Cybersecurity researchers have uncovered a sophisticated attack campaign leveraging a fraudulent website that impersonates the Indian Post Office to deliver malware to both Windows and Android users. Their analysis revealed metadata suggesting the attack originated from Pakistan-based threat actors, specifically APT36 (also known as Transparent Tribe), a group with a history of targeting Indian entities since at least 2013.

The fake website, hosted at postindia[.]site, employs device detection techniques to serve tailored malicious payloads based on the victim's operating system, demonstrating the threat actor's technical sophistication and calculated approach. When accessed via desktop browsers, the malicious site attempts to gain clipboard access and prompts users to download a PDF containing "ClickFix" instructions. Technical examination of the PDF's metadata showed it was created in October 2024 within Pakistan's time zone (+5:00), with the author labeled as "PMYLS", an abbreviation for Pakistan's Prime Minister Youth Laptop Scheme.

Mobile visitors, meanwhile, are prompted to download an APK file named "indiapost.apk" that requests extensive permissions to access sensitive data. It requests numerous permissions including contacts access, location tracking, and clipboard monitoring, while implementing techniques to bypass battery optimization restrictions to maintain continuous operation. The Android malware demonstrates sophisticated evasion tactics by changing its icon to mimic a Google Accounts app and employs persistence mechanisms through the BootReceiver function.

The attackers employed strategic infrastructure, including the suspicious domain email[.]gov[.]in[.]gov-in[.]mywire[.]org, resolving to IP address 88[.]222[.]245[.]211, a known tactic of Pakistan-based APT groups attempting to impersonate Indian government entities.

Tushar is a Cyber Security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
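Most of the Android traits described above (contacts and location permissions, the battery-optimization bypass, a receiver that fires at boot, and a launcher alias carrying a different icon and label, which is how an app swaps its visible icon) are declared in the APK's manifest and can be triaged statically before the app ever runs; clipboard access is the exception, since it needs no permission and only shows up in code or at runtime. The script below is an added example written for this page, not code from the article or from the researchers it cites. It parses a manifest with the standard library and scores those traits with a simple weighting that is this example's own heuristic. The sample manifest is constructed to imitate the description; its package name, component names and resource names are invented placeholders and are not taken from indiapost.apk.

```python
"""Static triage of an AndroidManifest.xml for persistence and data-access traits."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation key ElementTree uses for an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Permission -> (description, weight). Weights are this example's heuristic.
# Clipboard access needs no permission, so it cannot be seen here.
WATCHED_PERMISSIONS = {
    "android.permission.READ_CONTACTS": ("contacts access", 1),
    "android.permission.ACCESS_FINE_LOCATION": ("precise location", 1),
    "android.permission.ACCESS_COARSE_LOCATION": ("coarse location", 1),
    "android.permission.READ_SMS": ("SMS access", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("battery-optimization bypass", 2),
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _names(element, tag):
    """Set of android:name values of all <tag> descendants of element."""
    return {el.get(android_attr("name")) for el in element.iter(tag)}


def triage_manifest(xml_text):
    """Return {'risk', 'score', 'findings'} for a manifest given as XML text."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    requested = _names(root, "uses-permission")
    for perm, (desc, weight) in WATCHED_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"permission: {desc} ({perm})")
            score += weight

    app = root.find("application")
    if app is not None:
        # Boot persistence: a receiver whose intent filter handles BOOT_COMPLETED.
        for recv in app.iter("receiver"):
            if BOOT_ACTION in _names(recv, "action"):
                recv_name = recv.get(android_attr("name"))
                findings.append(f"boot persistence: receiver {recv_name} handles BOOT_COMPLETED")
                score += 2
        # Icon-swap heuristic: a launcher alias with its own icon and label can be
        # toggled at runtime so the app appears under a different identity.
        for alias in app.iter("activity-alias"):
            is_launcher = (MAIN_ACTION in _names(alias, "action")
                           and LAUNCHER_CATEGORY in _names(alias, "category"))
            if is_launcher and alias.get(android_attr("icon")):
                alias_name = alias.get(android_attr("name"))
                label = alias.get(android_attr("label"))
                findings.append(f"icon swap: launcher alias {alias_name} labelled {label!r} with its own icon")
                score += 2

    risk = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"risk": risk, "score": score, "findings": findings}


# Constructed sample manifest; all names are placeholders, not real indicators.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Parcel Tracker" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".AccountsAlias" android:targetActivity=".MainActivity"
        android:label="Accounts" android:icon="@mipmap/ic_accounts" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["risk"], report["score"])
    for line in report["findings"]:
        print(" -", line)
```

Run against a real APK, the manifest would first be decoded from its binary form (for example with apktool or aapt); this example takes it as text so it can be exercised offline. The weights are deliberately coarse: a single location permission is unremarkable, while boot persistence plus a battery-optimization bypass plus an alternate launcher identity in one package is the combination worth a closer look.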
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Mar 2025 08:30:18 +0000