Image: CYFIRMA
A new report by CYFIRMA has uncovered a meticulously crafted phishing campaign attributed to APT36 (Transparent Tribe), a Pakistan-linked threat actor with a long-standing focus on Indian government, defense, and infrastructure targets. The campaign weaponizes typo-squatted domains, deceptive portals mimicking official Indian government websites, and real-time OTP harvesting designed to bypass multi-factor authentication (MFA) mechanisms like Kavach.
“The campaign demonstrates advanced social engineering, real-time one-time password (OTP) harvesting and coordinated domain usage, potentially posing a significant threat to national security,” CYFIRMA notes.
The operation begins with phishing emails that direct victims—mostly Indian defense personnel and government officials—to typo-squatted domains designed to resemble legitimate Indian government services. These domains feature stolen branding, official logos, and identical layouts to create a false sense of legitimacy.
Upon visiting the fake site, users are prompted to enter their email ID, followed by their password and Kavach-generated OTP. This phishing flow is specifically engineered to capture credentials in real time, giving attackers immediate access to government email accounts.
“By referencing trusted authorities and secure communication flows, the threat actors create a false sense of legitimacy,” the report explains. “The real-time harvesting of credentials and OTPs demonstrates a sophisticated effort to compromise MFA-protected accounts.”
Kavach is India’s official MFA solution developed by the National Informatics Centre (NIC). It generates time-based OTPs used in conjunction with passwords to secure government email access. The attackers’ phishing infrastructure is explicitly designed to capture these OTPs on the fly.
CYFIRMA observed that compromised domains establish encrypted outbound connections to command-and-control (C2) servers such as 37.221.64[.]202, allowing the attackers to transmit credentials securely while evading detection.
The infrastructure behind the phishing campaign reveals strong ties to Pakistan. One of the hosting subdomains was found serving content from Zah Computers, a Pakistani IT services firm, suggesting either compromised infrastructure or direct involvement.
“The presence of Zah Computers’ web content within this malicious infrastructure raises two possibilities: either APT36 is leveraging Pakistani-hosted services for staging phishing assets, or Zah Computers has been compromised,” the researchers state.
APT36, also known as Transparent Tribe or Mythic Leopard, has been active since 2016 and is known for conducting cyber-espionage operations using spear-phishing, macro-laced documents, and spoofed login pages to collect sensitive information from military, diplomatic, and governmental targets.
“The use of typo-squatted domains combined with infrastructure hosted on Pakistan-based servers is consistent with the group’s established tactics, techniques, and procedures.”
The attackers have shown signs of strategic planning by registering multiple phishing domains within the same time frame. These include:
- mail[.]mgovcloud[.]in (registered March 2024)
- virtualeoffice[.]cloud (registered May 2025)
- Additional spoofed domains resolving to IPs hosted by Amazon and MarkMonitor Inc., flagged for phishing behavior
“The uniformity across these domains, coupled with their use in similar credential harvesting schemes, suggests they are part of a broader, organized phishing campaign specifically targeting government infrastructure.”
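As an added defender-side example (not tooling from the CYFIRMA report), the check below flags hostnames that embed, or sit one edit away from, trusted brand tokens, and runs it over the two domains the report names; the allowlist, the brand tokens and the remaining sample hostnames are constructed assumptions.

```python
"""Flag hostnames that mimic trusted government portals, the typo-squatting
pattern described above. Added example, not CYFIRMA's tooling: the allowlist
and brand tokens are assumptions a defender would replace with their own."""

# Assumed allowlist of hostnames the organisation really uses (constructed).
LEGITIMATE = {"email.gov.in", "kavach.mail.gov.in", "eoffice.gov.in"}
# Assumed brand tokens a lookalike would try to embed (constructed).
BRAND_TOKENS = ("gov", "kavach", "eoffice")

def refang(domain: str) -> str:
    """Normalise defanged notation such as mail[.]mgovcloud[.]in to a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").strip(".")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos of a brand token."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious(domain: str) -> list[str]:
    """Return the reasons a hostname looks like a government lookalike ([] if clean)."""
    host = refang(domain)
    if any(host == good or host.endswith("." + good) for good in LEGITIMATE):
        return []  # genuinely under an allowlisted hostname
    reasons = []
    for label in host.split("."):
        for tok in BRAND_TOKENS:
            if tok in label:
                reasons.append(f"label '{label}' embeds brand token '{tok}'")
            elif len(label) >= 4 and levenshtein(label, tok) == 1:
                reasons.append(f"label '{label}' is one edit from '{tok}'")
    return reasons

def scan(domains: list[str]) -> dict[str, list[str]]:
    """Map each flagged (refanged) hostname to its reasons; clean hosts are omitted."""
    return {refang(d): suspicious(d) for d in domains if suspicious(d)}

# Constructed sample; the first two entries are the domains named in the report.
SAMPLE = ["mail[.]mgovcloud[.]in", "virtualeoffice[.]cloud",
          "kavach.mail.gov.in", "kavch.example", "www.example.com"]

if __name__ == "__main__":
    for host, why in scan(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

A hit is a trigger for review of the full URL and the requesting account, not proof of phishing by itself.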