Introduction
APT36 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], also known as Transparent Tribe or Mythic Leopard [5], is a Pakistan-linked advanced persistent threat group active since at least 2013. This group primarily targets Indian military personnel, government defense sectors [7], research institutions, diplomats [2] [10], and critical infrastructure [5] [10]. In early 2025 [3] [6], India experienced significant cyberattacks attributed to APT36 [6], including a coordinated strike on the national power grid, resulting in widespread electricity blackouts in major cities [6].
Description
APT36 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], also known as Transparent Tribe or Mythic Leopard [5], is a Pakistan-linked advanced persistent threat group that has been active since at least 2013. This cyber espionage group primarily targets Indian military personnel, government defense sectors [7], research institutions, diplomats [2] [10], and critical infrastructure [5] [10]. In early 2025 [3] [6], India faced a series of significant cyberattacks attributed to APT36, including a coordinated strike on the national power grid that resulted in widespread electricity blackouts in major cities such as Delhi, Mumbai [6], and Chandigarh [4] [6]. This attack involved the remote shutdown of multiple substations through malware implanted months prior [6], disrupting essential services in hospitals, airports [6] [9], and metro systems [6], and forcing military bases to switch to emergency power due to breaches in data lines [6].
Following the April 22, 2025, Pahalgam terror attack in Indian-administered Kashmir [11], APT36 launched a sophisticated phishing campaign aimed at infiltrating Indian defense networks. The campaign exploits an emotionally charged event to create trust and urgency among recipients, pairing topical lures with social engineering tactics. Phishing emails appear to originate from credible sources [3], such as government officials [3], and often contain malicious attachments disguised as official documents [3].
The phishing emails use two primary delivery methods: PowerPoint files and PDF documents. PowerPoint add-in files (.ppam format) masquerade as reports [3], such as “Report & Update Regarding Pahalgam Terror Attack.ppam,” and contain malicious macros that, when activated, trigger the download of Crimson RAT, a .NET-based Remote Access Trojan [1] [3] [8]. Similarly, PDFs [1] [3] [8] [9] [11], such as “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf,” created under the alias “Kalu Badshah,” include embedded URLs redirecting users to fake login pages on spoofed domains [3], such as jkpolice.gov.in.kashmirattack.exposed [3], designed to steal user credentials [2] [3]. These documents cover various topics [2], including internal defense meetings and diplomatic agendas [2], demonstrating APT36’s adaptability to current affairs [2].
APT36 has advanced in both scope and sophistication [4], frequently updating its malware arsenal and employing a range of custom-made tools, including Crimson RAT and CapraRAT [4]. Crimson RAT is designed to take control of infected systems, enabling file theft [7], screen recording [4] [7], and long-term access to compromised systems [3] [7] [8]. Once installed, it connects to a command-and-control server, allowing remote attackers to capture screenshots [5], access files [9], execute commands, and maintain persistent access [1] [8] [9]. The malware payload is deliberately disguised: the malicious macros in the PowerPoint file download Crimson RAT [3], which is presented as an image file (e.g. WEISTT.jpg) to evade detection [3]. Once executed, this image file launches an executable (jnmxrvt hcsm.exe) [3], which is the actual Crimson RAT payload [3], allowing the malware to infiltrate the victim’s system [3].
In addition to its phishing campaigns, APT36 has been linked to intrusion attempts on Indian military satellites, with cybersecurity agencies identifying efforts to breach satellite communication ground stations. The group has established a network of spoofed domains [3], including iaf.nic.in.ministryofdefenceindia.org and email.gov.in.departmentofdefence.de [3], created as early as April 16, 2025 [3], to facilitate credential phishing and malware delivery [3]. APT36 has also been observed deploying ElizaRAT [5], a custom implant [5], in targeted attacks against high-profile entities in India [5]. Furthermore, the group has utilized Android malware [7], such as CapraRAT [5] [7], delivered through fake dating and chat applications to compromise the mobile devices of military personnel and activists [5] [7]. Notable campaigns have included spear-phishing attempts against Indian Army officials [4], where malware was embedded in defense-related documents [4], compromising secure email communications [4]. The group has also attempted infiltration of Indian research organizations and power grid companies [4], indicating a shift from surveillance to potential sabotage [4].
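The three lure traits described above (hostnames that embed a legitimate Indian government domain as a prefix, the .ppam delivery file, and an "image" that is really a Windows executable) can each be checked mechanically. The following detection helpers are an added example, not code from any cited source; the proxy log lines are constructed, and the two-label suffix check for gov.in and nic.in is an assumption that stands in for a full public-suffix list.

```python
"""Detection helpers for the APT36 lure traits in the text above (added example).
Sample log lines are constructed for illustration, not real telemetry."""
import re
from urllib.parse import urlsplit

PROTECTED_DOMAINS = ("gov.in", "nic.in")   # suffixes the spoofed hosts imitate
RISKY_EXTENSIONS = (".ppam",)               # macro-enabled PowerPoint add-in
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")
URL_RE = re.compile(r"url=(\S+)")

def is_lookalike(host: str) -> bool:
    """True when a protected domain occurs inside the host but is not its real
    suffix, e.g. jkpolice.gov.in.kashmirattack.exposed is registered under
    kashmirattack.exposed, not gov.in."""
    host = host.lower().rstrip(".")
    for d in PROTECTED_DOMAINS:
        if host == d or host.endswith("." + d):
            return False                     # genuinely under the protected domain
        if f".{d}." in f".{host}.":
            return True                      # protected labels embedded mid-host
    return False

def flag_lookalike_hosts(log_lines):
    """Scan the 'url=' field of proxy log lines and return impersonating hosts."""
    hits = []
    for line in log_lines:
        m = URL_RE.search(line)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and is_lookalike(host):
            hits.append(host)
    return hits

def risky_attachment(filename: str) -> bool:
    """Flag attachment names using the campaign's macro-enabled add-in format."""
    return filename.lower().endswith(RISKY_EXTENSIONS)

def disguised_executable(filename: str, head: bytes) -> bool:
    """An 'image' whose first bytes are the MZ header of a Windows executable,
    the trick used to deliver the Crimson RAT stage as WEISTT.jpg."""
    return filename.lower().endswith(IMAGE_EXTENSIONS) and head[:2] == b"MZ"

# Constructed sample log lines; the hostnames are the ones named in the text.
SAMPLE_PROXY_LOG = [
    "2025-04-24T10:02:11Z user=u1 url=https://jkpolice.gov.in.kashmirattack.exposed/login",
    "2025-04-24T10:03:40Z user=u2 url=https://www.nic.in/",
    "2025-04-24T10:05:02Z user=u3 url=https://email.gov.in.departmentofdefence.de/owa",
    "2025-04-24T10:06:13Z user=u4 url=https://iaf.nic.in.ministryofdefenceindia.org/",
]
```

Running `flag_lookalike_hosts(SAMPLE_PROXY_LOG)` returns the three impersonating hosts and leaves the genuine www.nic.in request alone; the other two helpers are meant to run on mail-gateway attachment names and on the first bytes of downloaded files.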
To mitigate risks [10], individuals are advised to avoid clicking on unknown links or downloading files from untrusted sources [10], particularly APK files [10], which may contain malware [10]. The stealth and persistence of Crimson RAT, particularly in targeting defense networks [11], classify it as a high-risk espionage tool [11]. The malware discreetly collects sensitive data [11], such as screenshots and system information [11], and transmits it back to the command server for analysis by the attackers [11], minimizing the risk of detection by security software [11]. The Indian Computer Emergency Response Team (CERT-In) has recommended safety measures for organizations [10], including 24/7 network monitoring [10], enforcing two-factor authentication [10], keeping systems updated [10], training employees to recognize phishing attempts [10], maintaining offline data backups [10], and adopting a zero-trust security model [10]. Organizations are urged to report any unusual activity or potential breaches and to check for Indicators of Compromise (IOCs) [10]. APT36 is considered highly dangerous due to its persistent and stealthy operations [5], quickly adapting its tactics and reusing infrastructure to avoid detection [5].
Conclusion
APT36 poses a significant threat to Indian national security through its sophisticated cyber espionage activities. The group’s ability to adapt and employ advanced tactics, such as phishing campaigns and malware deployment [4], underscores the need for robust cybersecurity measures. Organizations must remain vigilant, implementing recommended safety protocols to mitigate risks. The ongoing threat from APT36 highlights the importance of continuous monitoring and adaptation to evolving cyber threats, ensuring the protection of critical infrastructure and sensitive information.
References
[1] https://cioaxis.com/industry/india-pakistan-cyber-conflict-cloudsek-exposes-the-truth-behind-hacktivist-hype
[2] https://advisory.eventussecurity.com/advisory/pahalgam-themed-phishing-lures-target-indian-state-agencies/
[3] https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
[4] https://the420.in/stealth-spies-and-spyware-pakistans-apt36-back-in-indian-cyberspace/
[5] https://www.livemint.com/technology/pakistanlinked-hackers-cyberattacks-data-breaches-disinformation-campaigns-cyber-threats-india-digital-infrastructure-11747030409728.html
[6] https://tntechup.com/how-to-protect-yourself-from-cyberattacks-in-2025/
[7] https://www.dailyexpertnews.com/technology/mint-armor-the-truth-behind-pakistan-linked-cyber-attacks-on-india/
[8] https://digitalterminal.in/tech-companies/cloudsek-report-debunks-cyberattack-claims-in-india-pakistan-hacktivist-surge
[9] https://www.ndtvprofit.com/technology/india-pakistan-conflict-bold-claims-of-cyberattacks-but-overstated-impact-says-cloudsek
[10] https://indianexpress.com/article/cities/chandigarh/as-pakistani-hacker-group-apt36-targets-indian-systems-chandigarh-police-issue-advisory-9993652/
[11] https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/