Recent hacktivist campaigns targeting Indian digital infrastructure have largely resulted in exaggerated claims with minimal real impact, while the persistent threat from APT36 using Crimson RAT malware continues to pose significant espionage risks. The analysis highlights the disparity between publicized hacktivist activity and verified outcomes, emphasizing ongoing risks to Indian government and defense networks. #IndianGovernment #APT36
Keypoints
- Over 100 hacktivist attacks were claimed in May 2025 against Indian government, educational, and critical infrastructure, but most had negligible impact or involved publicly available data.
- Top hacktivist groups include Nation Of Saviors, KAL EGY 319, SYLHET GANG-SG, Electronic Army Special Forces, and Vulture, each claiming multiple attacks with limited verified success.
- Claims of major data breaches like the National Informatics Centre (NIC) and Election Commission of India (ECI) were falsified or involved recycled, publicly known information.
- KAL EGY 319’s reported defacement campaign of educational and medical websites showed minimal actual disruption, with affected sites operating normally.
- Coordinated DDoS attacks targeting high-profile government sites such as the Prime Minister’s Office and CERT-In caused only short-lived, minor outages.
- Pakistani-linked social media accounts amplified unverified claims of cyberattacks against Indian civilian and government systems as part of ongoing cyber rivalry.
- APT36’s sophisticated Crimson RAT malware campaign exploited the April 2025 Pahalgam terror attack to infiltrate key Indian government and defense networks using phishing and spoofed domains.
MITRE Techniques
- (T1566.001) Spear-phishing Attachment: Crimson RAT was delivered via malicious macros embedded in PowerPoint add-in files (.ppam), which run only after the user enables content. //Phishing emails carry .ppam add-in files disguised as official reports and containing malicious macros.//
- (T1566.002) Spear-phishing Link: Malicious PDF documents included links to spoofed domains mimicking official government websites to steal credentials. //PDFs embed links to fake login pages hosted on jkpolice.gov.in.kashmirattack.exposed.//
- (T1204.002) User Execution – Malicious File: Execution of payload required users to enable macros or interact with malicious files to initiate infection. //doc requires enable-content/double-click.//
- (T1547.001) Registry Run Keys: Crimson RAT achieved persistence by creating run keys in the Windows registry to maintain malware across reboots. //*.dreb Run-key added for persistence.//
- (T1027) Obfuscated Files or Information: Malware code was obfuscated with Eazfuscator.NET and padded strings to hinder static analysis and signature-based detection. //Use of Eazfuscator and string padding observed in payload.//
- (T1083) File/Directory Discovery: Malware gathered information about system files and directories as part of reconnaissance. //Commands like files/dirs used to explore system.//
- (T1113) Screen Capture: Crimson RAT captured screenshots of victim activity to collect intelligence. //cscreen, scren, and thumb commands used for screenshot capture.//
- (T1095) Non-Application Layer Protocol: Crimson RAT communicated with its command-and-control server over direct TCP connections rather than HTTP, with the server port rotating between samples. //Direct TCP C2 connections established to 93.127.133.58:1097; because the port rotates, the C2 IP should be matched on any port.//
- (T1041) Exfiltration over C2 Channel: Stolen data was sent back to the attackers via the established command-and-control channel. //Files and screenshots were exfiltrated through C2 commands afile/dowr.//
Indicators of Compromise
- File Names (malicious payload): WEISTT.jpg (disguised RAT payload), jnmxrvt hcsm.exe (executable Crimson RAT)
- Domains (phishing infrastructure): jkpolice.gov.in.kashmirattack.exposed (spoofed police site), iaf.nic.in.ministryofdefenceindia.org, email.gov.in.departmentofdefence.de (spoofed government domains)
- IP Addresses (command-and-control): 93.127.133.58 (C2 server for Crimson RAT communication on port 1097)
- Password hashes (leaked data, not a malware indicator): password hashes exposed in the Andhra Pradesh High Court case-metadata leak
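As an added hunting example (not from the page or the underlying analysis), the script below runs the indicators listed above over a constructed DNS/proxy/connection log. It also generalizes the spoofing pattern the three phishing domains share: a legitimate gov.in or nic.in name placed in front of an attacker-registered domain, so that any such lookalike is flagged, not just the three named here. The log format, the host names, the extra lookalike domain and the simplified registrable-domain logic are assumptions made for the example.

```python
"""Hunt for the APT36 / Crimson RAT indicators over a simple connection log.

Added illustration only. The log lines below are constructed; the line shape
'<timestamp> <host> <dns|http|conn> [query|GET] <target>' is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the page.
IOC_DOMAINS = {
    "jkpolice.gov.in.kashmirattack.exposed",
    "iaf.nic.in.ministryofdefenceindia.org",
    "email.gov.in.departmentofdefence.de",
}
IOC_C2 = {("93.127.133.58", 1097)}
IOC_C2_IPS = {ip for ip, _ in IOC_C2}

# Suffixes legitimately used by Indian government bodies. A label pair such
# as "gov.in" appearing inside a hostname whose registrable domain is
# something else is the spoofing pattern the phishing domains rely on.
GOV_SUFFIXES = ("gov.in", "nic.in")

# Constructed sample log (assumption: not real telemetry).
LOGS = """\
2025-05-02T09:14:03Z ws-041 dns query www.jkpolice.gov.in
2025-05-02T09:14:05Z ws-041 http GET jkpolice.gov.in.kashmirattack.exposed /login
2025-05-02T09:16:40Z ws-041 conn 93.127.133.58:1097
2025-05-02T09:17:02Z ws-112 http GET cert-in.org.in /
2025-05-02T09:20:00Z ws-077 dns query mod.gov.in.defence-updates.example
2025-05-02T09:21:15Z ws-112 conn 93.127.133.58:443
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|http|conn)\s+"
    r"(?:query\s+|GET\s+)?(?P<target>\S+)"
)


@dataclass
class Alert:
    ts: str
    host: str
    reason: str
    target: str


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: last two labels, or last three for common
    second-level labels under a two-letter ccTLD (gov.in, co.uk, ...).
    Simplification for the example; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "gov", "nic", "ac", "org", "net"}
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in second_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_gov_lookalike(host: str) -> bool:
    """True when gov.in / nic.in appears in the name but is not the registrable
    domain, e.g. jkpolice.gov.in.kashmirattack.exposed."""
    h = host.lower().rstrip(".")
    if registrable_domain(h).endswith(GOV_SUFFIXES):
        return False  # genuine government host
    labels = h.split(".")
    return any(".".join(labels[i:i + 2]) in GOV_SUFFIXES for i in range(len(labels) - 1))


def hunt(log_text: str) -> list[Alert]:
    """Return one Alert per log line matching an IOC or the lookalike pattern."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, kind, target = m.group("ts", "host", "kind", "target")
        if kind == "conn":
            ip, _, port = target.rpartition(":")
            try:
                ipaddress.ip_address(ip)
                port_num = int(port)
            except ValueError:
                continue
            if (ip, port_num) in IOC_C2:
                alerts.append(Alert(ts, host, "crimson_rat_c2", target))
            elif ip in IOC_C2_IPS:
                # The C2 port rotates, so the IP alone is still worth an alert.
                alerts.append(Alert(ts, host, "c2_ip_other_port", target))
        else:
            name = target.lower()
            if name in IOC_DOMAINS:
                alerts.append(Alert(ts, host, "known_phishing_domain", name))
            elif is_gov_lookalike(name):
                alerts.append(Alert(ts, host, "gov_in_lookalike", name))
    return alerts


if __name__ == "__main__":
    for a in hunt(LOGS):
        print(f"{a.ts} {a.host} {a.reason}: {a.target}")
```

On the constructed log this raises four alerts: the known phishing domain, the exact C2 socket, the unknown gov.in lookalike, and the C2 IP on a different port. The genuine www.jkpolice.gov.in and cert-in.org.in lookups are not flagged, which is the check worth keeping when tuning the lookalike heuristic.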