APT36 Exploits Pahalgam Tragedy for MFA Push Bombing Attacks

In April–May 2025, a coordinated cyber threat campaign linked to the state-sponsored group APT36 (aka Transparent Tribe) was uncovered, leveraging Pahalgam terror attack-themed content to target Indian government personnel and civilians. This campaign uses social engineering tactics to distribute malware that bypasses multi-factor authentication (MFA) through a method known as push bombing or MFA fatigue. The attackers aim to gain unauthorized access to sensitive accounts and data by exploiting human psychology and emotional triggers.

Severity Level: High

THREAT OVERVIEW:

  1. Initial Reconnaissance and Social Engineering Lures:
    • Geopolitical Exploitation: The attackers exploit the Pahalgam terror attack in Kashmir as a way to craft emotionally charged phishing lures, making them more effective. The attackers leverage the event’s political significance to trick individuals into engaging with malicious content.
    • Phishing Documents: APT36 crafts phishing documents such as “Report & Update Regarding Pahalgam Terror Attack.pdf” designed to mimic legitimate communications from the Indian government and military, including fake reports and response strategies related to the attack.
    • Other lures used: “set this as your DP” and “watch this tourist’s final message”.
  2. Delivery and Exploitation:
    • Phishing with Fake Domains: The attackers send phishing emails containing malicious PDF files or links. The PDFs, once opened, link to fake login pages disguised as legitimate Indian government websites (e.g., “jkpolice[.]gov[.]in[.]kashmirattack[.]exposed”).
    • Push Bombing (MFA Fatigue): In parallel, attackers deploy malware disguised as emotionally manipulative content (e.g., videos or images related to the Pahalgam attack). Once downloaded, the malware starts a push bombing attack, repeatedly sending MFA requests to the victim’s device until the victim approves one out of fatigue, bypassing MFA security.
  3. Execution and Infection:
    • Malware Execution: Upon interacting with the phishing email or malicious file, the victim unknowingly downloads malware like Crimson RAT, which silently installs on their system. This remote access trojan allows attackers to execute commands, monitor system activity, and exfiltrate data.
    • MFA Fatigue Attack: For the push bombing tactic, the malware exploits the victim’s tendency to approve repeated login requests, bypassing the second layer of security (MFA). The attackers already have access to the victim’s credentials from previous data breaches, enabling them to take full control of their accounts.
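The fake-domain lure above works because the trusted name (“jkpolice.gov.in”) is only a subdomain prefix of an attacker-controlled registrable domain (“kashmirattack.exposed”). The following is an added example, not code from the advisory or from APT36 tooling, of a defender-side URL triage check that strips the defanging brackets used above, computes the registrable domain against a tiny stand-in for the public suffix list (an assumption; a real deployment would use the full list), and flags hosts where a trusted domain appears as a leading subdomain of an untrusted one. The trusted-domain set and suffix set are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed for this example: domains the organisation treats as legitimate.
TRUSTED_DOMAINS = {"jkpolice.gov.in"}

# Tiny stand-in for the public suffix list (assumption). Longest suffix wins.
PUBLIC_SUFFIXES = {"in", "gov.in", "com", "exposed"}


def refang(text):
    """Undo common defanging so a pasted IoC can be parsed ('hxxp', '[.]')."""
    return text.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def registrable_domain(host):
    """Return the registrable (effective second-level) domain of a hostname.

    Walks from the full host downwards and returns the label immediately
    before the longest matching public suffix, e.g.
    'jkpolice.gov.in.kashmirattack.exposed' -> 'kashmirattack.exposed'.
    """
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_url(url):
    """Classify a URL as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means a trusted domain is embedded as a subdomain prefix of a
    host whose registrable domain is not trusted, the pattern used by the
    phishing page described in the advisory.
    """
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in (
        "https://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/login",
        "https://jkpolice.gov.in/",
        "https://example.com/",
    ):
        print(f"{classify_url(sample):10s} {sample}")
```

The `registrable_domain` step is the important one: naive string matching would accept the lure because the trusted name is literally present; only after reducing the host to its registrable domain does the mismatch with the allow-list become visible.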

Recommendations:

  1. Implement sophisticated email filtering and anti-phishing solutions to detect malicious attachments or links.
  2. Continuously monitor MFA logs and be aware of suspicious repetitive approval requests that may indicate push bombing.
  3. Disable macros by default on all endpoints, especially for untrusted sources.
  4. Train users to recognize phishing attempts, especially those tied to sensitive geopolitical issues, and provide education on the dangers of interacting with emotionally charged content.
  5. Develop and regularly update incident response plans to handle both phishing attacks and MFA bypass incidents.
  6. Block the IOCs at their respective controls. https://www.virustotal.com/gui/collection/b43febc2a497e755664c5ad8d66c83b53d5607512200823b554e2722922a5f55/iocs
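Recommendation 2 (monitor MFA logs for repetitive approval requests) and the push bombing description in the threat overview both reduce to the same two signals: a burst of push challenges to one user in a short window, and an approval that follows several denials. The block below is an added example, not code from the advisory or from any MFA vendor, that runs that detection logic over constructed MFA log lines in a hypothetical format (ISO timestamp, user, event, source IP). The window, threshold values and log format are assumptions; map them onto your identity provider's real export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log lines in a hypothetical format:
# "<ISO timestamp> <user> <event> <source IP>". Not real telemetry.
SAMPLE_LOG = """\
2025-05-02T09:00:01Z alice push_sent 203.0.113.7
2025-05-02T09:00:03Z alice push_denied 203.0.113.7
2025-05-02T09:00:20Z alice push_sent 203.0.113.7
2025-05-02T09:00:25Z alice push_denied 203.0.113.7
2025-05-02T09:00:41Z alice push_sent 203.0.113.7
2025-05-02T09:01:02Z alice push_sent 203.0.113.7
2025-05-02T09:01:15Z alice push_sent 203.0.113.7
2025-05-02T09:01:30Z alice push_approved 203.0.113.7
2025-05-02T09:05:00Z bob push_sent 198.51.100.4
2025-05-02T09:05:10Z bob push_approved 198.51.100.4
2025-05-02T10:00:00Z carol push_sent 203.0.113.9
2025-05-02T10:00:30Z carol push_denied 203.0.113.9
2025-05-02T10:20:00Z carol push_sent 203.0.113.9
2025-05-02T10:20:10Z carol push_approved 203.0.113.9
"""


def parse_log(log_text):
    """Yield (timestamp, user, event, ip) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]


def detect_push_bombing(log_text, window=timedelta(minutes=5),
                        max_pushes=3, max_denials=2):
    """Return alerts for push bombing patterns found in the log.

    Rule 'push_burst': at least max_pushes push challenges to one user
    inside a sliding window (alert fires once, when the threshold is hit).
    Rule 'approval_after_denials': an approval that follows at least
    max_denials denials since the user's previous approval, the fatigue
    signature where the victim finally accepts a prompt they kept rejecting.
    """
    recent_pushes = defaultdict(deque)   # user -> timestamps inside window
    denials = defaultdict(int)           # user -> denials since last approval
    alerts = []
    for ts, user, event, ip in parse_log(log_text):
        if event == "push_sent":
            q = recent_pushes[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == max_pushes:
                alerts.append({"rule": "push_burst", "user": user, "ip": ip,
                               "count": len(q), "ts": ts})
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if denials[user] >= max_denials:
                alerts.append({"rule": "approval_after_denials", "user": user,
                               "ip": ip, "denials": denials[user], "ts": ts})
            # An approval ends the episode; reset per-user state.
            denials[user] = 0
            recent_pushes[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

With the sample data only alice trips both rules (five pushes in under two minutes, then an approval after two denials); bob is a normal single-prompt login and carol's two prompts are twenty minutes apart, so neither produces an alert. The `approval_after_denials` rule is the higher-value one: a burst alone may be a flaky app, but an approval that follows repeated rejections from the same source is the moment to treat the session as compromised and revoke it.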

Source:

  • https://www.newindianexpress.com/cities/bengaluru/2025/May/04/beware-of-pahalgam-push-bombing-warn-bengaluru-cyber-police
  • https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/


Ampcus Cyber