APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

APT36, also known as Transparent Tribe, is a Pakistan-linked threat group that is once again refining its playbook. What began as military-focused campaigns now stretches into broader Indian government and civilian targets, using advanced phishing, novel payload strategies, and persistent backdoors.

This investigation traces two new desktop-based infection chains, exposes redundant command infrastructure, and confirms the use of Mythic-based Poseidon malware in live attacks. Here's what defenders need to know.

Key Takeaways

• APT36 has expanded its focus to include Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs.

• They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs.

• Two attack variants were identified. One uses a single command and control server, while the other includes redundant servers for resiliency.

• The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.

• Hunt.io researchers discovered more than 100 phishing domains, many of which impersonated Indian government organizations and were hosted by AlexHost.

The first phishing domains in this campaign were registered in early July 2025, with live infrastructure observed as of mid-July. This suggests ongoing and active targeting.

Initial Discovery and Indicators

The investigation began with technical indicators shared by researcher Sathwik Ram Prakki, who highlighted suspicious files, command-and-control (C2) infrastructure, and phishing domains in a public post.

These initial findings enabled a deeper dive into APT36's evolving infection techniques, specifically, their use of .desktop files as lures.

Attack Variants via .desktop Files

Through analysis of .desktop files, we identified that APT36 uses two separate attack variants, each with its own infrastructure.

This strategy allows them to target different groups while keeping their operations secure and harder to detect.

Let's break down each of the two variants to understand how APT36 customizes delivery and infrastructure.

Variant 1: Single C2 Server Setup

Both attack variants rely on .desktop files that look like legitimate PDF documents. These files serve as decoys, appearing harmless to the user but executing scripts in the background that download and run malicious files. The aim is to keep the user distracted with the decoy content while the malicious activity occurs unnoticed.

The group ensures persistence by setting up cron jobs that automatically run the downloaded payloads. These payloads are retrieved from remote IP addresses and stored in directories like ~/.local/share/ and /dev/shm/. The names of the malicious files, such as p7zip-full, tcl-8.7, emacs-bin, and crond-98, are chosen to blend in with legitimate system files.

The first attack variant connects to a command and control server at 209.38.203.53 and uses base64-encoded paths like /dG9nb2pvbW8=/p7zip-full and /eXVndW5kdQ==/tcl-8.7 to hide the locations of the malicious files.

The decoy document is hosted on Google Drive ( 1c-5EqS7ztM2QrhKTTgIdOsdfWgx1wj6N), adding a layer of legitimacy to the initial interaction with the victim.

When the victim opens the decoy document, the malicious scripts run in the background to download the payloads, set up cron jobs for persistence, and clean up traces, such as temporary files in /dev/shm/myc.txt.

Variant 2: Redundant C2 Infrastructure

The second attack variant employs a .desktop file masquerading as National Anubhav Scheme-2025.pdf, likely intended to appeal to individuals seeking information on Indian government employment or training programs.

This demonstrates APT36's use of context-specific social engineering lures while maintaining operational separation from other campaigns through distinct infrastructure.

In contrast to the first variant, which relied on a single command and control server, this attack chain uses two: 165.232.114.63 and 165.22.251.224. This setup provides redundancy, allowing communication to continue if one server is taken offline, and increases complexity for defenders attempting to block malicious traffic.

The payload is retrieved using standard tools and saved under the names emacs-bin and crond-98, a likely attempt to avoid detection by blending in with legitimate binaries.

Both variants ultimately deliver the same second-stage payload. The next section explains how APT36 uses the Poseidon backdoor to maintain access and operate post-infection.

​​Second-stage payload: Poseidon backdoor

APT36 uses the Poseidon backdoor as its main tool after the initial infection. It enables long-term control over compromised systems and is critical to understanding the group's full capability.

The Poseidon Backdoor

Following initial infection via .desktop lures, APT36 deploys the Poseidon backdoor as its primary tool for persistence and access. Poseidon, developed using the open-source Mythic command and control framework and written in Go, supports multiple operating systems and is used for maintaining access, collecting system information, and enabling lateral movement. Its modular design allows attackers to load functionality as needed.

Poseidon enables long-term access, credential harvesting, and potentially lateral movement within Indian government and critical infrastructure networks.

Analysis confirms that IP addresses 178.128.204.138 and 64.227.189.57 are acting as command and control servers for Poseidon. Both are hosted by DigitalOcean under AS14061, with infrastructure located in Germany and India.

Further inspection of the identified infrastructure confirms that port 7443 is actively running a Mythic C2 service. As shown in the screenshot below, IP address 64.227.189.57 is hosted in Karnataka, India, under DigitalOcean’s AS14061 and has port 7443 exposed with a detected Mythic C2 instance. This validates the direct use of Mythic within the Poseidon infrastructure and establishes a technical bridge for broader infrastructure enumeration based on TLS certificate metadata.

Pivoting from Mythic-based Infrastructure

To understand the wider use of the Mythic C2 framework beyond APT36, we pivoted off TLS indicators tied to Poseidon's infrastructure. By searching for TLS certificates with the IssuerOrganization "Mythic" on port 7443, we identified 352 active servers.

This finding suggests that Mythic-based infrastructure extends well beyond APT36, pointing to broader use by multiple threat actors. The identified infrastructure spans a range of hosting providers, from major cloud platforms like Amazon Web Services to smaller companies such as Senita Netherlands BV, ColoCrossing, KCOM GROUP LIMITED, and VNPT Corp.

Most of the servers returned HTTP 200 OK responses, suggesting they are active. Not all are directly linked to APT36.

Phishing Campaign and Domain Infrastructure

Alongside malware delivery, APT36 has continued its phishing operations, using spoofed government domains to steal credentials and stage secondary compromises.

APT36's phishing campaign first came to light through a tweet by security researcher Sathwik Ram Prakki. He flagged a suspicious domain impersonating the Indian DRDO, registered on July 2, 2025, and used to deliver decoy documents through a fake government portal.

It was used to deliver a decoy PDF titled MoS Defence Letter to DRDO Secy and Scientist. A screenshot shared in the tweet showed a fake login page mimicking the DRDO portal, likely intended to collect user credentials.

Initial Phishing Domain

The phishing domain drdo[.]gov[.]in[.]nominationdrdo[.]report has been flagged for phishing activity.. Although the domain name appears to mimic a legitimate Indian government domain (drdo.gov.in), it's a deceptive subdomain under nominationdrdo.report.

This technique is commonly used in phishing campaigns to trick victims into believing the link is trustworthy. The A record for the domain resolves to the IP address 99.83.175.80, which could be part of the infrastructure used by the attackers.

To verify the infrastructure behind the phishing domain, we examined drdo[.]gov.in.nominationdrdo.report using publicly available scanning data. The domain resolved to the IP address 37.221.64.202, hosted by AlexHost in Sofia, Bulgaria, a provider known for being used in malicious activity.

The server responded over TLS 1.3 and appeared to be running the Express web framework. Although the HTTP request returned a 502 Bad Gateway error at the time of the scan, details such as the resource hash

( 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045) and reverse DNS (ksm.ik) supports its connection to suspicious infrastructure. This confirms that the domain was active and accessible during the phishing activity.

Hunting Phishing domains

Pivoting on the resource hash 8441601f4bb59f529ff1130bd308b94d0a0785f660193f6a7a748071913f9045, analysts identified over 100 additional domains hosting or referencing similar phishing content.

Many of these domains are designed to impersonate Indian government organizations, including the DRDO, Ministry of Defence, Ministry of External Affairs, Indian Air Force, Jammu and Kashmir Police, and the Indian Army.

Examples include indianarmy.nic.in.nominationdrdo.report, mod.gov.in.defencepersonnel.support, and iaf.nic.in.ministryofdefenceindia.org.

A common tactic among these domains is the use of familiar-looking subdomains combined with misleading top-level domains (TLDs) such as .report, .support, .digital, and .link. Several domains also use prefixes like email. or accounts. to mimic government login portals more convincingly.

Most of the domains resolved to IP addresses associated with AlexHost infrastructure, suggesting centralized control. The consistent use of domain formats, content templates, and hosting providers points to a single actor behind the activity.

Based on the targeting and techniques, the campaign is likely linked to APT36 (Transparent Tribe), which has a history of credential phishing operations aimed at Indian government and defense entities.

These findings reveal the scale of APT36's phishing infrastructure. Defenders should consider the following mitigation steps to reduce risk.

Mitigation Strategies

• Monitor traffic to C2 IPs: 209.38.203.53, 165.232.114.63, and others listed below

• Detect use of .desktop files posing as PDFs in user downloads

• Block domains resolving to AlexHost that spoof gov.in or .nic.in domains

• Search logs for access to suspicious subdomains like *.gov.in.nominationdrdo.report

Conclusion

APT36 continues to evolve, expanding its operations beyond traditional defense targets in India. Their use of .desktop files, redundant command and control infrastructure, and the Poseidon backdoor shows a deliberate effort to improve stealth and persistence.

The phishing infrastructure shows a coordinated and ongoing campaign likely tied to APT36. The combination of credential harvesting, malware delivery, and persistent access mechanisms highlights a growing threat to the Indian public sector and critical infrastructure.

The discovery of shared infrastructure and consistent techniques provides valuable insight for attribution. Security teams should closely monitor for connections to known C2 addresses, suspicious .desktop files, and credential harvesting domains tied to AlexHost or similar providers.

Further investigation and sharing of indicators across the security community will be key to tracking APT36's activity and preventing additional compromises.

APT36 Indicators of Compromise (IOCs)