In a recent and concerning development in the ongoing cyber conflict landscape, the Pakistan-linked Advanced Persistent Threat (APT) group known as APT36 (also referred to as Transparent Tribe) has launched a new wave of attacks targeting Indian government and defense personnel. Demonstrating tactical agility, the group is leveraging emotionally charged themes, including a recent terror attack, to lure victims into credential phishing schemes and deploy malware. This campaign highlights the group’s persistent focus on espionage against Indian entities and its evolving methods.
The “Pahalgam Attack” Phishing Lure
A key element of the latest campaign involves exploiting the sensitive subject of a terror attack in Pahalgam. APT36 crafted emails carrying a malicious PDF file attachment deceptively named “Report Update Regarding Pahalgam Terror Attack.pdf”. The objective of this lure is credential phishing – tricking recipients into entering their login details on a fake web page.
To enhance the legitimacy of the scam, the threat actors registered and utilized a domain specifically designed to mimic the official Jammu & Kashmir Police website: jkpolice[.]gov[.]in[.]kashmirattack[.]exposed. This domain cleverly uses subdomains to appear authentic, appending .kashmirattack[.]exposed after what looks like a legitimate government address (jkpolice.gov.in). The use of the .exposed top-level domain is a clear indicator of illegitimacy. Notably, this domain, along with another mimicking the Indian Air Force (iaf[.]nic[.]in[.]ministryofdefenceindia[.]org), was reportedly registered very recently (noted as 24-Apr-2025 in the source data, though this date is in the future and may be a typo – regardless, the registration is recent). These domains are hosted on infrastructure located in Bulgaria (AS200019 – Alexhost Srl and AS45839 – Shinjiru Technology).
CrimsonRAT Deployment via PowerPoint Add-in
Parallel to the phishing effort, APT36 continues to deploy its signature malware, CrimsonRAT. In this campaign phase, a malicious PowerPoint Add-in file (.ppam) named “Report & Update Regarding Pahalgam Terror Attack.ppam” was used. CrimsonRAT is a well-documented Remote Access Trojan (RAT) favored by APT36, granting attackers extensive control over compromised systems. This includes capabilities like file exfiltration, screen capture, keylogging, and executing commands remotely.
The Command and Control (C2) infrastructure associated with this CrimsonRAT deployment includes the IP address 93.127.133[.]58, communicating over various ports (1097, 17241, 19821, 21817, 23221, 27425), allowing the attackers to manage the infected machines.
Recent Recruitment-Themed Attacks
This “Pahalgam” themed attack follows closely on the heels of another APT36 campaign observed just last week. In that instance, the group used recruitment-themed lures, employing malicious Microsoft Excel Add-in files (.xlam) with names like “Nisha2.xlam,” “Office.xlam,” and “Summer Camp.xlam”. These files likely contained macros designed to gain initial access to victim systems. The job titles used as bait included “Head of Department of Defence (Admin)” and “Applied Science & ML Engineer (12 open jobs),” clearly indicating the targeting of defense and technical personnel. The C2 infrastructure for this recruitment campaign was identified as 104.129.27[.]14, utilizing ports 8108, 16197, 19867, 28784, and 30123.
Ongoing Linux Campaign with Poseidon Malware
APT36 has also demonstrated a sustained effort to target Linux systems since at least mid-March 2024. This ongoing campaign involves the deployment of a Golang-based Mythic agent known as Poseidon. Mythic is a legitimate command-and-control framework, but its agents are often abused by threat actors. APT36 deploys Poseidon using desktop entry files (.desktop), which are shortcuts used in Linux environments.
To trick users into executing these malicious shortcuts, the group has employed a wide variety of themes relevant to Indian government and defense operations, including:
- Revised Standard Operating Procedures (SOPs) for Webex meetings.
- Phishing alerts and urgent technical meeting notices.
- SOPs for outsourcing services.
- Award medal declaration forms.
- Payment requests against Government e-Marketplace (GeM) contracts.
- Manuals for creating NIC & GOV email IDs.
- Posting and transfer orders.
- Requests for Deadline Extension under Force Majeure clauses.
This diverse set of lures indicates a significant reconnaissance effort to understand the internal workings and common document types within their target organizations. A substantial C2 infrastructure supports this Poseidon campaign, utilizing numerous IP addresses and hosting servers primarily associated with providers like DigitalOcean and Choopa LLC.
Broader Arsenal and Related Activity
The group’s toolkit is not limited to CrimsonRAT and Poseidon. In March, APT36 was observed using a “Developing Leadership for Future Wars” theme to deploy the legitimate Remote Monitoring and Management (RMM) tool MeshAgent, likely abusing it for remote access and control. Furthermore, a sub-group associated with APT36, known as SideCopy, has been active, using themes like the “US vs. China Trade War” in multiple campaigns since August 2023.
Conclusion and Implications
The latest activities attributed to APT36 underscore the group’s persistent, adaptive, and multi-faceted approach to cyber espionage against Indian targets. By leveraging current events like terror attacks, standard procedures like recruitment, and mimicking official communications, APT36 attempts to exploit human psychology and institutional trust to breach security.
The use of diverse malware (CrimsonRAT, Poseidon), varied delivery mechanisms (PDFs, PPAM, XLAM, .desktop files), and tailored lures across different operating systems (Windows, Linux) demonstrates a sophisticated and well-resourced operation. Indian government and defense organizations must remain vigilant, emphasizing user awareness training against phishing and social engineering, robust email filtering, endpoint detection and response (EDR) solutions, and continuous network monitoring for indicators of compromise (IoCs) associated with APT36 infrastructure. The detailed technical indicators (hashes, IPs, domains) provided by threat intelligence researchers are crucial for effective threat hunting and defense hardening.