Hackers Deploy Pahalgam Attack-Themed Lures Against Indian Government Personnel

Indian Government and Defence personnel are the latest targets in a sophisticated cyber espionage campaign orchestrated by the Pakistan-linked APT group Transparent Tribe (APT36).

The Seqrite Labs APT team reports a surge in phishing attacks themed around the recent “Pahalgam Terror Attack” (April 22, 2025), with adversaries leveraging fake government domains and spear-phishing documents to harvest credentials and deploy remote access trojans.

Transparent Tribe launched their campaign within days of the incident, weaponizing the heightened sensitivity and official urgency associated with the Kashmir region.

Malicious PDFs bearing names like “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf” and “Report Update Regarding Pahalgam Terror Attack.pdf” were created as early as April 24, 2025, and list “Kalu Badshah” as their author.

[Figure: the PDF lure in question]

These documents masquerade as government reports or meeting notes and are often laced with embedded URLs redirecting recipients to convincing phishing pages impersonating legitimate Indian government portals.

One such domain, jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, closely mimics the official Jammu & Kashmir Police site, seeking to harvest credentials of @gov.in and @nic.in account holders.

Attackers Accelerate Post-Terror Event Phishing Using Fake Government Domains

Investigations revealed the campaign’s agility, with multiple document variants crafted to bait targets with references to ongoing government responses, defense meetings, and high-profile communications, covering a broad spectrum from Ministry of Defence notices to DRDO meeting records and even diplomatic agendas.

Additionally, a PowerPoint add-in file (Report & Update Regarding Pahalgam Terror Attack.ppam) with embedded macros has been used to extract decoy documents and trigger payload delivery based on the victim’s Windows environment.

[Figure: the PowerPoint PPAM dropper]

The ultimate objective: deploy the well-known Crimson RAT, concealed under misleading filenames such as “WEISTT.jpg,” with internal identifiers crafted to evade detection.

For command and control, Crimson RAT relies on hardcoded C2 infrastructure; one decoded endpoint is 93.127.133[.]58, and the implant supports 22 distinct operational commands.

These commands range from system reconnaissance and file exfiltration to screenshot capture and persistence installation, giving the operators ample flexibility for espionage and a long-term foothold within targeted networks.

All observed RAT payloads share a compilation timestamp immediately predating the Pahalgam terror event, highlighting meticulous planning by the adversaries.

Domain infrastructure analysis shows that phishing domains were rapidly registered, with most coming online within 24-48 hours of document creation.

These domains impersonate Indian government, military, and research entities, and resolve to IPs associated with bulletproof hosting providers and ASNs previously tied to APT36 operations.

The overlap of geopolitical themes and advanced persistent threat tactics marks this operation as both an information operation and a cyber-espionage vector.

By exploiting the national sensitivities around Kashmir, attackers aim not just to breach systems but to fan misinformation, disrupt operations, and gather strategic intelligence.

The use of PDFs and Office add-ins for initial access, together with rapidly evolving lure documents, aligns with Transparent Tribe’s established playbook observed in previous campaigns targeting Indian government, military, and research sectors.

Recommended mitigations include rigorous attachment scanning, macro restrictions, strict network access controls, targeted user awareness training, and integration with up-to-date threat intelligence to proactively block identified IOCs.

Indicators of Compromise (IOC)

Indicator Type      Value
Phishing Hashes     c4fb60217e3d43eac92074c45228506a, 172fff2634545cf59d59c179d139e0aa, 7b08580a4f6995f645a5bf8addbefa68, … (truncated)
Phishing Domains    jkpolice[.]gov[.]in[.]kashmirattack[.]exposed
                    iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
                    email[.]gov[.]in[.]ministryofdefenceindia[.]org
                    email[.]gov[.]in[.]departmentofdefenceindia[.]link
                    email[.]gov[.]in[.]departmentofdefence[.]de
                    … (multiple more as per report)
Phishing URLs       hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/
                    hxxps://email[.]gov[.]in[.]ministryofdefenceindia[.]org/service/home/
PPAM Hashes         d946e3e94fec670f9e47aca186ecaabe, e18c4172329c32d8394ba0658d5212c2, …
Crimson RAT Hashes  026e8e7acb2f2a156f8afff64fd54066, fb64c22d37c502bde55b19688d40c803, …
C2 IPs              93.127.133[.]58 (Ports – 1097, 17241, 19821, 21817, 23221, 27425)
                    104.129.27[.]14 (Ports – 8108, 16197, 19867, 28784, 30123)
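Every phishing domain in the table follows the same trick described earlier in the piece: a legitimate-looking gov.in or nic.in hostname is placed as interior labels under an attacker-controlled registrable domain (kashmirattack.exposed, ministryofdefenceindia.org, and so on). The following Python script is an added example, not code from Seqrite Labs or the article, that matches egress records against the listed domains and C2 IP/port pairs and, as a generalisation, also flags hostnames that embed gov.in or nic.in under some other registrable domain even when they are not yet on an IOC list. The log format (timestamp, source IP, destination, destination port), the sample records, and the "last labels" heuristic in place of a public-suffix list are assumptions made for the example; only the IOC values come from the report.

```python
from ipaddress import ip_address

# Registrable domains that legitimately host Indian government mail (named in the article).
LEGIT_GOV_SUFFIXES = ("gov.in", "nic.in")

# De-fanged IOCs exactly as listed in the article's table.
PHISHING_DOMAINS_DEFANGED = [
    "jkpolice[.]gov[.]in[.]kashmirattack[.]exposed",
    "iaf[.]nic[.]in[.]ministryofdefenceindia[.]org",
    "email[.]gov[.]in[.]ministryofdefenceindia[.]org",
    "email[.]gov[.]in[.]departmentofdefenceindia[.]link",
    "email[.]gov[.]in[.]departmentofdefence[.]de",
]
C2_DEFANGED = {
    "93.127.133[.]58": {1097, 17241, 19821, 21817, 23221, 27425},
    "104.129.27[.]14": {8108, 16197, 19867, 28784, 30123},
}


def refang(indicator):
    """Turn the article's de-fanged notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in PHISHING_DOMAINS_DEFANGED}
IOC_C2 = {refang(ip): ports for ip, ports in C2_DEFANGED.items()}


def is_gov_lookalike(host):
    """True when 'gov.in' or 'nic.in' appears as interior labels of a hostname
    whose real registrable domain is something else, e.g.
    email.gov.in.departmentofdefence.de. Hosts genuinely under gov.in / nic.in
    return False. Heuristic (assumption): no public-suffix list is consulted."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in LEGIT_GOV_SUFFIXES):
        return False
    return any(f".{s}." in f".{host}." for s in LEGIT_GOV_SUFFIXES)


def scan_line(line):
    """Classify one egress record of the assumed form '<ts> <src_ip> <dst> <dst_port>'.
    Returns a list of finding labels (empty when the record is clean)."""
    _ts, _src, dst, port = line.split()
    dst = dst.lower()
    port = int(port)
    findings = []
    if dst in IOC_DOMAINS:
        findings.append("known-phishing-domain")
    elif is_gov_lookalike(dst):
        findings.append("gov-in-lookalike")  # same pattern, not on the IOC list
    try:
        ip_address(dst)
    except ValueError:
        return findings  # a hostname, not an IP: nothing more to check
    if dst in IOC_C2:
        # The listed C2 ports are the strong signal; any other port on the same
        # IP is still worth review but gets a weaker label.
        findings.append("crimson-rat-c2" if port in IOC_C2[dst] else "c2-ip-unlisted-port")
    return findings


def scan(lines):
    """Return (line, findings) for every record that triggered at least one finding."""
    hits = []
    for line in lines:
        findings = scan_line(line)
        if findings:
            hits.append((line, findings))
    return hits


# Constructed egress records for the example; they are not from the report.
SAMPLE_LOG = [
    "2025-04-25T09:12:44Z 10.20.1.15 email.gov.in 443",
    "2025-04-25T09:13:02Z 10.20.1.15 email.gov.in.ministryofdefenceindia.org 443",
    "2025-04-25T09:14:10Z 10.20.1.22 mail.nic.in.example.net 443",
    "2025-04-25T09:15:33Z 10.20.1.15 93.127.133.58 17241",
    "2025-04-25T09:16:01Z 10.20.1.30 93.127.133.58 80",
    "2025-04-25T09:17:45Z 10.20.1.41 updates.example.net 443",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(", ".join(findings).ljust(24), line)
```

Run against the constructed records, the script reports the known phishing domain, the constructed nic.in lookalike that is absent from the IOC list, the C2 IP on one of its listed ports, and the same IP on an unlisted port; the genuine email.gov.in connection and the unrelated host pass clean. In production the lookalike heuristic should use a public-suffix list rather than the two-label shortcut, and hash matching against the PPAM and Crimson RAT samples belongs in the mail gateway and endpoint tooling, not in a flow-log scanner.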

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.