{
	"id": "b1b5a975-6e2d-4bd2-9620-1910acdc84a8",
	"created_at": "2026-04-06T00:18:11.639192Z",
	"updated_at": "2026-04-10T03:36:50.312265Z",
	"deleted_at": null,
	"sha1_hash": "c790cb00174eef53fe61d31ac4a5d26768d65871",
	"title": "Advisory: Pahalgam Attack themed decoys used by APT36 to target the Indian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 669687,
	"plain_text": "Advisory: Pahalgam Attack themed decoys used by APT36 to\r\ntarget the Indian Government\r\nBy Rhishav Kanjilal\r\nPublished: 2025-04-30 · Archived: 2026-04-02 12:46:46 UTC\r\nSeqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign\r\ninvolves both credential phishing and deployment of malicious payloads, with fake domains impersonating\r\nJammu \u0026 Kashmir Police and Indian Air Force (IAF) created shortly after the April 22, 2025 attack. This advisory\r\nalerts about the phishing PDF and domains used to uncover similar activity along with macro-laced document\r\nused to deploy the group’s well-known Crimson RAT.\r\nAnalysis\r\nThe PDF in question was created on April 24, 2025, with the author listed as “Kalu Badshah”. The names of this\r\nphishing document are related to the response measures by the Indian Government regarding the attack.\r\n“Action Points \u0026 Response by Govt Regarding Pahalgam Terror Attack .pdf”\r\n“Report Update Regarding Pahalgam Terror Attack.pdf”\r\nhttps://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/\r\nPage 1 of 12\n\nPicture 1\r\nThe content of the document is masked and the link embedded within the document is the primary vector for the\r\nattack. If clicked, it leads to a fake login page which is part of a social engineering effort to lure individuals. 
The\r\nembedded URL triggered is:\r\nhxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/\r\nThe domain mimics the legitimate Jammu \u0026 Kashmir Police (jkpolice[.]gov[.]in), an official Indian police website,\r\nbut the fake one appends kashmirattack[.]exposed, which makes the legitimate-looking name only a subdomain of that domain.\r\nPicture 2\r\nThe addition of “kashmirattack” indicates a thematic connection to the sensitive geopolitical issue, in this case,\r\nrelated to the recent attack in the Kashmir region. Once the government credentials are entered for @gov.in or\r\n@nic.in, they are sent directly back to the host. Pivoting on the author’s name, we observed multiple such\r\nphishing documents.\r\nPicture 3\r\nMultiple names have been observed for each phishing document related to various government and defence\r\nmeetings to lure the targets, showcasing how quickly the group crafts lures around ongoing events in the country:\r\nReport \u0026 Update Regarding Pahalgam Terror Attack.pdf\r\nReport Update Regarding Pahalgam Terror Attack.pdf\r\nAction Points \u0026 Response by Govt Regarding Pahalgam Terror Attack .pdf\r\nJ\u0026K Police Letter Dated 17 April 2025.pdf\r\nROD on Review Meeting held on 10 April 2025 by Secy DRDO.pdf\r\nRECORD OF DISCUSSION TECHNICAL REVIEW MEETING NOTICE, 07 April 2025 (1).pdf\r\nMEETING NOTICE – 13th JWG meeting between India and Nepal.pdf\r\nAgenda Points for Joint Venture Meeting at IHQ MoD on 04 March 2025.pdf\r\nDO Letter Integrated HQ of MoD dated 3 March.pdf\r\nCollegiate Meeting Notice \u0026 Action Points MoD 24 March.pdf\r\nLetter to the Raksha Mantri Office Dated 26 Feb 2025.pdf\r\npdf\r\nAlleged Case of Sexual Harassment by Senior Army 
Officer.pdf\r\nAgenda Points of Meeting of Dept of Defence held at 11March 25.html\r\nAction Points of Meeting of Dept of Defence held at 10March 25.html\r\nAgenda Points of Meeting of External Affairs Dept 10 March 25.pdf.html\r\nPowerPoint PPAM Dropper\r\nA PowerPoint add-in file containing malicious macros has been identified with the same name as the phishing document, “Report \u0026 Update Regarding\r\nPahalgam Terror Attack.ppam”. It extracts both the\r\nembedded files into a hidden directory with a dynamic name under the user’s profile, determines the payload based on\r\nthe Windows version, and eventually opens the decoy file, which embeds the same phishing URL, while\r\nexecuting the Crimson RAT payload.\r\nPicture 4\r\nThe final Crimson RAT has the internal name “jnmxrvt hcsm.exe” and is dropped as “WEISTT.jpg”, with a\r\nsimilar PDB convention:\r\nC:\\jnmhxrv cstm\\jnmhxrv cstm\\obj\\Debug\\jnmhxrv cstm.pdb\r\nAll three RAT payloads have a compilation timestamp of 2025-04-21, just before the Pahalgam terror attack. As\r\nusual, the hardcoded default IP is present as a decoy and the actual C2 after decoding is 93.127.133[.]58. 
It\r\nsupports the following 22 commands for command and control apart from retrieving system and user information.\r\nCommands | Functionality\r\nprocl / getavs | Get a list of all processes\r\nendpo | Kill process based on PID\r\nscrsz | Set screen size to capture\r\ncscreen | Get screenshot\r\ndirs | Get all disk drives\r\nstops | Stop screen capture\r\nfilsz | Get file information (Name, Creation Time, Size)\r\ndowf | Download the file from C2\r\ncnls | Stop uploading, downloading and screen capture\r\nscren | Get screenshots continuously\r\nthumb | Get a thumbnail of the image as GIF with size of 200×150\r\nputsrt | Set persistence via Run registry key\r\nudlt | Download \u0026 execute file from C2 with ‘vdhairtn’ name\r\ndelt | Delete file\r\nfile | Exfiltrate the file to C2\r\ninfo | Get machine info (Computer name, username, IP, OS name, etc.)\r\nrunf | Execute command\r\nafile | Exfiltrate file to C2 with additional information\r\nlistf | Search files based on extension\r\ndowr | Download file from C2 (No execution)\r\nfles | Get the list of files in a directory\r\nfldr | Get the list of folders in a directory\r\nInfrastructure and Attribution\r\nThe phishing domains identified through hunting have creation dates just one or two days after the documents\r\nwere created.\r\nDomains | Creation | IP | ASN\r\njkpolice[.]gov[.]in[.]kashmirattack[.]exposed | 2025-04-24 | 37.221.64.134, 78.40.143.189 | AS 200019 (Alexhost Srl), AS 45839 (Shinjiru Technology)\r\niaf[.]nic[.]in[.]ministryofdefenceindia[.]org | 2025-04-16 | 37.221.64.134 | AS 200019 (Alexhost Srl)\r\nemail[.]gov[.]in[.]ministryofdefenceindia[.]org | 2025-04-16 | 45.141.58.224 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]departmentofdefenceindia[.]link | 2025-02-18 | 45.141.59.167 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]departmentofdefence[.]de | 2025-04-10 | 45.141.58.224 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]briefcases[.]email | 2025-04-06 | 45.141.58.224, 78.40.143.98 | AS 213373 (IP Connect Inc), AS 45839 (Shinjiru Technology)\r\nemail[.]gov[.]in[.]modindia[.]link | 2025-03-02 | 84.54.51.12 | AS 200019 (Alexhost Srl)\r\nemail[.]gov[.]in[.]defenceindia[.]ltd | 2025-03-20 | 45.141.58.224, 45.141.58.33 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]indiadefencedepartment[.]link | 2025-02-25 | 45.141.59.167 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]departmentofspace[.]info | 2025-04-20 | 45.141.58.224 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]indiangov[.]download | 2025-04-06 | 45.141.58.33, 78.40.143.98 | AS 213373 (IP Connect Inc), AS 45839 (Shinjiru Technology)\r\nindianarmy[.]nic[.]in[.]departmentofdefence[.]de | 2025-04-10 | 176.65.143.215 | AS 215208\r\nindianarmy[.]nic[.]in[.]ministryofdefenceindia[.]org | 2025-04-16 | 176.65.143.215 | AS 215208\r\nemail[.]gov[.]in[.]indiandefence[.]work | 2025-03-10 | 45.141.59.72 | AS 213373 (IP Connect Inc)\r\nemail[.]gov[.]in[.]indiangov[.]download | 2025-04-06 | 78.40.143.98 | AS 45839 (Shinjiru Technology)\r\nemail[.]gov[.]in[.]drdosurvey[.]info | 2025-03-19 | 192.64.118.76 | AS 22612 (NAMECHEAP-NET)\r\nThis kind of attack is typical in hacktivism, where the goal is to create chaos or spread a political message by\r\nexploiting sensitive or emotionally charged issues. 
In this case, the threat actor is exploiting existing tensions\r\nsurrounding Kashmir to maximize the impact of their campaign and extract intelligence around these issues.\r\nThe suspicious domains are part of a phishing and disinformation infrastructure consistent with tactics previously\r\nused by APT36 (Transparent Tribe), which has a long history of targeting:\r\nIndian military personnel\r\nGovernment agencies\r\nDefense and research organizations\r\nActivists and journalists focused on Kashmir\r\nPPAM for initial access has been used for many years to embed malicious executables as OLE objects. Domain\r\nimpersonation to create deceptive URLs that mimic Indian government or military infrastructure has been seen\r\nconsistently since last year. They often exploit sensitive topics like the Kashmir conflict, border skirmishes, and\r\nmilitary movements to create lures for spear-phishing campaigns. Hence these campaigns, which involved delivering\r\nCrimson RAT hidden behind fake documents or malicious links embedded in spoofed domains, are attributed to APT36\r\nwith high confidence.\r\nPotential Impact: Geopolitical and Cybersecurity Implications\r\nThe combination of a geopolitical theme and cybersecurity tactics suggests that this document is part of a broader\r\ndisinformation campaign. The reference to Kashmir, a region with longstanding political and territorial disputes,\r\nindicates the attacker’s intention to exploit sensitive topics to stir unrest or create division.\r\nAdditionally, using PDF files as a delivery mechanism for malicious links is a proven technique aiming to\r\ninfluence public perception, spread propaganda, or cause disruptions. 
Here’s how the impact could manifest:\r\nDisruption of Sensitive Operations: If an official or government worker were to interact with this\r\ndocument, it could compromise their personal or organizational security.\r\nInformation Operations: The document could lead to the exposure of sensitive documents or the\r\ndissemination of false information, thereby creating confusion and distrust among the public.\r\nEspionage and Data Breaches: The phishing attempt could ultimately lead to the theft of sensitive data or\r\nthe deployment of malware within the target’s network, paving the way for further exploitation.\r\nRecommendations\r\nEmail \u0026 Document Screening: Implement advanced threat protection to scan PDFs and attachments for embedded\r\nmalicious links or payloads.\r\nRestrict Macro Execution: Disable macros by default, especially from untrusted sources, across all endpoints.\r\nNetwork Segmentation \u0026 Access Controls: Limit access to sensitive systems and data; apply the principle of least\r\nprivilege.\r\nUser Awareness \u0026 Training: Conduct regular training on recognizing phishing, disinformation, and geopolitical\r\nmanipulation tactics.\r\nIncident Response Preparedness: Ensure a tested response plan is in place for phishing, disinformation, or\r\nsuspected nation-state activity.\r\nThreat Intelligence Integration: Leverage geopolitical threat intel to identify targeted campaigns and proactively\r\nblock indicators of compromise (IOCs).\r\nMonitor for Anomalous Behaviour: Use behavioural analytics to detect unusual access patterns or data exfiltration\r\nattempts.\r\nIOCs\r\nPhishing 
Documents\r\nPhishing Domains\r\nPhishing 
URLs\r\nPPAM/XLAM\r\nCrimson RAT\r\n93.127.133.58 (Ports – 1097, 17241, 19821, 21817, 23221, 27425)\r\n104.129.27.14 (Ports – 8108, 16197, 19867, 28784, 30123)\r\nMITRE ATT\u0026CK\r\nReconnaissance | T1598.003 | Phishing for Information: Spearphishing Link\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nExecution | T1204.001 | User Execution: Malicious Link\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nCollection | T1005 | Data from Local System\r\nCollection | T1113 | Screen Capture\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nAuthors:\r\nSathwik Ram Prakki\r\nRhishav Kanjilal\r\nSource: https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/"
	],
	"report_names": [
		"advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c790cb00174eef53fe61d31ac4a5d26768d65871.pdf",
		"text": "https://archive.orkl.eu/c790cb00174eef53fe61d31ac4a5d26768d65871.txt",
		"img": "https://archive.orkl.eu/c790cb00174eef53fe61d31ac4a5d26768d65871.jpg"
	}
}