APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux
Essential information
- Published
- 06/05/2025 19:41
- Modified
- 06/05/2025 20:11
- Tags
- 2025-05-06 clickfix clipboard-based execution cross-platform ministry of defence mshta obfuscation social engineering spoofing
- Related entities
- 7 observables, 1 intrusion sets (apt), 13 techniques (mitre), 3 others
Description
A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users, employing clipboard-based execution techniques. On Windows, the attack utilized mshta.exe to execute a heavily obfuscated HTA file, while on Linux, it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.