APT36 phishing tactics targeting Indian government systems

The Pakistan-linked threat group APT36, also known as Transparent Tribe, has expanded its cyber operations to include Indian railways, oil and gas infrastructure, and the Ministry of External Affairs. Recent findings reveal that APT36 is using sophisticated infection chains that leverage .desktop files disguised as PDF documents to deploy malware.


Infection Chains

Security researchers have identified two main attack variants that use these deceptive files. The first variant uses a command-and-control (C2) server at IP 209.38.203.53 to retrieve payloads via base64-encoded paths, storing them in hidden directories on the victim's system. This variant achieves persistence through cron jobs, with decoy content hosted on Google Drive to enhance credibility.
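A defender-side check for the lure described above, added here as an example and not taken from the report: it parses a `.desktop` launcher and flags the traits of this chain (a document-style name on a `Type=Application` entry, an `Exec` line that decodes base64, stages into a hidden directory, or downloads content). The sample launchers are constructed; the heuristics and tag names are this example's own.

```python
import re

# Heuristics keyed by a short tag; regexes are this example's assumptions.
EXEC_PATTERNS = {
    "interpreter": re.compile(r"\b(bash|sh|python3?|perl)\b"),
    "base64": re.compile(r"\bbase64\b"),
    "download": re.compile(r"\b(curl|wget)\b"),
    "hidden-dir": re.compile(r"(~|\$HOME|/home/[^/]+)/\.[A-Za-z0-9_.-]+/"),
    "cron": re.compile(r"\bcrontab\b"),
}

def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] section."""
    entry, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[Desktop Entry]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def assess(filename, text):
    """Return a list of tags describing why a launcher looks like a lure."""
    entry = parse_desktop(text)
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    looks_like_doc = (name.lower().endswith(".pdf")
                      or filename.lower().endswith(".pdf.desktop"))
    findings = []
    # A file that presents itself as a PDF should not be an application.
    if looks_like_doc and entry.get("Type", "") == "Application":
        findings.append("type-mismatch")
    for tag, pattern in EXEC_PATTERNS.items():
        if pattern.search(exec_line):
            findings.append(tag)
    return findings

# Constructed sample launchers (not real artifacts from the campaign).
LURE = """[Desktop Entry]
Type=Application
Name=Briefing.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "mkdir -p ~/.cache/.x && echo aGVsbG8= | base64 -d > ~/.cache/.x/r && xdg-open https://drive.google.com/file/d/PLACEHOLDER"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=gedit
"""

if __name__ == "__main__":
    print(assess("Briefing.pdf.desktop", LURE))   # ['type-mismatch', 'interpreter', 'base64', 'hidden-dir']
    print(assess("editor.desktop", BENIGN))       # []
```

Run it over `~/.local/share/applications`, `~/Desktop` and download directories, and treat any `type-mismatch` combined with an `Exec` tag as worth a closer look.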


Phishing Infrastructure

APT36's phishing operations target credentials through spoofed domains that mimic legitimate Indian entities, such as the DRDO and the Indian Army. Over 100 phishing domains have been linked to this campaign, indicating centralized control and tailored social engineering tactics aimed at Indian public sector users.