In May 2025, multiple Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. But CloudSEK’s investigation reveals most of these breaches were exaggerated or fake—ranging from recycled data leaks to defacements that left no real impact. While DDoS attacks barely caused a few minutes of disruption, the real threat came from APT36, which used Crimson RAT malware to target Indian defense networks after the Pahalgam terror attack. This report separates fact from fiction—unmasking the hype, tactics, and real risks behind the India-Pakistan cyber conflict. Read the full analysis to know what truly happened.
Recent hacktivist campaigns targeting Indian digital infrastructure have generated alarming headlines, but investigation reveals most claims are significantly overblown. Despite major hacktivist groups collectively claiming over 100 successful breaches of government sites, educational institutions, and critical infrastructure in May 2025, analysis shows minimal actual impact—with alleged data leaks containing primarily public information, website defacements leaving no digital footprint, and supposed DDoS attacks against high-profile targets like the Prime Minister's Office causing negligible disruption. Meanwhile, the more sophisticated APT36 espionage group continues to pose a genuine threat through targeted Crimson RAT malware campaigns exploiting the April 2025 Pahalgam terror attack to infiltrate government and defense networks.
Top 5 Hacktivist Groups
Note: Many hacktivist groups use tools with limited impact, often causing brief 5–10 minute outages and exaggerating them with screenshots. These tactics haven’t evolved in over two years. While monitoring is important, basic DDoS hygiene is usually enough to mitigate such low-level threats and minimize their visibility.
Government entities in India were the primary targets of cyberattacks, with high-profile breaches reported across central government portals such as the Ministry of Defence, Ministry of External Affairs, and the Election Commission. Digital public services like UMANG, Digital Police, and the National Informatics Centre, as well as administrative websites including those of the President and Prime Minister, were also hit. The judicial system, including several high courts, faced disruptions. The education sector was notably affected, with attacks on universities, medical institutions, and testing agencies. Critical infrastructure was also targeted, including transportation systems like Indian Railways, communication networks such as India Post and RailTel, and financial institutions like Punjab National Bank and Indian Overseas Bank.
1. Significant Discrepancy in Claimed National Informatics Centre (NIC) Breach
Multiple hacktivist entities, including SYLHET GANG-SG and DieNet, prominently claimed the exfiltration of over 247 GB of data from India's National Informatics Centre (NIC) servers—a potentially devastating breach given NIC's role in government IT infrastructure. However, a subsequent analysis of a 1.5 GB sample released by the groups as "proof" revealed it consisted of publicly available marketing materials and media files, suggesting the alleged 247 GB compromise of critical government data is largely unsubstantiated by the evidence provided.
A claim made on May 8, 2025, by Team Azrael--Angel Of Death® regarding an alleged breach of the Election Commission of India, supposedly yielding over 1 million citizen records, exemplifies a common hacktivist tactic: the repackaging of previously disclosed data to create the illusion of a recent, high-impact compromise. On verifying the data, CloudSEK confirmed that the dataset associated with this claim—though containing genuine PII like names, ages, phone numbers, and addresses—was originally leaked in 2023. Thus, the May 2025 announcement does not represent a new breach of the ECI by this group but rather an effort to generate alarm and publicity using old data concerning India's sensitive democratic institutions.
The hacktivist group KAL EGY 319 claimed a large-scale defacement operation between May 8-9, 2025, allegedly affecting around 40 Indian educational and medical websites, and subsequently announced a strategic pivot to new targets. Despite these assertions, the actual impact appears minimal. Investigation revealed that all named websites are currently functioning normally. This suggests that either the defacements were not fully executed as claimed, or did not result in any significant or complete compromise of the targeted online assets.
Between May 7-8, 2025, a coalition of hacktivist groups including Lực Lượng Đặc Biệt Quân Đội Điện Tử, Vulture, and GARUDA ERROR SYSTEM, announced Distributed Denial of Service (DDoS) attacks targeting high-profile Indian government websites. Targeted entities reportedly included the Prime Minister's Office (PMO), the President's office, and various key Ministries (Home, Defence, External Affairs, Health), alongside law enforcement portals. While the groups touted this as a well-organized operation, verification analysis indicates the websites in question are operating as usual. Any experienced downtime appears to have been negligible, potentially lasting less than five minutes, suggesting the attacks had no significant or sustained impact on the availability of these critical government services.
The hacktivist claim by SYLHET GANG-SG (which credited Team insane Pakistan) on May 7, 2025, of accessing 1 million case details and FIR records from the Andhra Pradesh High Court database significantly overstated the sensitivity of the information obtained. Analysis reveals the data primarily consists of publicly accessible case metadata. While this information is not inherently critical, the leak did also expose some password hashes, which poses a definite security risk to the court's systems and potentially linked accounts. Nevertheless, the narrative of a massive breach of private judicial records is not substantiated by the nature of the data released.
On May 7, 2025, Team Azrael--Angel Of Death® made a serious claim of compromising and leaking data pertaining to Indian Army personnel, including alleged RAW/CBI operatives. Such a breach, if genuine, would signify a major intelligence coup. However, thorough validation of the data presented by the group reveals no discernible link to actual Indian Army personnel. The dataset is characterized by significant inconsistencies, including mismatches between names, email addresses, and phone numbers. There is high confidence that the data is either fabricated or entirely misattributed, and does not represent a legitimate compromise of the claimed high-sensitivity targets.
Also on May 8, 2025, hacktivist groups Vulture and the Electronic Army Special Forces claimed responsibility for DDoS attacks specifically aimed at India's Computer Emergency Response Team (CERT-In) and the National Testing Agency (NTA). The timing of the alleged attack on the NTA was noted as potentially disruptive due to ongoing critical examination periods. These entities represent key organizations in India's cyber defense and educational infrastructure. However, despite the strategic nature of these claimed targets, validation confirmed that both the CERT-In and NTA websites were, and remained, up and running without any observable outage or degradation of service consistent with a successful DDoS attack. The claims of impacting these critical organizations appear unfounded based on their operational continuity.
Pakistan-Linked X(Twitter) Accounts Amplify Unverified Cyber Claims
P@kistanCyberForce is a social media account associated with a self-proclaimed Pakistani hacktivist group that makes unverified claims of breaching Indian entities such as the Manohar Parrikar Institute for Defence Studies and Analyses (idsa.in), Armoured Vehicles Nigam Limited (avnl.co.in), and the ECHS healthcare portal (echs-pcmdb.sourceinfosys.com).
CyberLegendX (@cyber4982), a social media account, has been issuing alerts claiming that the Pakistan Cyber Force is responsible for recent cyberattacks targeting Indian entities. The reported targets include a vehicle tracking platform (trackmaster.in/FMSAttachments/) and Bharti Airtel Ltd.’s. These actions are being portrayed as part of an ongoing India-Pakistan cyber conflict and a retaliatory move in response to Operation Sindoor. The attack on Airtel specifically exploited a BIG-IP service, while the breach of trackmaster.in was carried out via a known vulnerability, allowing the attacker to gain access and upload an image.
Social media accounts Taymiyyah Umer🦋 (@MAkhtar508), @Mubashirbilal00, and mirhakhan_99 have been sharing unverified claims allegedly linked to PAFCyberForce under the banner of OPERATION BUNYAN AL MARSOUS. These posts suggest that Pakistani cyber operatives have infiltrated various segments of Indian digital infrastructure—including civilian systems, hospitals, and sensitive sites—conducting surveillance and manipulating security feeds. The claims emphasize that no visible disruption was caused, portraying the operation as a calculated show of advanced capabilities and strategic restraint. Several dozen other accounts are circulating the same claims.
@Amad__khan, who identifies himself as a Pakistani ethical hacker and programmer associated with CyberSec Revolution, has publicly claimed responsibility for a series of cyber intrusions targeting Indian digital infrastructure. According to his statements, the targets included the Indian Creative Institute, the Kavanal website, various other Indian websites, CCTV systems, routers, the Staff Selection Commission (SSC) and its candidates' data, the Ministry of External Affairs, the Delhi Police clearance certificate system, and the Ministry of Housing and Urban Affairs. His posts, which frequently feature pro-Pakistan rhetoric and references to cyber conflict between India and Pakistan, reflect a persistent anti-India narrative. He claims to carry out these attacks by either exploiting server vulnerabilities or using compromised credentials.
Crimson RAT is a .NET-based Remote Access Trojan that has long served as a key espionage tool for APT36—also known as Earth Karkaddan, Transparent Tribe, and several other aliases. This politically motivated threat group, believed to be linked to Pakistan, has a history of targeting Indian military, diplomatic, and educational institutions. Designed for stealth and persistence, Crimson RAT allows attackers to remotely execute commands, exfiltrate sensitive data, and maintain continuous access to compromised systems. In May 2025, reports revealed that APT36 leveraged this malware to exploit the emotional aftermath of the April 2025 Pahalgam terror attack, using it as a thematic lure to breach Indian government and defense networks through phishing and social engineering tactics.
APT36 employs a multi-pronged approach to deliver Crimson RAT, leveraging social engineering and phishing techniques to exploit human vulnerabilities. The campaign, launched within 48 hours of the April 22, 2025, Pahalgam terror attack, uses emotionally charged themes to maximize its impact. Here’s how the attack chain unfolds:
Phishing Emails with Malicious Attachments
The campaign begins with phishing emails that appear to come from credible sources, such as government officials or organizations. These emails often include attachments designed to look like official documents. Two primary delivery methods have been observed:
Disguised Malware Payload
The malicious macros in the PowerPoint file download Crimson RAT, which is cleverly disguised as an image file, such as WEISTT.jpg. This disguise helps evade initial detection by security software. Once downloaded, the image file launches an executable, such as jnmxrvt hcsm.exe, which is the actual Crimson RAT payload. This executable initiates the infection process, allowing the malware to take hold of the victim’s system.
Spoofed Domains and Infrastructure
APT36 has created a network of spoofed domains to support the campaign, including:
These domains, created as early as April 16, 2025, are hosted via providers such as Alexhost Srl, IP Connect Inc, and Shinjiru Technology. The infrastructure facilitates both credential phishing and malware delivery, making it a critical component of the attack chain.
Once Crimson RAT is executed on a victim’s system, it follows a structured process to establish communication with its command-and-control server and begin its espionage activities. The execution process is both stealthy and efficient, allowing attackers to maintain long-term access to compromised systems.
Initial Execution
The malware payload, disguised as an image file (e.g., WEISTT.jpg), is executed when the user interacts with the malicious attachment, typically by enabling macros in the PowerPoint file. The executable (e.g., jnmxrvt hcsm.exe) is launched, initiating the infection process.
Command-and-Control (C2) Connection
Crimson RAT connects to its hardcoded C2 server, identified as 93.127.133.58 (port 1097). Upon establishing the connection, the malware sends initial information about the victim’s system back to the C2 server, including:
This information helps attackers assess the value of the compromised system and tailor their subsequent actions.
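Two of the observables described above are cheap to check on the defender's side: a file that keeps a .jpg name but carries a Windows PE header, and outbound connections to the hardcoded C2 endpoint. The following is an added example, not code from the CloudSEK report; the firewall log format and all sample bytes and lines are constructed for illustration.

```python
import re
import struct

# C2 endpoint quoted in the report: Crimson RAT's hardcoded server.
C2_IP = "93.127.133.58"
C2_PORT = 1097

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header (MZ stub plus 'PE\\0\\0').
    A real JPEG starts with FF D8 FF; a dropper renamed to .jpg still needs
    the PE layout to execute, so the magic bytes expose the disguise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew field
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def masquerading_image(name: str, data: bytes) -> bool:
    """Flag files with an image extension whose content is actually a PE."""
    return name.lower().endswith((".jpg", ".jpeg", ".png")) and looks_like_pe(data)

# Assumed (constructed) log line shape: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")

def c2_hits(log_lines):
    """Return (timestamp, source_ip) for every flow to the C2 IP on the C2 port."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == C2_IP and int(m.group(5)) == C2_PORT:
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed samples: a minimal PE-shaped blob under the lure's file name,
# a genuine JPEG prefix, and three firewall lines containing one C2 beacon.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
           + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 16)
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SAMPLE_LOG = [
    "2025-05-09T10:12:01Z 10.0.0.21:51342 -> 93.127.133.58:1097 ALLOW",
    "2025-05-09T10:12:05Z 10.0.0.21:51343 -> 142.250.1.1:443 ALLOW",
    "2025-05-09T10:13:40Z 10.0.0.35:49211 -> 93.127.133.58:443 ALLOW",
]

if __name__ == "__main__":
    print(masquerading_image("WEISTT.jpg", FAKE_PE), masquerading_image("photo.jpg", REAL_JPG))
    print(c2_hits(SAMPLE_LOG))
```

The third sample line goes to the C2 IP on a different port and is deliberately not matched; a production rule would usually alert on the IP alone and use the port only to raise severity.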
Crimson RAT supports over 20 C2 tasks, making it a highly versatile tool for attackers. Some of its key capabilities include:
The malware supports a total of 22 commands, making it a robust tool for espionage.
Data Exfiltration
Once the malware has collected sensitive data, such as screenshots, files, or system information, it sends this data back to the C2 server for further analysis by the attackers. This process is designed to be discreet, minimizing the chances of detection by security software.
Crimson RAT has been used by APT36 for roughly six years without much change to its TTPs or the type of campaigns it supports. This poses a limited threat to organizations with mature security policies, as the intended victims of this attack are ordinary citizens and government endpoints.