Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Sept. 18, 2024, 9:01 a.m.

Description

Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia with credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on the government and defense sectors. The phishing domains share common infrastructure characteristics: registration through the registrar 1api, use of Royalhost nameservers, and resolution to the IP address 65.21.85[.]206. The actor uses domain naming conventions built around webmail-login or file-download themes, often combined with references to the specific targeted entity. Some domains redirect to credential phishing pages hosted on Netlify. The tactics, techniques, and procedures are consistent with previously reported India-nexus targeted intrusion actors such as SideWinder and Patchwork.
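The infrastructure overlaps listed above (registrar, nameservers, shared IP, Netlify redirect, naming theme) are what a hunter would pivot on in passive DNS and WHOIS data. The script below is an added example and is not part of the original report; it scores candidate domain records against that profile. All sample records are constructed on reserved .example/.test names, and the assumption that Netlify-hosted pages sit under the default *.netlify.app suffix is the author's, not the report's.

```python
"""Triage of passive-DNS / WHOIS records against the infrastructure profile
in the report above.  Added example, not part of the original report.
All sample records are constructed (reserved .example/.test names); only
the pivot attributes themselves come from the report."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import re

# Pivot attributes taken from the report (IP kept defanged as published).
CAMPAIGN_IP = "65.21.85[.]206"
CAMPAIGN_REGISTRAR = "1api"
CAMPAIGN_NS_SUBSTR = "royalhost"
# Assumption: Netlify-hosted pages use the default *.netlify.app suffix;
# a custom domain fronting Netlify would not be caught by this check.
NETLIFY_SUFFIX = ".netlify.app"
THEME_WORDS = ("webmail", "mail", "login", "owa", "download", "file")


def refang(ioc: str) -> str:
    """Turn defanged indicators ('65.21.85[.]206', 'hxxps://') into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class DomainRecord:
    domain: str
    registrar: str = ""
    nameservers: tuple = ()
    a_records: tuple = ()
    redirect_to: str = ""   # final URL after following HTTP redirects, if known


def theme_hits(domain: str) -> set:
    """Naming-convention check: webmail-login / file-download words in the labels."""
    tokens = re.findall(r"[a-z]+", domain.lower())
    return {w for w in THEME_WORDS if any(w in t for t in tokens)}


def score_record(rec: DomainRecord) -> tuple:
    """Return (score, reasons).  Hosting/DNS overlap weighs more than naming alone."""
    score, reasons = 0, []
    if refang(CAMPAIGN_IP) in {refang(ip) for ip in rec.a_records}:
        score += 3
        reasons.append("resolves to campaign IP")
    if any(CAMPAIGN_NS_SUBSTR in ns.lower() for ns in rec.nameservers):
        score += 2
        reasons.append("Royalhost nameservers")
    if CAMPAIGN_REGISTRAR in rec.registrar.lower():
        score += 1
        reasons.append("registered via 1api")
    host = urlsplit(refang(rec.redirect_to)).hostname or ""
    if host.endswith(NETLIFY_SUFFIX):
        score += 2
        reasons.append("redirects to Netlify-hosted page")
    hits = theme_hits(rec.domain)
    if hits:
        score += 1
        reasons.append("naming theme: " + ", ".join(sorted(hits)))
    return score, reasons


def verdict(score: int) -> str:
    """A naming theme by itself is never enough; it needs infrastructure overlap."""
    return "match" if score >= 4 else "review" if score >= 2 else "no match"


def hunt(records) -> list:
    """Return (domain, verdict, score, reasons) for records worth a look, highest first."""
    out = []
    for rec in records:
        s, why = score_record(rec)
        if s >= 2:
            out.append((rec.domain, verdict(s), s, why))
    return sorted(out, key=lambda r: -r[2])


# Constructed sample records; nothing here is a real observed domain.
SAMPLE_RECORDS = [
    DomainRecord("mail-login-ministry.example", "1API GmbH",
                 ("ns1.royalhost.example", "ns2.royalhost.example"),
                 ("65.21.85[.]206",)),
    DomainRecord("download-files-portal.test", "1API GmbH",
                 ("ns1.royalhost.example",), ("203.0.113.10",),
                 "hxxps://some-site.netlify.app/index.html"),
    DomainRecord("webmail.example", "Other Registrar Ltd",
                 ("ns1.other.example",), ("198.51.100.8",)),
    DomainRecord("acme-corp.example", "Other Registrar Ltd",
                 ("ns1.other.example",), ("198.51.100.7",)),
]

if __name__ == "__main__":
    for domain, v, s, why in hunt(SAMPLE_RECORDS):
        print(f"{v:8} {s:2} {domain:32} {'; '.join(why)}")
```

The weights are deliberately skewed toward the hosting and DNS overlaps: a domain named webmail.example on unrelated infrastructure scores 1 and is dropped, while a shared IP or Royalhost nameservers push a record into the review or match band even before the naming theme is considered. Feed it records exported from your passive DNS or WHOIS source in place of SAMPLE_RECORDS.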

Date

Published: Sept. 18, 2024, 8:39 a.m.
Created: Sept. 18, 2024, 8:39 a.m.
Modified: Sept. 18, 2024, 9:01 a.m.

Attack Patterns

India-nexus targeted intrusion actor

T1608.004 Stage Capabilities: Drive-by Target

T1583.001 Acquire Infrastructure: Domains

T1589 Gather Victim Identity Information

T1566.002 Phishing: Spearphishing Link

T1584 Compromise Infrastructure

T1566 Phishing

Additional Information

Defense

Government

British Indian Ocean Territory

Sri Lanka

Nepal

Bangladesh

India

China