Date: 06/25/2025
Severity: Critical
Summary
APT36, or Transparent Tribe, is a Pakistan-based threat group targeting Indian defense personnel via advanced phishing campaigns. They send emails with malicious PDFs mimicking government documents, leading to fake National Informatics Centre (NIC) login pages. Clicking the fake login triggers a download of a ZIP file containing disguised malware. This highlights APT36’s focus on credential theft and the need for strong email security and user awareness.
Indicators of Compromise (IOC) List
Domains/URLs:
SuperPrimeServices.com
Advising-Receipts.com
FunDay24.ru
slotgacorterbaru.xyz
servisyeni.xyz
chillchad.xyz
ggpoker.xyz
boldcatchpoint.shop
zhangthird.shop
vipwin.buzz
wholly-well.info
rapio.site
55cc.info
megasofteware.net
worrr19.sbs
kp85.cyou
mczacji.top
59292406.xyz

IP Addresses:
76.223.54.146
188.114.97.7
13.248.169.48
84.32.84.32
217.114.10.11
207.244.126.106
172.67.148.140
198.252.111.31
15.197.148.33
162.254.38.217
104.21.41.144

SHA-256 Hashes:
f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9
55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059
55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
domainname like "SuperPrimeServices.com" or url like "SuperPrimeServices.com" or siteurl like "SuperPrimeServices.com" or domainname like "Advising-Receipts.com" or url like "Advising-Receipts.com" or siteurl like "Advising-Receipts.com" or domainname like "FunDay24.ru" or url like "FunDay24.ru" or siteurl like "FunDay24.ru" or domainname like "59292406.xyz" or url like "59292406.xyz" or siteurl like "59292406.xyz" or domainname like "vipwin.buzz" or url like "vipwin.buzz" or siteurl like "vipwin.buzz" or domainname like "worrr19.sbs" or url like "worrr19.sbs" or siteurl like "worrr19.sbs" or domainname like "ggpoker.xyz" or url like "ggpoker.xyz" or siteurl like "ggpoker.xyz" or domainname like "rapio.site" or url like "rapio.site" or siteurl like "rapio.site" or domainname like "megasofteware.net" or url like "megasofteware.net" or siteurl like "megasofteware.net" or domainname like "boldcatchpoint.shop" or url like "boldcatchpoint.shop" or siteurl like "boldcatchpoint.shop" or domainname like "zhangthird.shop" or url like "zhangthird.shop" or siteurl like "zhangthird.shop" or domainname like "slotgacorterbaru.xyz" or url like "slotgacorterbaru.xyz" or siteurl like "slotgacorterbaru.xyz" or domainname like "55cc.info" or url like "55cc.info" or siteurl like "55cc.info" or domainname like "servisyeni.xyz" or url like "servisyeni.xyz" or siteurl like "servisyeni.xyz" or domainname like "chillchad.xyz" or url like "chillchad.xyz" or siteurl like "chillchad.xyz" or domainname like "wholly-well.info" or url like "wholly-well.info" or siteurl like "wholly-well.info" or domainname like "kp85.cyou" or url like "kp85.cyou" or siteurl like "kp85.cyou" or domainname like "mczacji.top" or url like "mczacji.top" or siteurl like "mczacji.top"

IP Address:
dstipaddress IN ("207.244.126.106","188.114.97.7","15.197.148.33","13.248.169.48","76.223.54.146","172.67.148.140","84.32.84.32","217.114.10.11","198.252.111.31","162.254.38.217","104.21.41.144") or srcipaddress IN ("207.244.126.106","188.114.97.7","15.197.148.33","13.248.169.48","76.223.54.146","172.67.148.140","84.32.84.32","217.114.10.11","198.252.111.31","162.254.38.217","104.21.41.144")

Hash:
sha256hash IN ("55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059","55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332","f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9")
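The TDIR queries above are only usable inside Gurucul's platform. For teams that need to sweep exported proxy, DNS or EDR logs with the same indicators, the following added example (written for this advisory, not Gurucul's or CYFIRMA's code) applies the same three indicator sets to key=value log lines. The log format and the sample lines are constructed; the field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash) deliberately mirror the query fields above. Two design choices differ from a plain substring "like" match and are worth noting: domains are compared against the parsed host of the URL (exact match or subdomain), so an IOC string that only appears in a URL path does not fire, and hashes and hostnames are lower-cased before lookup so mixed-case feeds still match.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list in this advisory.
IOC_DOMAINS = {d.lower() for d in (
    "SuperPrimeServices.com", "Advising-Receipts.com", "FunDay24.ru",
    "slotgacorterbaru.xyz", "servisyeni.xyz", "chillchad.xyz", "ggpoker.xyz",
    "boldcatchpoint.shop", "zhangthird.shop", "vipwin.buzz", "wholly-well.info",
    "rapio.site", "55cc.info", "megasofteware.net", "worrr19.sbs", "kp85.cyou",
    "mczacji.top", "59292406.xyz",
)}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "76.223.54.146", "188.114.97.7", "13.248.169.48", "84.32.84.32",
    "217.114.10.11", "207.244.126.106", "172.67.148.140", "198.252.111.31",
    "15.197.148.33", "162.254.38.217", "104.21.41.144",
)}
IOC_SHA256 = {
    "f03ac870cb91c00b51ddf29b6028d9ddf42477970eafa7c556e3a3d74ada25c9",
    "55b7e20e42b57a32db29ea3f65d0fd2b2858aaeb9307b0ebbcdad1b0fcfd8059",
    "55972edf001fd5afb1045bd96da835841c39fec4e3d47643e6a5dd793c904332",
}

# Constructed key=value log format; field names mirror the TDIR query fields above.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value log line into a dict (quotes around values are stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def host_of(value):
    """Lower-cased host part of a URL or bare hostname, without a trailing dot."""
    s = value.strip()
    if "://" not in s:
        s = "//" + s  # let urlparse treat a bare hostname as the netloc
    return (urlparse(s).hostname or "").lower().rstrip(".")

def domain_hit(host):
    """True when host equals an IOC domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_hit(value):
    """True when value parses as an IP address that is on the IOC list."""
    try:
        return ipaddress.ip_address(value) in IOC_IPS
    except ValueError:
        return False

def check_event(event):
    """Return a list of 'field:value' strings for every IOC the event matches."""
    hits = []
    for key in ("domainname", "url", "siteurl"):
        if key in event:
            host = host_of(event[key])
            if domain_hit(host):
                hits.append(f"{key}:{host}")
    for key in ("srcipaddress", "dstipaddress"):
        if key in event and ip_hit(event[key]):
            hits.append(f"{key}:{event[key]}")
    digest = event.get("sha256hash", "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash:{digest}")
    return hits

def scan(lines):
    """Return (line number, hits) for each line that matches at least one IOC."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = check_event(parse_event(line))
        if hits:
            results.append((number, hits))
    return results

# Constructed sample events; private addresses and example.org are placeholders.
SAMPLE_LOGS = [
    "ts=2025-06-25T10:14:03Z srcipaddress=10.0.0.5 dstipaddress=76.223.54.146 "
    "url=https://login.SuperPrimeServices.com/nic/index.php",
    # IOC string appears only in the path, not the host: no hit under host matching
    "ts=2025-06-25T10:15:41Z srcipaddress=10.0.0.7 dstipaddress=192.0.2.20 "
    "url=https://intranet.example.org/docs/rapio.site.pdf",
    # Upper-case hash as some EDR feeds emit it: normalised before lookup
    "ts=2025-06-25T10:17:09Z srcipaddress=10.0.0.9 dstipaddress=104.21.41.144 "
    "sha256hash=55B7E20E42B57A32DB29EA3F65D0FD2B2858AAEB9307B0EBBCDAD1B0FCFD8059",
    "ts=2025-06-25T10:18:30Z srcipaddress=10.0.0.3 dstipaddress=198.51.100.8 "
    "url=https://mail.example.org/",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Running the script flags lines 1 and 3 of the sample set; line 2 is left alone because "rapio.site" occurs only in the document name, not in the contacted host. When adapting this to real exports, point SAMPLE_LOGS at the file to sweep and extend the field lists in check_event to whatever names the exporting product uses.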
Reference:
https://www.cyfirma.com/research/apt36-phishing-campaign-targets-indian-defense-using-credential-stealing-malware/