
A Pakistan-linked cyber-espionage group has mounted a wave of intrusions targeting a wide range of Indian institutions, striking ministries, defence contractors, critical infrastructure, and diplomatic missions.
New Delhi: A Pakistan-linked cyber-espionage group known as Transparent Tribe, or APT36, has mounted a fresh wave of intrusions against a wide range of Indian institutions, striking ministries, defence contractors, critical infrastructure, and diplomatic missions abroad.
The campaign, uncovered by multiple cybersecurity firms including CYFIRMA, CloudSEK, and Hunt.io, has been active through July and August 2025 and is described as one of the most expansive operations attributed to the group in recent years.
Investigators say the victims this time were not confined to defence alone but spanned central government ministries and departments where officials rely on the Bharat Operating System Solutions (BOSS) Linux platform, the Ministry of Defence and its aerospace and missile-linked contractors, the Ministry of External Affairs, Indian diplomatic posts overseas, and key sectors such as the railways and oil and gas operators.
Individual government employees who depend on Kavach, the mandatory two-factor authentication system that protects official accounts and emails, were also specifically targeted.
The attacks began with carefully crafted phishing emails that appeared to be internal meeting invitations or communications from senior offices. The attachments looked like harmless PDF documents but were in fact laced with malware.
Once opened, the files quietly installed malicious software while simultaneously displaying a genuine-looking decoy document to the recipient, ensuring that suspicion was not raised. The technique is not new, but what marks this campaign as different is its adaptation for both Windows and BOSS Linux, demonstrating the attackers’ determination to breach Indian systems regardless of the operating environment.
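The attachment trick described above, a file that presents itself as a PDF but carries an executable payload for Windows or Linux, is something a mail gateway or endpoint team can screen for by comparing what a file claims to be with what it actually contains. The following Python is an added example and is not code from the article or from any of the firms it cites; the sample filenames and byte strings are constructed for illustration, and the extension and magic-byte lists are my own assumptions rather than indicators taken from this campaign.

```python
import os

# File signatures ("magic bytes") for the content types we care about.
# These are my own short list, not indicators from the campaign.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "windows-pe",      # Windows executable / DLL
    b"\x7fELF": "elf",        # Linux executable
    b"PK\x03\x04": "zip",     # archive, may wrap a payload
}

# Final extensions that launch code when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".ps1", ".sh", ".desktop", ".run"}


def sniff(content: bytes) -> str:
    """Classify content by its leading bytes rather than by its name."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    if content.lstrip().startswith(b"[Desktop Entry]"):
        return "desktop-entry"     # Linux launcher file, runs its Exec= line
    if content.startswith(b"#!"):
        return "script"            # shebang script
    return "unknown"


def assess_attachment(filename: str, content: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    name = os.path.basename(filename).lower()
    exts = ["." + p for p in name.split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    kind = sniff(content)

    # "report.pdf.exe": the visible name suggests a PDF, the real extension does not.
    if len(exts) >= 2 and ".pdf" in exts[:-1]:
        findings.append(f"double extension: displays as PDF but ends in {final_ext}")

    # Name says PDF, bytes say otherwise (e.g. an ELF binary renamed to .pdf).
    if final_ext == ".pdf" and kind != "pdf":
        findings.append(f"extension/content mismatch: .pdf name but {kind} content")

    # Anything that would execute on open, regardless of how it is named.
    if final_ext in EXECUTABLE_EXTS or kind in ("windows-pe", "elf", "desktop-entry", "script"):
        findings.append(f"executable payload ({kind}, final extension {final_ext or 'none'})")

    return findings


# Constructed sample attachments: (filename, leading bytes of content).
SAMPLES = [
    ("Meeting_Agenda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),          # genuine PDF
    ("Meeting_Agenda_v2.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),       # PE with double extension
    ("Circular_Aug2025.pdf", b"\x7fELF\x02\x01\x01\x00"),               # ELF binary named as PDF
    ("Invite.pdf.desktop", b"[Desktop Entry]\nType=Application\nExec=/tmp/x\n"),  # Linux launcher
]


def triage(samples=SAMPLES) -> dict[str, list[str]]:
    """Run the checks over a batch and keep only attachments with findings."""
    results = {}
    for filename, content in samples:
        findings = assess_attachment(filename, content)
        if findings:
            results[filename] = findings
    return results


if __name__ == "__main__":
    for filename, findings in triage().items():
        print(filename)
        for f in findings:
            print("   -", f)
```

The check is deliberately cheap so it can run inline on a mail gateway: it reads only the first few bytes and the name, and it flags the two things the campaign relied on, a PDF-looking name on a non-PDF payload and a trailing extension that launches code on either operating system. A display-name-only check (what the user sees) would miss both.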
Once installed on a machine, the malware let the attackers steal files, harvest login credentials, monitor user activity, and maintain persistence across reboots.
Researchers have linked the operation to the Poseidon backdoor, a tool previously used by the Transparent Tribe to give long-term access inside government and defence networks.
Poseidon is designed to perform system reconnaissance, exfiltrate sensitive data, and in some cases facilitate movement into other parts of a network. Analysts also found the malware contained anti-detection features intended to frustrate investigation by security teams.
In parallel to these malware-based intrusions, Transparent Tribe continued its longstanding focus on Kavach, India’s two-factor authentication system.
Officials were lured to fake login pages designed to mimic the Kavach portal. By entering their email IDs, passwords, and one-time security codes, victims unknowingly handed attackers full access to secure accounts. This method, first observed in 2022, has been used repeatedly and remains an active part of the group’s playbook in 2025.
The group has been linked to campaigns against Indian military and government bodies for nearly a decade, but this operation demonstrates a widening net. By embedding itself across ministries, defence and aerospace programs, external affairs, transport, and energy networks, the group is not only collecting intelligence but also positioning itself inside critical services that underpin national security.
Transparent Tribe (also tracked as APT36, Mythic Leopard, Earth Karkaddan, and ProjectM) is a long-running, Pakistan-aligned cyber-espionage group active since around 2013, consistently assessed to operate in support of Islamabad’s strategic interests. Its hallmark campaigns focus on India, especially government ministries, armed forces, diplomatic missions, defence-linked academia, and think-tanks, with occasional spillover into Afghanistan. The group is known for planting malware families on Windows- and Android-based systems with the aim of intelligence collection against Indian political, defence, and diplomatic targets, making it one of the most persistent Pakistan-based advanced persistent threats tracked in South Asia.