
APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users, employing clipboard-based execution techniques. On Windows, the attack utilized mshta.exe to execute a heavily obfuscated HTA file, while on Linux, it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.

OPENCTI LABELS:

social engineering, obfuscation, clickfix, cross-platform, spoofing, mshta, ministry of defence, clipboard-based execution


Open this report in the NetmanageIT OpenCTI public instance (opencti.netmanageit.com).

NOTE: Log in with the public read-only username and password shown on the login page banner.