APT36 Unleashes Advanced Phishing Against Indian Defense Personnel: New Anti-Analysis Malware & NIC Impersonation
The Pakistani cyber-espionage group APT36, also known as Transparent Tribe, has launched a sophisticated new phishing campaign targeting personnel within India’s defense sector. Experts at CYFIRMA have uncovered that the threat actors are employing highly deceptive tactics, disguising malicious payloads as official government documents.
In these attacks, APT36 leverages counterfeit emails that include PDF attachments virtually indistinguishable from legitimate bureaucratic correspondence. One such file, titled “PO-003443125.pdf,” features a blurred background and a clickable button mimicking the login interface of India’s National Informatics Centre (NIC). Upon interaction, the victim is redirected to a fraudulent website camouflaged to resemble a trusted portal.
The spoofed website delivers a compressed archive bearing the “.7z” extension. Contained within is an executable file—“PO-003443125.pdf.exe”—masquerading as a harmless PDF document. When launched, this file unleashes malware written in C/C++, specifically designed to target Windows operating systems.
According to CYFIRMA’s analysis, the malware is equipped with an advanced suite of evasion techniques. It performs debugger detection via IsDebuggerPresent, identifies virtualized environments through IsWow64Process, and conceals itself using double file extensions. Its functionalities include keylogging, clipboard monitoring, and the exfiltration of browser-stored credentials and passwords. Data is siphoned off via encrypted communication channels hosted through Cloudflare infrastructure.
Moreover, the malware employs defense evasion techniques such as process injection, dynamic-link library (DLL) substitution, and the creation of invisible windows. For persistence, it modifies Windows registry entries to maintain a foothold within the infected system.
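A defender-side check for the two masquerading tricks described above (a double extension that hides “.exe” behind “.pdf”, and a PE executable carrying a document-style name), as an added example that is not part of CYFIRMA’s report or this article; the attachment names and byte prefixes are constructed samples, not campaign artifacts.

```python
# Constructed sample attachments (name -> first bytes of content); not real campaign files.
SAMPLES = {
    "PO-003443125.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "quarterly-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
}

# Extensions users read as "documents", and extensions Windows will actually execute.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}

# Leading magic bytes that reveal the true type regardless of the file name.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png"}

def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading magic bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"

def assess_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().split(".")
    outer = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    # Finding 1: a document-looking inner extension hidden behind an executable outer one.
    if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
        findings.append(f"double extension: looks like .{inner}, runs as .{outer}")
    # Finding 2: the bytes on disk are a PE image even though the name claims a document.
    kind = sniff_type(data)
    if kind == "pe-executable" and outer in DOCUMENT_EXTS:
        findings.append("PE header (MZ) inside a file named as a document")
    if kind == "pe-executable" and outer in EXECUTABLE_EXTS:
        findings.append("executable attachment")
    return findings

def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess every attachment and keep only those with at least one finding."""
    return {n: f for n, d in samples.items() if (f := assess_attachment(n, d))}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

The same two checks apply to the contents of an extracted “.7z” archive, where the name-versus-content mismatch is only visible after extraction.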
The campaign was first observed on May 7, 2025, and aligns with multiple tactics and techniques from the MITRE ATT&CK framework—including phishing (T1566), keylogging (T1056.001), and encrypted data exfiltration (T1573).
Investigators determined that the domain used in the attack was registered on October 23, 2024, and routes traffic to an IP address located in Brazil. This address supports over 650 additional domains, suggesting the infrastructure is transient and tailored for malicious operations.
APT36’s campaign poses a significant threat to the cybersecurity of India’s strategic institutions. Once inside a targeted system, the attackers can escalate privileges and laterally move within internal networks—potentially accessing classified information.
As a countermeasure, security experts recommend implementing multi-layered email defenses, enforcing stricter policies around file attachments, enabling multi-factor authentication, and deploying endpoint detection and response (EDR) solutions. It is also advised to conduct regular cybersecurity awareness training for employees and integrate real-time threat intelligence into monitoring systems.