Pakistan-Linked APT36 Targets Indian Government and Academic Institutions with Advanced Malware Campaign

By Azhar Khan

Cybersecurity researchers have uncovered an ongoing spear-phishing campaign attributed to the Pakistan-linked advanced persistent threat group APT36, also known as Transparent Tribe, targeting Indian government bodies and academic institutions. The operation involves the deployment of two custom malware families, dubbed ReadOnly and WriteOnly, designed to establish long-term persistence, conduct covert surveillance, and exfiltrate sensitive data from compromised systems.

Spear-Phishing as the Initial Access Vector

The campaign relies heavily on highly targeted spear-phishing emails crafted to appear legitimate and contextually relevant to the recipients. These messages often impersonate official government communications, academic correspondence, or policy-related documents, increasing the likelihood of user interaction.

Attached files or embedded links deliver malicious payloads disguised as routine documents. Once opened, the files execute hidden scripts that initiate the infection chain without immediately alerting the victim.

Deployment of ReadOnly and WriteOnly Malware

Following initial compromise, attackers deploy the ReadOnly and WriteOnly malware implants, each serving a specific operational role. ReadOnly focuses on reconnaissance and data collection, silently harvesting system information, user credentials, and stored documents.

WriteOnly, in contrast, is designed for command execution and payload delivery. It allows attackers to push additional tools, update malware components, and execute arbitrary commands on infected machines, giving them sustained control over compromised environments.

Persistent Surveillance and Stealth Techniques

Both malware families are engineered for persistence and stealth. They leverage registry modifications, scheduled tasks, and masquerading techniques to blend into legitimate system processes. Communication with command-and-control servers is often encrypted or obfuscated, reducing the likelihood of detection by conventional security tools.

The implants are capable of remaining dormant for extended periods, activating only when specific conditions are met. This low-noise approach enables attackers to maintain access while minimizing forensic footprints.

Data Theft and Intelligence Collection

The primary objective of the campaign appears to be intelligence gathering. Infected systems are monitored for sensitive documents, emails, and credentials related to government operations, academic research, and policy development.

The malware supports selective exfiltration, allowing attackers to prioritize high-value data while avoiding excessive network traffic that could trigger alarms. Screen captures, keystroke logging, and clipboard monitoring further enhance visibility into victim activity.

Potential Cryptocurrency Hijacking Capabilities

Researchers have also identified functionality that could enable cryptocurrency-related abuse. The malware can monitor clipboard activity and browser sessions, potentially allowing attackers to hijack wallet addresses, steal private keys, or redirect cryptocurrency transactions.

This capability suggests that, while espionage remains the primary motivation, the group may also pursue opportunistic financial gain when access permits.
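The clipboard-hijacking behaviour described above has a recognisable signature on the defender's side: a wallet address lands on the clipboard and, within a fraction of a second, is replaced by a different address of the same format, usually by a process that is neither the browser nor a wallet application. The following detector is an added example written for this article, not code from the report or from the malware analysis; it assumes a feed of clipboard snapshots (timestamp, owning process, content) such as an endpoint agent could collect, and all addresses and process names in it are constructed.

```python
import re
from dataclasses import dataclass

# Address formats covered: Bitcoin legacy/P2SH, Bitcoin bech32, Ethereum.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def address_type(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None


@dataclass
class ClipboardEvent:
    ts: float    # seconds since epoch when the content was observed
    owner: str   # process that wrote the clipboard (GetClipboardOwner on Windows); assumed field
    text: str    # clipboard content


def detect_swaps(events, max_gap=2.0, trusted_owners=frozenset()):
    """Flag an address replaced by another address of the same asset within max_gap seconds.

    A user copying a second address by hand takes far longer than max_gap; a hijacker
    rewrites the clipboard within milliseconds of the original copy.
    """
    alerts = []
    prev = None
    for ev in events:
        asset = address_type(ev.text)
        if prev is not None and asset is not None:
            same_asset = address_type(prev.text) == asset
            changed = prev.text.strip() != ev.text.strip()
            fast = (ev.ts - prev.ts) <= max_gap
            if same_asset and changed and fast and ev.owner not in trusted_owners:
                alerts.append({
                    "asset": asset,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                    "writer": ev.owner,
                    "delay": round(ev.ts - prev.ts, 3),
                })
        prev = ev
    return alerts


# Constructed sample feed: the address strings are synthetic, not real wallets.
USER_ADDR = "0x" + "a1b2c3d4" * 5
SWAPPED_ADDR = "0x" + "deadbeef" * 5
SAMPLE_EVENTS = [
    ClipboardEvent(1000.0, "chrome.exe", "meeting notes for tomorrow"),
    ClipboardEvent(1010.0, "chrome.exe", USER_ADDR),
    ClipboardEvent(1010.3, "svchost.exe", SWAPPED_ADDR),        # rewritten 300 ms later: alert
    ClipboardEvent(1060.0, "chrome.exe", "bc1q" + "0" * 38),
    ClipboardEvent(1100.0, "chrome.exe", "bc1q" + "1" * 38),    # second address copied 40 s later: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS, trusted_owners={"wallet.exe"}):
        print(alert)
```

The owner-process field is the strongest single signal: a clipboard write from a process that is not a browser, editor or wallet application, arriving within a second of a user copy, is worth a ticket on its own. The time threshold exists so that a user who legitimately copies two addresses in a row is not flagged.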

Focus on Government and Academic Targets

The campaign demonstrates a clear focus on Indian government agencies and academic institutions, sectors that hold strategic value due to their access to policy discussions, research initiatives, and sensitive infrastructure details.

Universities and research centers are particularly attractive targets, as they often collaborate with government bodies while maintaining more open digital environments, making them easier to infiltrate.

Attribution and Historical Context

The tools, infrastructure, and operational patterns observed in this campaign closely align with APT36’s previously documented activities. The group has a long history of targeting South Asian entities, especially in India, using socially engineered lures tied to government, defense, and education themes.

Security analysts assess with high confidence that the same threat actor is behind this latest operation, reflecting a continuation rather than a deviation in strategic objectives.

Risks to Critical Infrastructure and National Security

Compromise of government and academic systems carries broader implications beyond data theft. Persistent access could be leveraged to map internal networks, identify vulnerabilities, and potentially enable future disruptive or destructive actions.

Exposure of sensitive research, policy planning documents, and credentials could undermine national security interests and critical infrastructure resilience.

Defensive Measures and Mitigation

Organizations are urged to strengthen email security controls, including advanced phishing detection and attachment sandboxing. User awareness training remains critical, particularly for staff handling sensitive or policy-related information.

Endpoint monitoring solutions capable of detecting anomalous behavior, combined with regular threat hunting, can help identify hidden implants before significant damage occurs. Segmentation of sensitive systems and strict access controls further limit attacker movement.
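The persistence techniques named earlier (autostart registry values, scheduled tasks, binaries masquerading as Windows system processes) leave artefacts that endpoint telemetry already records, so a threat hunt can be expressed as a handful of rules over those events. The script below is an added example written for this article, not code from the report or any vendor product; it assumes newline-delimited JSON events with the field names shown (`event_type`, `target`, `data`, `image`, `command_line`), and every event in the sample, including the user name, SID and paths, is constructed.

```python
import json
import re

# Directories a properly installed service rarely runs from, but dropped
# implants commonly do (user profile, temp and shared-data locations).
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\")
# Autostart registry keys under HKLM or a user hive.
RUN_KEYS = re.compile(r"(?i)\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\")
# Windows binaries malware often imitates; the genuine copies live under the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_DIR = re.compile(r"(?i)^[a-z]:\\Windows\\")


def check_event(ev):
    """Return the names of the persistence/masquerading rules one event trips."""
    findings = []
    kind = ev.get("event_type")
    if kind == "registry_set":
        # Autostart value whose target binary sits in a user-writable directory.
        if RUN_KEYS.search(ev.get("target", "")) and USER_WRITABLE.search(ev.get("data", "")):
            findings.append("run_key_user_writable")
    elif kind == "process_create":
        image = ev.get("image", "")
        cmdline = ev.get("command_line", "")
        name = image.rsplit("\\", 1)[-1].lower()
        # Scheduled task creation whose action points into a user-writable directory.
        if name == "schtasks.exe" and re.search(r"(?i)/create\b", cmdline) and USER_WRITABLE.search(cmdline):
            findings.append("schtasks_user_writable")
        # A system binary name executing from outside the Windows directory.
        if name in SYSTEM_BINARIES and not WINDOWS_DIR.match(image):
            findings.append("masquerade_path")
    return findings


def hunt(lines):
    """Run every rule over newline-delimited JSON events; return (event id, rule) pairs."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            hits.append((ev["id"], rule))
    return hits


# Constructed sample telemetry (JSON escaping doubles the backslashes).
SAMPLE_EVENTS = r"""
{"id": "1", "event_type": "registry_set", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "data": "C:\\Program Files\\Vendor\\agent.exe"}
{"id": "2", "event_type": "registry_set", "target": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "data": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\upd.exe"}
{"id": "3", "event_type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /create /sc minute /mo 15 /tn Updater /tr \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\""}
{"id": "4", "event_type": "process_create", "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"id": "5", "event_type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
""".strip().splitlines()

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 1 and 5 are the legitimate baseline (an installed vendor agent and the real svchost.exe) and produce nothing; events 2, 3 and 4 each trip one rule. In production the same rules would run against Sysmon registry (event 13) and process-creation (event 1) records, and the path allow-list would be tuned to the organisation's own software inventory.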

Conclusion

The latest APT36 campaign highlights the persistent and evolving cyber-espionage threat facing Indian government and academic institutions. By combining sophisticated spear-phishing with modular malware capable of surveillance, data theft, and potential cryptocurrency abuse, the attackers demonstrate a clear intent to maintain long-term access and strategic advantage. As geopolitical tensions increasingly manifest in cyberspace, robust defenses and heightened vigilance remain essential to counter such advanced threats.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.