{
	"id": "817b024f-7018-4ba2-8687-94e130716b2d",
	"created_at": "2026-04-06T00:09:41.087974Z",
	"updated_at": "2026-04-10T03:36:50.391312Z",
	"deleted_at": null,
	"sha1_hash": "cac96c624b42001d5dc17bd45c5b1ef4daf3c0a0",
	"title": "Firewalls and Frontlines: The India-Pakistan Cyber Battlefield Crisis - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1645611,
	"plain_text": "Firewalls and Frontlines: The India-Pakistan Cyber Battlefield\r\nCrisis - CYFIRMA\r\nArchived: 2026-04-05 12:37:26 UTC\r\nPublished On : 2025-06-05\r\nEXECUTIVE SUMMARY\r\nAt CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by\r\nmalicious actors, targeting both organizations and individuals. In early 2025, tensions between India and Pakistan\r\ncoincided with an unprecedented wave of cyber operations by non-state hacktivist groups triggered by a terrorist\r\nattack in Kashmir, and India’s subsequent cross-border retaliation. These operations – often defacements,\r\ndistributed-denial-of-service (DDoS) attacks, and claimed data breaches – primarily targeted government, defense,\r\nand critical infrastructure networks. Although many proved to have limited impact, the intensity and visibility of\r\nthese cyber campaigns added a volatile new dimension to the crisis and raised concerns about sustained escalation,\r\nunderscoring the need for vigilance in protecting critical systems and managing escalation dynamics across both\r\ndomains.\r\nINTRODUCTION\r\nhttps://www.cyfirma.com/research/firewalls-and-frontlines-the-india-pakistan-cyber-battlefield-crisis/\r\nPage 1 of 14\n\nIndia and Pakistan have a long history of physical and cyber confrontation, and as both countries are nuclear\r\npowers and possess advanced cyber resources, the stakes are high.\r\nThe late April 2025 terrorist attack on Indian civilians in Kashmir precipitated a rapid intensification of hostilities.\r\nIn response, India conducted precision missile strikes across the Line of Control into Pakistan and Pakistan-administered Kashmir, prompting a forceful counter-response in the air and on the ground. 
This was further\r\nparalleled by aggressive cyber actions, and within days of the initial attack, hacktivist groups on both sides –\r\nmotivated by political, social, or religious ideologies – began launching retaliatory campaigns online.\r\nThis report examines the background, key actors, tactics, and observed impacts of the hacktivist escalation during\r\nthis crisis and draws on open-source intelligence and security analysis to provide a comprehensive, balanced\r\noverview of the cyber dimension of the conflict.\r\nBACKGROUND AND TIMELINE OF EVENTS\r\nOn April 22, 2025, a militant attack on tourists in Pahalgam (Jammu and Kashmir) killed dozens of civilians. India\r\naccused Pakistan-backed elements of sponsoring the attack, and diplomatic relations subsequently deteriorated:\r\nborder crossings were closed, diplomatic expulsions occurred, and both militaries entered high-alert status, with\r\nhacktivist activity accelerating within approximately 48 hours of the Pahalgam incident.\r\nDozens of pro-Pakistan-aligned hacktivist groups – many with roots in South Asia and Southeast Asia – claimed\r\nonline operations against Indian targets, and the volume of cyberattacks on Indian networks grew sharply through\r\nthe last week of April, peaking around April 30. 
This early wave of attacks involved website defacements, DDoS\r\ncampaigns, and alleged data breaches, and was often framed as a retaliatory gesture for the Kashmir violence.\r\nThe physical conflict escalated in May with a coordinated series of Indian missile strikes inside Pakistan and\r\nPakistan-administered Kashmir, with Pakistan apparently retaliating and reporting the destruction of Indian aircraft.\r\nHacktivist groups quickly convened around the hashtag “#OpIndia”, and between May 7 and May 10, the\r\nintensity of attacks grew, with some threat-monitoring teams reporting that the daily rate of DDoS attacks against\r\nIndian sites had soared 100-fold.\r\nA ceasefire on May 10 brought large-scale kinetic exchanges to a temporary halt, but cyber operations continued\r\nuntil May 11, demonstrating a lag between military and hacktivist operations, or a “feedback loop” between\r\nbattlefield events and online skirmishes.\r\nKEY ACTORS AND GROUPS\r\nA wide array of actors participated in the cyber front, including loosely organized hacktivist collectives, individual\r\npatriotic hackers, and possibly state-affiliated operators.\r\nPro-Pakistan hacktivist groups: Many of these have roots in neighbouring countries, with notable names such as\r\nAnonSec and Keymous+, as well as Islamically-oriented groups like the Islamic Hacker Army, and regional\r\ncollectives, such as Sylhet Gang, RipperSec (based in Bangladesh), Arabian Hosts, Red Wolf Cyber, and Team\r\nInsane PK. Some groups carried nationalistic or religious brandings, whereas others used generic names like\r\n“Electronic Army Special Forces” or “Nation of Saviors.” An Iranian-affiliated group named “Vulture” publicly\r\nannounced support for Pakistan, and a well-known threat actor historically associated with Pakistan, APT36 (aka\r\nTransparent Tribe), was also active. 
Analysts suggest it used more sophisticated malware (Crimson RAT) to target\r\nIndian infrastructure, although its relation to hacktivism is murky. Many of these groups publicly claimed\r\nresponsibility for attacks on Indian websites, often sharing graphics or statements on social media or Telegram\r\nchannels, but in practice, these groups ranged from highly skilled to opportunistic.\r\nPro-India hacktivist groups: In turn, Indian hackers and sympathetic groups launched counterattacks, including\r\nIndian Cyber Force, Indian Cyber Defender, Unknown Cyber Cult, Kerala Cyber Xtractors, and others. These\r\ngroups reported launching DDoS attacks against Pakistani targets and, in some cases, claimed to hack Pakistani\r\ngovernment and institutional websites. Their stated goals were defensive or retaliatory, aimed at deterring pro-Pakistani hackers (for example, one group asserted that it breached data on Pakistani financial and tax websites),\r\nbut such claims often lacked external validation.\r\nBoth governments also focused on cyber defense. India temporarily restricted access to its national stock\r\nexchange’s website in anticipation of cyberattacks, and Pakistani authorities warned critical infrastructure\r\noperators to be vigilant. State-sponsored actors likely monitored the situation, though the bulk of public activity\r\ncame from non-state groups. In summary, key actors included diverse hacktivist collectives on both sides, backed\r\nor encouraged by nationalistic narratives, with tacit engagement from security agencies focusing on defense.\r\nOPERATIONS AND TACTICS\r\nCyber operations during the conflict were characterized by their visibility and publicity rather than deep technical\r\nsophistication. Approximately half of the documented incidents were DDoS attacks aimed at taking websites\r\noffline, and about a third were defacements—where attackers altered the visible content of a site with propaganda\r\nmessages or taunts. 
A smaller number of incidents involved alleged data breaches (but these were often of limited\r\nscope) and attempted network intrusions.\r\nDDoS Attacks: Hacktivists utilized both volumetric floods (overwhelming traffic attacks) and targeted\r\napplication-layer floods. In some reported cases, they used reflection/amplification methods (like NTP or DNS\r\namplification) to magnify their traffic. Application-layer attacks mimicked legitimate user behavior to exhaust\r\nserver resources, with targets including government portals, defense agency sites, public healthcare systems, and\r\nmunicipal services. While many DDoS waves lasted minutes to hours, a few continued for much longer; for\r\ninstance, monitoring data indicated the official Indian Defense Ministry site endured a sustained DDoS for over 19\r\nhours on May 10. Such prolonged attacks often forced defenders to shut out foreign traffic or temporarily take\r\ncritical web services offline to mitigate the impact.\r\nWebsite Defacements: Websites (particularly small institutional and local government pages) had their\r\nhomepages corrupted with political slogans or graphics, typically displaying messages sympathizing with\r\nKashmir, or framing India-Pakistan events as a religious struggle. Many defacements were low-level (exploiting\r\nweak content management systems) and more about propaganda than extracting data. They served to broadcast the\r\nhacktivists’ messages widely, even if they did not disrupt services for long.\r\nExploited Vulnerabilities:\r\nCVE-2024-4577 (PHP CGI Argument Injection): This vulnerability allows attackers to execute arbitrary\r\ncode on servers running vulnerable versions of PHP in CGI mode. 
Exploiting this, attackers could gain\r\nunauthorized access to web servers, facilitating defacements and further intrusions.\r\nPHP File Upload Plugin Weaknesses: Many websites utilized outdated or misconfigured PHP file upload\r\nplugins, lacking proper validation and security checks. Attackers exploited these weaknesses to upload\r\nmalicious scripts, such as web shells, enabling them to manipulate website content or execute further\r\nattacks.\r\nData Breach Claims: Some groups claimed to have exfiltrated databases or sensitive files from target systems;\r\nhowever, most of these claims could not be independently verified (or the purportedly stolen data appeared to be old,\r\nincomplete, or recycled from prior incidents). It is possible these claims were intended more as psychological\r\nwarfare—to suggest penetration—than as evidence of actual extensive breaches. For example, one Pakistani hacktivist group\r\nclaimed to have stolen student records from an Indian university, but there was no confirmation beyond the\r\nhackers’ announcement.\r\nOther Tactics: Beyond overt attacks, there were attempts at social engineering and credential phishing, though\r\nthese are harder to track publicly. A few groups also experimented with ransomware or deploying malware like\r\nstealer Trojans, but again, none of these more advanced operations achieved headline successes during the crisis\r\nperiod. In summary, hacktivist operations favored high-visibility disruptions (DDoS, defacement) that could be\r\nexecuted quickly, while more covert attacks remained limited or ineffective.\r\nANALYSIS AND EVIDENCE\r\nPhishing:\r\nAs part of the broader cyber escalation following Operation Sindoor, threat actors launched a sophisticated\r\ncredential phishing campaign targeting Indian government personnel. 
The screenshot below shows a forged\r\ndocument impersonating the National Informatics Centre (NIC), falsely claiming a migration of services to a\r\ncloud infrastructure labeled “mgovcloud.” The message promotes features like antivirus scanning and secure\r\nstorage to instill trust while embedding a malicious link designed to harvest NIC login credentials. By exploiting\r\ntrust in official branding and urgent-sounding language, such social engineering tactics aim to compromise access\r\nto sensitive data, including operational updates on high-impact national security events, such as the Pahalgam\r\nterror attack. These attacks signify the increased weaponization of misinformation and spoofing in modern cyber\r\nwarfare.\r\nSpoofed Indian Government Portal Used in a Phishing Campaign\r\nFake NIC Cloud Migration Notice Used to Lure Government Officials into Credential Theft\r\nDDoS Attacks\r\nThese campaigns began with highly sophisticated phishing lures, including documents impersonating Indian\r\nauthorities (such as the NIC) and government portals (e.g. “gov.in”) urging personnel to migrate to fake platforms\r\nvia malicious links. 
These social engineering techniques exploited institutional trust to gain unauthorized access to\r\nsensitive defense and administrative systems.\r\nSimultaneously, multiple Telegram-based threat groups (such as Keymous+, AnonSec, Nation of\r\nSaviors, and Sylhet Gang) issued public claims of cyberattacks against critical organizations, including:\r\nThe Ministry of Defense\r\nIndian Army, Navy, and Air Force domains\r\nCERT-In, NCIIPC, C-DAC, IPS portals\r\nHAL, BDL, and Mazagon Dock Shipbuilders\r\nIndian embassies and nuclear infrastructure\r\nThe attackers provided “proofs” through Check-Host links showing outages, supported by screenshots. These\r\ncampaigns often included Arabic messaging and heavily used hashtags like #OpIndia to amplify their\r\npsychological impact.\r\nData Breach\r\nPro-Indian cyber group CyberForceX executed a targeted breach of Pakistani educational and civic databases,\r\nincluding an attack on an educational institution that exposed sensitive information. This breach not only\r\nhighlights a tit-for-tat cyber escalation but also underscores growing cyberwarfare sophistication and the\r\nexploitation of weakly protected databases in geopolitical cyber conflicts.\r\nOne breach, publicly flaunted by Keymous+, took just 1.3 minutes, suggesting automated tools or previously\r\nexploited vulnerabilities were used. Screenshots shared by these groups reveal JSON and Excel-formatted data\r\ndumps, and terminal outputs again confirming access to backend databases. 
These breaches pose serious\r\nrisks of identity theft, phishing, and misuse of personal data, indicating a well-coordinated effort to undermine\r\nIndia’s public digital infrastructure.\r\nClaims of data allegedly leaked from Indian services, including booking records and user information\r\nWebsite Defacement\r\nThe Pakistani group “lxrdk1773n” targeted an Indian educational institution’s website, accusing Indian systems of\r\ncriminality. Their message employs psychological warfare tactics, claiming to reveal “cracks” in Indian\r\ncybersecurity while undermining public trust in government institutions. In retaliation, the Indian Cyber Mafia\r\nresponded by defacing a Pakistani government website, escalating the conflict with more aggressive threats,\r\nincluding references to military action and promises of widespread digital destruction across Pakistan. This\r\nexchange illustrates the characteristic pattern identified in threat intelligence reports where both sides engage in\r\nwebsite defacements as low-cost, high-visibility attacks designed more for psychological impact and propaganda\r\nthan technical sophistication. The defacements serve dual purposes: demonstrating the technical capability to\r\npenetrate adversary systems while delivering nationalist messaging that amplifies existing political tensions\r\nbetween the two nations. 
These incidents reflect the broader hacktivist surge where groups leverage cyber\r\noperations as extensions of conventional geopolitical rivalry, using digital platforms to wage information warfare\r\nand assert dominance in cyberspace.\r\nIndian Cyber Mafia:\r\nWebsite defacement by Indian Cyber Mafia on a Pakistani government website\r\nlxrdk1773n:\r\nWebsite defacement by Pakistani hacktivist “lxrdk1773n” on an Indian educational domain\r\nMalware\r\nThe Pakistan-linked threat actors SideCopy and APT36 (also known as Transparent Tribe) are actively conducting\r\nsophisticated cyber espionage campaigns utilizing a diverse arsenal of attack vectors. These groups are leveraging\r\nweaponized PDF documents containing malicious payloads, Microsoft Office files embedded with macro-based\r\nmalware that deploys RATs, Executable and Linkable Format (ELF) binaries targeting Linux systems, and advanced\r\nMythic Command and Control (C2) frameworks for persistent network access and data exfiltration operations.\r\nExample of a Fake Decoy\r\nThis VBA macro script appears to be part of a malware payload delivery mechanism that executes when triggered\r\nwithin an Office document. It begins by setting up file system and shell objects to handle file operations and\r\nexecute commands. The macro dynamically generates a directory path in the user’s Downloads folder based on\r\nthe current time, which helps avoid detection and overwriting issues. It creates a folder and names a new file using\r\na randomized string with replaced extensions to disguise its true nature. 
The script copies multiple files, such as\r\nendoscks, word/media/image1.png, word/media/image2.png, and others, into the new directory using the\r\nCopyHere method, effectively staging the payload. Later, it uses the Shell function to silently execute one of the\r\nPNG files, which may be a disguised executable. Finally, the script opens a Word document from the copied files\r\nprogrammatically using Documents.Open, likely to run embedded malicious content or further macros.\r\nThroughout, the code uses string manipulation and stealth techniques to obfuscate its true purpose and evade\r\nantivirus detection.\r\nInitial Stage of Malicious Macro Code: File Creation, Folder Structuring, and Payload Staging\r\nExecution Phase of Macro: Stealth Launch and Document Triggering\r\nCONCLUSION\r\nThe 2025 India–Pakistan crisis illustrates the increasingly complex nature of modern conflicts. In parallel with\r\nmissiles and diplomatic maneuvers, a sprawling hacktivist escalation unfolded online, with dozens of\r\nideologically-driven groups rapidly mobilized to “fight” in cyberspace – flooding websites, posting propaganda on\r\nbreached pages, and broadcasting claims of digital victories. Even if most technical breakthroughs were meager,\r\nthe sheer scale of the campaign broke new ground, with critical infrastructure – from government portals to stock\r\nexchanges – coming under attack.\r\nThis hybrid escalation underscores several key points. First, open-source evidence shows that non-state actors can\r\nquickly co-opt a national crisis into a global cyber movement, crossing borders and blurring lines between\r\nactivism and warfare. 
Second, while hacktivist methods are often unsophisticated, their capacity to amplify\r\ntensions and sow uncertainty should not be underestimated, as even “fake” breaches can shake confidence and\r\nforce costly precautionary measures. Third, the crisis demonstrated how traditional deterrence logic becomes more\r\ncomplicated when such actors are involved: neither nation can fully control or predict all the online entities\r\nclaiming to act on its behalf.\r\nGoing forward, both India and Pakistan face the challenge of securing their networks against a wider array of\r\nthreats, including ideological activists whose calculus is not tied to official state policies. The recent events serve\r\nas a reminder that in today’s internet-connected world, low-cost cyber operations will continue to intersect with\r\nconventional diplomacy and warfare. For policy-makers and defenders alike, the lesson is clear: robust cyber\r\ndefenses, rapid information-sharing, and de-escalation channels are as essential as battlefield readiness. 
Only by\r\nacknowledging the role of these hacktivist fronts can future escalation be managed more effectively, preventing\r\nlocal conflicts from spiraling unpredictably in the digital realm.\r\nINDICATORS OF COMPROMISE (IOCs)\r\nSource: https://www.cyfirma.com/research/firewalls-and-frontlines-the-india-pakistan-cyber-battlefield-crisis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.cyfirma.com/research/firewalls-and-frontlines-the-india-pakistan-cyber-battlefield-crisis/"
	],
	"report_names": [
		"firewalls-and-frontlines-the-india-pakistan-cyber-battlefield-crisis"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ec2cd63-307d-4281-86da-5dc199e932af",
			"created_at": "2025-08-07T02:03:24.821494Z",
			"updated_at": "2026-04-10T02:00:03.843522Z",
			"deleted_at": null,
			"main_name": "GOLD BLADE",
			"aliases": [
				"Earth Kapre ",
				"Red Wolf ",
				"RedCurl "
			],
			"source_name": "Secureworks:GOLD BLADE",
			"tools": [
				"RedLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f72f2981-0dc4-4d96-857c-a725a143a538",
			"created_at": "2024-03-21T02:00:04.724563Z",
			"updated_at": "2026-04-10T02:00:03.602417Z",
			"deleted_at": null,
			"main_name": "Earth Kapre",
			"aliases": [
				"RedCurl",
				"Red Wolf",
				"GOLD BLADE"
			],
			"source_name": "MISPGALAXY:Earth Kapre",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79e95381-8008-48dc-b981-fd66e1c46ca6",
			"created_at": "2022-10-25T16:07:24.110478Z",
			"updated_at": "2026-04-10T02:00:04.869039Z",
			"deleted_at": null,
			"main_name": "RedCurl",
			"aliases": [
				"Earth Kapre",
				"Red Wolf"
			],
			"source_name": "ETDA:RedCurl",
			"tools": [
				"Impacket",
				"LaZagne"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5245f2ea-fd7e-4b43-ada3-d9eb41923dd2",
			"created_at": "2024-11-03T02:00:03.635546Z",
			"updated_at": "2026-04-10T02:00:03.731596Z",
			"deleted_at": null,
			"main_name": "RipperSec",
			"aliases": [],
			"source_name": "MISPGALAXY:RipperSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9fe6924d-bce6-4b56-9717-fe611932baec",
			"created_at": "2026-03-24T02:00:04.642588Z",
			"updated_at": "2026-04-10T02:00:03.993986Z",
			"deleted_at": null,
			"main_name": "Keymous+",
			"aliases": [
				"keymous",
				"Keymous Plus"
			],
			"source_name": "MISPGALAXY:Keymous+",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cac96c624b42001d5dc17bd45c5b1ef4daf3c0a0.pdf",
		"text": "https://archive.orkl.eu/cac96c624b42001d5dc17bd45c5b1ef4daf3c0a0.txt",
		"img": "https://archive.orkl.eu/cac96c624b42001d5dc17bd45c5b1ef4daf3c0a0.jpg"
	}
}