coordinated campaign.

The domains resolve to IPs in both Amazon cloud infrastructure and Pakistan-based servers, suggesting either compromised third-party services or direct staging by threat actors.

The use of encrypted HTTPS traffic to communicate with a remote command-and-control (C2) server at 37.221.64[.]202 further demonstrates the campaign’s sophistication and intent to evade basic network detection mechanisms.

Victims report that after entering their credentials on the initial phishing page, they are immediately prompted for the Kavach OTP on a second page.

This prompt faithfully reproduces the MFA workflow, reducing suspicion and facilitating real-time OTP harvesting. Once captured, the credentials and OTPs are transmitted over port 443 to the attacker’s C2 infrastructure, enabling live account takeover.

If unmitigated, this could expose classified communications, undermine operational security, and lead to broader national security breaches.

Infection Mechanism and Persistence Tactics

The phishing infrastructure employs both spear-phishing emails and typosquatted domains to achieve initial access.

Spear-phishing emails contain links that redirect victims to malicious landing pages hosted on domains such as mgovcloud.in and virtualeoffice.cloud.

Upon successful credential theft, APT36 uses registry run keys and scheduled tasks to maintain persistence on compromised systems.

A custom Visual Basic script deployed via these registry keys establishes periodic callbacks to the attacker’s C2 server, downloading additional payloads and exfiltrating local files.

Cyfirma researchers provided the following YARA rule to detect indicators of compromise associated with this campaign:-

rule APT36_Phishing_Indicators {
    meta:
        author = "Cyfirma Research"
        description = "Detects IOCs for APT36 phishing infrastructure"
        last_updated = "2025-07-30"
    strings:
        $ip1 = "99.83.175.80"
        $ip2 = "37.221.64.202"
        $domain1 = "mgovcloud.in"
        $domain2 = "virtualeoffice.cloud"
    condition:
        any of ($ip*) or any of ($domain*)
}

This rule matches both the flagged IP addresses and the spoofed domains employed by APT36, empowering defenders to block malicious traffic and alerts on attempted phishing access.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searche