Listen to this Post

A New Espionage Operation Comes to Light
A newly uncovered cyber-espionage campaign highlights how threat actors continue to refine deception and stealth to infiltrate high-value targets. CYFIRMA researchers have revealed a sophisticated operation attributed to APT36, also known as Transparent Tribe, a Pakistan-linked advanced persistent threat group with a long history of targeting Indian government, defense, and academic institutions. This campaign stands out not because of raw technical novelty alone, but because of how convincingly it blends social engineering with fileless malware techniques to quietly seize control of victim systems.
A Familiar Threat Actor With Evolving Tactics
APT36 has been active for years, repeatedly surfacing in intelligence-gathering operations rather than financially motivated attacks. Its objectives typically revolve around surveillance, credential theft, and long-term system access. In this latest operation, the group demonstrates a deeper understanding of both user behavior and modern defensive environments, signaling a continued evolution in tradecraft rather than a one-off experiment.
Social Engineering Through a Timely Academic Lure
The attack chain begins with spear-phishing emails that appear highly relevant to a specific audience. Victims receive ZIP archives titled “Online JLPT Exam Dec 2025.zip,” a lure carefully chosen to attract students, educators, and academic professionals. By referencing a well-known Japanese language proficiency test and an upcoming exam date, the attackers increase the likelihood that recipients will trust and open the attachment without hesitation.
A PDF That Isn’t What It Seems
Inside the ZIP archive sits a deceptively named file: “Online JLPT Exam Dec 2025.pdf.lnk.” At first glance, it appears to be a standard PDF document. In reality, it is a Windows shortcut (LNK) file engineered to masquerade as a harmless document. This subtle trick exploits the fact that many users do not notice file extensions, especially when icons and filenames are crafted to look legitimate.
Oversized LNK Files as a Trust Mechanism
Unlike normal shortcut files that are typically only a few kilobytes in size, this malicious LNK exceeds 2 MB. The reason is deliberate. The attackers embed a full, genuine PDF within the shortcut, allowing the file to open a decoy document while simultaneously launching the malicious process in the background. This dual behavior reduces suspicion, as users see what they expect while the compromise unfolds silently.
Living Off the Land With mshta.exe
When the LNK file is executed, it abuses a legitimate Windows binary: mshta.exe. This trusted system utility is designed to execute HTML Application (HTA) files, and because it is native to Windows, it often bypasses strict application controls. The shortcut instructs mshta.exe to retrieve a remote HTA script hosted on the domain innlive[.]in, marking the true beginning of the malware execution chain.
Invisible Execution and Fileless Techniques
The fetched HTA loader runs invisibly, without displaying any windows or alerts to the user. It decrypts and executes multiple payloads directly in memory, avoiding the need to write malicious files to disk. This fileless execution technique is particularly effective against traditional antivirus solutions that rely heavily on signature-based detection of known malicious files.
Staged Payload Delivery in Memory
The attack does not stop at a single payload. The loader retrieves two encrypted objects named ReadOnly and WriteOnly. These components work together, with WriteOnly ultimately executing a malicious DLL in memory. This staged approach adds complexity and resilience, making it harder for security tools to analyze or interrupt the infection process.
Remote Access Trojans at the Core
The final payloads, identified as ki2mtmkl.dll and iinneldc.dll, function as full-featured Remote Access Trojans. Once loaded, they grant attackers comprehensive control over the compromised system. From this point forward, the victim’s machine effectively becomes a surveillance node within APT36’s intelligence-gathering infrastructure.
Encrypted Command-and-Control Communication
Upon activation, the malware establishes encrypted communication with its command-and-control server at IP address 2.56.10[.]86 over TCP port 8621. During this initial handshake, the malware exfiltrates detailed system information, including the username, operating system version, and installed antivirus products. This reconnaissance allows attackers to tailor their next steps with precision.
Surveillance and Data Theft Capabilities
Once connected to its operators, the RAT can execute remote shell commands, capture screenshots, monitor clipboard activity, and manage files on the infected system. It actively searches for sensitive documents, including Office files and PDFs, which are often rich sources of confidential information in government and academic environments.
Environment-Aware Persistence as a Key Feature
One of the most notable aspects of this campaign is its adaptive persistence mechanism. Rather than relying on a single method to maintain access, the malware queries Windows Management Instrumentation (WMI) to detect which security products are installed. Based on the results, it dynamically adjusts its persistence strategy.
Tailored Behavior Against Antivirus Software
If Kaspersky antivirus is detected, the malware stores its payloads in C:\Users\Public
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




