APT36 Uses “Pahalgam Terror Attack” Lure in Targeted Phishing Against Indian Defense Personnel, Weaponized to Deliver the Stealthy CrimsonRAT Backdoor
On April 24, 2025, threat actors linked to the Pakistan-based advanced persistent threat group APT36 (aka Transparent Tribe) launched a targeted phishing campaign aimed at Indian government and defense personnel. The lure? A fabricated report about the recent “Pahalgam Terror Attack” in Jammu and Kashmir, India, weaponized to deliver the CrimsonRAT backdoor and exfiltrate sensitive data.
This is a textbook example of how adversaries hijack real-world tension to fuel cyber espionage, and it’s packed with TTPs that cyber defenders should know.
🎯 The Bait: Social Engineering Wrapped in a National Security Theme
The attackers delivered a malicious file titled:
Report & Update Regarding Pahalgam Terror Attack.ppam
Disguised as an official PowerPoint macro-enabled add-in, the file abuses the .ppam format (an OOXML package that carries a VBA project) to drop and execute malware quietly. The phishing links impersonate legitimate Indian government sites by placing the real hostnames (jkpolice.gov.in, iaf.nic.in) as subdomains of attacker-registered domains, so a user who reads only the left end of the URL sees a familiar government address:
- jkpolice[.]gov[.]in[.]kashmirattack[.]exposed
- iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
Both domains were registered on April 24, 2025, the same day and just before the campaign began, which shows how quickly the actor turned the news event into operational infrastructure.
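The subdomain trick above is easy to catch mechanically once you separate the attacker's registrable domain from the labels to its left. The following is an added example, not code from the original post: it defangs IOC-style hostnames, derives the registrable domain from a small constructed public-suffix table (real tooling should use the full Public Suffix List), and flags any hostname whose subdomain labels contain a trusted domain. The trusted-domain set is constructed for the example.

```python
"""Detect hostnames that smuggle a trusted domain into their subdomain labels.

Added example, not code from the original post. The two hostnames checked in
__main__ are the ones quoted in the post; the public-suffix table is a small
constructed stand-in for the real Public Suffix List.
"""

# Constructed, minimal public-suffix table (assumption: real tooling would use
# the full Public Suffix List, e.g. via the `publicsuffix2` package).
PUBLIC_SUFFIXES = {"com", "org", "net", "in", "exposed", "gov.in", "nic.in", "co.in"}

# Domains the target organisation treats as trusted (constructed for the example).
TRUSTED_DOMAINS = {"jkpolice.gov.in", "iaf.nic.in", "mod.gov.in"}


def defang(host: str) -> str:
    """Turn 'a[.]b' into 'a.b' so IOC-style input can be analysed."""
    return host.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return eTLD+1: the longest matching public suffix plus the label before it."""
    labels = host.split(".")
    # Try the longest suffix first so 'gov.in' wins over 'in'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return host  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when the TLD is unknown


def spoofed_trusted_domain(host: str):
    """Return (registrable_domain, impersonated_domain) or None.

    A hostname impersonates a trusted domain when that trusted domain appears
    as a run of labels inside the subdomain part, i.e. to the left of the
    attacker-controlled registrable domain.
    """
    host = defang(host)
    reg = registrable_domain(host)
    if reg == host:
        return None
    subpart = host[: -(len(reg) + 1)]  # strip '.' + registrable domain
    sub_labels = subpart.split(".")
    for trusted in TRUSTED_DOMAINS:
        t_labels = trusted.split(".")
        n = len(t_labels)
        for i in range(len(sub_labels) - n + 1):
            if sub_labels[i:i + n] == t_labels:
                return reg, trusted
    return None


if __name__ == "__main__":
    for h in ["jkpolice[.]gov[.]in[.]kashmirattack[.]exposed",
              "iaf[.]nic[.]in[.]ministryofdefenceindia[.]org",
              "jkpolice.gov.in",
              "mail.iaf.nic.in"]:
        print(h, "->", spoofed_trusted_domain(h))
```

This catches only the subdomain-smuggling pattern. A name-similarity lookalike such as ministryofdefenceindia[.]org, where the registrable domain itself imitates the organisation, needs a separate keyword or edit-distance check against the real domain.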
🔬 Payload Analysis: How the Infection Chain Works
Once opened, the VBA macro inside the .ppam runs an Auto_Open subroutine. Here’s a breakdown of what it does:
- Enumerates the installed PowerPoint add-ins
- Creates a hidden folder named %UserProfile%\0ffice360-[seconds] (note the digit zero in place of the letter O, and the current seconds value appended to the name)
- Copies out embedded binaries such as oleObject2.bin from the package
- Renames the .bin to .zip, extracts it, and renames a .jpg inside it to .exe (the “image” is a PE file)
- Executes that payload, which drops and launches the compiled RAT
- Extracts a second, decoy .pptx to the Downloads folder so the victim sees a document open as expected
The core payload connects to a C2 at 93.127.133.58 (ASN DBM-ASN-KC, US) and is tagged by AV as trojan.msil/filecrypter (an MSIL, i.e. .NET, binary), consistent with CrimsonRAT, the .NET remote access trojan that has long been part of APT36’s arsenal.
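Every step of that chain leaves a trace in the .ppam itself, because a .ppam is an OOXML package, i.e. a ZIP file. The following static triage script is an added example, not code from the original post or the analysis it describes: it opens the package as a ZIP, checks for a VBA project, finds embedded OLE objects under ppt/embeddings/ that are really ZIP archives, and flags archive members whose extension says “image” but whose bytes start with the PE `MZ` signature. The sample package it analyses is constructed in memory and only mimics the described layout; it is not the real attachment.

```python
"""Static triage of a .ppam (PowerPoint macro-enabled add-in).

Added example, not code from the original post. A .ppam is an OOXML package,
so the checks below open it as a ZIP and look for the traits the infection
chain relies on: a VBA project, embedded OLE objects that are really ZIP
archives, and archive members that are PE files despite an image extension.
"""
import io
import zipfile

VBA_PART = "ppt/vbaProject.bin"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (CFB) header


def _nested_zip_findings(name: str, data: bytes) -> list:
    """Open an embedded object as a ZIP and flag members that are PE files."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            for member in inner.namelist():
                head = inner.read(member)[:2]
                if head == PE_MAGIC:
                    kind = ("PE disguised as image"
                            if member.lower().endswith(IMAGE_EXTS) else "PE file")
                    findings.append(f"{name}:{member}: {kind}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: ZIP signature but not a readable archive")
    return findings


def triage_ppam(blob: bytes) -> dict:
    """Return has_vba, a list of findings and a suspicious verdict for a .ppam/.pptm."""
    result = {"has_vba": False, "findings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        names = pkg.namelist()
        result["has_vba"] = VBA_PART in names
        for name in names:
            if not name.startswith("ppt/embeddings/"):
                continue
            data = pkg.read(name)
            if data.startswith(ZIP_MAGIC):
                result["findings"].append(f"{name}: embedded OLE object is a ZIP archive")
                result["findings"].extend(_nested_zip_findings(name, data))
            elif data.startswith(PE_MAGIC):
                result["findings"].append(f"{name}: embedded OLE object is a PE file")
    # VBA alone is normal for an add-in; VBA plus a smuggled archive/PE is not.
    result["suspicious"] = result["has_vba"] and bool(result["findings"])
    return result


def build_sample_ppam(malicious: bool = True) -> bytes:
    """Constructed sample mirroring the described layout (not the real file)."""
    if malicious:
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as z:
            z.writestr("photo.jpg", PE_MAGIC + b"\x00" * 62)  # PE signature only, not a runnable binary
            z.writestr("decoy.pptx", ZIP_MAGIC + b"decoy")
        embedded = inner.getvalue()
    else:
        embedded = OLE_MAGIC + b"\x00" * 24  # an ordinary embedded OLE object
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 24)  # VBA project stub
        z.writestr("ppt/embeddings/oleObject2.bin", embedded)
    return outer.getvalue()


if __name__ == "__main__":
    report = triage_ppam(build_sample_ppam())
    for line in report["findings"]:
        print(line)
    print("suspicious:", report["suspicious"])
```

Run it against a real sample with `triage_ppam(open(path, "rb").read())`. The verdict deliberately requires both a VBA project and a smuggled archive or PE, so a legitimate macro add-in with ordinary embedded objects is not flagged; pair it with a VBA dump (for example olevba) to read the Auto_Open logic itself.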
🕵️ Attribution: APT36 Transparent Tribe’s Signature
APT36, or Transparent Tribe, is widely believed to operate under the patronage of Pakistani intelligence. The group has a well-documented history of targeting Indian defense, diplomatic, and research personnel using social engineering lures centered around geopolitical events, military operations, and internal security incidents. Its recurring tradecraft includes:
- Document-based malware
- Legitimate-looking domains
- Themes rooted in conflict, military operations, or regional crises
This campaign was timed to exploit the fear and urgency surrounding the Pahalgam terror attack in Jammu and Kashmir, with the attackers posing as an official source of updates on it. Using official government themes and mimicked domains is a hallmark of Transparent Tribe’s operational playbook.
Takeaways for Threat Hunters
- File Format Abuse: .ppam attachments are rare in legitimate mail flow, so mail filters and user awareness training seldom cover them. The format is still an OOXML ZIP with a vbaProject.bin inside, so static inspection catches it.
- Cross-Region C2 Infrastructure: both Bulgaria- and US-based hosting appear in this campaign. Watch for staging spread across regions and small offshore providers; the choice favours hosts that are slow to act on takedown requests.
- Time-Based Directory Masking: appending the current seconds value to the staging folder name defeats rules that match a fixed path. Hunt on the pattern (the zero-for-O homoglyph plus a numeric suffix) rather than on a literal string.
- Post-Execution Distraction: the second, decoy .pptx gives the victim the document they expected to open, which hides the fact that the promised report never existed.
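The time-based directory masking and the Office-spawns-payload behaviour are both huntable in endpoint telemetry. The following is an added example, not code from the original post: it runs three detections over constructed, Sysmon-style events (EventID 1 = process create, 11 = file create). The field names are an assumption about the log shape, and the staging-directory pattern generalises the post's %UserProfile%\0ffice360-[seconds] to any profile on any drive letter, so the rule keeps firing whatever seconds value the macro picked.

```python
"""Hunt for the post-execution artefacts of the chain above in endpoint telemetry.

Added example, not code from the original post. The records below are
constructed, Sysmon-style events (EventID 1 = process create, 11 = file
create); the field names are an assumption about the log shape, and the
directory pattern generalises the post's %UserProfile%\\0ffice360-[seconds]
to any user profile on any drive letter.
"""
import re

OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe"}
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Digit zero standing in for the letter O, then a 1-2 digit seconds value.
STAGING_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\0ffice360-\d{1,2}\\", re.IGNORECASE)

PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
EVENTS = [  # constructed sample telemetry, not real logs
    {"id": 1, "image": PPT, "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "image": PPT, "target": r"C:\Users\alice\0ffice360-37\oleObject2.zip"},
    {"id": 11, "image": PPT, "target": r"C:\Users\alice\0ffice360-37\photo.exe"},
    {"id": 1, "image": r"C:\Users\alice\0ffice360-37\photo.exe", "parent": PPT},
    {"id": 11, "image": PPT, "target": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\Office365-notes.txt"},  # benign: letter O, no suffix
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return (rule, path) pairs for events that match the campaign's behaviour."""
    hits = []
    for ev in events:
        if ev["id"] == 11:  # file create
            target = ev["target"]
            if STAGING_DIR.match(target):
                hits.append(("staging_dir_file_write", target))
            elif (basename(ev["image"]) in OFFICE_IMAGES
                  and target.lower().endswith(".exe")
                  and USER_PROFILE.match(target)):
                hits.append(("office_drops_exe_in_profile", target))
        elif ev["id"] == 1:  # process create
            image = ev["image"]
            if STAGING_DIR.match(image):
                hits.append(("exec_from_staging_dir", image))
            elif basename(ev["parent"]) in OFFICE_IMAGES and USER_PROFILE.match(image):
                hits.append(("office_spawns_profile_exe", image))
    return hits


if __name__ == "__main__":
    for rule, path in hunt(EVENTS):
        print(f"{rule:30} {path}")
```

The first rule is campaign-specific; the other two (an Office process writing an .exe into, or launching one from, a user profile) are behavioural and will keep working when the actor changes the folder name. Expect them to need tuning for self-updating Office add-ins in your environment.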
🧩 IOCs
Malicious Domains:
- kashmirattack[.]exposed
- ministryofdefenceindia[.]org
IPs:
- 78.40.143.189 (Shinjiru Technology — BG, Bulgaria)
- 37.221.64.134 (Alexhost- BG, Bulgaria)
- 93.127.133.58 (DBM-ASN-KC, US)
Malicious File:
- Report & Update Regarding Pahalgam Terror Attack.ppam
This campaign reminds us how quickly APT actors can operationalize geopolitical narratives into targeted cyber campaigns. As threat hunters, staying ahead means staying contextual.
If you’re seeing similar TTPs in the wild or want to share insights, 💬 drop a comment or DM.
Let’s make the world secure, together.
D09r