Tag: india

20 Attack Reports | 0 Vulnerabilities

Attack reports

Silver Fox Targeting India Using Tax Themed Phishing Lures

A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection p…
apt
phishing
india
c2 communication
multi-stage attack
dll hijacking
chinese threat actor
2025-12-24
tax-themed
valley rat
Published: December 24, 2025
Downloadable IOCs: 8

Indian Income Tax-Themed Phishing Campaign Targets Local Businesses

A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. This triggers the download of a malicious ZIP file, which…
rat
phishing
india
nsis installer
remote access trojan
data harvesting
china-linked
2025-12-22
income tax
Published: December 22, 2025
Downloadable IOCs: 3

Evasive SideWinder APT Campaign Detected

A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign use…
apt
phishing
india
dll side-loading
geofencing
cloud storage
2025-12-20
income tax department
mpgear.dll
mysetup.exe
url shorteners
Published: December 20, 2025
Downloadable IOCs: 5

Digital Frontlines: India Under Multi-Nation Hacktivist Attack

In July-August 2025, India faced a surge of cross-border cyberattacks combining data breaches, DDoS, defacement, phishing, and malware. Pakistani, Bangladeshi, Russian, Indonesian, and likely Chinese actors targeted Indian judicial, defense, and transport systems. High-impact incidents included jud…
phishing
cyberattacks
ddos
india
hacktivism
data breach
defacement
2025-09-15
cross-border
smss.exe
sysaid.exe
103.97.128.77#clientsetup.exe
fshost64.exe
svchost.exe
manc.exe
Published: September 15, 2025
Downloadable IOCs: 14

APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files

APT36, a Pakistan-based threat actor, is conducting a cyber-espionage campaign against Indian Government entities, targeting BOSS Linux systems with weaponized .desktop files. The group uses spear-phishing emails to deliver malicious payloads, exploiting the Linux environment to maintain persistent…
pakistan
persistence
india
government
spear-phishing
cyber-espionage
elf
boss linux
2025-08-23
.desktop files
Published: August 23, 2025
Downloadable IOCs: 0

A Phishing Campaign Targeting Indian Government Entities

A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass mult…
phishing
typosquatting
pakistan
india
defense
government
credential-harvesting
2025-08-03
kavach
otp
Published: August 3, 2025
Downloadable IOCs: 2

Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor

APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files dis…
phishing
india
poseidon
infrastructure
government impersonation
2025-08-01
poseidon backdoor
mythic framework
desktop lures
Published: August 1, 2025
Downloadable IOCs: 36

DRAT V2: Updated DRAT Emerges in Arsenal

TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfus…
india
remote access trojan
2025-06-23
delphi
drat
drat v2
c2 obfuscation
broaderaspect
Published: June 23, 2025
Downloadable IOCs: 8

Operation Sindoor: Anatomy of a High-Stakes Cyber Siege

Operation Sindoor, a coordinated cyber campaign targeting India's critical sectors, involved state-sponsored APT activity and hacktivist operations. The attack utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, employed advanced …
crimson rat
pakistan
ares rat
ddos
cyber espionage
india
hacktivism
apt36
spear phishing
2025-05-23
operation sindoor
Published: May 23, 2025
Downloadable IOCs: 8

Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

In May 2025, Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. However, an investigation reveals most breaches were exaggerated or fake. Alleged data leaks contained primarily public information, website defacement…
phishing
crimson rat
pakistan
ddos
india
cyberattack
data leak
apt36
hacktivist
defacement
2025-05-11
Published: May 11, 2025
Downloadable IOCs: 0

TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA

A Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users.
python
android
windows
crimson rat
pakistan
india
defense
rust
discord
clickfix
apt36
2025-03-27
html code
india post
bootreceiver
mywire
Published: March 27, 2025
Downloadable IOCs: 5

PrintSteal: Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud

This investigation uncovers a massive criminal operation known as 'PrintSteal' that generates and distributes fake Indian KYC documents. The scheme involves over 1,800 fraudulent domains impersonating government websites, with at least 2,727 registered operators on one platform alone. Over 167,000 …
india
identity theft
government impersonation
2025-03-06
api abuse
financial crime
document forgery
kyc fraud
Published: March 6, 2025
Downloadable IOCs: 9

SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion

A sophisticated Android malware called SpyLend, disguised as a 'Finance Simplified' app, is targeting Indian users through the Google Play Store. The app leverages location-based targeting to display unauthorized loan applications, enabling predatory lending, blackmail, and extortion. It has rapidl…
malware
android
data theft
extortion
india
financial
2025-02-22
google play store
spylend
loan apps
Published: February 22, 2025
Downloadable IOCs: 0

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…
ransomware
india
spear-phishing
pyinstaller
2025-02-12
job offer
tech sector
discord bot
xelera
memz
Published: February 12, 2025
Downloadable IOCs: 4

OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe

This investigation tracked infrastructure linked to the APT group Transparent Tribe, identifying 15 malicious hosts on DigitalOcean serving as command-and-control servers for the Mythic exploitation framework. The group employs Linux desktop entry files as an attack vector, targeting individuals in…
linux
india
c2
poseidon
mythic
2024-09-30
apt36
desktop entry
osint
digitalocean
jarm
Published: September 30, 2024
Downloadable IOCs: 19

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 18

Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India

This report examines the convergence of tactics employed by Pakistani cyber threat groups, including Transparent Tribe, SideCopy, and RusticWeb, targeting Indian government entities and critical infrastructure. It uncovers overlaps in their infrastructure, tactics, and payloads, suggesting coordina…
apt
espionage
crimson rat
pakistan
action rat
reverse rat
india
disgomoji
2024-07-29
poseidon
geta rat
Published: July 29, 2024
Downloadable IOCs: 89

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android Malware

CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…
malware
espionage
android
pakistan
2024-05-03
2024-05-04
2024-05-05
2024-05-06
india
spynote
defense
craxs rat
Published: May 6, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports