A Phishing Campaign Targeting Indian Government Entities
A sophisticated phishing campaign, likely attributed to Pakistan-linked APT36 (Transparent Tribe), is targeting Indian defense organizations and government entities using spoofed domains. The attackers employ advanced social engineering techniques, including real-time OTP harvesting, to bypass multi-factor authentication and gain access to official email accounts. The campaign uses typo-squatted domains mimicking government platforms to steal credentials. Infrastructure analysis reveals connections to Pakistani IPs and possible staging via Zah Computers. The threat actors create a false sense of legitimacy by referencing trusted authorities and secure communication flows. This coordinated approach highlights the severity of the threat and the attackers' strategic intent, potentially posing significant risks to national security.
AI Analysis
Technical Summary
This threat describes a sophisticated phishing campaign attributed to the Pakistan-linked advanced persistent threat (APT) group APT36, also known as Transparent Tribe. The campaign specifically targets Indian government and defense organizations by leveraging typo-squatted domains that closely mimic legitimate Indian government platforms. These spoofed domains are used to deceive victims into divulging sensitive credentials. A notable technique employed by the attackers is real-time harvesting of one-time passwords (OTPs), which allows them to bypass multi-factor authentication (MFA) protections that are typically considered robust. The attackers use advanced social engineering tactics, including creating a false sense of legitimacy by referencing trusted authorities and mimicking secure communication flows, to increase the likelihood of victim engagement. Infrastructure analysis links the campaign to Pakistani IP addresses and possible staging through Zah Computers, indicating a well-resourced and strategically motivated adversary. The campaign's use of credential harvesting combined with MFA bypass techniques significantly increases the risk of unauthorized access to official email accounts and sensitive government communications. The campaign is ongoing as of the latest published date (August 2025) and is considered medium severity due to its targeted nature and potential impact on national security. Indicators of compromise include specific IP addresses (169.148.144.250, 37.221.64.202) and domains (virtualeoffice.cloud, mgovcloud.in) associated with the phishing infrastructure. The campaign employs multiple MITRE ATT&CK techniques such as T1566.001 (Spearphishing), T1113 (Screen Capture), and T1083 (File and Directory Discovery), highlighting a multi-faceted approach to reconnaissance, credential theft, and persistence.
Potential Impact
For European organizations, the direct impact of this campaign is limited given its targeting of Indian government entities. However, the techniques demonstrated, especially real-time OTP harvesting to bypass MFA, represent a significant evolution in phishing tactics that could be adopted globally, including in Europe. European government agencies and defense contractors should be aware that similar threat actors or copycat campaigns could emerge targeting their sectors. The compromise of official email accounts in India could also have indirect geopolitical and intelligence implications affecting European diplomatic and security interests. Additionally, the use of typo-squatted domains and sophisticated social engineering underscores the need for heightened vigilance in email security and user awareness training across European public sector organizations. The campaign also highlights the risk posed by nation-state actors leveraging regional conflicts to conduct cyber espionage and credential theft, which could escalate tensions and impact the European cybersecurity posture.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting and blocking typo-squatted domains and spearphishing attempts, including heuristic and AI-based detection methods.
2. Deploy real-time monitoring and alerting for suspicious login attempts, especially those involving MFA bypass indicators such as rapid OTP submission failures or unusual geographic login patterns.
3. Conduct targeted user awareness training focusing on recognizing sophisticated phishing tactics, including the risks of OTP sharing and verifying domain authenticity.
4. Enforce strict Domain-based Message Authentication, Reporting, and Conformance (DMARC), SPF, and DKIM policies to reduce email spoofing risks.
5. Utilize threat intelligence feeds to block known malicious IPs and domains associated with this campaign and similar threat actors.
6. Employ multi-layered authentication methods beyond OTPs, such as hardware security keys (FIDO2/WebAuthn) that are resistant to real-time interception.
7. Regularly audit and restrict permissions on email accounts and critical systems to minimize lateral movement potential if credentials are compromised.
8. Collaborate with national cybersecurity agencies to share intelligence and coordinate responses to nation-state phishing campaigns.
9. Implement anomaly detection on email traffic to identify unusual communication patterns that may indicate compromise or data exfiltration.
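Recommendations 1, 2 and 5 above describe detections rather than products, so here is a worked example of what they look like as code. It is an added example written for this page, not code from the report, its source or any vendor. It takes the two IPs and two domains the page lists as indicators, scans constructed proxy-log lines for them and for lookalike (typo- or combo-squatted) hostnames, and scans constructed authentication-log lines for bursts of failed OTP submissions. The log formats, the `LEGIT_HOSTS` allow-list, the `BRAND_LABELS` set and all user names are assumptions made for the example and would be replaced with an organisation's own values.

```python
"""Added example for the mitigation list: IoC matching, lookalike-domain
classification and OTP-failure burst detection over constructed log lines.
Not from the original report; log formats and the organisation's own
hostnames below are placeholders."""
import re
from collections import deque
from datetime import datetime, timezone

# Indicators exactly as listed on the page.
IOC_IPS = {"169.148.144.250", "37.221.64.202"}
IOC_DOMAINS = {"virtualeoffice.cloud", "mgovcloud.in"}

# Constructed stand-ins for the portals an organisation legitimately runs and
# the brand labels those portals are built on; replace with the real ones.
LEGIT_HOSTS = {"eoffice.example.gov.in", "mail.example.gov.in"}
BRAND_LABELS = {"eoffice", "mgov"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'virtualeoffice' for virtualeoffice.cloud.
    Naive split without a public-suffix list; enough for this check."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(host: str):
    """None for a host that looks fine, otherwise why it is suspicious."""
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return None
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc-domain"
    label = registrable_label(host)
    for brand in BRAND_LABELS:
        if brand in label:                      # brand embedded in a longer label
            return "brand-reuse" if label == brand else "combosquat"
        if levenshtein(label, brand) <= 1:      # one character off the brand
            return "typosquat"
    return None


# Constructed proxy log: "<ts> user=<u> dst=<host> ip=<egress/dst ip>".
PROXY_LOG = """\
2025-08-04T09:01:10Z user=alice dst=eoffice.example.gov.in ip=203.0.113.10
2025-08-04T09:02:31Z user=bob dst=virtualeoffice.cloud ip=37.221.64.202
2025-08-04T09:03:05Z user=carol dst=e0ffice.com ip=198.51.100.7
2025-08-04T09:04:44Z user=dave dst=secure-mgov.net ip=203.0.113.44
2025-08-04T09:05:12Z user=eve dst=docs.example.org ip=203.0.113.45
"""
PROXY_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) ip=(?P<ip>\S+)")


def scan_proxy_log(text: str):
    """Return (user, dst, [reasons]) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        reasons = []
        reason = classify_domain(m["dst"])
        if reason:
            reasons.append(reason)
        if m["ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((m["user"], m["dst"], reasons))
    return hits


# Constructed authentication log: "<ts> user=<u> event=otp_fail|otp_ok".
AUTH_LOG = """\
2025-08-04T09:10:00Z user=erin event=otp_fail
2025-08-04T09:10:07Z user=erin event=otp_fail
2025-08-04T09:10:13Z user=erin event=otp_fail
2025-08-04T09:10:20Z user=erin event=otp_ok
2025-08-04T09:20:00Z user=frank event=otp_fail
2025-08-04T09:22:30Z user=frank event=otp_fail
2025-08-04T09:25:00Z user=frank event=otp_ok
"""
AUTH_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")


def otp_failure_bursts(text: str, threshold: int = 3, window_s: int = 60):
    """Users with at least `threshold` otp_fail events inside any `window_s` seconds:
    a relay that forwards guessed or expired codes produces exactly this shape."""
    recent: dict[str, deque] = {}
    flagged = set()
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["event"] != "otp_fail":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        q = recent.setdefault(m["user"], deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["user"])
    return sorted(flagged)


if __name__ == "__main__":
    for user, dst, reasons in scan_proxy_log(PROXY_LOG):
        print(f"proxy: {user} -> {dst}: {', '.join(reasons)}")
    for user in otp_failure_bursts(AUTH_LOG):
        print(f"auth: OTP failure burst for {user}")
```

Run as-is it flags bob (listed domain and listed IP), carol (one-character typo of a brand label), dave (brand label embedded in a longer label) and erin (three OTP failures in 13 seconds), and leaves the legitimate portal, the unrelated site and frank's slow failures alone. The lookalike rules are deliberately simple; a production version would use a public-suffix list for `registrable_label` and tune the edit-distance threshold against the organisation's own traffic.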
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Poland
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cyfirma.com/research/apt36-a-phishing-campaign-targeting-indian-government-entities
- Adversary: APT36
- Pulse Id: 688ee51bb5b7140ca24755fa
- Threat Score: null
Indicators of Compromise
IP
Value | Description
---|---
169.148.144.250 | —
37.221.64.202 | CC=MD ASN=AS200019 alexhost srl
Domain
Value | Description
---|---
virtualeoffice.cloud | —
mgovcloud.in | —
Threat ID: 6890772bad5a09ad00df9c02
Added to database: 8/4/2025, 9:02:35 AM
Last enriched: 8/4/2025, 9:18:02 AM
Last updated: 8/5/2025, 12:32:36 AM