A newly identified cyberattack campaign has surfaced, leveraging the recognizable branding of India’s Ministry of Defence to distribute cross-platform malware targeting both Windows and Linux systems.
Uncovered by threat intelligence researchers at Hunt.io, this operation employs a ClickFix-style infection chain, mimicking official government press release portals to lure unsuspecting users into executing malicious payloads.
The attackers have meticulously cloned the Ministry’s website, using infrastructure spoofing and visual deception to lower suspicion and enhance the credibility of their malicious site, identified as email.gov.in.drdosurvey[.]info.
.png
)
The attack begins with a deceptive landing page that closely replicates the structure and layout of the legitimate Ministry of Defence press release archive, crafted using the publicly available website cloning tool HTTrack, with metadata indicating the clone was created in early March 2025.
Technical Details of the Multi-Platform Attack
On this spoofed portal, only a single active link for March 2025 is functional, guiding users into a tailored ClickFix social engineering trap.
Depending on the victim’s operating system, the attack redirects to specific PHP pages-/captcha/windows.php for Windows and /captcha/linux.php for Linux.
Windows users encounter a faux “For Official Use Only (FOUO)” warning overlay with a blurred background of a legitimate government site, followed by a clipboard command executing a remote payload via mshta.exe from trade4wealth[.]in, delivering a .NET-based loader connecting to a malicious IP (185.117.90[.]212).
Linux users are presented with a CAPTCHA lure featuring a misspelled “I’m not a rebot” button, silently copying a shell command to download and execute a script (mapeal.sh), though currently benign.
According to Hunt Report, both flows use decoy content-like cloned press releases-to maintain the illusion of legitimacy during malware execution.
The campaign’s tradecraft, including government-themed lures, HTA payloads, and typosquatting, aligns with patterns historically linked to APT36 (Transparent Tribe), a Pakistan-aligned threat actor known for targeting Indian government entities, suggesting medium-confidence attribution to this group.
This attack underscores the evolving reuse of familiar ClickFix techniques with subtle innovations, emphasizing the need for vigilance against clipboard-based execution, spoofed subdomains, and shallow website clones.
Below are the key Indicators of Compromise (IOCs) associated with this campaign for defenders to monitor and mitigate potential threats.
Indicators of Compromise (IOCs)
| Type | Value | Details |
|---|---|---|
| IP Address | 192.64.118[.]76 | Linked to email[.]gov[.]in[.]drdosurvey[.]info |
| IP Address | 185.117.90[.]212 | Linked to email[.]gov[.]in[.]avtzyu[.]store |
| File (HTA) | sysinte.hta | SHA-256: 7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
