Cybersecurity researchers have uncovered a sophisticated attack campaign leveraging a fraudulent website that impersonates the Indian Post Office to deliver malware to both Windows and Android users.
The fake website, hosted at postindia[.]site, checks the visitor's user agent and serves a different payload to desktop and Android visitors.
When opened in a desktop browser, the site attempts to write to the clipboard and prompts the visitor to download a PDF of "ClickFix" instructions.
These instructions tell the victim to press Win+R and paste a PowerShell command into the Run dialog; following them runs attacker-controlled PowerShell on the machine.
Mobile visitors, meanwhile, are prompted to download an APK file named “indiapost.apk” that requests extensive permissions to access sensitive data.
Cyfirma researchers identified the campaign in March 2025 during routine threat monitoring activities.
Their analysis turned up metadata pointing to Pakistan-based threat actors, specifically APT36 (also known as Transparent Tribe), a group that has targeted Indian entities since at least 2013.
The PDF's metadata shows it was created in October 2024 at a UTC+5 offset (Pakistan Standard Time), with the author field set to "PMYLS", an abbreviation of Pakistan's Prime Minister Youth Laptop Scheme.
This evidence, together with the tactics used, led the researchers to attribute the campaign to APT36 with moderate confidence.
The campaign's infrastructure includes the IP address 88[.]222[.]245[.]211, to which the look-alike hostname email[.]gov[.]in[.]gov-in[.]mywire[.]org resolves; embedding "gov.in" in a hostname under a third-party domain to pass as an Indian government address is a tactic previously seen from Pakistan-based APT groups.
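The timezone check behind the attribution can be reproduced from the PDF itself. Below is an added example, not Cyfirma's tooling or code from the article: it reads the /CreationDate and /ModDate strings out of a PDF and decodes the UTC offset the authoring application recorded. The Info-dictionary fragment at the bottom is constructed for illustration (the "PMYLS" author and October 2024 creation are from the report; the exact timestamp is invented).

```javascript
// Added example, not Cyfirma's tooling or code from the article: decode the
// UTC offset recorded in a PDF's /CreationDate and /ModDate entries, which is
// the check that placed the decoy PDF in UTC+5.

// PDF date syntax (ISO 32000-1 section 7.9.4): D:YYYYMMDDHHmmSSOHH'mm'
// where O is "+", "-" or "Z" and every field after the year is optional.
const PDF_DATE_RE =
  /^D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?'?$/;

function formatOffset(mins) {
  const sign = mins < 0 ? "-" : "+";
  const a = Math.abs(mins);
  const hh = String(Math.floor(a / 60)).padStart(2, "0");
  const mm = String(a % 60).padStart(2, "0");
  return `${sign}${hh}:${mm}`;
}

// Returns null for a string that is not a PDF date; otherwise the wall-clock
// time as written, the offset in minutes (null when the file omits it) and
// the same instant converted to UTC.
function parsePdfDate(s) {
  const m = PDF_DATE_RE.exec(String(s).trim());
  if (!m) return null;
  const [, Y, M = "01", D = "01", h = "00", mi = "00", sec = "00", sign, oh, om] = m;
  let offsetMinutes = null;
  if (sign === "Z") {
    offsetMinutes = 0;
  } else if (sign === "+" || sign === "-") {
    const mins = parseInt(oh || "0", 10) * 60 + parseInt(om || "0", 10);
    offsetMinutes = sign === "-" ? -mins : mins;
  }
  const utc = offsetMinutes === null ? null
    : new Date(Date.UTC(+Y, +M - 1, +D, +h, +mi, +sec) - offsetMinutes * 60000).toISOString();
  return {
    local: `${Y}-${M}-${D} ${h}:${mi}:${sec}`,
    offsetMinutes,
    offset: offsetMinutes === null ? "unknown" : formatOffset(offsetMinutes),
    utc,
  };
}

// Scan raw PDF text for the Info-dictionary date entries. This covers the
// common case of an unencrypted, uncompressed Info dictionary; files that
// keep metadata only in an XMP stream need an XMP parser instead.
function extractPdfDates(pdfText) {
  const out = {};
  for (const key of ["CreationDate", "ModDate"]) {
    const m = new RegExp(`/${key}\\s*\\((D:[^)]*)\\)`).exec(pdfText);
    if (m) out[key] = parsePdfDate(m[1]);
  }
  return out;
}

// Constructed Info dictionary resembling what the article reports (author
// "PMYLS", created October 2024 at UTC+5); the exact timestamp is invented.
const SAMPLE_INFO =
  "<< /Author (PMYLS) " +
  "/CreationDate (D:20241014101512+05'00') /ModDate (D:20241014101520+05'00') >>";

console.log(extractPdfDates(SAMPLE_INFO));
```

The offset alone is weak evidence on its own: it reflects the clock of the machine that saved the file, which an operator can set to anything, so it only supports an attribution when it lines up with other indicators, as it did here with the author string and the infrastructure.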
Infection Mechanism Analysis
The campaign’s infection technique is particularly notable for its multi-platform approach.
The website's HTML contains a JavaScript function that checks whether the visitor is on a mobile or desktop device and points the download button at the matching payload:
```javascript
// Runs when the page loads; dialogTitle and actionButton are the pop-up's
// heading and download button, looked up elsewhere in the page's script.
function detectDevice() {
  // Crude user-agent sniff: any iOS or Android string counts as mobile.
  const isMobile = /iPhone|iPad|iPod|Android/.test(navigator.userAgent);
  if (isMobile) {
    // Mobile visitors get the trojanised APK, served from the lure domain itself.
    dialogTitle.textContent = "Get Our App";
    actionButton.href = "https://postindia.site/download/indiapost.apk";
  } else {
    // Desktop visitors get the "ClickFix" PDF, hosted on Google Drive.
    dialogTitle.textContent = "Download Tracking Information";
    actionButton.href = "https://drive.usercontent.google.com/download?id=1RSILmV3HDR6APXKWEPXrg2MRP1d2xwmb&export=download";
  }
}
```
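For analysts triaging pages like this one, the indicators described above (user-agent branching, an APK link, a clipboard write, Win+R and PowerShell instructions) can be scored statically from the fetched HTML. The following is an added example, not code from the article or from Cyfirma; the indicator list, weights and thresholds are my own, and both sample pages are constructed (the lure sample reuses the detectDevice() function shown above and adds a guessed clipboard write, since the article does not reproduce that part of the real page).

```javascript
// Added example, not from the article or from Cyfirma: static ClickFix triage
// over fetched lure HTML. Indicator names, weights and thresholds are my own.

const INDICATORS = [
  { id: "ua-branch", weight: 2, re: /navigator\.userAgent/i,
    note: "branches on the user agent (separate desktop and mobile payloads)" },
  { id: "apk-link", weight: 3, re: /https?:\/\/[^\s"'<>]+\.apk\b/i,
    note: "links to an APK hosted outside an app store" },
  { id: "clipboard-write", weight: 3,
    re: /navigator\.clipboard\.writeText|execCommand\(\s*['"]copy['"]\s*\)/i,
    note: "writes to the clipboard (how ClickFix stages its command)" },
  { id: "win-r", weight: 3, re: /\bWin(?:dows)?(?:\s*key)?\s*\+\s*R\b/i,
    note: "tells the visitor to open the Run dialog" },
  { id: "powershell", weight: 2, re: /powershell(?:\.exe)?|\bpwsh\b/i,
    note: "mentions PowerShell" },
  { id: "ps-evasion", weight: 3,
    re: /\biex\b|Invoke-Expression|FromBase64String|EncodedCommand|DownloadString|WindowStyle\s+Hidden/i,
    note: "contains PowerShell download, decode or window-hiding switches" },
  { id: "file-share-download", weight: 1,
    re: /drive\.usercontent\.google\.com\/download|dropbox\.com\/s\//i,
    note: "payload fetched from a file-sharing service" },
];

// Collect every absolute URL in the page (attributes and quoted JS strings).
function extractUrls(html) {
  const found = new Set();
  for (const m of html.matchAll(/https?:\/\/[^\s"'<>]+/g)) found.add(m[0]);
  return [...found];
}

// Score the page: each indicator counts once, at its weight, on first match.
function triage(html) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const m = ind.re.exec(html);
    if (m) {
      hits.push({ id: ind.id, note: ind.note, match: m[0].slice(0, 80) });
      score += ind.weight;
    }
  }
  const verdict = score >= 8 ? "likely ClickFix lure"
                : score >= 3 ? "suspicious"
                : "no ClickFix indicators";
  return { score, verdict, hits, urls: extractUrls(html) };
}

// Constructed stand-in for the lure page: the detectDevice() logic from the
// article plus a guessed clipboard write and Run-dialog instructions.
const LURE_HTML = `
<h2 id="t"></h2><a id="b" href="#">Download</a>
<p>Press Win+R, paste the command and press Enter (PowerShell will open).</p>
<script>
const dialogTitle = document.getElementById("t");
const actionButton = document.getElementById("b");
function detectDevice() {
  const isMobile = /iPhone|iPad|iPod|Android/.test(navigator.userAgent);
  if (isMobile) {
    dialogTitle.textContent = "Get Our App";
    actionButton.href = "https://postindia.site/download/indiapost.apk";
  } else {
    dialogTitle.textContent = "Download Tracking Information";
    actionButton.href = "https://drive.usercontent.google.com/download?id=1RSILmV3HDR6APXKWEPXrg2MRP1d2xwmb&export=download";
  }
}
actionButton.addEventListener("click", () => navigator.clipboard.writeText(stagedCommand));
</script>`;

// Constructed benign tracking page for comparison.
const BENIGN_HTML = `<h1>Track your consignment</h1>
<form action="https://example.invalid/track"><input name="id"></form>`;

console.log(JSON.stringify(triage(LURE_HTML), null, 2));
```

The scan is deliberately string-based so it can run over a page captured by a URL sandbox without executing it; obfuscated or dynamically assembled scripts will evade it, which is why the extracted URL list is returned alongside the score for follow-up in a detonation environment.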
The Android malware hides itself by swapping its launcher icon for one that mimics a Google Accounts app, and it persists across reboots with a BootReceiver broadcast receiver that relaunches it at startup.
It requests a long list of permissions, including contacts, location and clipboard access, and asks to be exempted from battery optimisation so that Android does not suspend it in the background.