
APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

Severity: Medium
Published: Tue May 06 2025 (05/06/2025, 19:41:33 UTC)
Source: AlienVault OTX General

Description

A recent campaign attributed to APT36 has been observed spoofing India's Ministry of Defence to deliver cross-platform malware. The attackers used a ClickFix-style infection chain, mimicking government press releases and leveraging a compromised .in domain for payload staging. The campaign targeted both Windows and Linux users, employing clipboard-based execution techniques. On Windows, the attack utilized mshta.exe to execute a heavily obfuscated HTA file, while on Linux, it attempted to execute a shell script. The tradecraft observed, including government-themed lures, HTA-based delivery, and decoy documents, aligns with known APT36 tactics. This activity demonstrates the continued evolution of ClickFix techniques in new contexts.

AI-Powered Analysis

Last updated: 07/07/2025, 17:10:02 UTC

Technical Analysis

This threat campaign, attributed to the Advanced Persistent Threat group APT36, employs a ClickFix-style attack chain targeting both Windows and Linux platforms. The attackers spoof India's Ministry of Defence by mimicking official government press releases and leveraging compromised Indian (.in) domains for hosting malicious payloads. The infection vector relies heavily on social engineering and spoofing tactics to lure victims into executing malware.

On Windows systems, the attack uses mshta.exe to run a heavily obfuscated HTML Application (HTA) file; because mshta.exe is a legitimate, signed Windows utility that interprets script content, this lets the attackers run malicious code without dropping a conventional executable that traditional executable-based detection would catch. On Linux systems, the campaign attempts to execute shell scripts, indicating cross-platform targeting capabilities. The attackers utilize clipboard-based execution techniques, in which the victim is induced to paste and run clipboard contents that the lure page has placed there. The campaign also uses decoy documents to distract or mislead victims while the malware executes in the background.

The observed tactics align with known APT36 tradecraft, including the use of government-themed lures, obfuscation, and multi-stage infection chains. The domains involved (e.g., avtzyu.store, drdosurvey.info, trade4wealth.in) are used for payload staging and command and control (C2) communication.

The attack techniques correspond to MITRE ATT&CK techniques such as T1059 (Command and Scripting Interpreter), T1547 (Boot or Logon Autostart Execution), T1071 (Application Layer Protocol), T1036 (Masquerading), T1021 (Remote Services), T1083 (File and Directory Discovery), T1102 (Web Service), T1218.005 (Mshta), T1204 (User Execution), T1059.001 (PowerShell), T1566 (Phishing), T1059.004 (Unix Shell), T1027 (Obfuscated Files or Information), T1518 (Software Discovery), and T1105 (Ingress Tool Transfer).

This campaign demonstrates the evolution of ClickFix techniques beyond traditional Windows environments into cross-platform attacks, increasing the complexity and potential reach of the threat.

Potential Impact

For European organizations, the direct targeting of Indian government entities might suggest a lower immediate risk; however, the cross-platform nature of this campaign and the use of compromised domains could enable spillover infections or secondary targeting. European organizations with business ties to India, or those using similar Windows and Linux environments, could be at risk from phishing campaigns mimicking government or defense-related communications. The clipboard-based execution and use of mshta.exe pose risks of stealthy malware execution that can bypass some endpoint protections. If successful, the malware could compromise confidentiality by exfiltrating sensitive data, impact integrity by modifying or injecting malicious code, and affect availability by deploying additional payloads or backdoors. The use of obfuscated scripts and multi-stage infection chains complicates detection and response efforts. Additionally, the campaign’s use of compromised domains and masquerading techniques could facilitate lateral movement or persistence within networks. European defense contractors, government agencies, and organizations involved in Indo-European collaborations or supply chains may face increased risk due to the strategic importance of defense-related information. The campaign’s medium severity rating reflects the moderate complexity and targeted nature of the attack, but the evolving tactics and cross-platform capabilities warrant vigilance.

Mitigation Recommendations

1. Implement strict email filtering and phishing detection mechanisms that specifically look for spoofed government domains and unusual domain patterns, including hostnames that embed a government zone as a subdomain of a compromised or attacker-registered domain (e.g., email.gov.in.avtzyu.store).
2. Deploy endpoint detection and response (EDR) solutions capable of monitoring and blocking mshta.exe executions, especially those invoking obfuscated or remotely hosted HTA files.
3. Enforce application whitelisting policies to restrict execution of unauthorized scripts on both Windows and Linux systems, and of HTA files on Windows.
4. Monitor clipboard activity for suspicious command injections or unusual clipboard content changes, using behavioral analytics where possible.
5. Conduct targeted user awareness training focusing on recognizing government-themed phishing lures and social engineering tactics, emphasizing the risks of executing attachments, links, or pasted commands from unexpected sources.
6. Regularly audit and restrict the use of scripting interpreters such as PowerShell, mshta.exe, and Unix shells, applying the principle of least privilege.
7. Monitor network traffic for connections to known malicious domains (e.g., avtzyu.store, drdosurvey.info) and block or investigate such communications.
8. Maintain up-to-date threat intelligence feeds to detect emerging APT36 indicators and update detection signatures accordingly.
9. Implement multi-factor authentication (MFA) and robust access controls to limit lateral movement if an initial compromise occurs.
10. Conduct regular incident response drills simulating similar attack vectors to improve detection and containment capabilities.
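An added example (not part of the OTX pulse or the hunt.io report) that implements recommendations 1 and 7 as a log check: it scans constructed proxy log lines and flags destinations whose hostname embeds the gov.in zone as inner labels (the email.gov.in.avtzyu.store pattern from the indicators) and destinations whose registrable domain matches one of the report's indicator domains. The log line format and the two-label registrable-domain heuristic are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample proxy log lines for this example; not taken from the report.
SAMPLE_LOG = """\
2025-05-06T10:01:12Z host=ws-17 dst=email.gov.in.avtzyu.store action=allow
2025-05-06T10:01:13Z host=ws-17 dst=email.gov.in.drdosurvey.info action=allow
2025-05-06T10:02:40Z host=ws-22 dst=mod.gov.in action=allow
2025-05-06T10:04:51Z host=ws-31 dst=trade4wealth.in action=allow
2025-05-06T10:05:00Z host=ws-31 dst=updates.example.com action=allow
"""

# Indicator domains listed in the report's IoC section.
KNOWN_BAD = {"avtzyu.store", "drdosurvey.info", "trade4wealth.in"}

# Zones the lures impersonate; a genuine hostname must END with one of these.
PROTECTED_ZONES = ("gov.in",)

DST_RE = re.compile(r"\bdst=([A-Za-z0-9.-]+)")


def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname (assumed heuristic; no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(hostname: str) -> str:
    """Return 'spoofed_gov', 'known_bad', or 'ok' for one destination hostname."""
    host = hostname.lower().rstrip(".")
    dotted = "." + host  # leading dot so a zone at the very start still matches
    for zone in PROTECTED_ZONES:
        if host == zone or host.endswith("." + zone):
            return "ok"  # genuine host inside the protected zone
        if ("." + zone + ".") in dotted:
            return "spoofed_gov"  # zone appears as inner labels of another domain
    if registrable_domain(host) in KNOWN_BAD:
        return "known_bad"
    return "ok"


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (hostname, verdict) for every flagged destination in the log."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if m and (verdict := classify(m.group(1))) != "ok":
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:12s} {host}")
```

The spoofed-zone check catches hostnames built on infrastructure not yet on any indicator list, while the indicator match covers the domains already published.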


Technical Details

Author: AlienVault
TLP: white
References: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
Adversary: APT36
Pulse ID: 681a65ede3e45431290ce415
Threat Score: null

Indicators of Compromise

Hash (SHA-256)

7087e5f768acaad83550e6b1b9696477089d2797e8f6e3f9a9d69c77177d030e

Domain

avtzyu.store
drdosurvey.info
trade4wealth.in
email.gov.in.avtzyu.store
email.gov.in.drdosurvey.info

Threat ID: 6841ec57182aa0cae2ed1ee7

Added to database: 6/5/2025, 7:13:27 PM

Last enriched: 7/7/2025, 5:10:02 PM

Last updated: 7/25/2025, 10:48:54 PM
