APT36 : Multi-Vector Execution Malware Campaign Targeting Indian Government Entities – CYFIRMA

CYFIRMA identified a targeted multi-stage malware campaign attributed to Transparent Tribe (APT36) that uses socially engineered ZIP archives, deceptive shortcut files, and a macro-enabled PowerPoint add-in to deliver a remote access trojan while maintaining stealth. The final payload, hsuzoiaisaacrhy.exe, establishes a raw TCP C2 channel to 93.127.130.89 with a fallback domain and supports screenshotting, live screen monitoring, file exfiltration, and persistence.

Key points

  • Transparent Tribe (APT36) deployed a socially engineered ZIP archive masquerading as examination documents containing a deceptive .lnk shortcut and a macro-enabled PowerPoint add-in (Brief.ppam) to initiate the infection chain.
  • The .lnk shortcut executes a hidden batch script (myscsd.bat) that stages files in a hidden folder (~), copies decoy PDFs to ProgramData, removes Mark-of-the-Web, creates a hard link in AppData, and launches a linked executable to run the RAT.
  • The PowerPoint add-in’s VBA macro auto-executes (Auto_Open), self-copies, renames the add-in as a ZIP, extracts embedded OLE objects, reconstructs an OS-appropriate PE payload, and deploys a decoy document to mask activity.
  • The final .NET executable (hsuzoiaisaacrhy.exe) contains a hardcoded C2 indicator (IP 93.127.130.89 and fallback domain sharemxme126.net), establishes raw TCP C2, implements persistence via Startup registry, and includes extensive RAT capabilities (file transfer, remote execution, screenshots, live streaming).
  • Attackers used multiple defense-evasion techniques including string and code obfuscation, junk code insertion, randomized names, hidden staging directories, Mark-of-the-Web removal, hard links, and a self-deleting cleanup executable (fimsrwvar.exe) to hinder analysis and forensic recovery.
  • Observed IOCs include multiple file hashes (MD5 and SHA-256), filenames used in lures and payloads, an active C2 IP, and an embedded fallback domain; recommended mitigations include email gateway defenses, macro restrictions, EDR monitoring, and behavioral detection for the described execution chain.
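The last key point recommends behavioral detection for the execution chain described above (double-extension .lnk, minimized batch file in a hidden "~" folder, Unblock-File for Mark-of-the-Web removal, hard link in AppData, Startup registry persistence). The following is an added example of such detection logic, not CYFIRMA's code or rule set. It runs over constructed Sysmon-style events (process creation, file creation, registry value set) and raises a per-host alert only when several stages of the chain co-occur, which keeps any single noisy rule (a legitimate Run-key write, say) from alerting on its own. The hard-link rule assumes the link is created with mklink /h or fsutil, which the report does not state; hostnames, user names and paths in the sample events are constructed.

```python
"""Behavioral detection for the APT36 .lnk -> batch -> RAT execution chain.

Added example, not CYFIRMA's code. Operates on a constructed, Sysmon-like
event feed (one dict per event) and flags hosts that show several stages.
"""
import re
from collections import defaultdict

# Stage 2: cmd launched minimized against a .bat living in a "~" path
# (the .lnk runs '%comspec% /c start /MIN ~myscsd.bat'; the shell expands
# %comspec% to cmd.exe before the process is created, so accept both forms).
_BAT_IN_HIDDEN_DIR = re.compile(
    r"(?i)(cmd(\.exe)?|%comspec%)\s+/c\s+start\s+/min\s+\S*~\S*\.bat")
# Stage 3: Mark-of-the-Web stripped with PowerShell Unblock-File.
_UNBLOCK = re.compile(r"(?i)powershell.*unblock-file")
# Stage 4: hard link creation. ASSUMPTION: the report says a hard link is
# created in AppData but not how; mklink /h and fsutil are the usual routes.
_HARDLINK = re.compile(r"(?i)(mklink\s+/h|fsutil\s+hardlink\s+create)")
# Stage 1: double-extension shortcut written to disk (e.g. "...pdf.lnk").
_DOUBLE_EXT_LNK = re.compile(r"(?i)\.(pdf|docx?|xlsx?|pptx?)\.lnk$")
# Stage 5: value written under the per-user Run key.
_RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\\")
# Any file dropped into the hidden "~" staging folder under the profile.
_HIDDEN_STAGING = re.compile(r"(?i)\\Users\\[^\\]+\\~\\")


def classify(event):
    """Return the chain stage a single event matches, or None."""
    eid = event["EventID"]
    if eid == 11:  # Sysmon FileCreate
        target = event.get("TargetFilename", "")
        if _DOUBLE_EXT_LNK.search(target):
            return "double_extension_lnk"
        if _HIDDEN_STAGING.search(target):
            return "hidden_staging_dir"
    elif eid == 1:  # Sysmon ProcessCreate
        cmdline = event.get("CommandLine", "")
        if _BAT_IN_HIDDEN_DIR.search(cmdline):
            return "minimized_batch_from_hidden_dir"
        if _UNBLOCK.search(cmdline):
            return "motw_removal"
        if _HARDLINK.search(cmdline):
            return "hardlink_staging"
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        if _RUN_KEY.search(event.get("TargetObject", "")):
            return "run_key_persistence"
    return None


def detect(events, min_stages=3):
    """Group matched stages per host; alert on hosts with >= min_stages."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["Computer"]].add(stage)
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry: one host walking the whole chain, one host
# with a lone Run-key write that must NOT alert on its own.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS-FIN-07",
     "TargetFilename": r"C:\Users\asha\Downloads\Approved Documents 2026.pdf.lnk"},
    {"EventID": 1, "Computer": "WS-FIN-07", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c start /MIN ~myscsd.bat"},
    {"EventID": 1, "Computer": "WS-FIN-07",
     "CommandLine": r'powershell.exe -Command "Unblock-File -Path C:\Users\asha\~\hsuzoiaisaacrhy.exe"'},
    {"EventID": 11, "Computer": "WS-FIN-07",
     "TargetFilename": r"C:\Users\asha\~\hsuzoiaisaacrhy.exe"},
    {"EventID": 1, "Computer": "WS-FIN-07",
     "CommandLine": r'cmd.exe /c mklink /H "C:\Users\asha\AppData\Roaming\svc.exe" "C:\Users\asha\~\hsuzoiaisaacrhy.exe"'},
    {"EventID": 13, "Computer": "WS-FIN-07",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventID": 1, "Computer": "WS-HR-02",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c start /MIN backup.bat"},
    {"EventID": 13, "Computer": "WS-HR-02",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The stage names are deliberately generic so the same rules keep firing when the attacker rotates the batch and executable names, which the report says are randomized; only the structural traits (double extension, hidden "~" folder, minimized batch, Unblock-File, Run key) are matched.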

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial delivery via a socially engineered ZIP archive masquerading as examination-related documents (‘malicious ZIP archive masquerading as examination-related documents’).
  • [T1204.002] User Execution: Malicious File – Victim interaction with a deceptive double-extension shortcut file triggers execution (‘deceptive double-extension shortcut file (e.g., Approved Documents 2026.pdf.lnk)’).
  • [T1059] Command and Scripting Interpreter – Use of batch scripts and PowerShell to stage and execute payloads (‘%comspec% /c start /MIN ~myscsd.bat’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The .lnk invokes cmd to run a minimized batch file to hide activity (‘%comspec% /c start /MIN ~myscsd.bat’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBA macros auto-execute and perform extraction and reconstruction (‘Auto_Open() function when the malicious PowerPoint add-in is opened.’).
  • [T1203] Exploitation for Client Execution – Macro-driven extraction and reconstruction of embedded OLE objects into a runnable executable (‘reconstructs the malicious executable’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Malware establishes persistence by adding itself to the user’s startup registry key (‘establishes persistence by adding itself to the current user’s Windows startup registry key.’).
  • [T1546] Event Triggered Execution – Use of Office add-in auto-execution and file shortcuts to trigger payload execution (‘Auto_Open() function when the malicious PowerPoint add-in is opened.’).
  • [T1543] Create or Modify System Process – Launching linked executables and creating processes to run payload components (‘launches the linked executable using start’).
  • [T1027] Obfuscated Files or Information – Use of string obfuscation, randomized names, and junk code insertion to hinder analysis (‘obfuscation and junk code insertion’).
  • [T1564] Hide Artifacts – Use of a hidden staging directory (“~”) and hidden attributes to conceal files (‘a hidden folder named “~”’).
  • [T1036] Masquerading – Deceptive filenames and double extensions used to masquerade malicious files as legitimate documents (‘deceptive double-extension filename, “Approved Documents 2026.pdf.lnk,”’).
  • [T1553.005] Mark-of-the-Web Bypass – PowerShell Unblock-File is used to remove the Mark-of-the-Web and allow execution without warning (‘PowerShell Unblock-File to remove the “Mark of the Web” security flag’).
  • [T1140] Deobfuscate/Decode Files or Information – Macro renames the add-in as a ZIP and extracts embedded objects to reconstruct payloads (‘copies itself and renames the file as a ZIP archive…extracts embedded OLE objects’).
  • [T1070.004] File Deletion – Anti-forensic self-deleting behavior via a generated executable that removes .exe files and then deletes itself (‘Self-deleting executable (fimsrwvar.exe) to remove traces’).
  • [T1012] Query Registry – Malware checks and updates registry values as part of its persistence logic (‘checks the existing value and updates it if necessary’).
  • [T1033] System Owner/User Discovery – Use of environment variables and user profile paths to create per-user staging directories (‘uses the %USERPROFILE% environment variable’).
  • [T1057] Process Discovery – Ability to enumerate and monitor running processes on the infected host (‘Process enumeration’).
  • [T1082] System Information Discovery – Macro checks the OS version to select a compatible payload variant (‘detect the operating system version’).
  • [T1083] File and Directory Discovery – Drive and filesystem enumeration to locate targets and stage files (‘Drive enumeration’ / ‘File system browsing’).
  • [T1087] Account Discovery – Capabilities to enumerate accounts for situational awareness (‘Account Discovery’).
  • [T1518] Software Discovery – Enumeration of installed software for targeting and evasion (‘Software Discovery’).
  • [T1135] Network Share Discovery – Ability to discover network shares within the environment (‘Network Share Discovery’).
  • [T1113] Screen Capture – Capability to capture screenshots and send them to the operator (‘Screenshot capture’).
  • [T1005] Data from Local System – Remote file exfiltration support (chunked upload) from the local file system (‘Remote file exfiltration (chunked upload)’).
  • [T1071] Application Layer Protocol – C2 command exchange over network channels with hardcoded commands in the binary (‘Multiple commands are hardcoded within the binary, which are issued by the server to trigger specific actions’).
  • [T1095] Non-Application Layer Protocol (Raw TCP) – Malware establishes a raw TCP connection directly to the C2 server for command and control (‘establishes a direct raw TCP connection to the command-and-control (C2) server’).
  • [T1573] Encrypted Channel – C2 communication design includes channel protections for command/response (binary lists network indicator and fallback domain ‘93.127.130.89?sharemxme126.net’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of data and command results back to operators over the C2 channel (‘execution results are transmitted back over the same channel’ / ‘file upload (chunked exfiltration)’).

Indicators of Compromise

  • [File Names] Lure and payload names used in the campaign – Approved Documents 2026.pdf.lnk, Brief.ppam (macro-enabled add-in).
  • [Executable Names] Final payload and cleanup binary – hsuzoiaisaacrhy.exe (final RAT), fimsrwvar.exe (self-deleting cleanup executable).
  • [Script Names] Execution script used by the shortcut – myscsd.bat (batch script invoked by the .lnk).
  • [MD5 Hashes] MD5 hashes of delivered components – Brief.ppam ff1a302651019277d90c814c2e0940ec, Approved Documents 2026.pdf.lnk 81d97473b2b87310b2caf3376341fba6 (and 1 more MD5 hash).
  • [SHA-256 Hashes] Malware component SHA-256 indicators (blocking/hunting) – 34412e765822cf3fb32a5a5c9866fb29a9b98d627b4d9a3275fd3e754cf8e360, 7b4e1670930ec33a673d9b32454f67f28af73a89958fcaba4b24ac2c799b1af1 (and 2 more hashes).
  • [IP Address] Active command-and-control endpoint – 93.127.130.89 (hardcoded C2 IP observed as active at analysis time).
  • [Domain] Embedded fallback domain for C2 continuity – sharemxme126.net (fallback domain embedded in the binary alongside the IP).
  • [YARA Rule] Detection signature provided for integration – APT36_Macro_Embedded_Malware_Campaign_IOC (includes hashes and C2 IP for detection and blocking).
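To put the indicators above to use, here is an added IOC sweep in Python; it is not CYFIRMA's YARA rule (the rule body is not reproduced on this page) and not the vendor's code. It matches EDR-style file inventory records (path plus MD5/SHA-256 as most agents already export) and network flow or DNS records against the hashes, filenames, C2 IP and fallback domain listed above. Only the hashes, names, IP and domain come from the report; every host, path, SID and record in the sample data is constructed. Filename-only hits are reported at low confidence because the report notes the actors randomize names.

```python
"""IOC sweep for the APT36 campaign indicators published in the report.

Added example, not CYFIRMA's code or YARA rule. Indicator values come from
the report; all sample records below are constructed.
"""
import hashlib
import os

# Hashes exactly as listed in the report (the report withholds others).
FILE_HASHES = {
    "ff1a302651019277d90c814c2e0940ec": "Brief.ppam (MD5)",
    "81d97473b2b87310b2caf3376341fba6": "Approved Documents 2026.pdf.lnk (MD5)",
    "34412e765822cf3fb32a5a5c9866fb29a9b98d627b4d9a3275fd3e754cf8e360": "campaign component (SHA-256)",
    "7b4e1670930ec33a673d9b32454f67f28af73a89958fcaba4b24ac2c799b1af1": "campaign component (SHA-256)",
}
# Lure, script and payload names from the report; low-confidence on their own.
FILE_NAMES = {"approved documents 2026.pdf.lnk", "brief.ppam",
              "myscsd.bat", "hsuzoiaisaacrhy.exe", "fimsrwvar.exe"}
C2_IP = "93.127.130.89"
C2_DOMAIN = "sharemxme126.net"


def hash_file_bytes(data):
    """Compute the two digests the report uses, for building inventory records."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_inventory(records):
    """records: dicts with host, path, md5, sha256. Returns (host, path, reason, confidence)."""
    hits = []
    for rec in records:
        name = os.path.basename(rec["path"].replace("\\", "/")).lower()
        for algo in ("md5", "sha256"):
            digest = rec.get(algo, "").lower()
            if digest in FILE_HASHES:
                hits.append((rec["host"], rec["path"], "hash:" + FILE_HASHES[digest], "high"))
                break
        else:  # no hash hit; fall back to the weaker filename indicator
            if name in FILE_NAMES:
                hits.append((rec["host"], rec["path"], "filename:" + name, "low"))
    return hits


def match_flows(flows):
    """flows: dicts with host and either dst_ip or dns_query. Returns (host, kind, value)."""
    hits = []
    for flow in flows:
        if flow.get("dst_ip") == C2_IP:
            hits.append((flow["host"], "c2_ip", C2_IP))
        query = flow.get("dns_query", "").lower().rstrip(".")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            hits.append((flow["host"], "c2_domain", query))
    return hits


# Constructed sample data: one hash hit, one name-only hit, one benign file.
SAMPLE_INVENTORY = [
    {"host": "WS-FIN-07", "path": r"C:\Users\asha\~\hsuzoiaisaacrhy.exe",
     "md5": "00000000000000000000000000000000",  # constructed, not a real digest
     "sha256": "34412E765822CF3FB32A5A5C9866FB29A9B98D627B4D9A3275FD3E754CF8E360"},
    {"host": "WS-OPS-11", "path": r"C:\Users\ravi\Downloads\Brief.ppam",
     "md5": "11111111111111111111111111111111",  # constructed, differs from the report
     "sha256": "1" * 64},
    {"host": "WS-HR-02", "path": r"C:\Users\bob\Desktop\budget.xlsx",
     "md5": "22222222222222222222222222222222", "sha256": "2" * 64},
]
SAMPLE_FLOWS = [
    {"host": "WS-FIN-07", "dst_ip": "93.127.130.89"},
    {"host": "WS-OPS-11", "dns_query": "sharemxme126.net."},
    {"host": "WS-HR-02", "dst_ip": "198.51.100.20", "dns_query": "example.org"},
]

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY) + match_flows(SAMPLE_FLOWS):
        print(hit)
```

Hash matches are normalized to lower case before lookup because EDR exports differ in case; the trailing-dot strip on DNS queries handles fully qualified names as logged by many resolvers. A hash hit or a connection to the C2 IP is enough to open an incident; a name-only hit should be triaged together with the behavioral chain rather than acted on alone.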

Read more: https://www.cyfirma.com/research/apt36-multi-vector-execution-malware-campaign-targeting-indian-government-entities/