
APT36 (Transparent Tribe) Escalates Cyber-Espionage Against Indian Government and Defense Networks Through Advanced Spear-Phishing and LNK Malware (2024-2025)

  • Rescana
  • 44 minutes ago
  • 5 min read

Executive Summary

Recent threat intelligence and open-source reporting confirm a significant escalation in cyber-espionage campaigns orchestrated by Pakistan-linked Advanced Persistent Threat (APT) groups, most notably APT36 (also known as Transparent Tribe), targeting Indian government, defense, and academic entities. These campaigns, active through 2024 and into 2025, leverage advanced spear-phishing, weaponized Windows shortcut (.LNK) files, ISO payloads, and custom malware families to achieve persistent access, data exfiltration, and surveillance. The threat actors demonstrate a high degree of operational maturity, including the use of fileless malware, environmental awareness, and abuse of trusted Windows binaries. The primary objective is long-term intelligence collection, with no evidence of destructive activity or immediate financial motivation. This report provides a comprehensive technical analysis of the campaign, the threat actor’s profile, observed tactics, techniques, and procedures (TTPs), exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

The principal threat actor behind these campaigns is APT36, also tracked as Transparent Tribe, Earth Karkaddan, Green Havildar, Mythic Leopard, COPPER FIELDSTONE, Storm-0156, ProjectM, and TMP.Lapis. APT36 has been active since at least 2013 and is widely attributed to Pakistan-based interests, with a focus on geopolitical intelligence collection against Indian government, military, and research sectors. The group is known for its persistent targeting of Indian entities, evolving tradecraft, and the use of both Windows and Android malware. Recent campaigns, such as "Gopher Strike" and "Sheet Attack," have demonstrated the group’s ability to rapidly adapt to security controls, employ multi-stage infection chains, and utilize cloud-based command and control (C2) infrastructure, including Google Sheets, Firebase, and private GitHub repositories. There is also operational overlap with other Pakistan-linked groups, such as Cosmic Leopard.

Technical Analysis of Malware/TTPs

APT36’s recent campaigns employ a sophisticated infection chain beginning with spear-phishing emails. These emails often contain ZIP archives with malicious .LNK files masquerading as legitimate documents, such as "Online JLPT Exam Dec 2025.pdf.lnk." Upon execution, these shortcut files launch mshta.exe or PowerShell to retrieve and execute remote payloads, often delivered as ISO images containing further malicious components.

Key malware families and tools observed include GOGITTER (a Golang-based downloader), GITSHELLPAD (a Golang-based backdoor that uses GitHub for C2), GOSHELL (a loader for Cobalt Strike Beacon), and custom remote access trojan (RAT) components delivered as DLLs, such as ki2mtmkl.dll and iinneldc.dll. The malware uses several persistence mechanisms, including scheduled tasks, registry modifications, and startup folder shortcuts. Notably, it selects its persistence method based on which antivirus product is present, checking for Kaspersky, Quick Heal, Avast, AVG, and Avira.

The C2 infrastructure is highly resilient, utilizing encrypted communications over HTTP/S, dynamic DNS, and cloud services. The actors have been observed using domains such as adobe-acrobat[.]in, innlive[.]in, and drjagrutichavan[.]com, as well as leveraging Google Sheets and Firebase for data exfiltration and command issuance. The malware is capable of exfiltrating a wide range of data, including files (Office, PDF, text, database), screenshots, clipboard contents, and system information. Clipboard monitoring is particularly notable, as it may facilitate cryptocurrency theft or data manipulation.

The campaigns also target Android devices using custom spyware such as CapraRAT, which can access SMS, call logs, location data, and the device’s microphone and camera. Infection vectors for mobile devices include malicious apps masquerading as legitimate government or utility applications.

The threat actors employ a range of MITRE ATT&CK techniques, including T1566.001 (Spearphishing Attachment), T1059 (Command and Scripting Interpreter), T1218.005 (Mshta), T1059.001 (PowerShell), T1547.001 (Startup Folder), T1036 (Masquerading), T1027 (Obfuscated Files), T1071.001 (Web Protocol), and T1041 (Exfiltration Over C2 Channel).

Exploitation in the Wild

The campaigns have been observed targeting Indian government ministries, military organizations, research institutions, and universities. Infection chains typically begin with highly localized spear-phishing emails, often referencing government exams, defense projects, or urgent official notices. The use of double-extension files (e.g., ".pdf.lnk") and fake update dialogs (e.g., Adobe Acrobat Reader DC) increases the likelihood of user execution.

Once initial access is achieved, the malware establishes persistence, profiles the victim environment, and exfiltrates sensitive data. The actors demonstrate environmental awareness, delivering payloads only to Indian IP addresses and Windows user agents. The use of cloud-based C2 channels, such as Google Sheets and Firebase, complicates detection and takedown efforts.

Recent campaigns, such as "Gopher Strike" and "Sheet Attack," have introduced Golang-based malware, multi-stage infection chains, and the use of GitHub repositories for payload delivery and C2. Public reporting from CYFIRMA, The Hacker News, and Recorded Future confirms ongoing exploitation and the evolution of TTPs.

Victimology and Targeting

The primary targets of these campaigns are Indian government entities, including ministries, defense organizations, research institutions, and academic bodies. There is evidence of collateral targeting in Afghanistan and other countries, but the focus remains on Indian strategic sectors. The actors employ highly localized phishing lures, often referencing current events, government projects, or employment opportunities within sensitive organizations such as the Defence Research and Development Organisation (DRDO).

Victims are typically high-value individuals with access to sensitive information, including government officials, military personnel, researchers, and university staff. The campaigns are designed for long-term intelligence collection, with no evidence of destructive activity or ransomware deployment.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by APT36 and similar threat actors. Key recommendations include blocking known indicators of compromise (IOCs), such as malicious file hashes, domains, and IP addresses, in both perimeter and endpoint security solutions. Organizations should also restrict the execution of .LNK, HTA, PowerShell, and VBScript files from user-writable directories, and configure Windows to display full file extensions so that double-extension masquerading (for example, ".pdf.lnk") is visible to users.

Monitor for abnormal process chains, such as mshta.exe, powershell.exe, or wscript.exe spawned by shortcut files, and integrate YARA rules and behavioral signatures for APT36 campaigns into SIEM and EDR platforms. Apply least-privilege principles, restrict the use of scripting engines where not required, and ensure regular patching of Windows OS and scripting components.
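The following script is an added example, not code from the report or from any of the vendors it cites. It turns the monitoring advice above and the infection chain described in the Technical Analysis section (a shortcut launching mshta.exe or PowerShell to fetch a remote payload) into a small triage routine that a SOC could adapt for a SIEM or EDR rule. The only values taken from the report are the three defanged C2 domains and the trusted binaries the shortcut stage hands off to; the event field names loosely follow Sysmon's ProcessCreate, FileCreate and DnsQuery events, and the sample events at the bottom are constructed for this example, not real telemetry.

```python
import re

# Indicators and tradecraft are taken from the report above; the event shape,
# field names and sample events are constructed for this example and loosely
# follow Sysmon's ProcessCreate / FileCreate / DnsQuery fields.

# Domains the report publishes in defanged form; refanged here for matching.
KNOWN_C2_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("adobe-acrobat[.]in", "innlive[.]in", "drjagrutichavan[.]com")
}

# Trusted Windows binaries the report says the .LNK stage launches.
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe"}
# Parent processes that indicate a user opened something by hand.
USER_LAUNCH_PARENTS = {"explorer.exe"}

# "document.pdf.lnk"-style names: a document extension followed by a
# shortcut or script extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt)\.(lnk|hta|vbs|js|ps1)$", re.IGNORECASE)
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def domain_matches(qname: str) -> bool:
    """True if the queried name is a reported C2 domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def check_event(ev: dict) -> list[str]:
    """Return the reasons a single event is suspicious (empty if benign)."""
    reasons = []
    kind = ev.get("EventType")

    if kind == "ProcessCreate":
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # The chain the report describes: explorer.exe (user double-click on
        # a shortcut) -> mshta.exe / powershell.exe / wscript.exe.
        if image in LOLBINS and parent in USER_LAUNCH_PARENTS:
            reasons.append(f"{image} launched directly from {parent}")
            if REMOTE_URL_RE.search(cmd):
                reasons.append("command line fetches a remote payload")
        # A masqueraded file name passed anywhere on the command line.
        for tok in cmd.split():
            name = tok.strip('"')
            if DOUBLE_EXT_RE.search(name):
                reasons.append(f"double-extension name on command line: {name}")

    elif kind == "FileCreate":
        name = basename(ev.get("TargetFilename", ""))
        if DOUBLE_EXT_RE.search(name):
            reasons.append(f"double-extension file written: {name}")

    elif kind == "DnsQuery":
        if domain_matches(ev.get("QueryName", "")):
            reasons.append(f"DNS lookup of reported APT36 domain: {ev['QueryName']}")

    return reasons


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every event through check_event and keep the ones that fired."""
    hits = []
    for i, ev in enumerate(events):
        r = check_event(ev)
        if r:
            hits.append((i, r))
    return hits


# Constructed sample telemetry (not real logs): a benign PowerShell run from a
# service, then the shortcut-driven chain the report describes. The URL path
# and the "cdn" subdomain are invented for the example.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\alice\Downloads\Online JLPT Exam Dec 2025.pdf.lnk"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://adobe-acrobat.in/update/reader.hta"},
    {"EventType": "DnsQuery",
     "Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": "cdn.adobe-acrobat.in"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The first sample event is deliberately benign so the rule does not fire on every PowerShell launch: the parent-process condition is what separates an administrator's script run from a user double-clicking a shortcut. In production the LOLBIN and parent sets would be broadened (for example, to cover archive utilities and Office processes as parents), and the domain list would be fed from a threat intelligence feed rather than hard-coded.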

For mobile devices, deploy mobile threat defense solutions capable of detecting and blocking spyware such as CapraRAT. Educate users on the risks of installing applications from untrusted sources and the dangers of phishing emails. Regularly update threat intelligence feeds with the latest IOCs and TTPs associated with APT36.

References

The following sources provide additional technical detail and context for the campaigns described in this report:

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations stay ahead of emerging threats and ensure the resilience of their digital ecosystem. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
