
CYFIRMA has released an in-depth analysis detailing a highly targeted phishing campaign by APT36, also known as Transparent Tribe. The Pakistan-based threat group has a well-documented history of targeting Indian defense personnel, and their latest operation underscores a disturbing escalation in both technical sophistication and tactical deception.
“APT36… has been actively targeting Indian defense personnel through highly sophisticated phishing campaigns,” the CYFIRMA report confirms.
The attack begins with a spear-phishing email containing a malicious file named PO-003443125.pdf. Upon opening, the document presents a blurred interface and a convincing “Click to View Document” button, mimicking the login portal of India’s National Informatics Centre (NIC).
Clicking this button doesn’t reveal any official content—it redirects the victim to a fraudulent website, triggering the download of a malicious archive named PO-003443125.pdf.7z. Hidden within is a fake PDF—PO-003443125.pdf.exe—which is, in fact, a malware-laced executable file.
“This naming convention is intentionally misleading… designed to trick users and evade casual detection by analysts or basic security tools,” CYFIRMA explains.
What makes this campaign particularly dangerous is the multi-layered anti-analysis techniques baked into the malware:
- Anti-debugging and anti-VM evasion using IsDebuggerPresent and IsWow64Process
- Fileless execution via embedded scripts and Windows COM interfaces
- DLL side-loading, environment variable manipulation, and startup persistence
- Masquerading as svchost.exe to blend in with legitimate Windows activity
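The two masquerade tricks described above (a document-looking name that really ends in `.7z` or `.exe`, and a copy of `svchost.exe` running outside the Windows system directories) can be turned into a simple triage check. The following is an added example written for this article, not CYFIRMA's code; the key=value event lines are constructed samples, not real telemetry, and the `SYSTEM_DIRS` list is an assumption about where the genuine binary lives.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".7z", ".zip", ".rar"}
# Assumption: the legitimate svchost.exe only runs from these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerade_reason(path: str) -> Optional[str]:
    """Return why a path looks like a disguised document, or None if it looks benign."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]  # "x.pdf.exe" -> [".pdf", ".exe"]
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS:
        return f"document-looking name with executable extension {suffixes[-1]}"
    if len(suffixes) >= 2 and suffixes[-1] in ARCHIVE_EXTS and suffixes[-2] in DOC_EXTS:
        return f"archive named like a document ({''.join(suffixes[-2:])})"
    if p.name.lower() == "svchost.exe" and not str(p).lower().startswith(SYSTEM_DIRS):
        return "svchost.exe running outside the Windows system directories"
    return None


# Constructed sample events (file-create and process-create) in key=value form.
SAMPLE_EVENTS = [
    "EventID=11 TargetFilename=C:\\Users\\analyst\\Downloads\\PO-003443125.pdf.7z",
    "EventID=11 TargetFilename=C:\\Users\\analyst\\Downloads\\PO-003443125.pdf.exe",
    "EventID=1 Image=C:\\Users\\Public\\svchost.exe",
    "EventID=1 Image=C:\\Windows\\System32\\svchost.exe",
    "EventID=11 TargetFilename=C:\\Users\\analyst\\Downloads\\invoice.pdf",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every event whose file path looks deceptive."""
    hits = []
    for line in events:
        fields = dict(FIELD_RE.findall(line))
        path = fields.get("TargetFilename") or fields.get("Image")
        if not path:
            continue
        reason = masquerade_reason(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

The genuine `svchost.exe` in `System32` and the plain `invoice.pdf` pass through; the two `PO-003443125.pdf.*` names and the `svchost.exe` copy under `C:\Users\Public` are flagged.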
“The malware uses GetCurrentProcess and TerminateProcess for process control, privilege escalation, code injection, and anti-analysis,” the report notes.
APT36’s malware is designed to harvest sensitive information, leveraging a broad set of capabilities:
- Keylogging using GetAsyncKeyState and GetKeyState
- Clipboard scraping via OpenClipboard, GetClipboardData
- Session hijacking, browser credential theft, and email data extraction
- Drive enumeration and file searches for exfiltration targets
“The malware targets browser data cookies, saved credentials, form inputs, email client credentials, and system clipboard contents,” CYFIRMA warns.
The malware communicates with its command-and-control (C2) server through encrypted HTTP(S) traffic, using infrastructure hosted on Cloudflare and other CDNs to obfuscate malicious activity.
The registered domain superprimeservices[.]com, which serves the payload, is hosted in São Paulo, Brazil, and shares its IP with over 655 domains—a technique likely meant to blend into benign traffic.
CYFIRMA provides an exhaustive breakdown of the malware’s behavior across MITRE ATT&CK tactics, including:
- Initial Access: T1566.001 (Spear phishing attachment)
- Persistence: T1547.009 (Shortcut Modification), T1574.002 (DLL Side-Loading)
- Credential Access: T1056.001 (Keylogging), T1115 (Clipboard Data)
- Command and Control: T1071 (Application Layer Protocol), T1573 (Encrypted Channel)
- Impact: T1485 (Data Destruction), T1496 (Resource Hijacking)
This campaign demonstrates not only technical prowess, but long-term strategic intent to infiltrate, persist, and exfiltrate critical defense data.