APT36 Targets Indian Government and Strategic Entities With Multi-Stage LNK Malware Campaign

By Ash K

CYFIRMA has uncovered a highly targeted cyber espionage campaign attributed to APT36, also known as Transparent Tribe, a Pakistan-aligned threat actor with a long operational history focused on Indian governmental, academic, and strategic organisations. The campaign demonstrates a notable evolution in delivery techniques, using a weaponised Windows shortcut (LNK) file that convincingly masquerades as a legitimate PDF document while silently executing malicious code.

The operation reflects a deliberate focus on stealth, persistence, and long-term intelligence collection rather than immediate disruption, aligning closely with APT36’s historic tradecraft.

Campaign overview

The attack begins with a phishing campaign delivering malicious LNK files to targeted users. These files are carefully crafted to appear as legitimate PDF documents related to official or academic themes, increasing the likelihood of execution.

What makes this campaign particularly effective is the embedding of full, genuine PDF content inside the malicious shortcut. When opened, the document displays expected content, giving victims no immediate reason to suspect compromise.

Deceptive LNK execution technique

Upon execution, the LNK file invokes trusted Windows utilities such as mshta.exe, PowerShell, and cmd.exe to initiate the infection chain. This approach allows the malware to execute largely in memory, significantly reducing on-disk artefacts and evading traditional signature-based detection.

The use of native Windows binaries, often referred to as living-off-the-land techniques, enables the malware to blend seamlessly into normal system activity.

Multi-stage infection chain

The initial LNK execution triggers a multi-stage process that progressively deploys additional components. Each stage performs a specific function, such as environment reconnaissance, payload retrieval, and persistence establishment.

This modular approach allows the attackers to adapt behaviour based on the victim environment and to limit exposure of the full capability set during early stages.

Indicators of compromise

The following indicators have been observed in connection with this campaign and can be used to support detection and threat hunting efforts.

Basic technical details

  • Target technologies: Windows Operating System
  • Threat type: Phishing campaign
  • File type: LNK (Windows Shortcut)
  • Observed first: 2025-12-15
  • Impact: Data exfiltration

Known malicious filenames

  • Online JLPT Exam Dec 2025.pdf.lnk
  • Online JLPT Exam Dec 2025.zip
  • jip.hta

Observed MD5 hashes

  • 30fdd797535a0f367ea2809426760020
  • ceb715db68419958ac05e6c05dc5c7f0
  • 6baf7121594b84177eec4420875908cf

Capabilities of the malware

The malware deployed in this campaign functions as a fully featured Remote Access Trojan designed to provide persistent and covert control over infected systems. Its capabilities extend well beyond simple reconnaissance.

Stealthy execution: The malware leverages trusted Windows binaries and in-memory execution to minimise forensic artefacts and evade endpoint security tools.

Command and control: It establishes persistent, encrypted communication with attacker-controlled servers, allowing operators to issue commands and receive responses in real time.

System profiling: Detailed host information is collected, including operating system version, username, installed applications, and active antivirus products.

Remote command execution: Attackers can execute arbitrary shell commands and receive command output remotely.

File management: The RAT supports full file system interaction, including listing, uploading, downloading, renaming, deleting, and moving files and directories.

Data theft: Sensitive documents such as Office files, PDFs, text files, and database files are harvested and exfiltrated to attacker infrastructure.

Surveillance: Capabilities include screenshot capture, remote desktop viewing, and clipboard monitoring.

Clipboard manipulation: The malware can steal and overwrite clipboard contents, a technique that can be abused for credential or cryptocurrency theft.

Process control: Running processes can be enumerated and selectively terminated to disable security tools or interfere with user activity.

Persistence: Persistence mechanisms are dynamically adapted based on detected antivirus solutions, enabling long-term access while minimising detection.

Targeted sectors and intent

The campaign is focused on Indian government bodies, academic institutions, and organisations linked to strategic research. These targets offer access to sensitive policy discussions, research material, and internal communications of intelligence value.

The emphasis on stealth and persistence indicates a clear espionage motive rather than financial gain.

Why this campaign is significant

The use of LNK files with embedded legitimate content represents a sophisticated social engineering tactic that directly targets user trust. Combined with fileless execution and adaptive persistence, the campaign poses a serious detection challenge for traditional security controls.

This activity demonstrates how advanced threat actors continue to refine low-exploit, high-deception techniques to achieve sustained access.

Defensive considerations

Organisations are advised to restrict execution of LNK files delivered via email or downloaded from external sources, enhance monitoring of native Windows utilities for suspicious behaviour, and conduct targeted awareness training focused on document-based lures.

Behavioural detection, command line logging, and outbound network monitoring are critical for identifying such threats.
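A hunting rule over process-creation telemetry, added here as an illustration of the monitoring recommended above and of the LNK execution technique described earlier; it is not code from CYFIRMA's report. It flags the native binaries named on the page (mshta.exe, PowerShell, cmd.exe) when they are launched directly from explorer.exe, as a double-clicked shortcut would do, or handed an .hta or URL argument, and checks attachment names for the `.pdf.lnk` double-extension pattern of the lure. The JSON event shape, field names, file paths and process IDs are assumptions constructed for the example.

```python
import json
import re

# Native binaries the write-up says the LNK chains into (living off the land).
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# A user double-clicking a shortcut yields explorer.exe as the parent process.
USER_SHELL_PARENTS = {"explorer.exe"}
# Lure naming pattern from the campaign: "<document>.pdf.lnk".
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# Script-host or remote-fetch arguments a document viewer would never need.
HTA_OR_URL = re.compile(r"\.hta\b|https?://", re.IGNORECASE)


def is_disguised_shortcut(filename):
    """True for attachment names that hide a .lnk behind a document extension."""
    return bool(DISGUISED_LNK.search(filename))


def suspicious_reasons(evt):
    """Return why one process-creation event resembles the LNK chain (empty if benign)."""
    image = evt["Image"].rsplit("\\", 1)[-1].lower()
    parent = evt["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = evt.get("CommandLine", "")
    reasons = []
    if image in LOLBINS and parent in USER_SHELL_PARENTS:
        reasons.append(f"{image} launched directly from {parent}")
    if image in LOLBINS and HTA_OR_URL.search(cmd):
        reasons.append(f"{image} given an .hta or URL argument")
    return reasons


def hunt(json_lines):
    """Run the rule over newline-delimited JSON events; return (ProcessId, reasons) hits."""
    hits = []
    for line in json_lines:
        reasons = suspicious_reasons(json.loads(line))
        if reasons:
            hits.append((json.loads(line)["ProcessId"], reasons))
    return hits


# Constructed sample telemetry (not from the report); paths and PIDs are made up.
SAMPLE_EVENTS = [
    '{"ProcessId": 4120, "Image": "C:\\\\Windows\\\\System32\\\\mshta.exe", '
    '"ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"CommandLine": "mshta.exe C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\Temp\\\\jip.hta"}',
    '{"ProcessId": 4188, "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", '
    '"ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}',
    '{"ProcessId": 912, "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", '
    '"ParentImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", '
    '"CommandLine": "powershell.exe -File C:\\\\scripts\\\\inventory.ps1"}',
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the mshta.exe event is flagged, on both conditions; the scheduled PowerShell inventory script and the notepad launch pass, which is the signal-to-noise balance a hunt over real Sysmon or 4688 data needs.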

Further research

Additional technical analysis and indicators related to this campaign are available in CYFIRMA’s detailed research report, which provides deeper insight into the infection chain and infrastructure used by APT36.

Read more at: https://www.cyfirma.com/research/apt36-multi-stage-lnk-malware-campaign-targeting-indian-government-entities/

Conclusion

The APT36 LNK malware campaign highlights the continued threat posed by state-aligned espionage groups operating in South Asia. By combining convincing social engineering with stealthy, modular malware, the attackers significantly increase their success rate while reducing the likelihood of detection.

For Indian government and strategic entities, the campaign serves as a reminder that advanced threats often rely on human trust rather than complex exploits, making layered defence and user vigilance essential.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.