Cyber Incident Victim: Government of India
Date: Nov 2022
Location: India
Summary
APT36, a Pakistan-linked threat group, targeted Indian government employees using the Limepad malware alongside CrimsonRAT and ObliqueRAT in a campaign involving malvertising via Google ads to distribute trojanized two-factor authentication software. The attackers spoofed government domains and hosted phishing pages that dynamically redirected Indian IP addresses to credential-harvesting sites, exfiltrating stolen data to remote servers. The modular Limepad tool demonstrated capabilities for persistent network access and data theft, indicating evolving tactics to compromise government infrastructure through coordinated phishing and malicious payload delivery.
Description
In mid-to-late 2022, the Pakistan-linked threat group APT36 (Transparent Tribe) conducted a malicious campaign targeting employees of Indian government organizations. The group employed malvertising, abusing Google advertisements to distribute trojanized versions of Kavach, an Indian two-factor authentication solution. Attackers controlled third-party application stores that redirected users to attacker-registered domains hosting backdoored variants of government-related applications. APT36 registered multiple domains impersonating legitimate Indian government entities, including the National Informatics Centre’s Kavach login page. These spoofed domains deployed credential-harvesting phishing pages that filtered victims by geolocation: only Indian IP addresses were redirected to the malicious servers, while other visitors were sent on to the legitimate sites. Stolen credentials were transmitted to remote servers controlled by the threat actors for use in further attacks against government infrastructure.

The campaign introduced a new modular data exfiltration tool named Limepad, designed to steal and upload victim data to attacker-controlled servers. Analysis by Zscaler researchers revealed Limepad’s use of custom Python libraries developed by APT36 to support its core functionality. Although the malware was in early development stages, its design indicated potential for establishing persistent access to compromised networks. APT36 maintained consistency in its attack chain, combining malvertising, credential harvesting, and phishing with evolving tools like CrimsonRAT, ObliqueRAT, and now Limepad. The group’s infrastructure spoofing and regional targeting demonstrated deliberate focus on compromising Indian government personnel and systems.
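Because the campaign relied on attacker-registered domains that impersonate legitimate government services, one practical control is to screen outbound web-proxy logs for lookalike hosts. The script below is an added example written for this page, not code from the report or from any vendor; every domain, keyword and log line in it is constructed, and the reference list stands in for whatever allow-list of legitimate hostnames a defender maintains. It flags hosts within a small edit distance of an allowed domain (typosquats) and hosts that carry a protected brand keyword without being on the allow-list, and it marks POST requests to such hosts as probable credential submissions.

```python
"""Lookalike-domain screening over web-proxy logs (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Constructed allow-list of hostnames users are expected to reach. These are
# placeholders, not the real NIC or Kavach hostnames.
LEGIT_DOMAINS = ["kavach.example-gov.test", "mail.example-gov.test"]

# Brand terms whose presence in an unlisted hostname is suspicious (constructed).
BRAND_KEYWORDS = ["kavach", "example-gov"]

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
1668000001 10.0.0.5 GET https://kavach.example-gov.test/login 200
1668000002 10.0.0.7 GET https://kavach-login.example-app.test/auth 200
1668000003 10.0.0.9 GET https://www.search-engine.test/ads?id=123 302
1668000004 10.0.0.7 POST https://kavach-login.example-app.test/submit 200
1668000005 10.0.0.11 GET https://kavvach.example-gov.test/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough values indicate a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str, legit=LEGIT_DOMAINS, keywords=BRAND_KEYWORDS):
    """Return None for an allowed host, otherwise a short reason it looks like an impersonation."""
    if host in legit:
        return None
    for good in legit:
        d = levenshtein(host, good)
        if 0 < d <= 2:  # threshold is a tuning choice; 2 catches single typos and doubled letters
            return f"edit distance {d} from {good}"
    for kw in keywords:
        if kw in host:
            return f"contains brand keyword '{kw}' but is not an allowed domain"
    return None


def scan_log(text: str):
    """Parse proxy lines and return one finding per request to a lookalike host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host = urlparse(m["url"]).hostname or ""
        reason = classify_host(host)
        if reason is None:
            continue
        findings.append({
            "client": m["client"],
            "host": host,
            "method": m["method"],
            "reason": reason,
            # A POST to an impersonating host is the moment credentials usually leave the box.
            "likely_credential_submission": m["method"] == "POST",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The edit-distance threshold and keyword list are the knobs to tune: too low a threshold misses doubled-letter squats, too high one floods analysts with unrelated domains. In production the allow-list would be the organization's real set of government and SSO hostnames, and findings with `likely_credential_submission` set should trigger a password reset for the client's user.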
