APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

Published on

Published on

Published on

Jul 31, 2025

Jul 31, 2025

Jul 31, 2025

APT36 Targets Indian Infrastructure with Desktop Lures and Poseidon Backdoor
APT36 Targets Indian Infrastructure with Desktop Lures and Poseidon Backdoor
APT36 Targets Indian Infrastructure with Desktop Lures and Poseidon Backdoor
APT36 Targets Indian Infrastructure with Desktop Lures and Poseidon Backdoor

APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

APT36, also known as Transparent Tribe, is a Pakistan-linked threat group that is once again refining its playbook. What began as military-focused campaigns now stretches into broader Indian government and civilian targets, using advanced phishing, novel payload strategies, and persistent backdoors.

This investigation traces two new desktop-based infection chains, exposes redundant command infrastructure, and confirms the use of Mythic-based Poseidon malware in live attacks. Here's what defenders need to know.

Key Takeaways

  • APT36 has expanded its focus to include Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs.

  • They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs.

  • Two attack variants were identified. One uses a single command and control server, while the other includes redundant servers for resiliency.

  • The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.

  • Hunt.io researchers discovered more than 100 phishing domains, many of which impersonated Indian government organizations and were hosted by AlexHost.

The first phishing domains in this campaign were registered in early July 2025, with live infrastructure observed as of mid-July. This suggests ongoing and active targeting.

Initial Discovery and Indicators

The investigation began with technical indicators shared by researcher Sathwik Ram Prakki, who highlighted suspicious files, command-and-control (C2) infrastructure, and phishing domains in a public post.

These initial findings enabled a deeper dive into APT36's evolving infection techniques, specifically, their use of .desktop files as lures.

Attack Variants via .desktop Files

Through analysis of .desktop files, we identified that APT36 uses two separate attack variants, each with its own infrastructure.

This strategy allows them to target different groups while keeping their operations secure and harder to detect.

Figure 1: Initial indicators shared by researcher Sathwik Ram PrakkiFigure 1: Initial indicators shared by researcher Sathwik Ram Prakki

Let's break down each of the two variants to understand how APT36 customizes delivery and infrastructure.

Variant 1: Single C2 Server Setup

Both attack variants rely on .desktop files that look like legitimate PDF documents. These files serve as decoys, appearing harmless to the user but executing scripts in the background that download and run malicious files. The aim is to keep the user distracted with the decoy content while the malicious activity occurs unnoticed.

The group ensures persistence by setting up cron jobs that automatically run the downloaded payloads. These payloads are retrieved from remote IP addresses and stored in directories like ~/.local/share/ and /dev/shm/. The names of the malicious files, such as p7zip-full, tcl-8.7, emacs-bin, and crond-98, are chosen to blend in with legitimate system files.

The first attack variant connects to a command and control server at 209.38.203.53 and uses base64-encoded paths like /dG9nb2pvbW8=/p7zip-full and /eXVndW5kdQ==/tcl-8.7 to hide the locations of the malicious files.

The decoy document is hosted on Google Drive ( 1c-5EqS7ztM2QrhKTTgIdOsdfWgx1wj6N), adding a layer of legitimacy to the initial interaction with the victim.

When the victim opens the decoy document, the malicious scripts run in the background to download the payloads, set up cron jobs for persistence, and clean up traces, such as temporary files in /dev/shm/myc.txt.

Figure 2: First variant of the malicious desktopFigure 2: First variant of the malicious desktop

Variant 2: Redundant C2 Infrastructure

The second attack variant employs a .desktop file masquerading as National Anubhav Scheme-2025.pdf, likely intended to appeal to individuals seeking information on Indian government employment or training programs.

This demonstrates APT36's use of context-specific social engineering lures while maintaining operational separation from other campaigns through distinct infrastructure.

In contrast to the first variant, which relied on a single command and control server, this attack chain uses two: 165.232.114.63 and 165.22.251.224. This setup provides redundancy, allowing communication to continue if one server is taken offline, and increases complexity for defenders attempting to block malicious traffic.

The payload is retrieved using standard tools and saved under the names emacs-bin and crond-98, a likely attempt to avoid detection by blending in with legitimate binaries.

Figure 3: Second variant of the malicious desktopFigure 3: Second variant of the malicious desktop

Both variants ultimately deliver the same second-stage payload. The next section explains how APT36 uses the Poseidon backdoor to maintain access and operate post-infection.

​​Second-stage payload: Poseidon backdoor

APT36 uses the Poseidon backdoor as its main tool after the initial infection. It enables long-term control over compromised systems and is critical to understanding the group's full capability.

The Poseidon Backdoor

Following initial infection via .desktop lures, APT36 deploys the Poseidon backdoor as its primary tool for persistence and access. Poseidon, developed using the open-source Mythic command and control framework and written in Go, supports multiple operating systems and is used for maintaining access, collecting system information, and enabling lateral movement. Its modular design allows attackers to load functionality as needed.

Poseidon enables long-term access, credential harvesting, and potentially lateral movement within Indian government and critical infrastructure networks.

Analysis confirms that IP addresses 178.128.204.138 and 64.227.189.57 are acting as command and control servers for Poseidon. Both are hosted by DigitalOcean under AS14061, with infrastructure located in Germany and India.

Figure 4: C2 servers of Poseidon backdoorFigure 4: C2 servers of Poseidon backdoor

Further inspection of the identified infrastructure confirms that port 7443 is actively running a Mythic C2 service. As shown in the screenshot below, IP address 64.227.189.57 is hosted in Karnataka, India, under DigitalOcean’s AS14061 and has port 7443 exposed with a detected Mythic C2 instance. This validates the direct use of Mythic within the Poseidon infrastructure and establishes a technical bridge for broader infrastructure enumeration based on TLS certificate metadata.

Figure 5: Mythic C2 detection on 64.227.189.57Figure 5: Mythic C2 detection on 64.227.189.57

Pivoting from Mythic-based Infrastructure

To understand the wider use of the Mythic C2 framework beyond APT36, we pivoted off TLS indicators tied to Poseidon's infrastructure. By searching for TLS certificates with the IssuerOrganization "Mythic" on port 7443, we identified 352 active servers.

This finding suggests that Mythic-based infrastructure extends well beyond APT36, pointing to broader use by multiple threat actors. The identified infrastructure spans a range of hosting providers, from major cloud platforms like Amazon Web Services to smaller companies such as Senita Netherlands BV, ColoCrossing, KCOM GROUP LIMITED, and VNPT Corp.

Most of the servers returned HTTP 200 OK responses, suggesting they are active. Not all are directly linked to APT36.

Figure 6: Infrastructure of Poseidon backdoorFigure 6: Infrastructure of Poseidon backdoor

Phishing Campaign and Domain Infrastructure

Alongside malware delivery, APT36 has continued its phishing operations, using spoofed government domains to steal credentials and stage secondary compromises.

APT36's phishing campaign first came to light through a tweet by security researcher Sathwik Ram Prakki. He flagged a suspicious domain impersonating the Indian DRDO, registered on July 2, 2025, and used to deliver decoy documents through a fake government portal.

It was used to deliver a decoy PDF titled MoS Defence Letter to DRDO Secy and Scientist. A screenshot shared in the tweet showed a fake login page mimicking the DRDO portal, likely intended to collect user credentials.

Figure 7: Phishing domain impersonating DRDO used in APT36 credential theft campaignFigure 7: Phishing domain impersonating DRDO used in APT36 credential theft campaign

Initial Phishing Domain

The phishing domain drdo[.]gov[.]in[.]nominationdrdo[.]report has been flagged for phishing activity.. Although the domain name appears to mimic a legitimate Indian government domain (drdo.gov.in), it's a deceptive subdomain under nominationdrdo.report.

This technique is commonly used in phishing campaigns to trick victims into believing the link is trustworthy. The A record for the domain resolves to the IP address 99.83.175.80, which could be part of the infrastructure used by the attackers.

Figure 8: Getting information about a phishing domain using Hunt.ioFigure 8: Getting information about a phishing domain using Hunt.io

To verify the infrastructure behind the phishing domain, we examined drdo[.]gov.in.nominationdrdo.report using publicly available scanning data. The domain resolved to the IP address 37.221.64.202, hosted by AlexHost in Sofia, Bulgaria, a provider known for being used in malicious activity.

The server responded over TLS 1.3 and appeared to be running the Express web framework. Although the HTTP request returned a 502 Bad Gateway error at the time of the scan, details such as the resource hash

( 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045) and reverse DNS (ksm.ik) supports its connection to suspicious infrastructure. This confirms that the domain was active and accessible during the phishing activity.

Figure 9: Checking phishing domain using URLScanFigure 9: Checking phishing domain using URLScan

Hunting Phishing domains

Pivoting on the resource hash 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045, analysts identified over 100 additional domains hosting or referencing similar phishing content.

Many of these domains are designed to impersonate Indian government organizations, including the DRDO, Ministry of Defence, Ministry of External Affairs, Indian Air Force, Jammu and Kashmir Police, and the Indian Army.

Examples include indianarmy.nic.in.nominationdrdo.report, mod.gov.in.defencepersonnel.support, and iaf.nic.in.ministryofdefenceindia.org.

A common tactic among these domains is the use of familiar-looking subdomains combined with misleading top-level domains (TLDs) such as .report, .support, .digital, and .link. Several domains also use prefixes like email. or accounts. to mimic government login portals more convincingly.

Most of the domains resolved to IP addresses associated with AlexHost infrastructure, suggesting centralized control. The consistent use of domain formats, content templates, and hosting providers points to a single actor behind the activity.

Based on the targeting and techniques, the campaign is likely linked to APT36 (Transparent Tribe), which has a history of credential phishing operations aimed at Indian government and defense entities.

Figure 10: Hunting infrastructure of phishing domains with URLScanFigure 10: Hunting infrastructure of phishing domains with URLScan

These findings reveal the scale of APT36's phishing infrastructure. Defenders should consider the following mitigation steps to reduce risk.

Mitigation Strategies

  • Monitor traffic to C2 IPs: 209.38.203.53, 165.232.114.63, and others listed below

  • Detect use of .desktop files posing as PDFs in user downloads

  • Block domains resolving to AlexHost that spoof gov.in or .nic.in domains

  • Search logs for access to suspicious subdomains like *.gov.in.nominationdrdo.report

Conclusion

APT36 continues to evolve, expanding its operations beyond traditional defense targets in India. Their use of .desktop files, redundant command and control infrastructure, and the Poseidon backdoor shows a deliberate effort to improve stealth and persistence.

The phishing infrastructure shows a coordinated and ongoing campaign likely tied to APT36. The combination of credential harvesting, malware delivery, and persistent access mechanisms highlights a growing threat to the Indian public sector and critical infrastructure.

The discovery of shared infrastructure and consistent techniques provides valuable insight for attribution. Security teams should closely monitor for connections to known C2 addresses, suspicious .desktop files, and credential harvesting domains tied to AlexHost or similar providers.

Further investigation and sharing of indicators across the security community will be key to tracking APT36's activity and preventing additional compromises.

APT36 Indicators of Compromise (IOCs)

MD5 HashDescription
e354cf4cc4177e019ad236f8b241ba3c.desktop file used by APT36 to impersonate legitimate documents and deliver payloads; likely initiates persistence and evasion mechanisms.
76e9ff3c325de4f2d52f9881422a88cbMalicious .desktop file crafted by APT36; contains embedded scripts that delay execution and perform system profiling.
65167974b397493fce320005916a13e9APT36 launcher disguised as a document shortcut; designed to run secondary payloads under a legitimate-sounding process name.
6065407484f1e22e814dfa00bd1fae06desktop file from APT36; uses long sleeps and debug-environment detection to bypass dynamic analysis.
5c71c683ff55530c73477e0ff47a1899APT36 file masquerading as an official form; executes embedded payloads using .desktop execution logic on Linux systems.
8d46a7e4a800d15e31fb0aa86d4d7b7fPhishing lure dropped by APT36; launches backdoor with anti-analysis and process-masquerading capabilities.
589cf2077569b95178408f364a1aa721APT36 .desktop file used for initial compromise; typically includes stealthy execution, sandbox evasion, and optional C2 beaconing.
b3f57fe1a541c364a5989046ac2cb9c5Malicious shortcut used by APT36 for Linux-based targeting; deploys payloads while evading detection using long sleeps and host checks.
IP AddressCityCountryASNCompanyRoleContext / Notes
209.38.203.53Frankfurt am MainDEAS14061DigitalOcean, LLCHostingC2 server used in Variant 1
165.232.114.63Frankfurt am MainDEAS14061DigitalOcean, LLCVPN / Hosting / ServiceC2 server used in Variant 2
165.22.251.224SingaporeSGAS14061DigitalOcean, LLCHostingRedundant C2 in Variant 2
64.227.189.57BāshettihalliINAS14061DigitalOcean, LLCHostingPoseidon backdoor C2
178.128.204.138Frankfurt am MainDEAS14061DigitalOcean, LLCHostingPoseidon backdoor C2
99.83.175.80SeattleUSAS16509Amazon.com, Inc.HostingA record of phishing domain drdo.gov.in.nominationdrdo.report
37.221.64.202SofiaBGAS200019ALEXHOST SRLHostingResolution of phishing domain, same as above
HostReason
mod.gov.in.defencepersonnel.supportSpoofs mod.gov.in, ends in .support
jkpolice.gov.in.kashmirattack.exposedFake jkpolice.gov.in, .exposed is suspicious
www.mod.gov.in.indiandefence.servicesSpoofs MOD domain, uses .services
email.gov.in.indiandefence.workFake email.gov.in, non-gov .work
iaf.nic.in.ministryofdefenceindia.orgSpoofs IAF, domain ends in .org
email.gov.in.indiadefencedepartment.linkFake email.gov.in, ends in .link
email.gov.in.departmentofspace.infoSpoofs Department of Space, uses .info
indianarmy.nic.in.ministryofdefenceindia.orgSpoofs Indian Army, fake gov domain
indianarmy.nic.in.departmentofdefence.deSpoofs Indian Army, ends in .de (Germany)
mea.gov.in.indiandefence.servicesSpoofs MEA, uses .services TLD
accounts.mgovcloud.in.indiagov.supportFake gov domain, ends in .support
www.mnscare.liveGeneric .live domain, likely phishing
dayenter.shopGeneric .shop domain, suspicious
email.gov.in.modindia.linkFake gov email, ends in .link
mod.gov.in.indiandefence.servicesSpoofed MOD domain in .services
email.gov.in.defencedept.workFake email.gov.in, ends in .work
email.gov.in.ministryofdefenceindia.orgSpoofs email.gov.in, ends in .org
indianarmy.nic.in.nominationdrdo.reportSpoofs gov entities, ends in .report
email.gov.in.briefcases.emailFake gov email, .email TLD
accounts.mgovcloud.in.storagecloud.downloadSpoofed cloud domain, .download TLD
email.gov.in.defenceindia.ltdFake gov email, ends in .ltd
www.email.gov.in.modindia.linkFake nested gov email, ends in .link
dmsupport.liveGeneric .live domain, suspicious
www.email.gov.in.defenceindia.ltdSpoofs gov email, ends in .ltd
email.gov.in.indiangov.downloadFake gov email, ends in .download
mod.gov.in.modpersonnel.supportSpoofs MOD, ends in .support
mod.gov.in.indiandefence.directorySpoofs MOD, ends in .directory
drdo.gov.in.nominationdrdo.reportSpoofs DRDO, ends in .report
accounts.mgovcloud.in.cloudshare.digitalFake cloud service, .digital TLD
email.gov.in.departmentofdefence.deSpoofs gov email, ends in .de
37-221-64-252.cprapid.comSuspicious IP-based domain, likely malicious
www.email.gov.in.indiandefence.workFake gov email, ends in .work

APT36, also known as Transparent Tribe, is a Pakistan-linked threat group that is once again refining its playbook. What began as military-focused campaigns now stretches into broader Indian government and civilian targets, using advanced phishing, novel payload strategies, and persistent backdoors.

This investigation traces two new desktop-based infection chains, exposes redundant command infrastructure, and confirms the use of Mythic-based Poseidon malware in live attacks. Here's what defenders need to know.

Key Takeaways

  • APT36 has expanded its focus to include Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs.

  • They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs.

  • Two attack variants were identified. One uses a single command and control server, while the other includes redundant servers for resiliency.

  • The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.

  • Hunt.io researchers discovered more than 100 phishing domains, many of which impersonated Indian government organizations and were hosted by AlexHost.

The first phishing domains in this campaign were registered in early July 2025, with live infrastructure observed as of mid-July. This suggests ongoing and active targeting.

Initial Discovery and Indicators

The investigation began with technical indicators shared by researcher Sathwik Ram Prakki, who highlighted suspicious files, command-and-control (C2) infrastructure, and phishing domains in a public post.

These initial findings enabled a deeper dive into APT36's evolving infection techniques, specifically, their use of .desktop files as lures.

Attack Variants via .desktop Files

Through analysis of .desktop files, we identified that APT36 uses two separate attack variants, each with its own infrastructure.

This strategy allows them to target different groups while keeping their operations secure and harder to detect.

Figure 1: Initial indicators shared by researcher Sathwik Ram PrakkiFigure 1: Initial indicators shared by researcher Sathwik Ram Prakki

Let's break down each of the two variants to understand how APT36 customizes delivery and infrastructure.

Variant 1: Single C2 Server Setup

Both attack variants rely on .desktop files that look like legitimate PDF documents. These files serve as decoys, appearing harmless to the user but executing scripts in the background that download and run malicious files. The aim is to keep the user distracted with the decoy content while the malicious activity occurs unnoticed.

The group ensures persistence by setting up cron jobs that automatically run the downloaded payloads. These payloads are retrieved from remote IP addresses and stored in directories like ~/.local/share/ and /dev/shm/. The names of the malicious files, such as p7zip-full, tcl-8.7, emacs-bin, and crond-98, are chosen to blend in with legitimate system files.

The first attack variant connects to a command and control server at 209.38.203.53 and uses base64-encoded paths like /dG9nb2pvbW8=/p7zip-full and /eXVndW5kdQ==/tcl-8.7 to hide the locations of the malicious files.

The decoy document is hosted on Google Drive ( 1c-5EqS7ztM2QrhKTTgIdOsdfWgx1wj6N), adding a layer of legitimacy to the initial interaction with the victim.

When the victim opens the decoy document, the malicious scripts run in the background to download the payloads, set up cron jobs for persistence, and clean up traces, such as temporary files in /dev/shm/myc.txt.

Figure 2: First variant of the malicious desktopFigure 2: First variant of the malicious desktop

Variant 2: Redundant C2 Infrastructure

The second attack variant employs a .desktop file masquerading as National Anubhav Scheme-2025.pdf, likely intended to appeal to individuals seeking information on Indian government employment or training programs.

This demonstrates APT36's use of context-specific social engineering lures while maintaining operational separation from other campaigns through distinct infrastructure.

In contrast to the first variant, which relied on a single command and control server, this attack chain uses two: 165.232.114.63 and 165.22.251.224. This setup provides redundancy, allowing communication to continue if one server is taken offline, and increases complexity for defenders attempting to block malicious traffic.

The payload is retrieved using standard tools and saved under the names emacs-bin and crond-98, a likely attempt to avoid detection by blending in with legitimate binaries.

Figure 3: Second variant of the malicious desktopFigure 3: Second variant of the malicious desktop

Both variants ultimately deliver the same second-stage payload. The next section explains how APT36 uses the Poseidon backdoor to maintain access and operate post-infection.

​​Second-stage payload: Poseidon backdoor

APT36 uses the Poseidon backdoor as its main tool after the initial infection. It enables long-term control over compromised systems and is critical to understanding the group's full capability.

The Poseidon Backdoor

Following initial infection via .desktop lures, APT36 deploys the Poseidon backdoor as its primary tool for persistence and access. Poseidon, developed using the open-source Mythic command and control framework and written in Go, supports multiple operating systems and is used for maintaining access, collecting system information, and enabling lateral movement. Its modular design allows attackers to load functionality as needed.

Poseidon enables long-term access, credential harvesting, and potentially lateral movement within Indian government and critical infrastructure networks.

Analysis confirms that IP addresses 178.128.204.138 and 64.227.189.57 are acting as command and control servers for Poseidon. Both are hosted by DigitalOcean under AS14061, with infrastructure located in Germany and India.

Figure 4: C2 servers of Poseidon backdoorFigure 4: C2 servers of Poseidon backdoor

Further inspection of the identified infrastructure confirms that port 7443 is actively running a Mythic C2 service. As shown in the screenshot below, IP address 64.227.189.57 is hosted in Karnataka, India, under DigitalOcean’s AS14061 and has port 7443 exposed with a detected Mythic C2 instance. This validates the direct use of Mythic within the Poseidon infrastructure and establishes a technical bridge for broader infrastructure enumeration based on TLS certificate metadata.

Figure 5: Mythic C2 detection on 64.227.189.57Figure 5: Mythic C2 detection on 64.227.189.57

Pivoting from Mythic-based Infrastructure

To understand the wider use of the Mythic C2 framework beyond APT36, we pivoted off TLS indicators tied to Poseidon's infrastructure. By searching for TLS certificates with the IssuerOrganization "Mythic" on port 7443, we identified 352 active servers.

This finding suggests that Mythic-based infrastructure extends well beyond APT36, pointing to broader use by multiple threat actors. The identified infrastructure spans a range of hosting providers, from major cloud platforms like Amazon Web Services to smaller companies such as Senita Netherlands BV, ColoCrossing, KCOM GROUP LIMITED, and VNPT Corp.

Most of the servers returned HTTP 200 OK responses, suggesting they are active. Not all are directly linked to APT36.

Figure 6: Infrastructure of Poseidon backdoorFigure 6: Infrastructure of Poseidon backdoor

Phishing Campaign and Domain Infrastructure

Alongside malware delivery, APT36 has continued its phishing operations, using spoofed government domains to steal credentials and stage secondary compromises.

APT36's phishing campaign first came to light through a tweet by security researcher Sathwik Ram Prakki. He flagged a suspicious domain impersonating the Indian DRDO, registered on July 2, 2025, and used to deliver decoy documents through a fake government portal.

It was used to deliver a decoy PDF titled MoS Defence Letter to DRDO Secy and Scientist. A screenshot shared in the tweet showed a fake login page mimicking the DRDO portal, likely intended to collect user credentials.

Figure 7: Phishing domain impersonating DRDO used in APT36 credential theft campaignFigure 7: Phishing domain impersonating DRDO used in APT36 credential theft campaign

Initial Phishing Domain

The phishing domain drdo[.]gov[.]in[.]nominationdrdo[.]report has been flagged for phishing activity.. Although the domain name appears to mimic a legitimate Indian government domain (drdo.gov.in), it's a deceptive subdomain under nominationdrdo.report.

This technique is commonly used in phishing campaigns to trick victims into believing the link is trustworthy. The A record for the domain resolves to the IP address 99.83.175.80, which could be part of the infrastructure used by the attackers.

Figure 8: Getting information about a phishing domain using Hunt.ioFigure 8: Getting information about a phishing domain using Hunt.io

To verify the infrastructure behind the phishing domain, we examined drdo[.]gov.in.nominationdrdo.report using publicly available scanning data. The domain resolved to the IP address 37.221.64.202, hosted by AlexHost in Sofia, Bulgaria, a provider known for being used in malicious activity.

The server responded over TLS 1.3 and appeared to be running the Express web framework. Although the HTTP request returned a 502 Bad Gateway error at the time of the scan, details such as the resource hash

( 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045) and reverse DNS (ksm.ik) supports its connection to suspicious infrastructure. This confirms that the domain was active and accessible during the phishing activity.

Figure 9: Checking phishing domain using URLScanFigure 9: Checking phishing domain using URLScan

Hunting Phishing domains

Pivoting on the resource hash 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045, analysts identified over 100 additional domains hosting or referencing similar phishing content.

Many of these domains are designed to impersonate Indian government organizations, including the DRDO, Ministry of Defence, Ministry of External Affairs, Indian Air Force, Jammu and Kashmir Police, and the Indian Army.

Examples include indianarmy.nic.in.nominationdrdo.report, mod.gov.in.defencepersonnel.support, and iaf.nic.in.ministryofdefenceindia.org.

A common tactic among these domains is the use of familiar-looking subdomains combined with misleading top-level domains (TLDs) such as .report, .support, .digital, and .link. Several domains also use prefixes like email. or accounts. to mimic government login portals more convincingly.

Most of the domains resolved to IP addresses associated with AlexHost infrastructure, suggesting centralized control. The consistent use of domain formats, content templates, and hosting providers points to a single actor behind the activity.

Based on the targeting and techniques, the campaign is likely linked to APT36 (Transparent Tribe), which has a history of credential phishing operations aimed at Indian government and defense entities.

Figure 10: Hunting infrastructure of phishing domains with URLScanFigure 10: Hunting infrastructure of phishing domains with URLScan

These findings reveal the scale of APT36's phishing infrastructure. Defenders should consider the following mitigation steps to reduce risk.

Mitigation Strategies

  • Monitor traffic to C2 IPs: 209.38.203.53, 165.232.114.63, and others listed below

  • Detect use of .desktop files posing as PDFs in user downloads

  • Block domains resolving to AlexHost that spoof gov.in or .nic.in domains

  • Search logs for access to suspicious subdomains like *.gov.in.nominationdrdo.report

Conclusion

APT36 continues to evolve, expanding its operations beyond traditional defense targets in India. Their use of .desktop files, redundant command and control infrastructure, and the Poseidon backdoor shows a deliberate effort to improve stealth and persistence.

The phishing infrastructure shows a coordinated and ongoing campaign likely tied to APT36. The combination of credential harvesting, malware delivery, and persistent access mechanisms highlights a growing threat to the Indian public sector and critical infrastructure.

The discovery of shared infrastructure and consistent techniques provides valuable insight for attribution. Security teams should closely monitor for connections to known C2 addresses, suspicious .desktop files, and credential harvesting domains tied to AlexHost or similar providers.

Further investigation and sharing of indicators across the security community will be key to tracking APT36's activity and preventing additional compromises.

APT36 Indicators of Compromise (IOCs)

MD5 HashDescription
e354cf4cc4177e019ad236f8b241ba3c.desktop file used by APT36 to impersonate legitimate documents and deliver payloads; likely initiates persistence and evasion mechanisms.
76e9ff3c325de4f2d52f9881422a88cbMalicious .desktop file crafted by APT36; contains embedded scripts that delay execution and perform system profiling.
65167974b397493fce320005916a13e9APT36 launcher disguised as a document shortcut; designed to run secondary payloads under a legitimate-sounding process name.
6065407484f1e22e814dfa00bd1fae06desktop file from APT36; uses long sleeps and debug-environment detection to bypass dynamic analysis.
5c71c683ff55530c73477e0ff47a1899APT36 file masquerading as an official form; executes embedded payloads using .desktop execution logic on Linux systems.
8d46a7e4a800d15e31fb0aa86d4d7b7fPhishing lure dropped by APT36; launches backdoor with anti-analysis and process-masquerading capabilities.
589cf2077569b95178408f364a1aa721APT36 .desktop file used for initial compromise; typically includes stealthy execution, sandbox evasion, and optional C2 beaconing.
b3f57fe1a541c364a5989046ac2cb9c5Malicious shortcut used by APT36 for Linux-based targeting; deploys payloads while evading detection using long sleeps and host checks.
IP AddressCityCountryASNCompanyRoleContext / Notes
209.38.203.53Frankfurt am MainDEAS14061DigitalOcean, LLCHostingC2 server used in Variant 1
165.232.114.63Frankfurt am MainDEAS14061DigitalOcean, LLCVPN / Hosting / ServiceC2 server used in Variant 2
165.22.251.224SingaporeSGAS14061DigitalOcean, LLCHostingRedundant C2 in Variant 2
64.227.189.57BāshettihalliINAS14061DigitalOcean, LLCHostingPoseidon backdoor C2
178.128.204.138Frankfurt am MainDEAS14061DigitalOcean, LLCHostingPoseidon backdoor C2
99.83.175.80SeattleUSAS16509Amazon.com, Inc.HostingA record of phishing domain drdo.gov.in.nominationdrdo.report
37.221.64.202SofiaBGAS200019ALEXHOST SRLHostingResolution of phishing domain, same as above
HostReason
mod.gov.in.defencepersonnel.supportSpoofs mod.gov.in, ends in .support
jkpolice.gov.in.kashmirattack.exposedFake jkpolice.gov.in, .exposed is suspicious
www.mod.gov.in.indiandefence.servicesSpoofs MOD domain, uses .services
email.gov.in.indiandefence.workFake email.gov.in, non-gov .work
iaf.nic.in.ministryofdefenceindia.orgSpoofs IAF, domain ends in .org
email.gov.in.indiadefencedepartment.linkFake email.gov.in, ends in .link
email.gov.in.departmentofspace.infoSpoofs Department of Space, uses .info
indianarmy.nic.in.ministryofdefenceindia.orgSpoofs Indian Army, fake gov domain
indianarmy.nic.in.departmentofdefence.deSpoofs Indian Army, ends in .de (Germany)
mea.gov.in.indiandefence.servicesSpoofs MEA, uses .services TLD
accounts.mgovcloud.in.indiagov.supportFake gov domain, ends in .support
www.mnscare.liveGeneric .live domain, likely phishing
dayenter.shopGeneric .shop domain, suspicious
email.gov.in.modindia.linkFake gov email, ends in .link
mod.gov.in.indiandefence.servicesSpoofed MOD domain in .services
email.gov.in.defencedept.workFake email.gov.in, ends in .work
email.gov.in.ministryofdefenceindia.orgSpoofs email.gov.in, ends in .org
indianarmy.nic.in.nominationdrdo.reportSpoofs gov entities, ends in .report
email.gov.in.briefcases.emailFake gov email, .email TLD
accounts.mgovcloud.in.storagecloud.downloadSpoofed cloud domain, .download TLD
email.gov.in.defenceindia.ltdFake gov email, ends in .ltd
www.email.gov.in.modindia.linkFake nested gov email, ends in .link
dmsupport.liveGeneric .live domain, suspicious
www.email.gov.in.defenceindia.ltdSpoofs gov email, ends in .ltd
email.gov.in.indiangov.downloadFake gov email, ends in .download
mod.gov.in.modpersonnel.supportSpoofs MOD, ends in .support
mod.gov.in.indiandefence.directorySpoofs MOD, ends in .directory
drdo.gov.in.nominationdrdo.reportSpoofs DRDO, ends in .report
accounts.mgovcloud.in.cloudshare.digitalFake cloud service, .digital TLD
email.gov.in.departmentofdefence.deSpoofs gov email, ends in .de
37-221-64-252.cprapid.comSuspicious IP-based domain, likely malicious
www.email.gov.in.indiandefence.workFake gov email, ends in .work

Related Posts:

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait
May 15, 2025

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait
May 15, 2025

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

Track Threat Actors Using Real-World IOC Pivoting
May 29, 2025

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

Track Threat Actors Using Real-World IOC Pivoting
May 29, 2025

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait
May 15, 2025

Shared SSH keys expose coordinated phishing targeting Kuwaiti fisheries, telecoms, and insurers with cloned login portals and mobile payment lures. Learn more.

Track Threat Actors Using Real-World IOC Pivoting
May 29, 2025

Track attacker infrastructure with Hunt.io’s real-time IOC pivoting and threat actor intelligence. Learn more.

APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
May 5, 2025

APT36-style phishing campaign mimics India’s Ministry of Defence to drop malware on Windows and Linux via spoofed press releases and HTA payloads.