
APT36 Hackers Targeting Indian Government Organizations to Harvest Login Information

A sophisticated phishing campaign attributed to the Pakistan-linked APT36 group has emerged as a significant threat to Indian government infrastructure. First detected in early August 2025, this operation utilises typo-squatted domains that mimic official government login portals. Unsuspecting users who enter their email IDs and passwords are redirected to counterfeit pages replicating the National Informatics Centre’s Kavach authentication interface, complete with legitimate logos and layouts. By harvesting one-time passwords (OTPs) in real time, the attackers bypass multi-factor authentication, gaining unfettered access to sensitive email accounts. Cyfirma analysts identified the primary malicious domain, registered on July 14, 2025, which resolves to IP addresses flagged for phishing. Supporting infrastructure, including additional domains registered in March and May 2025, follows a uniform naming convention and hosting pattern, indicating a coordinated campaign. The domains resolve to IPs in both Amazon cloud infrastructure and Pakistan-based servers, suggesting either compromised third-party services or direct staging by threat actors.
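The campaign's initial lure is a typo-squatted domain that resembles a legitimate portal. The following Python script is an added example, not code from the article or from Cyfirma, showing how a defender can triage web-proxy or DNS log lines for such lookalikes: it flags hosts whose registrable label embeds a protected brand token outside a trusted zone, or sits one edit away from a protected label. The public-suffix list, trusted zones, brand tokens, protected labels and log lines are all constructed assumptions for illustration; a production version would draw on the Public Suffix List and the organisation's own allowlist.

```python
"""Lookalike-domain triage over web-proxy log lines.

Added example, not code from the original article or from Cyfirma. It flags
hosts that impersonate a protected login portal either by embedding a brand
token in an unrelated registrable domain, or by being one character edit
away from a protected label. The suffix list, trusted zones, brand tokens,
protected labels and log lines below are all constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, deliberately incomplete public-suffix list (assumption: a real
# deployment would use the Public Suffix List or the tldextract package).
PUBLIC_SUFFIXES = {"in", "com", "cloud", "gov.in", "co.in"}

# DNS zones treated as legitimate (assumption: ".gov.in" is a restricted
# suffix and "nic.in" is the NIC's own zone).
TRUSTED_ZONES = {"gov.in", "nic.in"}

# Brand tokens that should not appear in an untrusted registrable label
# (assumed list, derived from the domain names quoted in the article).
BRAND_TOKENS = {"gov", "kavach", "eoffice"}

# Protected labels checked for single-character typos (assumption).
PROTECTED_LABELS = {"nic", "kavach"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Finding:
    host: str
    registrable: str
    reason: str


def registrable_domain(host: str) -> str:
    """Return the registrable domain: the label directly under the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longest suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    """True when the host is a trusted zone or a subdomain of one."""
    host = host.lower()
    return any(host == z or host.endswith("." + z) for z in TRUSTED_ZONES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> str | None:
    """Return why `host` looks like an impersonation, or None if it does not."""
    if is_trusted(host):
        return None
    reg = registrable_domain(host)
    label = reg.split(".")[0]
    for token in sorted(BRAND_TOKENS):
        if token in label:
            return f"brand token '{token}' in untrusted domain {reg}"
    for protected in sorted(PROTECTED_LABELS):
        if label != protected and levenshtein(label, protected) <= 1:
            return f"one edit from protected label '{protected}'"
    return None


def triage(log_lines: list[str]) -> list[Finding]:
    """Extract each distinct host from the log lines and report lookalikes."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host in seen:
            continue
        seen.add(host)
        reason = lookalike_reason(host)
        if reason:
            findings.append(Finding(host, registrable_domain(host), reason))
    return findings


# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = [
    "2025-08-05T09:12:03Z 10.0.0.21 GET https://mail.nic.in/ 200",
    "2025-08-05T09:13:44Z 10.0.0.21 GET https://mgovcloud.in/login 200",
    "2025-08-05T09:14:02Z 10.0.0.21 POST https://kavach.mgovcloud.in/otp 200",
    "2025-08-05T09:20:19Z 10.0.0.33 GET https://virtualeoffice.cloud/ 200",
    "2025-08-05T09:21:51Z 10.0.0.33 GET https://n1c.in/webmail 200",
    "2025-08-05T09:25:00Z 10.0.0.40 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host:28} {f.registrable:22} {f.reason}")
```

The trusted-zone check runs first so that legitimate subdomains under `gov.in` or `nic.in` never trip the brand-token rule; the edit-distance threshold is kept at one because short labels such as `nic` would otherwise match far too many unrelated domains.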

Victims report that after entering their credentials on the initial phishing page, they are immediately prompted for the Kavach OTP on a second page. This prompt faithfully reproduces the multi-factor authentication workflow, reducing suspicion and facilitating real-time OTP harvesting. Once captured, the credentials and OTPs are transmitted over port 443 to the attacker’s command-and-control (C2) infrastructure, enabling live account takeover. If unmitigated, this could expose classified communications, undermine operational security, and lead to broader national security breaches.

The phishing infrastructure employs both spear-phishing emails and typo-squatted domains to achieve initial access. Spear-phishing emails contain links that redirect victims to malicious landing pages hosted on domains such as Mgovcloud.in and Virtualeoffice.cloud. Upon successful credential theft, APT36 uses registry run keys and scheduled tasks to maintain persistence on compromised systems. A custom Visual Basic script deployed via these registry keys establishes periodic callbacks to the attacker’s C2 server, downloading additional payloads and exfiltrating local files.
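The persistence described above, a Visual Basic script launched from a registry run key or a scheduled task, leaves endpoint telemetry that a detection engineer can key on. The following Python script is an added example, not code from the article or from Cyfirma: it walks simplified endpoint events modelled loosely on Sysmon Event ID 13 (registry value set) and Event ID 1 (process create), and raises an alert when a Run/RunOnce value launches a script host or script file, or when a task is created whose action references a script file. The event field names, paths and values are constructed for illustration.

```python
"""Persistence triage over Windows endpoint events.

Added example, not code from the original article or from Cyfirma. It flags
(a) Run/RunOnce registry values whose data launches a script host or a
script file and (b) scheduled-task creation whose action references a script
file, the persistence pattern the article attributes to this campaign. Event
records are simplified dicts modelled loosely on Sysmon Event ID 13 (registry
value set) and Event ID 1 (process create); every value below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Run and RunOnce keys under HKLM or any HKU hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script hosts commonly used to launch VBScript/JScript payloads.
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)
# Script file extensions executed by those hosts.
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|wsf|hta)\b", re.IGNORECASE)
# schtasks invoked to create a task.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_registry_event(ev: dict) -> Alert | None:
    """Flag Run/RunOnce values whose data launches a script host or script file."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if not RUN_KEY_RE.search(target):
        return None
    if SCRIPT_HOST_RE.search(details) or SCRIPT_FILE_RE.search(details):
        return Alert("run_key_script_launch", f"{target} -> {details}")
    return None


def check_process_event(ev: dict) -> Alert | None:
    """Flag schtasks /create whose command line references a script file."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if SCHTASKS_CREATE_RE.search(cmd) and SCRIPT_FILE_RE.search(cmd):
        return Alert("scheduled_task_script_action", cmd)
    return None


def triage(events: list[dict]) -> list[Alert]:
    """Run every check over every event and collect the alerts in order."""
    alerts: list[Alert] = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (assumed field names; paths and SIDs are placeholders).
SAMPLE_EVENTS: list[dict] = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe "C:\Users\Public\update.vbs"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1,
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "wscript.exe C:\Users\Public\update.vbs"'},
    {"EventID": 1,
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Benign autostart entries such as the OneDrive value pass because they launch a normal executable rather than a script host or script file; in a real pipeline the same two checks would be backed by an allowlist of known autostart values and correlated with the outbound 443 beaconing the article describes.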
