Pakistan APT Hackers Create Fake India Post Website to Attack Windows & Android Users

Cybersecurity researchers have discovered a dangerous phishing campaign where Pakistani APT hackers are using a fake India Post website to spread malware to Windows and Android users. The fraudulent site, hosted at postindia[.]site, tricks victims into downloading malicious files, putting their data and devices at risk.

  • Fake India Post website (postindia[.]site) created by Pakistan-based APT36 hackers.
  • Windows users are tricked into running a PowerShell command that installs malware.
  • Android users are prompted to download a fake India Post APK that steals sensitive data.
  • APT36 (Transparent Tribe) has a history of targeting Indian users since 2013.
  • Malware uses advanced evasion techniques, disguising itself as a Google Accounts app.
  • Infected APK requests permissions for contacts, location tracking, and clipboard monitoring.

How the Attack Works

For Windows Users:

  • The fake site detects if the user is on a desktop.
  • It prompts them to download a PDF with “ClickFix” instructions.
  • The PDF tricks users into running a PowerShell command, infecting their system.

For Android Users:

  • The site delivers a malicious APK file named “indiapost.apk”.
  • The app mimics a Google Accounts app to avoid suspicion.
  • It steals contacts, tracks location, and monitors clipboard activity.
  • The malware remains active by bypassing battery optimizations.
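The Android behaviour described above (contact theft, location tracking, battery-optimization bypass, a "Google Accounts" disguise) can be triaged from a decoded AndroidManifest.xml before an APK is ever installed. The script below is an added example, not code from the original report or from Cyfirma; the manifest it parses is constructed for illustration and is not the real indiapost.apk, and the permission-to-capability mapping is an assumption based on the behaviours the report lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that correspond to the capabilities the report attributes to the fake APK.
# Note: clipboard reading needs no manifest permission, so it cannot be detected here.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location tracking",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence via battery-optimization bypass",
}

# Constructed sample manifest (hypothetical package name); NOT taken from the real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.accounts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Google Accounts"/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings for a text-form AndroidManifest.xml (e.g. as decoded by apktool)."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    label_attr = f"{{{ANDROID_NS}}}label"
    package = root.get("package", "")
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(label_attr, "") if app is not None else ""

    findings = [SUSPECT_PERMISSIONS[p] for p in sorted(perms) if p in SUSPECT_PERMISSIONS]
    # A Google-branded label on a package outside com.google.* matches the disguise described above.
    if "google" in label.lower() and not package.startswith("com.google."):
        findings.append(f"label '{label}' impersonates Google but package is '{package}'")
    # Two or more independent indicators is the (assumed) threshold for escalating to analysis.
    verdict = "suspicious" if len(findings) >= 2 else "review"
    return {"package": package, "label": label, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", line)
```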

Who is Behind This Attack?

Researchers at Cyfirma linked this attack to APT36 (Transparent Tribe), a Pakistani state-sponsored hacking group.

  • The PDF’s metadata revealed it was created in Pakistan’s time zone and referenced the Pakistan Prime Minister Youth Laptop Scheme (PMYLS).
  • The attack infrastructure included fake Indian government domains and IPs.

To Stay Safe

  • Do not download APKs or software from unofficial websites.
  • Never execute PowerShell commands from unknown sources.
  • Check URLs carefully – Indian government sites usually end in .gov.in.
  • Use a trusted security solution like NPAV to detect and block malicious files.
  • Stay informed about the latest cyber threats targeting Indian users.

This sophisticated cyberattack by Pakistani APT hackers highlights the growing risks of fake government websites spreading malware. Users must be extremely cautious when visiting unknown sites and avoid downloading suspicious files. Protecting yourself with strong cybersecurity measures is essential in today’s digital world.