APT36’s New Focus: Indian Railways, Oil & Foreign Affairs Under Siege


In July 2025, threat actor APT36 (also known as Transparent Tribe), a group associated with Pakistan-linked cyber operations, launched a sophisticated campaign targeting India’s critical infrastructure, including railways, oil & gas sectors, and government entities such as the Ministry of External Affairs. This operation marks a shift from their traditional military focus to broader civilian and infrastructure targets, combining phishing with advanced persistence tools.

Severity Level: High

Threat Details

  • Initial Access: Delivered via .desktop files posing as PDF documents, exploiting Linux environments through user deception.
  • Execution: The malicious .desktop files executed Base64-encoded scripts that downloaded payloads from remote servers and stored them under deceptive filenames (emacs-bin, crond-98).
  • Persistence: Persistence was achieved using cron jobs, allowing malware to survive reboots and maintain foothold.
  • Command and Control (C2)
    • Variant 1: Single C2 IP: 209.38.203.53
    • Variant 2: Redundant C2s: 165.232.114.63, 165.22.251.224
    • Poseidon C2: 64.227.189.57, 178.128.204.138, 99.83.175.80
  • Payload: The second-stage payload was Poseidon, a Mythic C2-based backdoor written in Go. It allowed long-term access, credential harvesting, system reconnaissance, and lateral movement.
  • Anti-Analysis Features: Payloads used sleep functions and environment checks to evade sandboxing and dynamic analysis.
  • Phishing Infrastructure: Over 100 fake domains mimicking Indian entities, such as:
    • drdo.gov.in.nominationdrdo.report
    • mod.gov.in.defencepersonnel.support
    • indianarmy.nic.in.ministryofdefenceindia.org
    These were hosted primarily on AlexHost, a provider known for abuse-tolerant hosting.
  • Infrastructure Insights
    • Poseidon backdoor operated on port 7443 and showed TLS 1.3 Mythic C2 certificates.
    • Pivoting off the infrastructure revealed over 350 Mythic-powered servers, some likely used by other actors.
  • Target Sectors: Indian Railways, oil & gas infrastructure, the Ministry of External Affairs, and broader Indian government networks.

Recommendations

  1. Block/alert on emails containing .desktop attachments or disguised .pdf.desktop extensions.
  2. Detect creation of suspicious cron jobs tied to /dev/shm/, ~/.local/share/ payloads.
  3. Hunt for processes like emacs-bin, crond-98 being executed by non-root users.
  4. Reinforce user training to hover over links and check file extensions, and alert users to .desktop files disguised as .pdf documents.
  5. Inform users about the risks of downloading or opening files from platforms like Google Drive that impersonate government sources.
  6. Disallow execution of .desktop files from user downloads or email directories.
  7. Apply application control (e.g., AppLocker, SELinux, or similar) to prevent execution of unknown binaries/scripts.
  8. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/6cac3abe1178b2a08786dccdf753badb01423f98fd4377030fbc5cca45f3092a/iocs
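The host-level hunts in recommendations 2, 3 and 6 can be scripted. The following is an added example, not code from the advisory or from Hunt.io; it uses only the indicators stated above (the /dev/shm/ and ~/.local/share/ staging paths, the emacs-bin and crond-98 filenames, and the .pdf.desktop disguise) and assumes a standard Linux layout for cron files, /proc and ~/Downloads.

```python
import re
from pathlib import Path

# Indicators taken from the advisory: payload staging paths and the
# deceptive filenames that the cron-based persistence executes.
STAGING_PATHS = ("/dev/shm/", "/.local/share/")
MASQUERADE_NAMES = ("emacs-bin", "crond-98")
# Match a payload name as a whole path component, so crond-987 is not a hit.
_NAME_RE = re.compile(r"(^|[/\s])(" + "|".join(map(re.escape, MASQUERADE_NAMES)) + r")(\s|$)")


def suspicious_cron_lines(lines):
    """Return non-comment crontab lines that run something from a staging
    path or that invoke one of the masquerading binary names."""
    hits = []
    for line in lines:
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        if any(p in cmd for p in STAGING_PATHS) or _NAME_RE.search(cmd):
            hits.append(cmd)
    return hits


def disguised_desktop_files(names):
    """Return file names that are .desktop launchers dressed up as PDFs
    (e.g. Notice.pdf.desktop), regardless of case."""
    return [n for n in names if n.lower().endswith(".pdf.desktop")]


def masquerading_processes(comm_names):
    """Return the sorted subset of process names matching the advisory's payload names."""
    return sorted(set(comm_names) & set(MASQUERADE_NAMES))


def _read_lines(path):
    try:
        return path.read_text(errors="replace").splitlines()
    except OSError:  # unreadable without root, or absent on this distro
        return []


if __name__ == "__main__":
    # Assumed locations; adjust for distributions that store crontabs elsewhere.
    cron_sources = [Path("/etc/crontab"), *Path("/etc/cron.d").glob("*"),
                    *Path("/var/spool/cron/crontabs").glob("*"), *Path("/var/spool/cron").glob("*")]
    cron_lines = [l for f in cron_sources for l in _read_lines(f)]
    procs = [(_read_lines(p / "comm") or [""])[0] for p in Path("/proc").glob("[0-9]*")]
    downloads = [p.name for p in (Path.home() / "Downloads").glob("*")]
    print("cron entries using staging paths/payload names:", suspicious_cron_lines(cron_lines))
    print("running masquerading processes:", masquerading_processes(procs))
    print("disguised .desktop files in ~/Downloads:", disguised_desktop_files(downloads))
```

Run it as the user whose cron jobs and Downloads folder you want to check; reading /var/spool/cron requires root, and unreadable sources are silently skipped.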

MITRE ATT&CK

Tactic                Technique                                   ID
Reconnaissance        Phishing for Information                    T1598.002
Initial Access        Spearphishing Attachment                    T1566.001
Execution             Command and Scripting Interpreter: Bash     T1059.004
Persistence           Scheduled Task/Job: cron                    T1053.003
Persistence           Boot or Logon Initialization Scripts        T1037.004
Defense Evasion       Masquerading                                T1036
Defense Evasion       Obfuscated Files or Information             T1027
Defense Evasion       Virtualization/Sandbox Evasion              T1497.001
Credential Access     Credential Phishing                         T1566.002
Command and Control   Application Layer Protocol: HTTPS           T1071.001
Command and Control   Multi-hop Proxy                             T1090.003
Command and Control   Web Service                                 T1102
Collection            System Information Discovery                T1082
Lateral Movement      Remote File Copy                            T1105
Impact                Data Manipulation or Exfiltration           T1565

Source:

  • https://hunt.io/blog/apt36-india-infrastructure-attacks
