Hacktivist claims of cyberattacks on India may be exaggerated, while the APT36 espionage threat looms larger
In the aftermath of the Pahalgam terror attack in Indian-administered Kashmir in April 2025, a sophisticated phishing campaign was launched against Indian government and defence networks. The perpetrators, believed to be the cyber espionage group APT36, which is suspected to have links with Pakistan, aimed to steal sensitive information.
The campaign, despite considerable hype, has proved to be largely symbolic rather than significantly disruptive. CloudSEK analysts have stated that the data allegedly stolen, including from the Andhra Pradesh High Court, consisted mostly of case metadata that was already available online.
APT36 employs Crimson RAT, a remote access Trojan and high-risk espionage tool known for its stealth, persistence, and targeting of defence networks. Once installed, Crimson RAT connects to a command-and-control server, allowing remote operators to exfiltrate files, capture screenshots, and execute over 20 different commands on infected systems.
APT36's data-transfer process is discreet and designed to minimize the chance of detection by security software. The group uses emotionally charged lures to deliver Crimson RAT through phishing emails carrying attachments disguised as government briefings in PowerPoint or PDF format.
However, on closer inspection, many of the claimed hacktivist attacks, including purported breaches of the Indian Army and the Election Commission, have been exposed as either outdated or outright fabricated. Defaced websites were restored within minutes, leaked data turned out to be public or recycled, and Distributed Denial of Service (DDoS) attacks caused negligible downtime.
The recent APT36 campaign highlights the need for increased vigilance in India against covert and capable actors of this kind. Much of the hype around the supposed breaches has been fuelled by Pakistan-linked accounts on social media platforms, such as P@kistanCyberForce and CyberLegendX.
Despite claims that 247 GB of sensitive government data had been exfiltrated from India's National Informatics Centre, the leaked 'proof' amounted to just 1.5 GB of public media files. This underscores the importance of verifying such claims and maintaining a measured approach in the face of cyber threats.
In conclusion, while the APT36 phishing campaign has not resulted in significant disruption, it serves as a reminder of the ongoing threats to Indian cybersecurity. As the landscape of cyber warfare continues to evolve, it is crucial for India to remain vigilant and proactive in safeguarding its digital assets.