Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge

In May 2025, multiple Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. But CloudSEK’s investigation reveals most of these breaches were exaggerated or fake—ranging from recycled data leaks to defacements that left no real impact. While DDoS attacks barely caused a few minutes of disruption, the real threat came from APT36, which used Crimson RAT malware to target Indian defense networks after the Pahalgam terror attack. This report separates fact from fiction—unmasking the hype, tactics, and real risks behind the India-Pakistan cyber conflict. Read the full analysis to know what truly happened.

Pagilla Manohar Reddy
May 11, 2025
Green Alert
Last update posted on May 11, 2025

Executive Summary

Recent hacktivist campaigns targeting Indian digital infrastructure have generated alarming headlines, but investigation reveals most claims are significantly overblown. Despite major hacktivist groups collectively claiming more than 100 successful breaches of government sites, educational institutions, and critical infrastructure in May 2025, analysis shows minimal actual impact: alleged data leaks contained primarily public information, website defacements left no digital footprint, and supposed DDoS attacks against high-profile targets like the Prime Minister's Office caused negligible disruption. Meanwhile, the more sophisticated APT36 espionage group continues to pose a genuine threat through targeted Crimson RAT malware campaigns that exploit the April 2025 Pahalgam terror attack as a lure to infiltrate government and defense networks.

Top 5 Hacktivist Groups

  1. Nation Of Saviors [Discuss]: 32 Claimed Attacks
    • This group casts a wide net, claiming responsibility for disruptions and attacks against numerous Indian government portals (including central and state levels), financial institutions, and educational bodies.
    • Among their high-profile claims were alleged attacks against the CBI, the Election Commission of India (ECI), and the National Portal of India.
  2. KAL EGY 319: 31 Claimed Attacks
    • The group predominantly focused its efforts on India's educational and medical sectors.
    • KAL EGY 319 claimed a widespread defacement campaign, alleging that approximately 40 Indian websites, mainly belonging to colleges, universities, and healthcare-affiliated institutions, were compromised.
  3. SYLHET GANG-SG 🏴: 19 Claimed Attacks
    • This entity targeted a mix of Indian government portals, educational institutions, and news media outlets.
    • Significant claims included an alleged data breach of the Andhra Pradesh High Court system and the National Informatics Centre (NIC).
  4. Lực Lượng Đặc Biệt Quân Đội Điện Tử (Electronic Army Special Forces) & Affiliates: 18 Claimed Attacks
    • This collective focused heavily on Indian courts, various central and state government websites, and digital public services.
    • Judicial websites, including district and high courts, along with law enforcement portals, featured prominently in their list of claimed targets.
  5. Vulture: 16 Claimed Attacks
    • Indian government websites and educational institutions were the main focus of this group's claimed activities.
    • Claims included attacks on the Digital Police portal, the official website of the President of India, and the Prime Minister's Office (PMO) website. Vulture was frequently mentioned in joint operation claims, indicating collaboration with other hacktivist entities.

Note: Many hacktivist groups use tools with limited impact, often causing brief 5–10 minute outages and exaggerating them with screenshots. These tactics haven’t evolved in over two years. While monitoring is important, basic DDoS hygiene is usually enough to mitigate such low-level threats and minimize their visibility.

Top Targeted Industries

Government entities in India were the primary targets of cyberattacks, with high-profile breaches reported across central government portals such as the Ministry of Defence, Ministry of External Affairs, and the Election Commission. Digital public services like UMANG, Digital Police, and the National Informatics Centre, as well as administrative websites including those of the President and Prime Minister, were also hit. The judicial system, including several high courts, faced disruptions. The education sector was notably affected, with attacks on universities, medical institutions, and testing agencies. Critical infrastructure was also targeted, including transportation systems like Indian Railways, communication networks such as India Post and RailTel, and financial institutions like Punjab National Bank and Indian Overseas Bank.

The graph illustrates the distribution of industries targeted by hacktivists.

Exposing False Claims: The Reality Behind Recent Hacktivist Allegations

1. Significant Discrepancy in Claimed National Informatics Centre (NIC) Breach

Multiple hacktivist entities, including SYLHET GANG-SG and DieNet, prominently claimed the exfiltration of over 247 GB of data from India's National Informatics Centre (NIC) servers, a potentially devastating breach given NIC's role in government IT infrastructure. However, a subsequent analysis of a 1.5 GB sample released by the groups as "proof" revealed it consisted of publicly available marketing materials and media files, suggesting the alleged 247 GB compromise of critical government data is largely unsubstantiated by the evidence provided.

2. Hacktivists Repackage Historical ECI Data Leak as Fresh Attack

A claim made on May 8, 2025, by Team Azrael--Angel Of Death® regarding an alleged breach of the Election Commission of India, supposedly yielding over 1 million citizen records, exemplifies a common hacktivist tactic: repackaging previously disclosed data to create the illusion of a recent, high-impact compromise. Verification confirmed that the data associated with this claim, though it contains genuine PII such as names, ages, phone numbers, and addresses, was originally leaked in 2023. Thus, the May 2025 announcement does not represent a new breach of the ECI by this group but rather an effort to generate alarm and publicity using old data concerning India's sensitive democratic institutions.

3. KAL EGY 319 Mass Defacement Campaign

The hacktivist group KAL EGY 319 claimed a large-scale defacement operation between May 8-9, 2025, allegedly affecting around 40 Indian educational and medical websites, and subsequently announced a strategic pivot to new targets. Despite these assertions, the actual impact appears minimal. Investigation revealed that all named websites are currently functioning normally. This suggests that either the defacements were not fully executed as claimed, or did not result in any significant or complete compromise of the targeted online assets.

4. Coordinated DDoS Claims Against Top Indian Govt Sites Result in Minimal Disruption

Between May 7-8, 2025, a coalition of hacktivist groups including Lực Lượng Đặc Biệt Quân Đội Điện Tử, Vulture, and GARUDA ERROR SYSTEM, announced Distributed Denial of Service (DDoS) attacks targeting high-profile Indian government websites. Targeted entities reportedly included the Prime Minister's Office (PMO), the President's office, and various key Ministries (Home, Defence, External Affairs, Health), alongside law enforcement portals. While the groups touted this as a well-organized operation, verification analysis indicates the websites in question are operating as usual. Any experienced downtime appears to have been negligible, potentially lasting less than five minutes, suggesting the attacks had no significant or sustained impact on the availability of these critical government services.

5. Public Data and Some Hashes Leaked

The hacktivist claim by SYLHET GANG-SG (attributing it to Team Insane Pakistan) on May 7, 2025, of accessing 1 million case details and FIR records from the Andhra Pradesh High Court database significantly overstated the sensitivity of the information obtained. Analysis reveals the data primarily consists of publicly accessible case metadata. While this information is not inherently critical, the leak did also expose some password hashes, which poses a definite security risk to the court's systems and potentially linked accounts. Nevertheless, the narrative of a massive breach of private judicial records is not substantiated by the nature of the data released.

6. Indian Army Data Leak Lacks Authentic Corroboration

On May 7, 2025, Team Azrael--Angel Of Death® made a serious claim of compromising and leaking data pertaining to Indian Army personnel, including alleged RAW/CBI operatives. Such a breach, if genuine, would signify a major intelligence coup. However, thorough validation of the data presented by the group reveals no discernible link to actual Indian Army personnel. The dataset is characterized by significant inconsistencies, including mismatches between names, email addresses, and phone numbers. There is high confidence that the data is either fabricated or entirely misattributed, and does not represent a legitimate compromise of the claimed high-sensitivity targets.

7. Claims of DDoS Against CERT-In and National Testing Agency

Also on May 8, 2025, hacktivist groups Vulture and the Electronic Army Special Forces claimed responsibility for DDoS attacks specifically aimed at India's Computer Emergency Response Team (CERT-In) and the National Testing Agency (NTA). The timing of the alleged attack on the NTA was noted as potentially disruptive due to ongoing critical examination periods. These entities represent key organizations in India's cyber defense and educational infrastructure. However, despite the strategic nature of these claimed targets, validation confirmed that both the CERT-In and NTA websites were, and remained, up and running without any observable outage or degradation of service consistent with a successful DDoS attack. The claims of impacting these critical organizations appear unfounded based on their operational continuity.
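Sections 4 and 7 rest on the same kind of evidence: a probe log showing the target stayed up, or went down for only a few minutes. The script below is an added example (not CloudSEK's tooling) of how a defender turns periodic availability probes into measured outage windows that can be set against a claimed DDoS; the probe log, its one-line format, and the one-minute probe interval are constructed for the example.

```python
"""Added example, not part of the CloudSEK report: convert a log of periodic
availability probes into measured outage windows so a claimed DDoS can be
compared against observed downtime. The probe log below is constructed."""
from datetime import datetime

# Constructed probe log: ISO timestamp and probe result, one probe per minute.
# Assumption: the monitor records "up" or "down" for a single target URL.
PROBE_LOG = """\
2025-05-08T10:00:00Z up
2025-05-08T10:01:00Z up
2025-05-08T10:02:00Z down
2025-05-08T10:03:00Z down
2025-05-08T10:04:00Z down
2025-05-08T10:05:00Z up
2025-05-08T10:06:00Z up
2025-05-08T10:30:00Z down
2025-05-08T10:31:00Z up
"""


def parse_probes(text):
    """Return a list of (datetime, is_up) tuples in log order."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, state = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        probes.append((ts, state.lower() == "up"))
    return probes


def outage_windows(probes):
    """Merge consecutive 'down' probes into windows. A window opens at the
    first failed probe and closes at the next successful one; a trailing
    run of failures with no recovery is reported as still open (end None)."""
    windows = []
    start = None
    for ts, is_up in probes:
        if not is_up and start is None:
            start = ts
        elif is_up and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def summarise(text):
    """Number of outages plus total and longest downtime in minutes; an
    open window is counted up to the last probe seen."""
    probes = parse_probes(text)
    last_seen = probes[-1][0]
    minutes = []
    for start, end in outage_windows(probes):
        end = end or last_seen
        minutes.append((end - start).total_seconds() / 60)
    return {
        "windows": len(minutes),
        "total_minutes": sum(minutes),
        "longest_minutes": max(minutes, default=0.0),
    }


if __name__ == "__main__":
    print(summarise(PROBE_LOG))
```

With the constructed log the summary reports two outages totalling four minutes, the longest lasting three, which is the kind of figure this report sets against a screenshot claiming a site was "taken down". The resolution of the answer is bounded by the probe interval, so a monitor that polls every five minutes cannot distinguish a 30-second blip from a four-minute outage.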

Pakistan-Linked X(Twitter) Accounts Amplify Unverified Cyber Claims

P@kistanCyberForce is a social media account associated with a self-proclaimed Pakistani hacktivist group that makes unverified claims of breaching Indian entities such as the Manohar Parrikar Institute for Defence Studies and Analyses (idsa.in), Armoured Vehicles Nigam Limited (avnl.co.in), and the ECHS healthcare portal (echs-pcmdb.sourceinfosys.com).

CyberLegendX (@cyber4982), a social media account, has been issuing alerts claiming that the Pakistan Cyber Force is responsible for recent cyberattacks targeting Indian entities. The reported targets include a vehicle tracking platform (trackmaster.in/FMSAttachments/) and Bharti Airtel Ltd. These actions are portrayed as part of an ongoing India-Pakistan cyber conflict and as retaliation for Operation Sindoor. According to the posts, the attack on Airtel exploited a BIG-IP service, while the breach of trackmaster.in was carried out via a known vulnerability that allowed the attacker to gain access and upload an image.

Social media accounts Taymiyyah Umer🦋 (@MAkhtar508), @Mubashirbilal00, and mirhakhan_99 have been sharing unverified claims allegedly linked to PAFCyberForce under the banner of OPERATION BUNYAN AL MARSOUS. These posts suggest that Pakistani cyber operatives have infiltrated various segments of Indian digital infrastructure, including civilian systems, hospitals, and sensitive sites, conducting surveillance and manipulating security feeds. The claims emphasize that no visible disruption was caused, portraying the operation as a calculated show of advanced capabilities and strategic restraint. Several dozen other accounts are posting the same claims.

@Amad__khan, who identifies himself as a Pakistani ethical hacker and programmer associated with CyberSec Revolution, has publicly claimed responsibility for a series of cyber intrusions targeting Indian digital infrastructure. According to his statements, the targets included the Indian Creative Institute, the Kavanal website, various other Indian websites, CCTV systems, routers, the Staff Selection Commission (SSC) and its candidates' data, the Ministry of External Affairs, the Delhi Police clearance certificate system, and the Ministry of Housing and Urban Affairs. His posts, which frequently feature pro-Pakistan rhetoric and references to cyber conflict between India and Pakistan, reflect a persistent anti-India narrative. He claims to carry out these attacks by either exploiting server vulnerabilities or using compromised credentials.

Inside APT36's Crimson RAT: The Mechanics of a Sophisticated Cyber Espionage Tool

Crimson RAT is a .NET-based Remote Access Trojan that has long served as a key espionage tool for APT36—also known as Earth Karkaddan, Transparent Tribe, and several other aliases. This politically motivated threat group, believed to be linked to Pakistan, has a history of targeting Indian military, diplomatic, and educational institutions. Designed for stealth and persistence, Crimson RAT allows attackers to remotely execute commands, exfiltrate sensitive data, and maintain continuous access to compromised systems. In May 2025, reports revealed that APT36 leveraged this malware to exploit the emotional aftermath of the April 2025 Pahalgam terror attack, using it as a thematic lure to breach Indian government and defense networks through phishing and social engineering tactics.

How is Crimson RAT Delivered?

APT36 employs a multi-pronged approach to deliver Crimson RAT, leveraging social engineering and phishing techniques to exploit human vulnerabilities. The campaign, launched within 48 hours of the April 22, 2025, Pahalgam terror attack, uses emotionally charged themes to maximize its impact. Here’s how the attack chain unfolds:

Phishing Emails with Malicious Attachments

The campaign begins with phishing emails that appear to come from credible sources, such as government officials or organizations. These emails often include attachments designed to look like official documents. Two primary delivery methods have been observed:

  • PowerPoint Files: Emails contain PowerPoint add-in files (.ppam format) disguised as official reports, such as “Report & Update Regarding Pahalgam Terror Attack.ppam.” These files contain malicious macros that, when enabled by the user, initiate the malware download process.
  • PDF Documents: PDFs, such as “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf,” created on April 24, 2025, under the alias “Kalu Badshah,” embed malicious links. These links redirect users to fake login pages hosted on spoofed domains, such as jkpolice.gov.in.kashmirattack.exposed, which mimics the official Jammu & Kashmir Police website. These pages are designed to steal credentials.

Disguised Malware Payload

The malicious macros in the PowerPoint file download Crimson RAT, which is cleverly disguised as an image file, such as WEISTT.jpg. This disguise helps evade initial detection by security software. Once downloaded, the image file launches an executable, such as jnmxrvt hcsm.exe, which is the actual Crimson RAT payload. This executable initiates the infection process, allowing the malware to take hold of the victim’s system.

Spoofed Domains and Infrastructure

APT36 has created a network of spoofed domains to support the campaign, including:

  • iaf.nic.in.ministryofdefenceindia.org
  • email.gov.in.departmentofdefence.de
  • indianarmy.nic.in.departmentofdefence.de

These domains, created as early as April 16, 2025, are hosted via providers such as Alexhost Srl, IP Connect Inc, and Shinjiru Technology. The infrastructure facilitates both credential phishing and malware delivery, making it a critical component of the attack chain.
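Both lure shapes described above, a macro-enabled PowerPoint add-in attachment and links to hosts such as jkpolice.gov.in.kashmirattack.exposed that bury a genuine government domain inside an attacker-controlled registrable domain, can be caught at the mail gateway. The script below is an added example (not CloudSEK's code and not related to the actors' tooling): it extracts attachments and URLs from a message, flags macro-capable Office extensions, and flags look-alike hosts whose registrable domain differs from the protected domain they embed. The sample message, the protected-domain list, the macro-extension list, and the naive "last two labels" registrable-domain rule are all assumptions made for the example.

```python
"""Added example, not CloudSEK's code: mail-gateway triage for a macro-enabled
PowerPoint add-in attachment and for links to look-alike hosts that embed a
genuine government domain (nic.in, gov.in) under some other registrable
domain. The message, the domain lists and the extension list are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from urllib.parse import urlparse

# Office extensions that can carry VBA macros (assumption: extend as needed).
MACRO_EXTENSIONS = {".ppam", ".pptm", ".ppsm", ".potm", ".docm", ".dotm", ".xlsm", ".xlam"}

# Registrable domains the lures imitate; a real deployment loads its own list.
PROTECTED_DOMAINS = {"nic.in", "gov.in"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: adequate for the domain
    shapes in this report; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host):
    """True when a protected domain ends a label inside the host name but the
    host's own registrable domain is something else, e.g.
    iaf.nic.in.ministryofdefenceindia.org."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in PROTECTED_DOMAINS:
        return False  # genuinely under nic.in / gov.in
    padded = "." + host + "."
    return any(f".{d}." in padded for d in PROTECTED_DOMAINS)


def triage_message(msg):
    """Return (kind, detail) findings for an EmailMessage or raw RFC 822 text."""
    if isinstance(msg, str):
        msg = Parser(policy=policy.default).parsestr(msg)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            findings.append(("macro_attachment", name))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(("lookalike_domain", host))
    return findings


def build_sample():
    """Constructed lure modelled on the report's description; the attachment
    body is placeholder bytes, not a real add-in."""
    m = EmailMessage()
    m["From"] = "reports@example.invalid"   # constructed sender
    m["To"] = "analyst@example.invalid"
    m["Subject"] = "Report & Update Regarding Pahalgam Terror Attack"
    m.set_content(
        "Kindly review the attached report and confirm receipt at\n"
        "https://jkpolice.gov.in.kashmirattack.exposed/login\n"
        "Reference: https://iaf.nic.in/\n")
    m.add_attachment(b"placeholder bytes, not a real add-in",
                     maintype="application", subtype="octet-stream",
                     filename="Report & Update Regarding Pahalgam Terror Attack.ppam")
    return m


if __name__ == "__main__":
    for kind, detail in triage_message(build_sample()):
        print(f"{kind}: {detail}")
```

The look-alike check deliberately keys on the registrable domain rather than on string similarity: iaf.nic.in is legitimate and must not fire, while iaf.nic.in.ministryofdefenceindia.org must, and the padded-dot comparison ensures gov.in only matches as a whole label sequence. The extension check is a floor, not a ceiling; a gateway should also inspect the OOXML container for a vbaProject.bin part, since a macro-bearing file can be renamed.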

Screenshot showing the malicious PDF

How Does Crimson RAT Execute?

Once Crimson RAT is executed on a victim’s system, it follows a structured process to establish communication with its command-and-control server and begin its espionage activities. The execution process is both stealthy and efficient, allowing attackers to maintain long-term access to compromised systems.

Initial Execution

The malware payload, disguised as an image file (e.g., WEISTT.jpg), is executed when the user interacts with the malicious attachment, typically by enabling macros in the PowerPoint file. The executable (e.g., jnmxrvt hcsm.exe) is launched, initiating the infection process.

Command-and-Control (C2) Connection

Crimson RAT connects to its hardcoded C2 server, identified as 93.127.133.58 (port 1097). Upon establishing the connection, the malware sends initial information about the victim’s system back to the C2 server, including:

  • A list of running processes and their IDs
  • The machine hostname
  • The username

This information helps attackers assess the value of the compromised system and tailor their subsequent actions.
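The hardcoded C2 address and port above are the most directly actionable indicator in this section. The script below is an added example (not CloudSEK's code) of matching outbound flow records against that indicator; because the TTP table later notes that the implant rotates ports, it also raises any session to the C2 address on another port, and separately flags long-lived TCP sessions to uncommon ports as a lower-confidence heuristic. The flow log format, the sample flows (using documentation address ranges), the common-port list, and the 600-second threshold are constructed assumptions.

```python
"""Added example, not CloudSEK's code: match outbound flow records against the
Crimson RAT C2 indicator given in the report (93.127.133.58, TCP/1097), flag
sessions to the same address on rotated ports, and apply a long-session
heuristic. Log format, sample flows and thresholds are constructed."""
from dataclasses import dataclass

# Indicator from the report: C2 address and the port observed.
C2_INDICATORS = {"93.127.133.58": {1097}}

# Ports where a long-lived outbound TCP session is unremarkable (assumption).
COMMON_PORTS = {80, 443, 22, 25, 587, 993, 995}
LONG_SESSION_SECONDS = 600

# Constructed flow log: ts src dst dport proto duration_s bytes_out.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
2025-05-09T10:01:02Z 10.0.0.12 93.127.133.58 1097 tcp 3600 51200
2025-05-09T10:01:05Z 10.0.0.12 198.51.100.20 443 tcp 12 8000
2025-05-09T10:02:00Z 10.0.0.33 93.127.133.58 2244 tcp 900 4096
2025-05-09T10:03:00Z 10.0.0.45 10.0.0.1 53 udp 0 120
2025-05-09T10:04:00Z 10.0.0.45 203.0.113.7 4444 tcp 1800 250000
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    duration: int
    bytes_out: int


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto, duration, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(duration), int(nbytes))


def classify(flow):
    """Return (severity, reason) for a suspicious flow, else None."""
    known_ports = C2_INDICATORS.get(flow.dst)
    if known_ports is not None:
        if flow.dport in known_ports:
            return ("high", "known C2 address and port")
        return ("high", "known C2 address on a rotated port")
    if (flow.proto == "tcp" and flow.dport not in COMMON_PORTS
            and flow.duration >= LONG_SESSION_SECONDS):
        return ("medium", "long-lived TCP session to uncommon port")
    return None


def detect(log_text):
    """Run every record through classify() and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            severity, reason = verdict
            alerts.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                           "dport": flow.dport, "severity": severity,
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

On the constructed log this yields three alerts: the exact indicator match, the same address on port 2244, and a medium-severity hit on the long session to port 4444. The indicator match is the only one that attributes to Crimson RAT; the heuristic exists to surface the rotated-port case once the address changes, and it needs tuning against the environment's own baseline before it is worth paging on.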

Malware Capabilities

Crimson RAT supports over 20 C2 tasks, making it a highly versatile tool for attackers. Some of its key capabilities include:

  • Screenshot Capture: Commands like cscreen, scren, and thumb allow the malware to capture and exfiltrate screenshots of the victim’s screen, providing visual insight into user activity.
  • File Access and Downloads: Commands such as filsz, listf, and fldr enable the malware to list, access, and download files from the infected system, targeting sensitive documents.
  • System Persistence: The putsrt command ensures the malware remains active on the system even after reboots, allowing long-term access.
  • Remote Command Execution: Commands like runf, dowr, and udlt allow attackers to execute arbitrary commands, download additional payloads, or delete files on the victim’s system.

The malware supports a total of 22 commands, making it a robust tool for espionage.

Data Exfiltration

Once the malware has collected sensitive data, such as screenshots, files, or system information, it sends this data back to the C2 server for further analysis by the attackers. This process is designed to be discreet, minimizing the chances of detection by security software.

APT36 TTPs

Stage | Technique | ID | Evidence Source
Initial Access | Spear-phishing Attachment | T1566.001 | macro/OLE docs
Initial Access | Spear-phishing Link | T1566.002 | fake Kashmir attack domains
Execution | User Execution – Malicious File | T1204.002 | doc requires enable-content/double-click
Persistence | Registry Run Keys | T1547.001 | *.dreb Run-key
Defense Evasion | Obfuscated/Encrypted File | T1027 | Eazfuscator, string padding
Discovery | File/Directory Discovery | T1083 | files/dirs commands
Collection | Screen Capture | T1113 | cscreen/scren commands
Command & Control | Application-Layer Protocol (TCP) | T1071.001 | direct TCP C2 on rotating ports
Exfiltration | Exfiltration over C2 Channel | T1041 | files sent via C2 (afile/dowr)

Crimson RAT has been used by APT36 for roughly six years without much change to its TTPs or to the type of campaigns. It poses a limited threat to organizations with mature security policies, since the intended victims of this campaign are ordinary citizens and government endpoints.



Disguised Malware Payload

The malicious macros in the PowerPoint file download Crimson RAT, which is cleverly disguised as an image file, such as WEISTT.jpg. This disguise helps evade initial detection by security software. Once downloaded, the image file launches an executable, such as jnmxrvt hcsm.exe, which is the actual Crimson RAT payload. This executable initiates the infection process, allowing the malware to take hold of the victim’s system.

Spoofed Domains and Infrastructure

APT36 has created a network of spoofed domains to support the campaign, including:

  • iaf.nic.in.ministryofdefenceindia.org
  • email.gov.in.departmentofdefence.de
  • indianarmy.nic.in.departmentofdefence.de

These domains, created as early as April 16, 2025, are hosted via providers such as Alexhost Srl, IP Connect Inc, and Shinjiru Technology. The infrastructure facilitates both credential phishing and malware delivery, making it a critical component of the attack chain.
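The spoofed domains above all share one pattern: the hostname begins with a real Indian government domain, but the registrable domain at the end belongs to the attacker. The following detector, an added example that is not from the CloudSEK report, flags that pattern; the allow-list and the small public-suffix table are constructed assumptions for the example.

```python
"""
Added example (not from the CloudSEK report): flag hostnames that start with a
legitimate Indian government domain but whose registrable domain belongs to
someone else, the pattern used by the spoofed domains listed above.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of the legitimate domains these lures impersonate.
LEGIT_DOMAINS = {"jkpolice.gov.in", "iaf.nic.in", "email.gov.in", "indianarmy.nic.in"}

# Assumption: a tiny stand-in for the Public Suffix List, enough for .gov.in / .nic.in;
# a production detector should use the full list (e.g. via the tldextract package).
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in", "ac.in", "co.in"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of `host` using the small suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_domain(url_or_host: str) -> Optional[str]:
    """Return the impersonated legitimate domain if the input is a look-alike, else None."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").lower().rstrip(".")
    # Anything genuinely inside a legitimate zone is not a spoof.
    if host in LEGIT_DOMAINS or registrable_domain(host) in LEGIT_DOMAINS:
        return None
    labels = host.split(".")
    # Every leading label sequence is checked, so "iaf.nic.in.evil.org" matches "iaf.nic.in".
    for i in range(2, len(labels)):
        prefix = ".".join(labels[:i])
        if prefix in LEGIT_DOMAINS:
            return prefix
    return None
```

Run over proxy or DNS logs, a non-None result is worth alerting on even when the registrable domain is newly registered and has no reputation yet.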

Screenshot showing the malicious PDF

How Does Crimson RAT Execute?

Once Crimson RAT is executed on a victim’s system, it follows a structured process to establish communication with its command-and-control server and begin its espionage activities. The execution process is both stealthy and efficient, allowing attackers to maintain long-term access to compromised systems.

Initial Execution

The malware payload, disguised as an image file (e.g., WEISTT.jpg), is executed when the user interacts with the malicious attachment, typically by enabling macros in the PowerPoint file. The executable (e.g., jnmxrvt hcsm.exe) is then launched, initiating the infection process.

Command-and-Control (C2) Connection

Crimson RAT connects to its hardcoded C2 server, identified as 93.127.133.58 (port 1097). Upon establishing the connection, the malware sends initial information about the victim’s system back to the C2 server, including:

  • A list of running processes and their IDs
  • The machine hostname
  • The username

This information helps attackers assess the value of the compromised system and tailor their subsequent actions.
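Detection logic for the C2 connection just described, as an added example that is not CloudSEK's tooling: the IP and port are the indicator quoted above, and the behavioural rule follows the "direct TCP C2 on rotating ports" note in the TTP table below. The log line format, the common-port list, the path heuristic and the sample events are constructed assumptions.

```python
"""
Added example (not CloudSEK's tooling): score outbound-connection events for the
Crimson RAT C2 behaviour described above, i.e. a known C2 endpoint, or a direct
TCP connection on an unusual port from a binary in a user-writable path.
"""
import re
from typing import List, Optional, Tuple

KNOWN_C2 = {("93.127.133.58", 1097)}                # indicator from the report
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995, 445, 3389}   # assumption: tune per site
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.I)  # assumption

# Assumed key=value event format, loosely modelled on Sysmon network-connection fields.
LINE_RE = re.compile(r'time=(\S+) image="([^"]+)" dst=(\d+\.\d+\.\d+\.\d+):(\d+)')


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"time": m.group(1), "image": m.group(2),
            "dst_ip": m.group(3), "dst_port": int(m.group(4))}


def score(ev: dict) -> Tuple[int, str]:
    """Return (score, reason): 100 = known IoC, 60 = behavioural match, 0 = nothing seen."""
    if (ev["dst_ip"], ev["dst_port"]) in KNOWN_C2:
        return 100, "known Crimson RAT C2 endpoint"
    if ev["dst_port"] not in COMMON_PORTS and USER_WRITABLE.search(ev["image"]):
        return 60, "non-standard port from binary in user-writable path"
    return 0, ""


def detect(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # unparseable line: skip, never crash the pipeline
        s, why = score(ev)
        if s:
            hits.append((ev["time"], ev["image"], f'{ev["dst_ip"]}:{ev["dst_port"]}', s, why))
    return hits


# Constructed sample events (not real telemetry); non-C2 addresses use documentation ranges.
SAMPLE_LOG = [
    'time=2025-05-02T09:14:03Z image="C:\\Users\\rk\\AppData\\Local\\Temp\\jnmxrvt hcsm.exe" dst=93.127.133.58:1097',
    'time=2025-05-02T09:14:05Z image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=198.51.100.14:443',
    'time=2025-05-02T09:20:41Z image="C:\\Users\\rk\\AppData\\Roaming\\svchost.exe" dst=203.0.113.7:8443',
    'time=2025-05-02T09:21:00Z image="C:\\Windows\\System32\\svchost.exe" dst=192.0.2.5:443',
]
```

The behavioural rule is deliberately coarse; in practice it is combined with the process-list, hostname and username beaconing noted above and with the Run-key persistence in the TTP table.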

Malware Capabilities

Crimson RAT supports over 20 C2 tasks, making it a highly versatile tool for attackers. Some of its key capabilities include:

  • Screenshot Capture: Commands like cscreen, scren, and thumb allow the malware to capture and exfiltrate screenshots of the victim’s screen, providing visual insight into user activity.
  • File Access and Downloads: Commands such as filsz, listf, and fldr enable the malware to list, access, and download files from the infected system, targeting sensitive documents.
  • System Persistence: The putsrt command ensures the malware remains active on the system even after reboots, allowing long-term access.
  • Remote Command Execution: Commands like runf, dowr, and udlt allow attackers to execute arbitrary commands, download additional payloads, or delete files on the victim’s system.

The malware supports a total of 22 commands, making it a robust tool for espionage.

Data Exfiltration

Once the malware has collected sensitive data, such as screenshots, files, or system information, it sends this data back to the C2 server for further analysis by the attackers. This process is designed to be discreet, minimizing the chances of detection by security software.

APT36 TTPs:

| Stage | Technique | ID | Evidence Source |
| --- | --- | --- | --- |
| Initial Access | Spear-phishing Attachment | T1566.001 | macro/OLE docs |
| Initial Access | Spear-phishing Link | T1566.002 | fake Kashmir attack domains |
| Execution | User Execution – Malicious File | T1204.002 | doc requires enable-content/double-click |
| Persistence | Registry Run Keys | T1547.001 | *.dreb Run-key |
| Defense Evasion | Obfuscated/Encrypted File | T1027 | Eazfuscator, string padding |
| Discovery | File/Directory Discovery | T1083 | files/dirs commands |
| Collection | Screen Capture | T1113 | cscreen/scren commands |
| Command & Control | Application-Layer Protocol (TCP) | T1071.001 | direct TCP C2 on rotating ports |
| Exfiltration | Exfiltration over C2 Channel | T1041 | files sent via C2 (afile/dowr) |

Crimson RAT has been used by APT36 for roughly six years with little change to its TTPs or to the type of campaigns it is deployed in. It poses a limited threat to organizations with mature security controls, since the intended victims of this campaign are ordinary citizens and government endpoints.

References