
Seqrite Labs APT team has revealed that Pakistan-linked threat actor APT36 (Transparent Tribe) has launched a coordinated phishing campaign targeting Indian government and defense personnel. This operation weaponizes Pahalgam terror attack-themed documents, using them as lures to deploy the Crimson RAT and harvest sensitive credentials.
The campaign, uncovered just days after the April 22, 2025 Pahalgam terror attack, demonstrates APT36’s rapid operational tempo and proficiency in social engineering. Seqrite’s report warns:
“The campaign involves both credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and Indian Air Force (IAF) created shortly after the April 22, 2025 attack.”
Phishing documents with titles like “Action Points & Response by Govt Regarding Pahalgam Terror Attack” and “Report Update Regarding Pahalgam Terror Attack” contain embedded URLs leading to fake login pages hosted on crafted domains such as hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/. This domain mimics the legitimate Jammu & Kashmir Police site while exploiting heightened awareness and confusion surrounding the real-world tragedy.
The report also details a PowerPoint-based attack using .ppam files that carry the same filenames as the phishing PDFs. When opened, these macro-enabled presentations:
- Extract hidden files into stealth directories,
- Identify the victim’s OS version,
- Open a decoy file,
- And silently deploy the Crimson RAT.
The final payload is disguised as an image (WEISTT.jpg) with the internal name jnmxrvt hcsm.exe. Seqrite observed that: “All three RAT payloads have a compilation timestamp of 2025-04-21, just before the Pahalgam terror attack.”
The deployed version of Crimson RAT has over 20 command-and-control (C2) capabilities, including:
- Screenshot capture: cscreen, scren, thumb
- File and directory access: filsz, listf, fldr
- Persistence mechanisms: putsrt
- Remote command execution and download: runf, dowr, udlt
Its C2 endpoint, masked behind hardcoded decoys, ultimately resolves to: 93.127.133[.]58.
APT36’s infrastructure hinges on domain impersonation. Seqrite linked the phishing campaign to a network of spoofed subdomains, including:
- iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
- email[.]gov[.]in[.]departmentofdefence[.]de
- indianarmy[.]nic[.]in[.]departmentofdefence[.]de
Registered within days of the Pahalgam attack, these domains were hosted on infrastructure belonging to Alexhost Srl, IP Connect Inc, and Shinjiru Technology.
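A defender-side check for the subdomain-impersonation pattern the report describes, where a real government hostname is spelled out as the leading labels of a domain someone else registered. This is an added example, not code from Seqrite's report; the watch-list of protected hostnames (built from the indicators above) and the deliberately minimal suffix list are assumptions.

```python
import re

# Government hostnames the lures impersonate, taken from the indicators above.
# Treating them as a fixed watch-list is this example's assumption.
PROTECTED_DOMAINS = {"jkpolice.gov.in", "iaf.nic.in", "email.gov.in", "indianarmy.nic.in"}
# Two-label public suffixes that are not registrable domains by themselves
# (deliberately minimal; use the Public Suffix List in production).
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in", "co.in", "ac.in"}


def refang(indicator):
    """Undo the report's defanging: hxxps://a[.]b -> https://a.b."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(url_or_host):
    """Lower-cased hostname from a URL or bare host, defanged or not."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(url_or_host).strip().lower())
    return value.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def registrable_domain(host):
    """The part of the host that its registrant actually controls."""
    labels = host.split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def impersonated_domain(url_or_host):
    """Return the protected domain a host impersonates, or None.

    Flags jkpolice.gov.in.kashmirattack.exposed (real hostname as leading
    labels, foreign registrable domain) but not mail.iaf.nic.in.
    """
    host = hostname_of(url_or_host)
    if registrable_domain(host) in PROTECTED_DOMAINS:
        return None  # genuinely under a protected domain
    for protected in PROTECTED_DOMAINS:
        if f".{protected}." in f".{host}.":  # label-aligned match only
            return protected
    return None


def flag_log_lines(lines):
    """Scan proxy or mail log lines; return (host, impersonated domain) pairs."""
    hits = []
    for line in lines:
        for url in re.findall(r"h(?:xx|tt)ps?://\S+", line):
            target = impersonated_domain(url)
            if target:
                hits.append((hostname_of(url), target))
    return hits
```

Running `flag_log_lines` over proxy or mail-gateway logs surfaces the spoofed hosts without blocking traffic to the real .gov.in and .nic.in sites.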
Seqrite attributes the campaign to APT36 with high confidence, citing tactics that mirror historical activity:
“They often exploit sensitive topics like Kashmir conflict, border skirmishes, and military movements… delivering Crimson RAT, hidden behind fake documents or malicious links embedded in spoofed domains.”
The goal, as observed in similar past operations, is espionage—harvesting credentials, surveilling activity, and infiltrating systems tied to India’s national security apparatus.