Threat Overview
The Security Operations Center (SOC) has identified a new threat report published by CyberHunter_NL on May 6, 2025. The report details an Advanced Persistent Threat (APT) campaign linked to APT36, which is spoofing the Indian Ministry of Defence and targeting both Windows and Linux users.
Threat Report Details
The threat report, titled ‘APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users,’ provides comprehensive insights into the tactics, techniques, and procedures (TTPs) employed by APT36. The report is highly reliable with a confidence level of 100% and a reliability rating of ‘A – Completely reliable.’ It includes 63 connected elements, offering an in-depth analysis of the threat landscape.
Short Description of the Actor Group
APT36, also known as Transparent Tribe, is a state-sponsored threat actor group believed to be operating out of Pakistan. This group has been active since at least 2013 and primarily targets Indian military and government entities. Their campaigns often involve sophisticated phishing attacks, malware deployment, and data exfiltration.
Short Description of the Report
The report focuses on a new campaign dubbed ‘ClickFix,’ where APT36 is spoofing the Indian Ministry of Defence to lure victims into downloading malicious payloads. The campaign targets both Windows and Linux users, indicating a broader scope and increased sophistication in their operations. The malware used in this campaign is designed to evade detection by security tools and maintain persistence on compromised systems.
Threat Analysis
The ClickFix campaign employs several tactics to bypass traditional security measures:
- Phishing Emails: APT36 sends highly convincing phishing emails that appear to originate from the Indian Ministry of Defence. These emails contain malicious attachments or links that, when opened, download and execute the malware on the victim’s system.
- Malware Payloads: The malware used in this campaign is designed to target both Windows and Linux operating systems. It includes backdoor capabilities, allowing the attackers to gain remote access to compromised systems, exfiltrate sensitive data, and perform other malicious activities.
- Command and Control (C&C) Communication: The malware establishes communication with a C&C server controlled by APT36. This server is used to receive instructions from the attackers and send back stolen data.
- Persistence Mechanisms: The malware employs various persistence mechanisms to ensure it remains on the compromised system even after reboots or attempts at removal. These include registry modifications, scheduled tasks, and hidden files.
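The persistence mechanisms listed above (registry modifications, scheduled tasks, hidden files) are the kind of artifacts a SOC can triage from endpoint telemetry. The following is an added example, not code from the report or from ESSGroup: it runs simple detection rules over constructed sample events for both Windows and Linux hosts, and assumes cron edits as the Linux counterpart of scheduled tasks; the event format and rule names are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not from the report), one event per line:
# host|os|event_type|detail
SAMPLE_EVENTS = """\
WS01|windows|registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Users\\a\\AppData\\Roaming\\svc.exe
WS01|windows|process|schtasks.exe /create /sc minute /mo 5 /tn SysCheck /tr C:\\Users\\a\\AppData\\Roaming\\svc.exe
WS02|windows|registry_set|HKCU\\Software\\Mozilla\\Firefox\\Profile=default
LX01|linux|file_create|/home/user/.config/.cache-helper.sh
LX01|linux|process|crontab -e
LX02|linux|file_create|/home/user/report.pdf
"""

# (technique label, event type the rule applies to, pattern on the detail field).
# The labels map to the three persistence mechanisms named in the report.
PERSISTENCE_RULES = [
    ("registry_run_key", "registry_set",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),       # Windows Run/RunOnce autostart keys
    ("scheduled_task", "process",
     re.compile(r"^schtasks(\.exe)?\s+/create\b", re.I)),        # Windows scheduled task creation
    ("cron_modification", "process",
     re.compile(r"^crontab\s+(?:-e|-)(?:\s|$)")),                 # assumed Linux equivalent: crontab edit
    ("hidden_file_drop", "file_create",
     re.compile(r"/\.[^/]+$")),                                   # dot-prefixed (hidden) file created
]


def triage_line(line):
    """Return a finding dict if the event matches a persistence rule, else None."""
    host, os_name, event_type, detail = line.split("|", 3)
    for technique, wanted_type, pattern in PERSISTENCE_RULES:
        if event_type == wanted_type and pattern.search(detail):
            return {"host": host, "os": os_name, "technique": technique, "detail": detail}
    return None


def triage(events_text):
    """Run every non-empty event line through the rules and collect the findings."""
    findings = (triage_line(line) for line in events_text.splitlines() if line.strip())
    return [hit for hit in findings if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']} ({hit['os']}): {hit['technique']} -> {hit['detail']}")
```

Findings from a run like this are a starting point for the incident response plan recommended below, not a verdict: legitimate software also creates Run keys and scheduled tasks, so each hit should be checked against the host's expected configuration.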
Recommendations for Mitigation
To protect against this threat, organizations should implement the following recommendations:
- User Awareness Training: Educate employees about the risks of phishing attacks and how to identify suspicious emails. Regular training sessions can help users recognize and avoid falling victim to these scams.
- Email Filtering: Implement advanced email filtering solutions that can detect and block phishing attempts before they reach user inboxes. These solutions should use machine learning algorithms and threat intelligence feeds to stay updated on the latest phishing tactics.
- Endpoint Protection: Deploy robust endpoint protection software that includes antivirus, anti-malware, and intrusion detection capabilities. Ensure that all systems are regularly updated with the latest security patches and signatures.
- Network Monitoring: Use network monitoring tools to detect unusual traffic patterns or communication with known malicious C&C servers. Implementing Security Information and Event Management (SIEM) solutions can help in real-time threat detection and response.
- Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to take in case of a security breach. Regularly test this plan through tabletop exercises and simulations to ensure readiness.
- Multi-Factor Authentication (MFA): Enforce MFA for all users, especially those with access to sensitive data or systems. This adds an extra layer of security, making it harder for attackers to gain unauthorized access.
- Regular Backups: Perform regular backups of critical data and store them in a secure, offsite location. Ensure that backups are tested regularly to verify their integrity and availability.
- Patch Management: Implement a patch management program to ensure that all systems and software are kept up-to-date with the latest security patches. Prioritize patching for known vulnerabilities that could be exploited by attackers.
By following these recommendations, organizations can significantly reduce the risk of falling victim to the APT36 ClickFix campaign and other similar threats. Staying vigilant and proactive in cybersecurity measures is crucial in today’s ever-evolving threat landscape.