APT36 Targets Indian Government: Credential Theft Campaign Uncovered


A sophisticated phishing campaign attributed with medium confidence to the Pakistan-linked APT36 group, also known as Transparent Tribe or Mythic Leopard, has been uncovered targeting Indian defense organizations and government entities.

The operation uses lookalike (typosquatted) domains, such as mail.mgovcloud.in and virtualeoffice.cloud, that imitate official Indian government platforms in order to trick users into entering their credentials.

The campaign combines several social-engineering elements: spoofed copies of legitimate government portals, the display of e-mail addresses belonging to trusted government cybersecurity reporting contacts to lend the pages credibility, and real-time capture of one-time passwords (OTPs) generated by Kavach, the multi-factor authentication (MFA) app developed by the National Informatics Centre (NIC).

[Figure: phishing page mimicking an official Indian government portal]

Sophisticated Phishing Tactics

Upon accessing these malicious URLs, victims land on counterfeit webpages that replicate the official logos, layouts, and titles and prompt for an email ID, a password, and the current Kavach-generated OTP.

Because the OTP is captured and replayed by the attacker while it is still valid, the login succeeds despite MFA, giving the operators access to sensitive email accounts and potentially to classified data, a significant risk to national security infrastructure. An OTP typed into a web form, whether from Kavach or any other app, offers no protection against a relay of this kind; only origin-bound, phishing-resistant MFA such as FIDO2/WebAuthn security keys would refuse to authenticate on the lookalike domain.

[Figure: credential-theft phishing site]

The phishing infrastructure shows a degree of technical sophistication: the domains resolve to IP addresses such as 99.83.175.80 (Amazon infrastructure, AS16509) and 37.221.64.202, the latter of which was observed making outbound HTTPS (TCP/443) connections to remote command-and-control (C2) servers, the likely channel for exfiltrating the captured credentials and OTPs under cover of TLS.


Analysis reveals these IPs are flagged in threat intelligence feeds for phishing activities, often linked to typosquatting campaigns.

Additional domains, registered between March 2024 and July 2025, exhibit coordinated patterns, including subdomains associated with Indian government entities and infrastructure tied to Pakistani IT firm Zah Computers, suggesting either direct involvement or compromised staging servers.

This setup aligns with APT36's known tactics, techniques, and procedures (TTPs): initial access through spear-phishing attachments (T1566.001) and malicious links (T1566.002), alongside exploitation of vulnerabilities in office suites and web applications; execution when the user opens the malicious link (T1204.001); and collection of data from local systems (T1005).

Attribution to APT36

Attribution to APT36 is reinforced by the group’s history of state-sponsored cyber espionage since 2016, targeting entities in India and beyond for military and diplomatic intelligence.

Operating from Pakistan, the group employs reconnaissance through phishing for information (T1598), resource development via domain acquisition (T1583.001), and persistence mechanisms like registry run keys (T1547.001).

Discovery techniques such as system owner/user discovery (T1033) and process discovery (T1057) facilitate deeper infiltration, culminating in exfiltration over C2 channels (T1041).

The campaign's use of watering-hole attacks and ClickFix lures (fake error or verification prompts that coax the user into pasting and running a command) mirrors APT36's established modus operandi, which has affected the aerospace, defense, government, and military sectors in India, Afghanistan, the UAE, and elsewhere.

Business repercussions include data theft, operational disruption, and reputational damage, underscoring the need for robust defenses.

To counter this threat, experts recommend strategic measures like enforcing national domain policies for rapid takedowns of spoofed domains and promoting cybersecurity awareness campaigns.

Operationally, multi-layered email filtering, real-time OTP abuse detection via behavioral analytics, and network hardening through DNS filtering and TLS decryption are essential.

Management should prioritize policy enforcement, incident response readiness, and mandatory training on APT tactics.

The report also provides a custom YARA rule, APT36_Phishing_Indicators, that matches the associated IOCs such as the IPs 99.83.175.80 and 37.221.64.202. Because YARA matches byte patterns in files and memory, such a rule is useful for sweeping captured e-mails, saved page sources, and process memory; the same IPs and domains should additionally be loaded into DNS, proxy, and firewall blocklists, since that is where a live phishing session is actually interrupted.

This campaign highlights the evolving landscape of state-sponsored threats, demanding vigilant governance to safeguard critical assets.

List of IOCs

Sl. No  Indicator of Compromise  Type    Recommendation
1       99.83.175.80             IPv4    Block
2       37.221.64.202            IPv4    Block
3       104.21.76.236            IPv4    Block
4       172.67.202.22            IPv4    Block
5       mgovcloud.in             Domain  Block (including all subdomains, e.g. mail.mgovcloud.in)
6       virtualeoffice.cloud     Domain  Block (including all subdomains)

Note: 104.21.76.236 and 172.67.202.22 fall within Cloudflare's shared reverse-proxy address space, and 99.83.175.80 sits on Amazon infrastructure (AS16509), so these addresses are shared with unrelated services and may be rotated. Blocking them wholesale at the firewall can cause collateral outages; block the domains at the DNS and proxy layers, and treat the IP indicators primarily as detection and hunting pivots rather than long-lived firewall entries.
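As an added example (written for this page, not part of the original report or of any vendor's tooling), the following Python script applies the IOC list above to DNS and proxy log lines. The log format and every log line are constructed for the demonstration; the Cloudflare ranges used to downgrade IP-only hits are an assumption to be checked against the provider's published list. It shows two checks a naive string search gets wrong: domain matching must be label-aware (mail.mgovcloud.in and "VirtualEOffice.Cloud." are hits, notmgovcloud.in is not), and an IP-only hit on shared CDN or anycast space is a low-confidence signal compared with a domain hit.

```python
"""Match DNS/proxy log lines against the APT36 phishing IOC list (added example)."""
import ipaddress
from urllib.parse import urlsplit

# IOCs as published in the report. Domains are normalised to lowercase because DNS is
# case-insensitive; the report lists "Virtualeoffice.cloud" with a capital V.
IOC_IPS = {"99.83.175.80", "37.221.64.202", "104.21.76.236", "172.67.202.22"}
IOC_DOMAINS = {"mgovcloud.in", "virtualeoffice.cloud"}

# ASSUMPTION: shared reverse-proxy ranges (Cloudflare). Verify against the provider's
# current published list before relying on them; an IP-only hit here is weak evidence.
SHARED_INFRA = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def normalize_host(name: str) -> str:
    """Lowercase and drop a trailing dot (FQDN form) so comparisons are label-exact."""
    return name.strip().rstrip(".").lower()


def host_is_ioc(hostname: str, blocked=IOC_DOMAINS) -> bool:
    """True for the apex or any subdomain; a plain suffix match would also flag
    notmgovcloud.in, so the comparison requires a label boundary."""
    h = normalize_host(hostname)
    return any(h == d or h.endswith("." + d) for d in blocked)


def ip_is_ioc(ip: str, blocked=IOC_IPS) -> bool:
    """Exact match on a parsed address; garbage that is not an IP never matches."""
    try:
        return str(ipaddress.ip_address(ip.strip())) in blocked
    except ValueError:
        return False


def on_shared_infra(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in SHARED_INFRA)


def host_from_target(target: str) -> str:
    """Accept either a bare query name (DNS log) or a URL (proxy log)."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target


# Constructed sample log: "<timestamp> <client> <dns|proxy> <qname-or-url> <resolved-ip>".
SAMPLE_LOG = """\
2025-07-10T09:14:02Z 10.20.30.41 dns mail.mgovcloud.in 99.83.175.80
2025-07-10T09:14:03Z 10.20.30.41 proxy https://mail.mgovcloud.in/login 99.83.175.80
2025-07-10T09:15:11Z 10.20.30.57 dns notmgovcloud.in 198.51.100.7
2025-07-10T09:16:40Z 10.20.30.63 dns VirtualEOffice.Cloud. 104.21.76.236
2025-07-10T09:17:05Z 10.20.30.63 proxy https://example.org/ 203.0.113.9
2025-07-10T09:18:22Z 10.20.30.88 proxy https://cdn.example.net/app.js 172.67.202.22
"""


def scan_log(text: str):
    """Return (timestamp, client, kind, reason, confidence) for each line touching an IOC.
    confidence: high = domain hit; medium = IP hit on non-shared space; low = IP-only hit
    on shared CDN/proxy space, which needs the domain or URL before acting on it."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, kind, target, dst = parts
        host = host_from_target(target)
        reasons = []
        if host_is_ioc(host):
            reasons.append("domain:" + normalize_host(host))
        if ip_is_ioc(dst):
            reasons.append("ip:" + dst)
        if not reasons:
            continue
        if reasons[0].startswith("domain:"):
            confidence = "high"
        elif on_shared_infra(dst):
            confidence = "low"
        else:
            confidence = "medium"
        hits.append((ts, client, kind, ";".join(reasons), confidence))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Run as a script it prints four hits: three high-confidence domain hits (the mail.mgovcloud.in DNS query and proxy request from 10.20.30.41, and the mixed-case virtualeoffice.cloud query from 10.20.30.63) and one low-confidence IP-only hit for 172.67.202.22 behind an unrelated CDN hostname. The notmgovcloud.in query is correctly ignored.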
