Menu
Browse

Cyber Threat Actor: Pakistan

Actor Type Location Known Incidents
 Icon
Nation State
Pakistan
1 incident
Profile

The threat actor is tracked under the alias “Pakistan” and is known to operate from Pakistani territory. Public reporting consistently links this actor to cyber operations directed against Indian targets, describing the group as Pakistan‑linked or Pakistan‑based hackers. The actor’s activity has been observed in multiple campaigns that span website defacement, espionage against defense contractors, and the theft of military personnel data.

Targeting focuses on Indian government institutions, critical infrastructure, and defense‑related sectors. Article 2 notes that hackers from Pakistan struck over 90 Indian government websites and attempted to breach financial systems and power‑grid management networks following the Pulwama attack. Article 3 describes a spear‑phishing campaign aimed at Mazagon Dock Shipbuilders Limited, a public sector undertaking that builds warships and submarines for the Indian Navy, indicating an interest in stealing naval design and manufacturing data. Article 4 reports a campaign that specifically targeted Indian military employees, seeking ID scans, salary information, passport scans, taxation details, personal photos, and confidential army tactics and training materials. These incidents show a strategic mix of espionage to acquire sensitive defense and governmental information and disruptive actions intended to create chaos or undermine confidence in Indian systems.

The actor’s typical tactics, techniques, and procedures include spear‑phishing emails bearing malicious Excel files with obfuscated macros and junk code, as seen in the Mazagon Dock attack where the macro used a registry hijack via eventvwr.exe to bypass UAC and dropped a KeyBase variant that collected keystrokes, screenshots, and browser history before communicating with a command‑and‑control server after a sleep period. In the Operation C‑Major campaign detailed in Article 4, the actor exploited an Adobe Reader vulnerability to deliver spyware, with the stolen data exfiltrated to a C2 server located in Pakistan. Infrastructure used in these operations has included compromised university sites in Indonesia to host malware payloads and the use of Bangladeshi network hop points to launch attacks, while the ultimate C2 infrastructure has been traced to Pakistani hosting providers and domains such as tripleshop.id.

Attribution to Pakistan is supported by multiple sources: Article 2 directly identifies the perpetrators as hackers from Pakistan; Article 3 traces the spoofed sender to a Pakistan‑based freight company, Combined Freight (PVT) Limited, and notes the C2 domain and server reside in Pakistan; Article 4 characterizes the activity as a Pakistan‑linked cyber‑espionage campaign and references the recovery of C2 server IP addresses located in Pakistan. Collectively, these references establish a clear Pakistani nexus for the actor’s operations, with evidence pointing to state‑aligned or state‑supported groups rather than purely criminal actors. No further speculation about size, revenue, or internal structure is warranted based on the supplied material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
4 sources