Indian Government Agencies Targeted by Pakistani Threat Actors Masquerading as ‘NIC eEmail Services’

Pakistani state-sponsored threat actors APT36, also known as Transparent Tribe, have launched a sophisticated phishing campaign targeting Indian government organizations using a fraudulent domain impersonating the National Informatics Centre’s email services.

The attack infrastructure leverages social engineering tactics to compromise sensitive government systems and steal classified information from defense and administrative entities.

The campaign employs a deceptive domain “accounts.mgovcloud[.]in.departmentofdefence[.]live” designed to mimic legitimate NIC eEmail Services, which are widely used across Indian government departments for official communications.

By creating this convincing facade, the threat actors attempt to harvest credentials from government officials who believe they are accessing authentic email services.

The parent domain “departmentofdefence[.]live” further reinforces the illusion of legitimacy by referencing India’s Department of Defence, a high-value target for intelligence gathering operations.

Technical Infrastructure and Command-and-Control Operations

The attack infrastructure reveals a multi-layered command-and-control network operated by APT36. Security researchers have identified two primary IP addresses associated with this campaign: 81.180.93[.]5 and 45.141.59[.]168.

The first IP address hosts a Stealth Server C2 operating on port 8080, which allows attackers to maintain persistent access to compromised systems while evading detection by traditional security monitoring tools.

This non-standard port configuration helps the malicious traffic blend with legitimate web communications, making network-based detection more challenging.

The use of Stealth Server technology indicates an advanced level of operational security employed by APT36.

This command-and-control framework enables threat actors to remotely execute commands, exfiltrate stolen data, and deploy additional malware payloads to compromised government networks.

The dual-IP infrastructure provides redundancy and resilience, ensuring that if one server is identified and blocked, the attackers maintain alternative communication channels with infected systems.

APT36’s Persistent Threat to Indian National Security

APT36 has maintained a consistent focus on Indian government, military, and diplomatic targets since its emergence.

The group’s tactics typically involve spear-phishing campaigns, malicious document attachments, and credential harvesting operations designed to gain initial access to secure networks. This latest campaign demonstrates the group’s evolving capabilities in domain spoofing and infrastructure obfuscation.

Indian government cybersecurity teams are urged to implement enhanced email authentication protocols, conduct user awareness training on phishing identification, and establish network monitoring for connections to the identified malicious infrastructure.

Organizations should immediately block the identified domains and IP addresses, review authentication logs for suspicious access attempts, and implement multi-factor authentication across all government email services to mitigate credential theft risks.
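One way to act on the final recommendation, as an added example that is not part of the article or the researchers' tooling: a small Python matcher that refangs the published indicators and flags proxy or firewall log lines contacting the listed domains (including any subdomain), the listed IPs, and specifically 81.180.93.5 on port 8080, which the article names as the Stealth Server C2 port. The log line format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Indicators as published in the article (defanged); refanged here for matching.
BAD_DOMAINS = {d.replace("[.]", ".") for d in (
    "accounts.mgovcloud[.]in.departmentofdefence[.]live", "departmentofdefence[.]live")}
BAD_IPS = {ipaddress.ip_address(ip.replace("[.]", ".")) for ip in (
    "81.180.93[.]5", "45.141.59[.]168")}
C2_PORTS = {"81.180.93.5": {8080}}  # Stealth Server C2 port named in the article

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def domain_matches(host: str) -> bool:
    """True for a listed domain or any subdomain beneath it (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def ip_matches(ip_str: str) -> bool:
    """True only if the string parses as exactly one of the listed addresses."""
    try:
        return ipaddress.ip_address(ip_str) in BAD_IPS
    except ValueError:
        return False


def scan_line(line: str) -> list:
    """Return (kind, indicator) pairs found in one proxy/firewall log line."""
    hits = [("domain", m.group(1)) for m in HOST_RE.finditer(line.lower())
            if domain_matches(m.group(1))]
    for m in IP_RE.finditer(line):
        ip, port = m.group(1), m.group(2)
        if ip_matches(ip):
            is_c2 = port is not None and int(port) in C2_PORTS.get(ip, set())
            hits.append(("c2-port" if is_c2 else "ip", f"{ip}:{port}" if port else ip))
    return hits


def scan_log(text: str) -> list:
    """Return (line_number, kind, indicator) for every hit in a log blob."""
    return [(n, kind, value) for n, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]


# Constructed sample log lines (not real traffic); the line format is hypothetical.
SAMPLE_LOG = """\
2024-01-01T09:12:03Z 10.20.1.15 GET https://accounts.mgovcloud.in.departmentofdefence.live/login 200
2024-01-01T09:12:09Z 10.20.1.15 CONNECT 81.180.93.5:8080 tcp
2024-01-01T09:13:40Z 10.20.1.22 GET https://mail.example.in/ 200
2024-01-01T09:14:02Z 10.20.1.30 CONNECT 45.141.59.168:443 tcp
"""
```

Running `scan_log(SAMPLE_LOG)` flags lines 1, 2 and 4 and leaves the benign line 3 alone; feeding real proxy exports through the same function gives the triage list the article's advice calls for.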


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
