{
  "name": "APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux",
  "slug": "apt36-style-clickfix-attack-spoofs-indian-ministry-to-target-windows-linux",
  "description": "A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain that mimicked government press releases and used a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users and relied on clipboard-based execution, in which the user is prompted to paste and run a command. On Windows, the attack used mshta.exe to execute a heavily obfuscated HTA file; on Linux, it attempted to execute a shell script. The observed tradecraft, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.",
  "published": "2025-05-06T17:41:33+00:00",
  "created_at": "2025-05-06T17:41:33+00:00",
  "modified_at": "2025-05-06T18:11:19+00:00",
  "created_at_opencti": "2025-05-06T17:41:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-06",
    "clickfix",
    "clipboard-based execution",
    "cross-platform",
    "ministry of defence",
    "mshta",
    "obfuscation",
    "social engineering",
    "spoofing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "185.117.90.212"
      },
      {
        "id": "",
        "name": "email.gov.in.avtzyu.store"
      },
      {
        "id": "",
        "name": "trade4wealth.in"
      },
      {
        "id": "",
        "name": "drdosurvey.info"
      },
      {
        "id": "",
        "name": "avtzyu.store"
      },
      {
        "id": "",
        "name": "email.gov.in.drdosurvey.info"
      },
      {
        "id": "",
        "name": "7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:db38cbc8d467beb6",
        "name": "APT36",
        "slug": "apt36"
      }
    ],
    "attack_patterns": [
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence",
    "https://otx.alienvault.com/pulse/681a65ede3e45431290ce415"
  ]
}