A new phishing campaign linked to Pakistan-based APT36 has been identified as a significant threat to Indian government systems. First discovered in August 2025, this operation uses typo-squatted domains to mimic official Indian login portals.
Visitors to these sites are shown a login page, and after entering their email credentials they are redirected to a second page that closely resembles the National Informatics Centre's Kavach authentication prompt. The replicas reuse authentic-looking logos and layouts, making them convincing to the average user.
The attackers go further by capturing one-time passwords (OTPs) as they are entered and using them immediately, effectively bypassing multi-factor authentication (MFA) and gaining full access to sensitive government email accounts.
Stealth Infrastructure and Delivery Tactics
Cybersecurity researchers from Cyfirma traced the campaign back to a malicious domain registered on July 14, 2025, which points to IPs already known for phishing activities. Supporting domains created in March and May 2025 follow a uniform structure, indicating a coordinated effort.
These domains resolve both to Amazon Web Services infrastructure and to servers located in Pakistan, suggesting a mix of third-party hosting (rented or compromised) and infrastructure under the group's direct control.
Communication with a command-and-control (C2) server at 37.221.64[.]202 runs over HTTPS, so the stolen data is hidden from content inspection and basic signature-based detection; the destination IP and domain are still visible to DNS, proxy and flow logging, which is what the indicators below are meant for.
Victims report that after entering their login credentials, they are prompted on a second page for their Kavach OTP. This second step convincingly mimics the official MFA process, lowering suspicion and allowing attackers to collect OTPs instantly.
All stolen information is sent over port 443 to the attacker’s infrastructure, resulting in real-time account takeovers. If this campaign continues unmitigated, it could expose classified data, disrupt government operations, and pose serious national security risks.
Infection Flow and Persistence Mechanism
Initial access is gained through a combination of spear-phishing emails and typo-squatted domains. Domains observed in the campaign include (shown defanged):
- mgovcloud[.]in
- virtualeoffice[.]cloud
After stealing credentials, APT36 adds registry Run keys and creates scheduled tasks to maintain persistence on compromised machines. The group also deploys a custom Visual Basic script that beacons to the C2 server at intervals, downloads additional payloads, and exfiltrates files from the victim's system.
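The persistence pattern described above (Run keys and scheduled tasks that launch a Visual Basic script) can be hunted for in exported endpoint telemetry. The following is an added example, not Cyfirma's tooling or anything released with the report: the records are constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process create), and the field names are assumptions to be mapped onto your own SIEM schema.

```python
"""Hunt exported endpoint telemetry for Run-key / scheduled-task persistence
that launches a .vbs payload. Added example; event schema is an assumption."""
import re

# Autostart registry paths, and anything that points at a script host or .vbs.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
VBS_RE = re.compile(r"(wscript|cscript)\.exe|\.vbs\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry, not data from a real victim.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSync",
     "Details": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\sync.vbs"'},
    {"EventID": 13,  # benign Run value: no script host, no .vbs
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Updater" '
                    r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\sync.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",  # query only
     "CommandLine": r'schtasks /query /tn "Updater"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\sync.vbs"'},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_persistence(events):
    """Return one finding per event that matches a persistence heuristic."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            # Run/RunOnce value whose data launches a script host or a .vbs file.
            if RUN_KEY_RE.search(target) and VBS_RE.search(details):
                findings.append({"technique": "registry_run_key",
                                 "evidence": f"{target} -> {details}"})
        elif ev.get("EventID") == 1:
            image, cmd = basename(ev.get("Image", "")), ev.get("CommandLine", "")
            # schtasks /create whose action (/tr) runs a script host or a .vbs file.
            if image == "schtasks.exe" and "/create" in cmd.lower() and VBS_RE.search(cmd):
                findings.append({"technique": "scheduled_task", "evidence": cmd})
            # Script host executing a .vbs from a user profile directory.
            elif image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) \
                    and "appdata" in cmd.lower():
                findings.append({"technique": "script_host_appdata", "evidence": cmd})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['evidence']}")
```

The two benign events (a legitimate Run value and a `schtasks /query`) are included so the heuristics can be checked for false positives before they are turned into a SIEM rule; in production the `appdata` condition should be widened to whichever user-writable paths your environment allows scripts to run from.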
Detection Rule: YARA Signature
To help defenders detect this threat, Cyfirma published a YARA rule with known indicators of compromise (IOCs):
rule APT36_Phishing_Indicators {
    meta:
        author = "Cyfirma Research"
        description = "Detects IOCs for APT36 phishing infrastructure"
        last_updated = "2025-07-30"
    strings:
        $ip1 = "99.83.175.80"
        $ip2 = "37.221.64.202"
        $domain1 = "mgovcloud.in"
        $domain2 = "virtualeoffice.cloud"
    condition:
        any of ($ip*) or any of ($domain*)
}
YARA scans files and memory rather than live network traffic, so this rule will flag artifacts such as downloaded pages, scripts, browser caches or captured PCAPs that reference the campaign's infrastructure, while the same domains and IPs can be fed directly into DNS, proxy and firewall blocklists and used to raise alerts on attempted connections. Note that the rule matches bare substrings: "99.83.175.80" will also fire on an unrelated address such as 199.83.175.80, and "mgovcloud.in" on any longer name containing it, so hits should be confirmed against the parsed value before blocking.
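Applying the same indicators to proxy or DNS logs needs exact comparison of the parsed destination rather than a substring search. The following is an added example, not part of Cyfirma's release or the page's own code: the log format (a timestamp followed by space-separated key=value fields) and the sample lines are constructed, and the IOC values are copied from the rule above in the defanged form an advisory would publish.

```python
"""Match the advisory's IOCs against proxy/DNS logs by parsed domain and IP.
Added example; the log format and sample lines are constructed."""
import ipaddress


def refang(value):
    """Undo the [.] / hxxp defanging used when IOCs are published."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# IOCs as listed in the YARA rule on this page (one written defanged on purpose).
IOC_IPS = {refang(s) for s in ("99.83.175.80", "37.221.64[.]202")}
IOC_DOMAINS = {"mgovcloud.in", "virtualeoffice.cloud"}

# Constructed sample log lines; the format is an assumption.
SAMPLE_LOG = [
    "2025-08-04T09:12:31Z src=10.0.5.23 dst=37.221.64.202:443 sni=mail.mgovcloud.in action=allow",
    "2025-08-04T09:13:02Z src=10.0.5.23 dst=203.0.113.10:443 sni=mail.gov.in action=allow",
    "2025-08-04T09:14:40Z src=10.0.7.9 dst=199.83.175.80:443 sni=cdn.example.net action=allow",
    "2025-08-04T09:15:11Z src=10.0.7.9 dst=99.83.175.80:443 sni=virtualeoffice.cloud action=allow",
    "2025-08-04T09:16:58Z src=10.0.8.4 dst=198.51.100.7:443 sni=notmgovcloud.in action=allow",
]


def domain_hit(host, iocs=IOC_DOMAINS):
    """Exact match or a subdomain of an IOC domain; 'notmgovcloud.in' is not a hit."""
    host = refang(host).lower().rstrip(".")
    return next((d for d in iocs if host == d or host.endswith("." + d)), None)


def ip_hit(addr, iocs=IOC_IPS):
    """Compare parsed addresses so that 199.83.175.80 cannot match 99.83.175.80."""
    try:
        ip = str(ipaddress.ip_address(refang(addr)))
    except ValueError:
        return None
    return ip if ip in iocs else None


def parse(line):
    """Split 'key=value' fields; dst is 'ip:port' (IPv4 only in this sample)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    dst = fields.get("dst", "")
    fields["dst_ip"] = dst.rsplit(":", 1)[0] if ":" in dst else dst
    return fields


def scan_log(lines):
    """Return (1-based line number, [matched IOCs]) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse(line)
        matched = []
        d = domain_hit(f.get("sni", ""))
        if d:
            matched.append("domain:" + d)
        ip = ip_hit(f.get("dst_ip", ""))
        if ip:
            matched.append("ip:" + ip)
        if matched:
            hits.append((n, matched))
    return hits


def naive_substring_hit(line):
    """What a bare string match, as in the YARA rule, would report for the line."""
    text = refang(line)
    return any(ioc in text for ioc in IOC_IPS | IOC_DOMAINS)


if __name__ == "__main__":
    for n, matched in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(matched)}")
    # Lines 3 and 5 are the substring false positives the parsed match avoids.
    for n in (3, 5):
        print(f"line {n}: naive={naive_substring_hit(SAMPLE_LOG[n - 1])}, parsed=no hit")
```

Lines 1 and 4 are the true hits; lines 3 (199.83.175.80) and 5 (notmgovcloud.in) show where a substring match over-reports, which is why the parsed comparison is the one to wire into an alerting or blocking rule.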