APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

· Published 06/05/2025 19:41 · Modified 06/05/2025 20:11

Essential information

Published
06/05/2025 19:41
Modified
06/05/2025 20:11
Tags
2025-05-06, clickfix, clipboard-based execution, cross-platform, ministry of defence, mshta, obfuscation, social engineering, spoofing
Related entities
7 observables, 1 intrusion sets (apt), 13 techniques (mitre), 3 others

Description

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users, employing cross-platform techniques. On Windows, the attack used mshta.exe to execute a heavily obfuscated HTA file, while on Linux it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.

External references