EXECUTIVE SUMMARY:
This advisory highlights a surge in cyber operations originating from Pakistan, driven by both state-linked actors and independent hacktivist groups. These actors, motivated by ideological and nationalistic agendas, have intensified campaigns primarily against Indian governmental and defense institutions. Groups such as Team Insane PK, Gano Hack Team, Pakistan Cyber Army, and T3RRY have been responsible for multiple disruptive incidents. Their objectives are often centered on spreading propaganda, causing reputational damage, and inciting psychological distress rather than conducting long-term espionage. More sophisticated actors such as APT36, also known as Transparent Tribe, exhibit advanced capabilities and persistent efforts aligned with cyber-espionage objectives. APT36 remains active and targets Indian military and government personnel, diplomatic entities, and organizations in Afghanistan and the Middle East. It typically deploys custom malware such as Crimson RAT, CapraRAT, and Poseidon RAT for surveillance, credential theft, and data exfiltration.
APT36 typically begins its operations with spear-phishing emails carrying compressed archives with misleading filenames, often themed around military or governmental matters. Inside these archives are Windows shortcut (.lnk) files disguised as legitimate documents; when opened, they run scripts that download and install malware from attacker-controlled servers. The payloads include Poseidon RAT, which grants remote access and control, and Crimson RAT, which supports keylogging, screenshot capture, and system reconnaissance. In one campaign, decoy documents referencing the Pahalgam terror attack were used to lure targets, while credential-harvesting URLs imitated government websites. In parallel, Team Insane PK launched phishing attacks against the judiciary and academic sectors by embedding links in fake course feedback forms or resource pages. Their payloads acted as information stealers, extracting full names, phone numbers, court IDs, addresses, and official statements from compromised systems; the data was later published in public leaks to amplify the impact.
Organizations managing sensitive information, particularly in the government and defense sectors, are urged to adopt stronger cybersecurity measures against these evolving threats. Recommendations include isolating affected systems, blocking known malicious IPs and domains, enforcing mandatory password resets, and enabling multi-factor authentication. Execution of unverified macro-enabled files, add-ins, and shortcut files arriving inside email archives should be blocked via policy restrictions. Continuous monitoring with Endpoint Detection and Response (EDR) tooling is vital to detect behaviors such as unauthorized screen captures, registry modifications, and suspicious file activity. Teams should actively search logs for known file names, malware indicators, and domain patterns resembling official government sites. Employee awareness is equally important: staff should be trained to recognize social engineering that leverages current events or impersonates official communications. Additional defenses such as secure email gateways, sandboxing, and behavioral analytics can help identify and contain attacks early. Integrating all known indicators of compromise into security tooling for ongoing detection and response is essential. With persistent, geopolitically driven campaigns on the rise, a robust and proactive defense strategy is crucial to mitigate damage and protect national security infrastructure.
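As an added example, not part of the original advisory, the Python script below turns two of the points above into hunting checks: it inspects an email archive for shortcut files posing as documents (the delivery mechanism described for APT36) and scans proxy log lines for hostnames that borrow government-style labels without sitting under an official .gov.in or .nic.in suffix. The archive contents and log lines are constructed for the demonstration and are not real indicators; the token list and suffix list are assumptions to be tuned to your own environment.

```python
"""Hunting helpers for lure archives and lookalike government domains.

Added example. All sample data below is constructed; none of it is a real IOC.
"""
import io
import re
import zipfile

# Windows shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Extensions a lure pretends to be, and extensions that execute on double-click.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
EXEC_EXTS = (".lnk", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1")


def suspicious_archive_entries(zip_bytes):
    """Return [(entry_name, reason)] for entries that would execute when opened.

    The header check catches shortcuts regardless of what they are named; the
    extension checks catch double extensions and bare executables.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "shell link header (.lnk payload)"))
                continue
            if lower.endswith(EXEC_EXTS):
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(DOC_EXTS):
                    findings.append((name, "document name with executable extension"))
                else:
                    findings.append((name, "executable type inside mail archive"))
    return findings


# Assumed official suffixes and the labels an impersonator tends to reuse.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")
GOV_TOKENS = {"gov", "govt", "nic", "govin", "nicin"}
URL_RE = re.compile(r"https?://([^/\s:]+)")


def lookalike_government_hosts(log_text):
    """Return hosts whose labels mimic government sites but are not under an
    official suffix. Input is one request per line with a URL somewhere in it."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host.endswith(OFFICIAL_SUFFIXES):
            continue  # genuinely under gov.in / nic.in
        labels = set(re.split(r"[.-]", host))
        if labels & GOV_TOKENS:
            hits.append(host)
    return hits


def build_sample_archive():
    """Constructed lure archive for the demo (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Posting_Order.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # real shortcut
        zf.writestr("Cover_Letter.pdf", b"%PDF-1.7\n")                  # benign decoy
        zf.writestr("Annex.docx.scr", b"MZ")                            # double extension
        zf.writestr("viewer.exe", b"MZ")                                # bare executable
    return buf.getvalue()


# Constructed proxy log lines: one legitimate government host, two lookalikes.
SAMPLE_PROXY_LOG = """\
2025-05-02T09:14:11Z 10.20.1.15 GET https://www.india.gov.in/ 200
2025-05-02T09:15:03Z 10.20.1.15 GET https://email-gov-in.test/login 200
2025-05-02T09:16:40Z 10.20.1.22 GET https://www.nic.in.secure-portal.test/ 302
2025-05-02T09:17:02Z 10.20.1.22 GET https://example.test/feedback-form 200
"""

if __name__ == "__main__":
    for entry, reason in suspicious_archive_entries(build_sample_archive()):
        print(f"archive: {entry}: {reason}")
    for host in lookalike_government_hosts(SAMPLE_PROXY_LOG):
        print(f"proxy: lookalike host {host}")
```

Extend GOV_TOKENS with the ministry and department abbreviations your users actually visit, and feed real archives from the mail gateway and real proxy exports into the two functions; the shell-link header check is the part worth keeping even if you drop the extension heuristics, because it flags a shortcut whatever it is named.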
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1598 | Phishing for Information |
| Initial Access | T1566 | Phishing |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Credential Access | T1003 | OS Credential Dumping |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1082 | System Information Discovery |
| Collection | T1113 | Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Lateral Movement | T1021 | Remote Services |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |