
APT36: A PHISHING CAMPAIGN TARGETING INDIAN GOVERNMENT ENTITIES

Published On : 2025-08-03

EXECUTIVE SUMMARY

A sophisticated phishing campaign, possibly attributable to the Pakistan-linked group APT36 (Transparent Tribe), is targeting Indian defense organizations and related government entities using spoofed domains. These typo-squatted domains mimic official government platforms to steal credentials, and infrastructure analysis reveals connections to Pakistani IP addresses and possible staging via Zah Computers. The campaign demonstrates advanced social engineering, real-time one-time password (OTP) harvesting and coordinated domain usage, and potentially poses a significant threat to national security.

PHISHING ANALYSIS

A malicious URL has been identified which, when accessed, redirects the user to a counterfeit webpage designed to closely mimic the official Indian government portal, replicating key visual elements such as the official logo, page layout, and title to create a convincing appearance of legitimacy and deceive users into believing they are interacting with a genuine government platform.

Characteristics
Upon entering a valid email ID in the initial phishing page and clicking the “Next” button, the victim is redirected to a second page that prompts the user to input their email account password and the Kavach authentication code.

This phishing campaign employs advanced social engineering techniques by incorporating legitimate government cybersecurity reporting email addresses to enhance credibility and reduce suspicion. The attackers request both the victim’s password and a time-sensitive Kavach-generated OTP, aiming to bypass multi-factor authentication (MFA) and gain real-time access to official email accounts.

By referencing trusted authorities and secure communication flows, the threat actors create a false sense of legitimacy. The real-time harvesting of credentials and OTPs demonstrates a sophisticated effort to compromise MFA-protected accounts, and, if successful, could result in unauthorized access to sensitive systems, exposure of classified data, and broader threats to national security infrastructure.

KAVACH AUTHENTICATION OVERVIEW

Kavach is a MFA application developed by the National Informatics Centre (NIC) to enhance the security of government email services in India, generating time-based OTPs that function alongside the user’s password to authenticate official email accounts.

During the inspection of the phishing web page, it was observed that the domain is configured to establish an outbound connection to a remote server with the IP address 37.221.64[.]202 over port 443 (HTTPS), indicating active communication with an external command and control (C2) server. The phishing site is designed to capture sensitive user inputs—including email IDs, passwords, and Kavach OTPs—and transmit this information securely to the remote server, enabling the attacker to harvest credentials in real time while evading basic detection mechanisms using encrypted traffic.

An investigation into the domain reveals, with high confidence, that it is being used for phishing and other malicious activities. The domain appears to have been specifically registered to target the government entities through spoofing and credential harvesting campaigns. It exhibits multiple indicators of impersonation and deceptive behavior, consistent with tactics commonly employed in targeted phishing operations.

DOMAIN DETAILS

The domain was registered on June 16, 2025, with an expiration date set one year later, indicating recent creation and potential use for short-term malicious activity. It is resolved to the IP address 99[.]83[.]175[.]80, which is hosted by TLD Registrar Solutions Ltd.

Spoofing and Impersonation Indicators:
This domain mimicry technique, often referred to as typosquatting, is commonly used by threat actors to exploit user trust by spoofing well-known brands, particularly foundations, government bodies and NGOs.

Suspicious Infrastructure Analysis:
During technical analysis, the following IP address was associated with the domain:

IP Address      ASN       ISP         Country   Notes
99.83.175.80    AS16509   AMAZON-02   US        Flagged as phishing

The IP is hosted within Amazon’s cloud infrastructure (AS16509), a common choice for both legitimate and malicious services. However, in this case:

  • The IP is flagged in threat intelligence feeds for phishing behavior.
  • Associated hostnames and behavioral patterns suggest involvement in typosquatting campaigns, likely as a staging ground for phishing or credential harvesting.

Further analysis revealed three subdomains associated with Indian Government entities.

Source: Open Source

Subsequent analysis has identified additional phishing campaign URLs that follow a similar pattern, including domain names crafted to resemble official Indian government-related entities. These domains exhibit consistent characteristics in structure, naming conventions, and visual design, all intended to deceive users by mimicking legitimate government platforms.

Notably, these domains were registered within the same time frame, indicating a coordinated and premeditated effort by the threat actors. The uniformity across these domains, coupled with their use in similar credential harvesting schemes, suggests they are part of a broader, organized phishing campaign specifically targeting government infrastructure.

This coordinated approach reinforces the severity of the threat, highlighting the attackers’ strategic intent and potential access to resources enabling simultaneous domain registration and deployment.
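The naming pattern described above (government-looking labels registered outside the official namespace, all within a short window) is something a defender can triage automatically from new-domain feeds or certificate-transparency logs. The following is an added example, not code from the report or from Cyfirma; the protected tokens, the official suffixes, the watched hostnames (email.gov.in and eoffice.gov.in are used only as assumed examples of legitimate portals) and the 90-day "recent registration" threshold are all assumptions for illustration. The registration dates fed in are the ones the report lists for the two domains.

```python
"""Triage newly observed domains for government-impersonation patterns.

Added example (not from the report): scores a domain on three heuristics the
report's analysis relies on: a protected brand token outside the official
namespace, a small edit distance to a watched hostname, and a recent
registration date. Watchlist, tokens and thresholds are assumptions.
"""
from datetime import date
from typing import Optional

OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")             # assumed official namespace
PROTECTED_TOKENS = ("gov", "nic", "eoffice", "kavach")  # assumed brand tokens
WATCHLIST = ("email.gov.in", "eoffice.gov.in")         # assumed legitimate hosts
NEW_DOMAIN_DAYS = 90                                   # assumed "recent" threshold


def is_official(host: str) -> bool:
    """True when the host sits inside the official (registry-controlled) namespace."""
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in OFFICIAL_SUFFIXES)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host: str, registered: Optional[date] = None,
           as_of: date = date(2025, 8, 3)) -> list:
    """Return the list of reasons a domain looks like an impersonation attempt.

    as_of defaults to the report's publication date so ages are reproducible.
    """
    host = host.lower().rstrip(".")
    reasons = []
    if is_official(host):
        return reasons  # attackers cannot register here; nothing to flag
    for token in PROTECTED_TOKENS:
        if token in host:
            reasons.append(f"protected token '{token}' outside official namespace")
    for legit in WATCHLIST:
        distance = levenshtein(host, legit)
        if distance <= 2:
            reasons.append(f"edit distance {distance} from watched host {legit}")
    if registered is not None:
        age = (as_of - registered).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days before observation")
    return reasons


if __name__ == "__main__":
    # Registration dates as given in the report's domain table.
    for host, registered in (("mgovcloud.in", date(2024, 3, 18)),
                             ("virtualeoffice.cloud", date(2025, 5, 19)),
                             ("email.gov.in", None)):
        print(host, "->", assess(host, registered) or ["no findings"])
```

The substring token check is deliberately coarse (a word such as "governance" also matches "gov"), so it is a triage signal to be combined with the age and edit-distance reasons rather than a blocking decision on its own.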

URL                              Domain                   Registration Detail
https://mail[.]mgovcloud[.]in    mgovcloud[.]in           18-03-2024 (updated on 29-05-2025)
Virtualeoffice[.]cloud           Virtualeoffice[.]cloud   19-05-2025

The primary domain was registered on July 14, 2025, with an expiration date of June 16, 2026, indicating recent creation and potential use for short-term malicious activity. It resolves to the IP addresses 172[.]67[.]202[.]22 and 104[.]21[.]76[.]236, both hosted by TLD Registrar Solutions Ltd.

The primary domain was registered on March 18, 2024, and is set to expire on March 18, 2026. This relatively recent registration suggests potential use for short-term malicious activity. The domain currently resolves to the IP address 169[.]148[.]144[.]250, which is hosted by MarkMonitor Inc.

The subdomain resolves to the IP address 37[.]221[.]64[.]202, which has been flagged in multiple threat intelligence feeds for phishing-related activity. The associated hostnames and observed network behaviour indicate that this subdomain is likely part of a broader typosquatting campaign, designed to impersonate legitimate government services. Its infrastructure suggests possible use in phishing attacks, credential harvesting, or malware distribution, posing a significant risk to unsuspecting users who may be tricked by its deceptive structure.

An investigation into the domain revealed a notable connection to Pakistani infrastructure: an associated subdomain was observed hosting content from Zah Computers, a Pakistani IT services firm, which suggests either the use of shared or compromised infrastructure to host malicious content, or potential direct involvement by actors operating from Pakistan.

Furthermore, APT36 is a Pakistan-aligned threat group – known for deploying phishing infrastructure that impersonates Indian government entities – and the tactics observed here (including typosquatted domains and spoofed portals) are consistent with their known behavior.

The presence of Zah Computers’ web content within this malicious infrastructure raises two possibilities: either APT36 is leveraging Pakistani-hosted services for staging phishing assets, or Zah Computers has been compromised and used to lend legitimacy to malicious traffic. In both scenarios, the evidence strongly supports the attribution of this operation to APT36, reflecting their continued use of deceptive, infrastructure-based targeting of Indian government entities.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)

This phishing campaign is assessed with medium confidence to be the work of APT36 – also known as Mythic Leopard or Transparent Tribe – which is a Pakistan-linked advanced persistent threat group known for targeting Indian government entities and critical infrastructure through sophisticated credential harvesting and social engineering tactics. The use of typo-squatted domains combined with infrastructure hosted on Pakistan-based servers (and IP addresses previously flagged in threat intelligence feeds) is consistent with the group’s established tactics, techniques, and procedures. The deployment of spoofed government login portals to capture sensitive credentials further reinforces attribution to APT36.

THREAT ACTOR PROFILE

Transparent Tribe / APT36 is believed to be a state-sponsored Pakistani threat actor that specifically targets military, embassy and government entities. Active since 2016, the group carries out cyber-espionage operations with the goal of collecting sensitive information from foreign countries that serves Pakistan's military and diplomatic interests. Its modus operandi relies on phishing and watering-hole attacks to gain an initial foothold on victims, with the phishing email carrying either a malicious macro-enabled document or an RTF file that exploits a vulnerability.

  • Attack Type: Spear-Phishing, Malware Implant, Exploitation of Vulnerabilities, Click Fix Technique, Watering-hole Attacks.
  • Objective: Espionage, Information Theft.
  • Target Technology: Office Suites Software, Operating System, Web Application.
  • Target Geography: Afghanistan, Australia, Austria, Azerbaijan, Belgium, Botswana, Bulgaria, Canada, China, Czech Republic, Germany, India, Iran, Japan, Kazakhstan, Kenya, Malaysia, Mongolia, Nepal, Netherlands, Oman, Pakistan, Romania, Saudi Arabia, Spain, Sweden, Thailand, Turkey, UAE, UK, USA.
  • Target Industries: Aerospace & Defense, Capital Goods, Diplomats, Education, Embassies, Government, Military, Rail & Road, Transportation.
  • Business Impact: Data Theft, Operational Disruption, Reputational Damage.
MITRE FRAMEWORK

Tactic                 ID          Technique
Reconnaissance         T1598       Phishing for Information
Resource Development   T1583.001   Acquire Infrastructure: Domains
Initial Access         T1566.001   Phishing: Spearphishing Attachment
Execution              T1204.001   User Execution: Malicious Link
Execution              T1059.005   Command and Scripting Interpreter: Visual Basic
Persistence            T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Discovery              T1033       System Owner/User Discovery
Discovery              T1057       Process Discovery
Discovery              T1082       System Information Discovery
Discovery              T1083       File and Directory Discovery
Collection             T1005       Data from Local System
Collection             T1113       Screen Capture
Exfiltration           T1041       Exfiltration Over C2 Channel

YARA RULE

rule APT36_Phishing_Indicators
{
    meta:
        author = "Cyfirma Research"
        description = "Detects IOCs related to APT36 phishing infrastructure"
        threat_actor = "APT36 (Transparent Tribe)"
        last_updated = "2025-07-30"

    strings:
        // IP addresses
        $ip1 = "99.83.175.80"
        $ip2 = "37.221.64.202"
        $ip3 = "104.21.76.236"
        $ip4 = "172.67.202.22"

        // Domains and subdomains
        $domain1 = "mgovcloud.in"
        $domain2 = "virtualeoffice.cloud"

    condition:
        any of ($ip*) or any of ($domain*)
}

CONCLUSION

The phishing campaign possibly linked to APT36 underscores the persistent threat posed by state-sponsored actors targeting Indian government entities. By leveraging social engineering and spoofed infrastructure, the attackers aim to bypass authentication and compromise sensitive systems. Mitigating such threats requires a coordinated approach combining strategic domain control, robust operational defenses, and strong cybersecurity governance to safeguard national assets and ensure the resilience of critical government infrastructure against advanced phishing attacks.

RECOMMENDATIONS

Strategic Recommendations

  • Strengthen National Domain Policies: Enforce stricter domain registration and takedown policies for domains spoofing government entities. Collaborate with international domain registrars to swiftly identify and neutralize typo-squatted and impersonation domains.
  • Promote Cybersecurity Awareness at National Level: Launch targeted cybersecurity awareness campaigns for the government entities on identifying phishing attacks and reporting procedures.

Operational Recommendations

  • Enforce Multi-Layered Email Filtering: Deploy advanced anti-phishing email gateways and sandboxing tools to detect malicious links, attachments, and domain-based spoofing.
  • Real-Time Kavach OTP Abuse Detection: Integrate behavior analytics into Kavach MFA systems to flag anomalous login attempts and possible OTP harvesting in real time.
  • Network Defense Hardening: Use DNS filtering, TLS decryption, and threat intelligence feeds to block outbound connections to known C2 infrastructure (e.g., 37.221.64[.]202).
  • Red Team Exercises & Phishing Simulations: Conduct frequent red team assessments and phishing simulation drills specifically tailored for government users.
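One concrete form of the "Real-Time Kavach OTP Abuse Detection" recommendation is a rule over authentication events: a harvested OTP is replayed from the attacker's infrastructure, so the resulting MFA success arrives from a network the account has never used, and if the code expired between harvesting and replay the same source tends to show a few MFA failures immediately beforehand. The following is an added example and not code from the report, from Cyfirma or from NIC; the report describes no Kavach event format, so the event schema (user, ts, src, asn, country, mfa), the five-minute failure window and the sample events (documentation-range IP addresses and private-use ASNs) are constructed assumptions.

```python
"""Flag MFA logins that fit a real-time OTP relay pattern.

Added example, not from the report: builds a per-account baseline of
networks seen in past MFA successes, then alerts on successes from an
unfamiliar network, adding a second reason when the same source produced
MFA failures shortly before. Event schema and samples are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=5)   # assumed: on the scale of an OTP lifetime


def build_baseline(history: list) -> dict:
    """Networks (asn, country) from which each user has completed MFA before."""
    baseline = defaultdict(set)
    for ev in history:
        if ev["mfa"] == "success":
            baseline[ev["user"]].add((ev["asn"], ev["country"]))
    return baseline


def detect_relay(events: list, baseline: dict) -> list:
    """Return alerts for MFA successes from networks never seen for the account."""
    alerts = []
    recent_failures = defaultdict(list)            # (user, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["mfa"] == "failure":
            recent_failures[key].append(ev["ts"])
            continue
        if (ev["asn"], ev["country"]) in baseline.get(ev["user"], set()):
            continue                                # familiar network: no alert
        reasons = ["MFA success from a network never seen for this account"]
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= FAIL_WINDOW]
        if fails:
            minutes = FAIL_WINDOW.seconds // 60
            reasons.append(f"{len(fails)} MFA failure(s) from same source in prior {minutes} min")
        alerts.append({"user": ev["user"], "ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return alerts


def _ev(user, ts, src, asn, country, mfa):
    """Build one constructed login event in the assumed schema."""
    return {"user": user, "ts": datetime.fromisoformat(ts), "src": src,
            "asn": asn, "country": country, "mfa": mfa}


# Constructed history and live events (not real telemetry).
HISTORY = [
    _ev("a.sharma", "2025-07-28T09:00:00", "198.51.100.10", "AS64500", "IN", "success"),
    _ev("a.sharma", "2025-07-29T09:05:00", "198.51.100.10", "AS64500", "IN", "success"),
    _ev("r.verma", "2025-07-29T10:00:00", "198.51.100.20", "AS64500", "IN", "success"),
]
EVENTS = [
    _ev("a.sharma", "2025-08-01T09:12:10", "203.0.113.45", "AS64496", "PK", "failure"),
    _ev("a.sharma", "2025-08-01T09:12:40", "203.0.113.45", "AS64496", "PK", "success"),
    _ev("r.verma", "2025-08-01T09:20:00", "198.51.100.20", "AS64500", "IN", "success"),
]

if __name__ == "__main__":
    for alert in detect_relay(EVENTS, build_baseline(HISTORY)):
        print(alert["user"], alert["src"], "; ".join(alert["reasons"]))
```

The baseline should be rebuilt on a rolling window in production so that a genuinely new office network ages into the familiar set; the alert is a trigger for step-up verification or session revocation, not an automatic lockout.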

Management Recommendations

  • Policy Enforcement and Cyber Hygiene: Mandate strong password policies, MFA for all users, regular account audits, and strict enforcement of least privilege access models.
  • Incident Response Readiness: Review and update incident response plans with defined roles, escalation paths, and exercises focused on phishing and credential compromise scenarios.
  • Training and Capacity Building: Provide mandatory cybersecurity training modules for all government entities, with focused content on APT phishing tactics.
  • Reporting & Metrics: Establish KPIs for phishing detection, incident response time, and employee reporting rate to evaluate the effectiveness of awareness and security controls.

LIST OF IOCs

Sl. No.   Indicator of Compromise   Recommendation
1         99[.]83[.]175[.]80        Block
2         37[.]221[.]64[.]202       Block
3         104[.]21[.]76[.]236       Block
4         172[.]67[.]202[.]22       Block
5         mgovcloud[.]in            Block
6         Virtualeoffice[.]cloud    Block
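The IOC table above, together with the outbound HTTPS connection to 37.221.64[.]202 noted in the phishing analysis and the recommendation to block known C2 infrastructure, is most useful once it is matched against telemetry. The following is an added example and not code from the report or from Cyfirma: it re-fangs the indicators exactly as listed, pulls host and IP tokens out of free-form proxy and DNS log lines, and reports every match, including subdomains such as mail.mgovcloud.in. The log lines and their field layout are constructed for this example and do not reflect any particular product's format.

```python
"""Scan proxy/DNS log lines for the indicators listed in this report.

Added example, not part of the report: re-fangs the IOC table, extracts
host and IP tokens from log lines and reports exact or subdomain matches.
The sample log lines are constructed; the field layout is an assumption.
"""
import re

# Indicators copied from the report's IOC table, in their defanged form.
DEFANGED_IOCS = [
    "99[.]83[.]175[.]80",
    "37[.]221[.]64[.]202",
    "104[.]21[.]76[.]236",
    "172[.]67[.]202[.]22",
    "mgovcloud[.]in",
    "Virtualeoffice[.]cloud",
]

# Hostnames and dotted IPs inside a lower-cased line; stops at ':', '/', '=' and spaces.
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.\-]*[a-z0-9]")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable value."""
    return indicator.replace("[.]", ".").strip().lower()


IOCS = sorted(refang(i) for i in DEFANGED_IOCS)


def ioc_hits(line: str) -> list:
    """Return the IOCs present in one log line (exact host/IP or a subdomain of it)."""
    hits = set()
    for token in TOKEN_RE.findall(line.lower()):
        for ioc in IOCS:
            if token == ioc or token.endswith("." + ioc):
                hits.add(ioc)
    return sorted(hits)


def scan(lines: list) -> list:
    """Produce one alert per (line, IOC) pair; the action mirrors the report's table."""
    alerts = []
    for number, line in enumerate(lines, 1):
        for ioc in ioc_hits(line):
            alerts.append({"line": number, "ioc": ioc, "action": "block"})
    return alerts


# Constructed sample telemetry (not real logs): two DNS lookups and two proxied requests.
SAMPLE_LOGS = [
    "2025-08-01T09:12:03Z dns client=10.0.5.17 qname=mail.mgovcloud.in qtype=A",
    "2025-08-01T09:12:04Z proxy client=10.0.5.17 dst=37.221.64.202:443 method=CONNECT bytes=1842",
    "2025-08-01T09:13:10Z dns client=10.0.5.22 qname=email.gov.in qtype=A",
    "2025-08-01T09:14:41Z proxy client=10.0.5.31 dst=https://virtualeoffice.cloud/login method=GET bytes=220",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"line {alert['line']}: {alert['ioc']} -> {alert['action']}")
```

Matching on the token rather than the raw line avoids false positives from partial overlaps (an address such as 99.83.175.801 would not match), and the subdomain rule means a future host under a listed domain is caught without editing the list.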