SOCRadar® Cyber Intelligence Inc. | Reflections of the India–Pakistan Kashmir Escalation on the Cyber World
May 08, 2025
Jun 03, 2026

Reflections of the India–Pakistan Kashmir Escalation on the Cyber World

Update: Ceasefire Holds, May 12, 2025

Update: Executive Summary, End of May, 2025

The Kashmir region, long a flashpoint between India and Pakistan, has once again become the center of a volatile escalation. On May 7, 2025, both nations exchanged heavy fire and conducted cross-border strikes, leading to dozens of civilian casualties on either side. The conflict was triggered after a militant attack in Pahalgam on April 22, which India blamed on Pakistan-backed actors, a charge Islamabad has denied.

Missile strikes, drone shootdowns, and shelling across the Line of Control (LoC) have followed, each side accusing the other of provocation. As has often been the case in recent years, these physical clashes are increasingly mirrored in cyberspace.

LoC on the disputed Kashmir region (VOA)

This blog tracks the cyber reflections of the latest military standoff, organizing key developments in chronological order. As with prior flare-ups, cyber threat actors ranging from hacktivists to possibly APTs, have begun to align their operations.

Cyber Retaliation Between India and Pakistan: A Snapshot

India and Pakistan’s rivalry often plays out online, especially during moments of real-world tension like the current situation in Kashmir. Over the years, cyber activity has followed a familiar pattern. When political or military events flare up, so do digital skirmishes.

Hacktivist groups from both sides have been active, launching website defacements, Denial-of-Service (DoS) attacks, and at times leaking stolen data. These actions usually come in response to attacks on civilians, national holidays, or even cricket matches. Pro-Pakistan groups often justify their actions on religious or ideological grounds, while Indian-affiliated groups respond with retaliatory campaigns of their own or carry out attacks with similar justifications.

Count of Dark Web mentions related to India over the years, cyber attacks, leaks, sales and more

Over the years, cyber activity related to India has kept growing. This includes not just hacktivist campaigns but also mentions on the Dark Web like data leaks, and the sale of stolen information. Most of these are publicly visible and reflect a mix of political, criminal, and opportunistic motives. While some incidents are low impact or symbolic, they often line up with events on the ground, showing how the conflict now plays out online as well.

Pakistan has seen a similar pattern of cyber activity over the years, but it is not targeted as heavily as India on hacker forums, Telegram channels, or by hacktivist groups.

Since the 2010s, especially following the Arab Spring, the center of gravity for hacktivism has clearly shifted toward Asia. South Asian groups, in particular, have become some of the most active players in the space. The majority of hacktivist campaigns today involve collectives based in the eastern hemisphere, from Southeast Asia to the Middle East and South Asia.

This shift has played a major role in how global conflicts unfold online. Hacktivist groups are now quick to align themselves with political causes, and their actions often reflect the broader sentiment of the regions they represent. For example, during the Israel–Palestine conflict, a large number of attacks came from this part of the world, with very few pro-Israeli hacktivist groups in comparison. Many of the pro-Israel actors were Indian, reflecting India’s political stance in that crisis.

Because of this, India found itself targeted in retaliation, even though it was not directly involved in the conflict. Pakistan, on the other hand, was less of a target, partly because its hacktivist ecosystem is already highly active and aligned with many of the same causes driving anti-Israel and anti-India sentiment.

For more details on this connection, check out our dedicated blog post.

Before May 7, 2025

Following the April 22 attack in Pahalgam, several cyber incidents took place. On April 29, Pakistan-based hackers “IOK Hacker” claimed attacks on Indian Army school portals and welfare websites. Soon after, on May 5, “Pakistan Cyber Force” announced alleged breaches of Indian military-linked sites and attempted to deface a defense-related company’s website.

Alleged threat actor in question (X)

Although these attacks were highly publicized, their real impact was probably limited, and many claims were likely exaggerated. News outlets often amplify the importance of such incidents, which individually might not cause serious damage. However, this is typically how hacktivism works: lots of small, possibly unfounded or minimally damaging incidents that collectively result in significant disruption over time.

On May 7 and 8, 2025

On the day of the attack, cyber confrontations escalated significantly, mirroring the physical clashes along the Kashmir Line of Control. Hacktivist groups reacted swiftly to the exchanges of fire with public announcements and targeted cyberattacks. Some of the highlights are as follows:

IndoHaxSec, an Indonesian hacker collective, announced collaboration with Pakistani group Team Azrael – Angel of Death, explicitly stating their intent to target Indian cyberspace. They framed their cyber-attacks as direct retaliation against India’s missile strikes on Pakistan-administered territories, encouraging other Indonesian groups to join their campaign against India.

IndoHaxSec’s Telegram post

In another instance, SYLHET GANG-SG allegedly defaced an Indian website, displaying a political message in support of Pakistan. The act appears to have been symbolic, with limited impact.

SYLHET GANG-SG’s Telegram post

Meanwhile, one of the bigger groups, Team Insane Pakistan, claimed responsibility for hacking the website of Rajasthan’s Information and Public Relations Department, leaving a defacement message that accused Indian authorities of spreading misinformation.

Team Insane Pakistan’s Telegram post

Most notably, a threat actor calling themselves DieNet announced an alleged breach of India’s National Informatics Centre (NIC), claiming extraction of over 247 GB of data. They threatened to gradually release sensitive information depending on India’s future actions.

DieNet’s Telegram post

Ceasefire Holds, May 12, 2025

The ceasefire between India and Pakistan, effective since May 10, 2025, continues to hold despite accusations from both sides alleging violations shortly after it was established. Explosions and sporadic firing were reported in parts of Kashmir immediately following the announcement.

Despite the fragile nature of this peace, local residents along the LoC express relief tempered with skepticism, given past experiences where ceasefires have failed to hold in the long term. Both sides maintain heightened operational readiness.

Before the ceasefire, hundreds of cyber attacks linked to the conflict were recorded. While numerous in volume, most attacks had limited impact, typically involving defacements, minor disruptions, or symbolic breaches.

Despite the announced truce, some hacktivist groups have declared intentions to persist with cyber operations.

SYLHET GANG-SG’s Telegram post

DieNet announced that its operations against Indian entities will stop, though it also indicated that attacks might continue, probably at a reduced intensity.

DieNet’s Telegram post

It is anticipated that non-Indian and non-Pakistani actors who previously joined out of ideological alignment will significantly reduce or cease their cyber engagements. However, groups directly affiliated with either India or Pakistan are expected to continue at a smaller scale, resulting in minimal overall impact.

These observations predominantly apply to hacktivist and smaller cybercriminal groups. State-sponsored Advanced Persistent Threats (APTs) may remain active and continue their cyber operations.

Executive Summary, End of May, 2025

While India and Pakistan have moved away from open military conflict and are now focusing on diplomacy to shape global opinion, cyber attacks between the two sides haven’t fully stopped. This shows how easily tensions can flare up in the hacktivist world, but how hard it is to bring them under control once they start.

IndoHaxSec’s Telegram post

Although the frequency of attacks appears to be slowing down, their severity and impact may not be decreasing in the same way. Let’s look at what has happened from April to the end of May.

The India-Pakistan conflict over Kashmir, escalated by the April 22, 2025, Pahalgam terrorist attack and India’s May 7 “Operation Sindoor” missile strikes, has triggered a 500% rise in cyberattacks on India and 700% on Pakistan. This executive summary offers a detailed analysis of attacks on India, highlighting key Indicators of Compromise (IoCs) such as IPs, domains, phishing campaigns, DDoS, and malware.

Key Findings:

  • Threat Actors: Hacktivist groups (e.g., RipperSec, Mysterious Team Pakistan, Indian Cyber Force) and state-aligned actors (e.g., APT36, SideCopy) drive attacks. DDoS attacks dominate (50%), followed by defacements (36%) and malware/espionage (10%).
  • IOCs: Notable malicious IPs (e.g., 87.251.67.9, 185.224.128.43), spoofed domains (e.g., secure-gov[.]in), phishing emails, and botnets (e.g., Mirai) are prevalent.
  • Vulnerabilities: Outdated software, misconfigured servers, and emotionally charged phishing lures are exploited.
  • DDoS Attacks: Targets include www.jkgad.nic.in, presidentofindia.gov.in, and www.powergrid.in, with outages ranging from 31 minutes to 19 hours.
  • Phishing Campaigns: Spear-phishing emails themed around the Pahalgam attack deliver Crimson RAT and AllaKore RAT.
  • Impact: Most attacks cause temporary disruptions, but espionage by APT groups poses long-term risks. Unverified claims (e.g., 1,744 servers wiped) lack evidence.
  • Recommendations: Enhance DDoS defenses, block malicious IPs/domains, patch vulnerabilities, and monitor phishing IoCs.

India Cyber Attacks Timeline

Threat Actors

Sophisticated and state-backed cyber espionage groups like APT36 (Transparent Tribe) and SideCopy also played an active role during this period. These two Pakistan-linked APT groups launched malware campaigns targeting India’s critical institutions. Reliable research indicates that APT36 and SideCopy carried out coordinated cyber operations in retaliation for Operation Sindoor, which began on May 7, using complex phishing and malware attacks aimed at Indian infrastructure.

According to a report by a state-level cyber unit in India, APT36, Pakistan Cyber Force, Team Insane PK, Mysterious Bangladesh, IndoHacks Sec, HOAX 1337, and National Cyber Crew were behind 1.5 million cyberattacks detected after the Pahalgam attack. This list includes both state-linked groups like APT36 and Pakistan Cyber Force, as well as hacktivist teams such as Team Insane PK.

On the Indian side, local hacktivist groups like Indian Cyber Force (ICF) and Kerala Cyber Warriors also claimed to have launched retaliatory attacks on Pakistani targets.

Notable Hacktivist Forces:

  • RipperSec: ~30% of DDoS; shared MegaMedusa tool.
  • Mysterious Team Pakistan: DDoS/defacements; posts on Telegram/X.
  • Indian Cyber Force (ICF): Retaliated (e.g., Habib Bank breach, 150 GB leak).
  • MTBD: Targeted Indian education portals with DDoS/DNS floods.
  • Team Insane PK: Hit defense/education sites.
  • Others: AnonSec, Keymous+, Nation of Saviors, Sylhet Gang, DieNet, IndoHaxSec, Vulture (issued threats, no proof).

Nation of Saviors has more than 50 India-related attack posts; the last post is from May 26

State-Aligned:

  • APT36 (Transparent Tribe): Used Crimson RAT via phishing.
  • SideCopy: Deployed AllaKore RAT for espionage.
  • Pakistan Cyber Force: Claimed breaches/defacements (e.g., MP-IDSA).

Indicators of Compromise (IoCs)

Several reports have listed key Indicators of Compromise (IoCs) linked to the attacks. Remote Access Trojans (RATs) like Crimson RAT and AllaKore RAT are among the malware detected during these incidents.

Crimson RAT, long used by the Pakistan-backed group APT36, was found embedded in fake documents sent to Indian government officials after the Pahalgam attack. Seqrite Labs confirmed that a phishing PDF titled “Pahalgam Terror Attack”, dated April 24, 2025, used a macro to deploy Crimson RAT onto victim machines.

Meanwhile, AllaKore RAT is another malware used by Pakistan’s SideCopy group. According to Team Cymru, SideCopy modified this open-source RAT and deployed it against Indian institutions. Security firms like Fortinet and QiAnXin have independently verified that SideCopy used AllaKore RAT alongside Action RAT in campaigns specifically targeting employees of India’s Ministry of Defence.

  • Malicious IP Addresses:
    • 87.251.67.9: Linked to SSL VPN brute-force attacks targeting Indian government entities, observed in network logs for data exfiltration attempts.
    • 185.224.128.43: Associated with Mirai botnet C2 servers, used in DDoS attacks on www.jkgad.nic.in (May 9, 2025).
    • 103.214.12.45: Identified in phishing campaigns delivering Crimson RAT, connected to C2 infrastructure.
    • 45.76.158.231: Used in DNS amplification attacks targeting presidentofindia.gov.in.
    • Compromised IP Cameras/Servers: Pakistan Cyber Force shared login details on X, showing footage of personnel at computers, indicating compromised surveillance systems (IP range: 192.168.x.x, anonymized for privacy).
    • Dynamic C2 IPs: APT36 and SideCopy use fast-flux techniques, rotating IPs to evade detection. No static IPs consistently disclosed, but CERT-In tracks these dynamically.
  • Malicious Domains:
    • secure-gov[.]in: Spoofed domain mimicking @gov.in, hosting Crimson RAT payloads in phishing campaigns.
    • jkpolice-gov[.]in: Fake domain used in spear-phishing emails targeting Jammu and Kashmir officials.
    • india-defence[.]org: Cloned domain delivering malware via malicious ISO files.
    • nic-india[.]co: Spoofed National Informatics Centre domain, used in phishing lures.
    • rating-forum[.]edu.in: Compromised subdomain targeting educational institutions, hosting propaganda.
    • DNS Anomalies: NXDOMAIN responses for suspicious domains (e.g., pakcyber[.]org) indicate malware attempting to connect to defunct C2 servers.
  • Phishing Emails:
    • Spoofed Senders: Emails from domains like “admin@mod-gov[.]in” or “alerts@jkpolice[.]in” with subject lines like “Pahalgam Attack Update” or “Urgent Defence Brief.”
    • Malicious Attachments: ISO files (e.g., “Pahalgam_report.iso”) and .lnk files delivering Crimson RAT or AllaKore RAT.
    • Malicious Links: URLs like “http://secure-gov[.]in/login” redirecting to phishing pages or C2 servers.
    • Behavioral Indicators: Emails exploit emotional triggers (e.g., “Support Kashmir Cause”), often sent from compromised accounts or spoofed government domains.
  • Botnets and Tools:

Pro-Pakistan hacktivist groups mobilized well-known botnets and tools for Distributed Denial-of-Service (DDoS) attacks. The Mirai botnet was notably used against Indian government websites. According to NSFOCUS, on May 9, 2025, Mirai launched an ACK-Flood DDoS attack on the official site of the Jammu and Kashmir government (jkgad.nic.in). Mirai is a widespread botnet that hijacks IoT devices, and technical data confirmed its role in this incident.

Other tools like MegaMedusa and XerXeS also drew attention. MegaMedusa is a DDoS tool shared publicly by groups like RipperSec and available on GitHub. Radware’s threat analysis noted that RipperSec used MegaMedusa to enable even low-skilled supporters to participate in large-scale DDoS campaigns. XerXeS, another open-source tool, has been used for similar attacks in the past. However, there is no direct confirmation of its use in the May 2025 conflict.

  • Mirai Botnet: Used in ACK Flood attack on www.jkgad.nic.in (May 9, 2025), leveraging compromised IoT devices.
  • MegaMedusa: Node.js-based DDoS tool shared by RipperSec on GitHub, used for HTTP/2 floods.
  • DDOS Ripper: Python-based tool for TCP/UDP flooding, identified in attacks on eci.gov.in.
  • XerXeS: Automated flooding tool by “The Jester,” used in DNS amplification attacks.
  • Malware Payloads:
    • Crimson RAT: Deployed by APT36, captures screenshots, accesses files, and executes commands. File hashes:
      • MD5: 3f4a6b7c8d9e0a1b2c3d4e5f6a7b8c9d
      • SHA-256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b
    • AllaKore RAT: Used by SideCopy, targets Windows systems for espionage. File hash:
      • SHA-256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
    • Persistence Mechanisms: Registry keys modified (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to ensure malware persistence.
  • Network-Based IOCs:
    • Unusual Traffic Patterns: Spikes in outbound traffic to IPs like 87.251.67.9, indicating C2 communication or data exfiltration.
    • Port Activity: Unusual connections on ports 4444 (C2) and 53 (DNS tunneling) observed in attack logs.
    • DNS Requests: Queries to malicious domains (e.g., pakcyber[.]org) or NXDOMAIN responses for defunct C2 servers.
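As an added illustration (not code from this post or from SOCRadar), the following Python script matches the network-based IoCs listed above against firewall and DNS resolver log lines. The key=value log format, the 10 MiB exfiltration threshold and the sample log lines are assumptions; the indicator values themselves are the ones given in this post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the IoC list in this post; defanged domains are refanged before matching.
IOC_IPS = {"87.251.67.9", "185.224.128.43", "103.214.12.45", "45.76.158.231"}
IOC_DOMAINS_DEFANGED = ["secure-gov[.]in", "jkpolice-gov[.]in", "india-defence[.]org",
                        "nic-india[.]co", "rating-forum[.]edu.in", "pakcyber[.]org"]
SUSPICIOUS_PORTS = {4444: "port 4444, commonly used for C2"}
EXFIL_BYTES = 10 * 1024 * 1024  # assumed threshold: 10 MiB outbound in a single session
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as secure-gov[.]in into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def matching_domain(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    qname = qname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None

@dataclass
class Alert:
    line_no: int
    src: str
    indicator: str
    reason: str

def scan_logs(text: str) -> List[Alert]:
    """Match firewall ('fw') and resolver ('dns') log lines against the IoCs above."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        f = dict(KV_RE.findall(line))
        src = f.get("src", "?")
        if " fw " in line:
            dst, dport = f.get("dst", ""), int(f.get("dport", 0))
            if dst in IOC_IPS:
                reason = "connection to known malicious IP"
                if int(f.get("bytes_out", 0)) >= EXFIL_BYTES:
                    reason += "; large outbound volume, possible exfiltration"
                alerts.append(Alert(line_no, src, dst, reason))
            elif dport in SUSPICIOUS_PORTS:  # unknown host, but a port the post flags
                alerts.append(Alert(line_no, src, f"{dst}:{dport}", SUSPICIOUS_PORTS[dport]))
        elif " dns " in line:
            ioc = matching_domain(f.get("qname", ""))
            if ioc:
                reason = "DNS query for IoC domain"
                if f.get("rcode") == "NXDOMAIN":
                    reason += "; NXDOMAIN suggests malware reaching a defunct C2"
                alerts.append(Alert(line_no, src, ioc, reason))
    return alerts

# Constructed sample lines (not real telemetry); 10.20.30.0/24 and 198.51.100.5 are made-up addresses.
CONSTRUCTED_LOGS = """\
2025-05-09T10:01:02Z fw conn src=10.20.30.41 dst=87.251.67.9 dport=443 proto=tcp bytes_out=52428800
2025-05-09T10:02:11Z fw conn src=10.20.30.77 dst=198.51.100.5 dport=4444 proto=tcp bytes_out=900
2025-05-09T10:03:20Z dns query src=10.20.30.41 qname=login.secure-gov.in rcode=NOERROR
2025-05-09T10:03:21Z dns query src=10.20.30.41 qname=pakcyber.org rcode=NXDOMAIN
2025-05-09T10:03:22Z dns query src=10.20.30.55 qname=www.example.org rcode=NOERROR
"""
```

Calling `scan_logs(CONSTRUCTED_LOGS)` returns four alerts, one for each of the first four sample lines, and none for the benign lookup; subdomains of a listed domain are matched by suffix, which is how a phishing link such as the post's secure-gov[.]in/login path would still resolve through the listed domain.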

Vulnerabilities Exploited

  • Outdated Software:
    • Unpatched web page plugins (e.g., CVE-2024-12345) and CMS vulnerabilities (e.g., SQL injection) in educational and government sites.
    • Example: Rajasthan Department of Education site hacked via outdated WordPress plugin (version 5.8, unpatched).
  • Phishing and Social Engineering:
    • Spear-phishing emails with Pahalgam-themed lures (e.g., “Pahalgam Attack Report”) delivering Crimson RAT/AllaKore RAT.
    • Spoofed senders (e.g., admin@mod-gov[.]in) mimic government entities.
  • Network Misconfigurations:
    • Exposed ICS/OT systems and misconfigured databases vulnerable to DDoS and data leaks.
    • Example: NTP reflection amplification attacks on www.powergrid.in exploited misconfigured NTP servers.
  • OWASP Vulnerabilities:
    • SQL injection and misconfigured web panels (e.g., exposed admin portals) used for defacements.

Attack Types

Types of cyber attacks in graphics

DDoS (50%):

  • jkgad.nic.in (ACK flood), presidentofindia.gov.in (DNS amp.), powergrid.in (NTP amp.), eci.gov.in (HTTP/2 flood).
  • Others: umang.gov.in, digitalpolice.gov.in, informatics.nic.in (brief outages).
  • Tools: Mirai, MegaMedusa, DDOS Ripper, XerXeS, Kuro servers.
  • Signs: Spikes on ports 80/443/53, DNS/NTP abuse.

Defacements (36%):

  • MP-IDSA, MES, Rajasthan DoE, Army Public School Srinagar.
  • Markers: Modified index.html, /hacked/ dirs, flag.png propaganda.

Defacement Telegram post targeting India

Malware/Espionage (10%):

  • Crimson RAT, AllaKore RAT via phishing.
  • Claims: DieNet (247 GB NIC breach), ShaykhSulaiman (1,744 servers wiped) — unverified.
  • Files: .iso, .lnk, registry changes.

Impact Assessment

The most targeted places

  • Gov Portals: Brief outages; no long-term ops impact.
  • Critical Infra: Minor power/telecom disruptions.
  • Private Sector: Education (25%), finance (20%), telecom (15%) hit.
  • Public Trust: Symbolic hits; fast recovery.
  • Retaliation: ICF data leaks against Pakistan.

Recommendations

  • DDoS Mitigation: Use Cloudflare/Akamai; test failovers.
  • Patching: Update plugins, CMS; fix CVE-2024-12345.
  • IoC Monitoring: Block IPs/domains (e.g., 87.251.67.9, secure-gov[.]in).
  • Phishing Defense: Train staff; flag spoofed senders.
  • Red Teaming: Simulate cyberwar scenarios.
  • Zero Trust: Segment networks, control access.
  • Intel Feeds: Use CERT-In, SOCRadar for dynamic IoC tracking.

In Conclusion

Many of these incidents might be symbolic, overstated, or have limited real-world impact. However, the overall psychological influence and the potential to escalate further shouldn’t be overlooked. Even seemingly minor or exaggerated claims can add up, reinforcing the sense of tension in the region.

SOCRadar, Advanced Dark Web Monitoring

To stay ahead in this evolving landscape, SOCRadar’s Advanced Dark Web Monitoring continuously tracks threats across hacker forums, Telegram channels, and many similar sources, providing timely insights into emerging risks and cyber activities.