{
	"id": "7750833e-cba8-4c1c-951d-c37ceab80569",
	"created_at": "2026-04-06T00:11:25.943023Z",
	"updated_at": "2026-04-10T03:32:43.555897Z",
	"deleted_at": null,
	"sha1_hash": "822f7d6100e2b01d547a4271c8907cc76fa3b3a3",
	"title": "India: Human Rights Defenders Targeted by a Coordinated Spyware Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 498905,
	"plain_text": "India: Human Rights Defenders Targeted by a Coordinated Spyware\r\nOperation\r\nPublished: 2020-06-15 · Archived: 2026-04-05 23:07:02 UTC\r\nNine human rights defenders, most of whom have been fighting for the release of the Bhima Koregaon 11 through\r\nlitigation, research, or activism, were unlawfully targeted with a spyware attack\r\nThis blog post is jointly written by Amnesty International and Citizen Lab. Citizen Lab is an interdisciplinary laboratory\r\nbased at the Munk School of Global Affairs \u0026 Public Policy at the University of Toronto.\r\nSummary\r\nAmnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine\r\nhuman rights defenders (HRDs) in India. Eight of the nine HRDs have been calling for the release of other prominent\r\nactivists, popularly known as the Bhima Koregaon 11, most of whom have been imprisoned in Maharashtra, India\r\nsince 2018.\r\nBetween January and October 2019, the HRDs were targeted with emails containing malicious links. If these links\r\nwere clicked, a form of commercially-manufactured Windows spyware would have been deployed, compromising\r\nthe target’s Windows computers, in order to monitor their actions and communications. This is a violation of their\r\nrights to freedom of expression and privacy.\r\nAt least three of the nine HRDs were also targeted with NSO Group’s Pegasus spyware in 2019.\r\nIntroduction\r\nAmnesty International and the Citizen Lab have uncovered a coordinated spyware campaign targeting at least nine human\r\nrights defenders (HRDs) in India. These targets include activists, lawyers, academics, and journalists.\r\nBetween January and October 2019, each of the targets were sent spearphishing emails containing malicious links that, if\r\nopened, would have installed NetWire, a commercially available spyware. 
A spearphishing attack is a targeted attempt to\r\ninstall spyware (malicious software) on the victim’s computer or smartphone. Spearphishing is generally performed by\r\nsending very carefully crafted and personalized emails to the target, often impersonating colleagues or loved ones.\r\nWhile NetWire is known to be used in cybercrime and corporate espionage, Amnesty International and the Citizen Lab\r\nbelieve that in this case it was used to target the HRDs because of their human rights work.\r\nSurveillance of people based solely on their human rights work amounts to an arbitrary and unlawful attack on their privacy\r\nand violates their right to freedom of expression and other rights that are enshrined in the International Covenant on Civil\r\nand Political Rights, to which India is a state party.\r\nContext\r\nThe targeted HRDs have been openly speaking out about human rights violations in the country. Recently, eight called for\r\nthe release of 11 prominent activists arrested two years ago in relation to the protests and violence at Bhima Koregaon in\r\nMaharashtra, a state in western India. One of the targets is not directly linked to this case, but has been vocal in calling\r\nfor the release of GN Saibaba, a disabled academic jailed in Maharashtra.\r\nThe Bhima Koregaon Case\r\nOn 31 December 2017, activists organized a public event in Bhima Koregaon, Maharashtra. The following day, violence\r\nerupted between Dalits and Hindu nationalists. Police claim that activists at the event instigated the violence\r\nthrough inflammatory speeches. The police also claim to have found evidence of other criminal activities. In 2018, the\r\nMaharashtra Police arrested nine activists including Sudha Bharadwaj, Shoma Sen, Surendra Gadling, Mahesh Raut, Arun\r\nFerreira, Sudhir Dhawale, Rona Wilson, Vernon Gonsalves and Varavara Rao. 
The subsequent charge sheets filed by the\r\nhttps://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/\r\nPage 1 of 11\n\npolice accuse the HRDs of terror-related activities. In February 2020, the National Investigation Agency (NIA) took over the\r\ncase from the Maharashtra police after the newly-elected Maharashtra Government raised doubts about the police\r\ninvestigation and signalled a probe against the officials. In March 2020, the Supreme Court of India denied anticipatory bail\r\napplications of two other activists, Gautam Navlakha and Anand Teltumbde, who were also charged in the same case. They\r\nwere both arrested on 14 April 2020. The case relies almost entirely on digital evidence obtained from the arrested activists’\r\ndevices. In a breach of due process, some materials found on their devices were also released to the media in an effort to\r\nsmear the activists.\r\nThe arrest of the eleven HRDs is an egregious example of how Indian authorities are clamping down on dissent and\r\nactivism. These activists have been charged under various penal provisions and the draconian Unlawful Activities\r\n(Prevention) Act (UAPA), an anti-terror law that violates several international human rights standards and circumvents fair\r\ntrial guarantees. It is also routinely used to intimidate HRDs, journalists, activists and students through arbitrary arrests and\r\nprolonged detention. These 11 activists are currently imprisoned and rights groups, including Amnesty International India,\r\nhave demanded their release.\r\nThe attempts at unlawful surveillance outlined in this blog are not the first time that activists and HRDs have been targeted\r\nwith malware in India. In October 2019, Facebook’s WhatsApp revealed that NSO Group, a surveillance tool vendor, had\r\nexploited a zero-day vulnerability on their platform to target 1400 individuals earlier in the year. 
A zero-day vulnerability is\r\na security flaw in software that is unknown to the vendor or developer, and for which no patch is therefore available. In collaboration with Citizen Lab, WhatsApp\r\nrevealed that more than 100 of those targeted were HRDs, activists and journalists across numerous countries, and notified them\r\nof the breach. Subsequent reports revealed that at least 22 of the 100 were activists, lawyers, and scholars, including many\r\nHRDs who have been involved in advocating for the release of the 11 activists. NSO Group says that it sells its products\r\nonly to “government intelligence and law enforcement agencies”.\r\nTargeted Campaign against HRDs demanding the release of the Bhima Koregaon 11\r\nThe spyware campaign revealed in this blog targeted lawyers and activists Nihalsing B Rathod, Degree Prasad Chouhan,\r\nYug Mohit Choudhary, and Ragini Ahuja; academics Partho Sarothi Ray and PK Vijayan; a journalist who prefers to\r\nstay anonymous; and a human rights collective, Jagdalpur Legal Aid Group (JAGLAG), which received malicious e-mails on\r\nthe group’s official ID, an account accessed by all of its members, including lawyer Shalini Gera. Another JAGLAG member,\r\nIsha Khandelwal, also received malicious emails on her personal account. All the people mentioned consented to be named\r\nin this blog.\r\nNihalsing B Rathod is a human rights lawyer based in Maharashtra. He has worked closely with the imprisoned\r\nlawyer Surendra Gadling as a junior lawyer. Crucially, he is one of the leading lawyers representing one of the 11\r\nimprisoned HRDs in their legal proceedings.\r\nIsha Khandelwal is a lawyer associated with JAGLAG, a Chhattisgarh-based lawyers’ collective which provides legal\r\naid to the Adivasi/indigenous and other marginalised communities. The group’s primary email, which was targeted, is\r\nalso accessed by lawyer Shalini Gera. 
They are also involved in the legal defense of the HRDs in the same case.\r\nDegree Prasad Chouhan is a Dalit HRD who has worked closely with Sudha Bharadwaj in the past. Degree has\r\nbeen documenting and campaigning against land dispossession and forced evictions of indigenous communities in\r\nIndia, which have been carried out by coal companies and governments.\r\nPartho Sarothi Ray is a Kolkata-based activist and academic who has been a vocal critic of rights violations in the\r\ncountry. He has also been a member of a collective called the Persecuted Prisoners’ Solidarity Committee, and has\r\nspoken out openly against the imprisonment of these 11 activists.\r\nYug Mohit Chaudhry and Ragini Ahuja are criminal lawyers based in Mumbai. Their main areas of work include\r\nlitigating death penalty and civil liberties cases. They represent two of the 11 imprisoned activists in the legal\r\nproceedings.\r\nA journalist based in Maharashtra, who wishes to remain anonymous, was also targeted. The journalist has been\r\nclosely reporting on the Bhima Koregaon case.\r\nFinally, PK Vijayan is a Delhi-based academic. He is not directly linked to the campaign for the release of the 11\r\nHRDs, but is known to have campaigned for the release of GN Saibaba, a disabled academic who remains\r\nimprisoned in Maharashtra. Saibaba has been convicted under the draconian UAPA.\r\nWhile the spyware campaign detailed in this blog has no known links to NSO Group, three of the nine HRDs targeted –\r\nShalini Gera (from JAGLAG), Nihal Singh Rathod, and Degree Prasad Chouhan – were targeted using NSO Group’s\r\nsurveillance tools. Anand Teltumbde, who is one of the 11 charged and imprisoned in the Bhima Koregaon incident, was\r\nalso targeted using NSO Group’s tools. 
That some of these individuals were targeted multiple times shows that there is a\r\ndisturbing pattern of spyware attacks against HRDs involved in the Bhima Koregaon case.\r\nA Campaign of Malicious Emails\r\nDuring this investigation, we identified 12 spearphishing emails sent between January and October 2019 targeting the nine\r\nactivists.\r\nA spearphishing attack is an attempt to install spyware (malicious software) on the victim’s computer or smartphone by\r\nsending very carefully crafted and personalized emails to the target, often impersonating colleagues or loved ones. In a\r\nsuccessful attack, computers or mobile devices may, in essence, become wiretaps, revealing confidential and intimate\r\nconversations and interactions and nullifying any possibility of privacy or confidentiality. Besides this direct effect, the\r\nsecretive and ubiquitous nature of these attacks means that the victims never know for certain if they are being targeted or\r\nhave unwittingly downloaded some kind of spyware. The consequence is that they begin to fear that every communication\r\nposes a threat, which can be highly disruptive to trust and collaboration.\r\nSpearphishing Emails\r\nOne of the spearphishing emails was sent from an email ID impersonating the name of an activist who may be known to the\r\ntargets. Other spearphishing emails came from e-mail IDs pretending to be journalists or masquerading as officials from\r\nlocal courts.\r\nEmail sent to JAGLAG by someone pretending to work for IBC24 in October 2019\r\nAll these spearphishing emails included a malicious link to a file hosted on Firefox Send, a free, end-to-end encrypted file-sharing\r\nplatform developed by Mozilla. 
We suspect that this technique was used to avoid detection by e-mail spam and malware\r\nfilters: because the email itself carries only a link and the file is fetched separately, the malicious file never passes through the security solutions used by email providers.\r\nEmail sent to a Human Rights Defender in October 2019 masquerading as a court summons\r\nA detailed list of emails is available in Appendix 1.\r\nCommercial Off-the-Shelf Spyware: NetWire\r\nNetWire is a commercially available spyware reportedly used for cybercrime and corporate espionage since at least\r\n2014. It has been analyzed in depth by several security companies including the Computer Incident Response Center\r\nLuxembourg and Fortinet, who have shown that NetWire exhibits classic spyware features such as credential theft,\r\naudio recording, keystroke logging and more.\r\nScreenshot of the website selling Netwire (Retrieved in December 2019)\r\nThe spearphishing emails targeting these nine HRDs attempted to deliver NetWire by linking to what looked like a PDF\r\ndocument but which was actually a malicious Windows program that, when opened, would install NetWire on the HRD’s\r\ndevice. The disguise included opening a real, decoy PDF when the file was clicked, a tactic clearly\r\nintended to trick the targeted HRD into believing that no infection had taken place. Additionally, this attack takes advantage\r\nof numerous other obfuscation techniques often abused by the surveillance industry to make NetWire more challenging to\r\nfind and analyze (see Appendix 1 for details).\r\nConclusion\r\nA coordinated spyware campaign targeted prominent HRDs, most of whom were vocal against the arbitrary and prolonged\r\nimprisonment of the Bhima Koregaon 11. 
The spearphishing emails and spyware suggest that this is not a cybercrime\r\nattack, but a targeted surveillance campaign against the devices of HRDs. If successful, it would have enabled the attackers to\r\nmonitor the HRDs’ actions and communications, and is therefore a violation of their rights to freedom of expression and\r\nprivacy. This spyware campaign is very concerning in the context of an already perilous situation for HRDs in India, where\r\nsurveillance is used along with threats, imprisonment and smear campaigns against activists to shrink the space for civil\r\nsociety.\r\nOur investigation was not able to attribute the attack to a particular group with high confidence. However, it is\r\nnot the first time that activists and journalists in India have been targeted using malware intended to put them under\r\nsurveillance. Three of the HRDs in this incident were targeted earlier in 2019 with NSO Group’s Pegasus spyware, a\r\ncommercial product that NSO Group says it sells only to government entities. This new campaign confirms that there is a pattern of digital attacks\r\nagainst HRDs supporting the imprisoned Bhima Koregaon activists. This pattern underscores the necessity of India fulfilling\r\nits obligation to provide a remedy for these abuses by conducting a full, independent and impartial investigation into these\r\nattacks, including by determining whether there are links between this spyware campaign and specific government agencies.\r\nTargeting people solely for exercising their right to peaceful dissent amounts to an arbitrary or unlawful attack on their\r\nprivacy and violates their right to freedom of expression. 
States have an obligation to protect human rights by ensuring that\r\nHRDs are protected from unlawful surveillance.\r\nRecommendations\r\nTo Indian Authorities:\r\nConduct an independent, impartial, and transparent investigation into the unlawful targeted surveillance of the nine\r\nhuman rights defenders, including determining whether there are links between this spyware campaign and any\r\nspecific government agencies.\r\nEnsure that all surveillance meets the tests of legality, necessity, and proportionality as enshrined in international\r\nhuman rights standards and affirmed in the Supreme Court of India’s landmark judgement of KS Puttaswamy v.\r\nUnion of India.\r\nEnsure adequate and effective legal remedies are available for people to challenge violations of their human rights\r\nlinked to surveillance.\r\nReview Section 69 of the Information Technology Act and the 2018 order of the Ministry of Home Affairs that allows\r\ngovernment agencies to intercept, monitor and decrypt information without any judicial oversight or other\r\nprocedural safeguards.\r\nImplement domestic legislation that imposes limits on digital surveillance, ensuring that:\r\nSurveillance is governed by precise and publicly accessible laws\r\nSurveillance is only against specified persons, authorized by a competent, independent and impartial judicial\r\nbody with limitations on time, manner, place and scope of surveillance\r\nAuthorized digital surveillance is subject to detailed record keeping, in accordance with documented legal\r\nprocesses for a warrant, and targets are notified as soon as practicable without jeopardizing the purpose of\r\nsurveillance\r\nEnsure that all digital surveillance is subject to public oversight mechanisms, including:\r\nPublic notice and consultation for new surveillance purchases\r\nAn approval process\r\nRegular 
public reporting\r\nEnsure that the Personal Data Protection Bill, 2019 is not enacted in its current form and is brought in line with\r\ninternational human rights standards.\r\nAppendix 1: Technical Details\r\nWe retrieved 9 different malware binaries from the links in the original emails. These samples use several layers of\r\nobfuscation before delivering a NetWire sample.\r\nI. Emails and Samples\r\nWe identified 12 emails targeting Human Rights Defenders between January and October 2019:\r\nDate | Sender | Subject\r\nJan 16, 2019 | jagdish.meshraam[@]gmail.com | DUSU activist Sujata files harassment complaint\r\nMay 13, 2019 | drsnehapatil64[@]gmail.com | IPC 120B [REDACTED] (PSSC) Accused of Criminal Conspiracy\r\nSept 10, 2019 | payalshastri79[@]gmail.com | Pune SHO Sexually Abuse Journalists\r\nOctober 6, 2019 | sinhamuskaan04[@]gmail.com | SUMMONS NOTICE JAGDALPUR ARSON CASE\r\nOctober 6, 2019 | sinhamuskaan04[@]gmail.com | SUMMONS NOTICE IN ARSON CASE JAGDALPUR\r\nOctober 11, 2019 | sinhamuskaan04[@]gmail.com | JAGLAG to be Blacklisted Over Irregularities\r\nOctober 26, 2019 | jennifergonzales789[@]gmail.com | Rioting Case Summons Reminder\r\nOctober 26, 2019 | jennifergonzales789[@]gmail.com | Reminder Summons For Rioting Case\r\nOctober 26, 2019 | jennifergonzales789[@]gmail.com | Reminder Summons For Rioting Case\r\nOctober 26, 2019 | jennifergonzales789[@]gmail.com | Reminder Summons For Rioting Case\r\nOctober 26, 2019 | jennifergonzales789[@]gmail.com | Summons Notice For Rioting Case Cr.24/2018\r\nOctober 28, 2019 | jennifergonzales789[@]gmail.com | Summons Notice For Rioting Case Cr.24/2018\r\nWe identified ten different malicious samples from 10 different emails shared with us:\r\nFile Name | SHA-256 Hash (the hashes in this table are truncated as extracted; use the Appendix 2 repository for full values)\r\nComplaints_from_Ragini_Markande_Harrassment_letter.exe | 
e3dea449bf74434ee1c9cdc04ca68b8f3c9bac357768e07df303433f2\r\nRioting Case Indictment Summary.exe | 21d24e08889f75461a7ce6f21fc612a701bca35da1a218cf3cdd6e23f\r\nPune SHO Sexual Abuse Summary.exe | 16b5c74fb55f52ae0ae4328f65b2bf3bbe3e5ee34268c1d32a247a0a1\r\nVijayan Rioting Case Indictment Summary.exe | 5a4aca57541954195953066a4be96dfb19776ba099d72f8f1d367758\r\nDetonators_planted_Lawyers_house.exe | 11cef331557eb693e718d27b6a7211a98d3982117a03ec1491db8098\r\n55_maoists_killed_by_c60_commandos.exe | 88b92d985b7d616c93c391731c1e4a6d3c8323fdcbf31cfc4d340e27\r\nReminder Notice SP North Goa Ponda Division.exe | b1b6e133aa320669c772ec7e5fd6fbe4cb3edca13ad5351f14df3c1f1\r\nmail2.exe | ea5f37e1feab670171963aa83b235c772202b2d4bb7289dd45302c38\r\nmail3.exe | de302a61e5f07b0e65753355d44d22181a2742ac3a92aa058bdcd00c\r\nSUMMONS NOTICE JAGDALPUR ARSON CASE.exe | 31a3e3aba03b553d0f23f10b06ade30ae053cd667a8cc9660f310705\r\nWe have also identified three other similar samples uploaded on VirusTotal that we attribute to the same campaign:\r\nFile Name | SHA-256 Hash\r\nSupreme Court Order Ban Sanatan Sanstha.exe | b09ca9d48a0455ed5e02a56aabeb397c41fb63320244719749e0741da72e79c4\r\n[unknown] | 095ec879f323a0a3eceb97013125880d49ac701eef568e3b010fdddb1333941f\r\n[unknown] | ac4d5d938009fd44b2f7587986862ab2278887a17d32f748278445b625b3efd9\r\nII. Obfuscation and payload delivery\r\nVariant 1\r\n1. The SFX archive extracts the AdvancedRun/VBS stage (AdvancedRun is a legitimate NirSoft utility for launching programs with chosen settings).\r\n2. AdvancedRun launches the VBS script.\r\n3. The VBS script extracts a RAR archive containing the second-level NetWire droppers, and creates Task Scheduler entries\r\nfor the three second-level NetWire droppers. 
It then launches the decoy PDF.\r\nIn this variant, payloads are only launched by Task Scheduler.\r\nDelivery of the first payload variant\r\nVariant 2\r\nThis second variant was modified to add an additional execution of the NetWire payload in parallel to those launched by\r\nTask Scheduler, and to add a layer of validly signed EXEs in between, likely to thwart antivirus detection\r\nheuristics.\r\n1. The SFX archive extracts two payloads: a second SFX archive and a NetWire dropper.\r\n2. The first NetWire dropper is launched, then the second SFX archive, which extracts the AdvancedRun/VBS stage.\r\n3. AdvancedRun launches the VBS script.\r\n4. The VBS script extracts a RAR archive containing additional NetWire droppers, creates Task Scheduler entries\r\nfor three new NetWire droppers, and launches the decoy PDF.\r\nDelivery of the second payload variant\r\nThe Stage 1 SFX archive also contains random README files, GPL licenses and even RFCs as filler, and launches both the payloads\r\nit contains.\r\nThe first-level and second-level NetWire droppers all launch the same payload, either by launching and hollowing dllhost.exe, or\r\nlaunching and hollowing rundll32.exe, or by launching and injecting into a copy of themselves.\r\nBypassing Security Protections With Large Files\r\nThis is the first time we have observed large files being used as a trick to bypass security protections. As described earlier, the\r\nfirst dropper is a self-extracting RAR archive that extracts several files, including either the dropper or another self-extracting RAR archive running the final dropper. 
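The large-file padding this section describes can be checked for directly instead of being skipped. What follows is an added example in Python, not code from the report or from Amnesty International or Citizen Lab. It writes two constructed files into a temporary directory (a 256 KB incompressible stand-in for a normal binary and a 60 MB stand-in for a dropper padded with 0x00 bytes, inside the 50 to 300 MB range the report describes) and streams each one in 1 MB chunks, so memory use does not depend on file size. For each file it reports the fraction of 0x00 bytes and how much larger the file is than its zlib-compressed form; zlib stands in for RAR, which the standard library cannot read, and the 50 MB, 90 percent and 100x thresholds are illustrative choices, not values taken from the report.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed stand-ins, not the real samples from the report.
NORMAL_SIZE = 256 * 1024                      # small, incompressible fake binary
PADDED_SIZE = 60 * 1024 * 1024                # inside the 50-300 MB range the report describes
PADDED_HEADER = bytes(range(1, 256)) * 64     # 16 KB of non-NUL content before the padding


def pseudo_random_bytes(n, seed=b'constructed-sample'):
    '''Deterministic, incompressible filler built from a SHA-256 chain.'''
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def write_samples(directory):
    '''Write both constructed samples. The padded one is extended with truncate(),
    so it reads back as 0x00 past the header without writing 60 MB by hand.'''
    normal = os.path.join(directory, 'normal.bin')
    padded = os.path.join(directory, 'padded.bin')
    with open(normal, 'wb') as fh:
        fh.write(pseudo_random_bytes(NORMAL_SIZE))
    with open(padded, 'wb') as fh:
        fh.write(PADDED_HEADER)
        fh.truncate(PADDED_SIZE)
    return normal, padded


def measure(path, chunk_size=1 << 20):
    '''Stream the file once and return (size, fraction of 0x00 bytes,
    size divided by zlib-compressed size). Memory is bounded by chunk_size,
    not by file size, so there is no reason to skip a 300 MB file.'''
    size = 0
    zeros = 0
    compressed = 0
    comp = zlib.compressobj()
    with open(path, 'rb') as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            size += len(chunk)
            zeros += chunk.count(0)
            compressed += len(comp.compress(chunk))
    compressed += len(comp.flush())
    null_ratio = zeros / size if size else 0.0
    expansion = size / compressed if compressed else 0.0
    return size, null_ratio, expansion


def verdict(size, null_ratio, expansion, min_size=50 * 1024 * 1024,
            min_null_ratio=0.9, max_expansion=100.0):
    '''Two heuristics drawn from the report: an oversize file that is mostly NUL,
    and a file that would balloon out of a small archive. Thresholds are illustrative.'''
    reasons = []
    if size >= min_size and null_ratio >= min_null_ratio:
        reasons.append('oversize-mostly-NUL')
    if expansion > max_expansion:
        reasons.append('high-expansion')
    return reasons or ['clean']


def scan_directory(directory):
    '''Return {filename: {size, null_ratio, expansion, reasons}} for each regular file.'''
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        size, null_ratio, expansion = measure(path)
        report[name] = {
            'size': size,
            'null_ratio': null_ratio,
            'expansion': expansion,
            'reasons': verdict(size, null_ratio, expansion),
        }
    return report


def demo():
    '''Build the two constructed samples in a temp directory and scan them.'''
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_directory(tmp)


if __name__ == '__main__':
    for name, info in demo().items():
        print(name, info['size'], round(info['null_ratio'], 4),
              round(info['expansion'], 1), info['reasons'])
```

Run it directly to print one line per file. A scanner that already enforces a size cap can apply the same single streaming pass to the files it would otherwise skip, and should treat an oversize, mostly-NUL executable as suspicious rather than as too big to scan.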
In almost all cases analyzed here, the droppers were very large files,\r\nbetween 50MB and 300MB.\r\nThese files mostly consist of the byte 0x00, which the RAR format compresses very efficiently, so the delivered archive is quite small.\r\nAs many security solutions impose a file size limit to avoid overloading the detection system with heavy files, it is\r\nlikely that this trick would prevent some solutions from scanning these files at all, let alone detecting them as malicious.\r\nDigital Signatures\r\nWe identified five samples with valid digital signatures for three different UK-registered companies. We contacted the owner\r\nof one of these companies, who told us that he was never involved in signing any software. Further investigation led us to\r\ndoubt that the companies for which the certificates were issued were involved at all. It appears that this may be part of a pattern of\r\nidentity theft of small companies in order to obtain code-signing certificates for malicious software. A recent study has shown that since\r\n2017, this underground market for code-signing certificates has substantially increased. A valid signature only proves that the binary has not been altered since it was signed; it says nothing about whether the signer can be trusted, so signature validity alone should not be treated as a benign indicator.\r\nFinal Payload: NetWire\r\nThe final payload launched in memory by these samples is a NetWire sample communicating with the dynamic DNS\r\ndomain researchplanet.zapto[.]org.\r\nNetWire is commercial malware known since 2012 that has been analyzed in depth several times. It has been used mostly\r\nin cyber-criminal activities, but has also been used several times in cyber-espionage operations, for instance by the Iranian-attributed\r\ngroup APT33 in 2017. It is today sold online for $15 a month by a company called World Wired Labs.\r\nIII. Network Analysis\r\nNetwork traffic appears to be similar in structure to typical NetWire C\u0026C communications:\r\nAll the samples identified communicate with the dynamic DNS domain researchplanet.zapto[.]org on port 1810.\r\nIV. 
Infrastructure\r\nAll the samples identified in this attack used the domain researchplanet.zapto[.]org on port 1810 as their Command \u0026 Control\r\nserver. This is a dynamic DNS domain managed by the company No-IP, and was first seen by RiskIQ in mid-December 2018. According to several passive DNS databases, this domain has resolved to multiple IPs over the year; we have\r\nconfirmed that the IP addresses 185.117.66[.]188 (Edelaraudtee Infrastruktuuri AS) and 185.82.202[.]155 (Host\r\nSailor) acted as NetWire C2 servers receiving connections from compromised systems.\r\nThe dynamic DNS domain socialstatistics.zapto[.]org is very likely linked to this campaign, as it was connected with\r\nseveral IPs also used by researchplanet.zapto[.]org at the end of 2019. During the investigation, we confirmed that the IP\r\naddress used with this domain in December 2019, 185.45.193[.]14 (Host Sailor), was also running a NetWire server on ports\r\n7778 and 50070, confirming the link with this campaign.\r\nFinally, we consider a third dynamic DNS domain, duniaenewsportal.ddns[.]net, to be linked with this campaign, as it shared\r\nthe same IP address 185.45.193[.]14 (Host Sailor). 
This domain could have been created based on the name of Dunya News,\r\nan Urdu-language television channel from Pakistan.\r\nAppendix 2: Indicators of Compromise\r\nYou can find the full list of indicators of compromise here: https://github.com/AmnestyTech/investigations\r\nFollowing are the domain names associated with this campaign:\r\nresearchplanet.zapto[.]org\r\nsocialstatistics.zapto[.]org\r\nduniaenewsportal.ddns[.]net\r\nThe IP addresses hosting the malicious infrastructure are:\r\n185.82.202[.]155\r\n185.117.66[.]188\r\n185.117.74[.]47\r\n185.117.74[.]28\r\n185.45.193[.]14\r\nFollowing are the email addresses used in spearphishing emails:\r\njagdish.meshraam[@]gmail.com\r\ndrsnehapatil64[@]gmail.com\r\nsinhamuskaan04[@]gmail.com\r\njennifergonzales789[@]gmail.com\r\npayalshastri79[@]gmail.com\r\nSource: https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/"
	],
	"report_names": [
		"india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/822f7d6100e2b01d547a4271c8907cc76fa3b3a3.pdf",
		"text": "https://archive.orkl.eu/822f7d6100e2b01d547a4271c8907cc76fa3b3a3.txt",
		"img": "https://archive.orkl.eu/822f7d6100e2b01d547a4271c8907cc76fa3b3a3.jpg"
	}
}