
Digital Frontlines: India Under Multi-Nation Hacktivist Attack

Medium
Published: Mon Sep 15 2025 (09/15/2025, 18:48:16 UTC)
Source: AlienVault OTX General

Description

In July-August 2025, India faced a surge of cross-border cyberattacks combining data breaches, DDoS, defacement, phishing, and malware. Pakistani, Bangladeshi, Russian, Indonesian, and likely Chinese actors targeted Indian judicial, defense, and transport systems. High-impact incidents included judicial server breaches, government website disruptions, retaliatory defacements, phishing schemes, and malware campaigns. Indian groups retaliated under 'Operation Vasudev Strike'. The attacks demonstrated the growing scale, sophistication, and multinational nature of hacktivist operations targeting India's digital infrastructure, blending hacktivism and cybercrime to challenge national security and public trust.

AI-Powered Analysis

Last updated: 09/15/2025, 19:21:51 UTC

Technical Analysis

Between July and August 2025, India experienced a coordinated surge of cyberattacks originating from multiple countries including Pakistan, Bangladesh, Russia, Indonesia, and likely China. These attacks targeted critical Indian infrastructure sectors such as judicial systems, defense, and transportation. The threat actors employed a diverse range of tactics including data breaches, distributed denial-of-service (DDoS) attacks, website defacements, phishing campaigns, and malware infections. The malware components referenced include suspicious executables such as smss.exe, sysaid.exe, fshost64.exe, svchost.exe, and manc.exe, which may be masquerading as legitimate Windows processes to evade detection. The attack techniques align with MITRE ATT&CK tactics and techniques such as persistence (T1547), discovery (T1082), command and control (T1071), credential access (T1112), defense evasion (T1027), and execution (T1059), among others. The attackers exploited multiple vectors including phishing (T1566) and exploitation of public-facing applications (T1190). The attacks also involved retaliatory hacktivist actions by Indian groups under the banner 'Operation Vasudev Strike', illustrating the complex geopolitical and hacktivist dynamics at play. Indicators of compromise include multiple malware hashes, IP addresses, and suspicious domains used for command and control or phishing infrastructure. Although no known exploits in the wild or CVE identifiers are associated, the campaign demonstrates a sophisticated, multi-nation hacktivist operation blending cybercrime and political motives to undermine national security and public trust in India’s digital infrastructure.

Potential Impact

For European organizations, the direct impact of this threat is currently limited given the primary targeting of Indian government and critical infrastructure sectors. However, the multinational nature of the attack and the use of globally accessible malware and phishing infrastructure pose indirect risks. European entities with business ties, supply chain dependencies, or digital interconnections with Indian judicial, defense, or transport sectors could face spillover effects such as phishing campaigns or malware infections leveraging similar tactics. Additionally, the use of common malware techniques and infrastructure could be adapted or redirected against European targets in future campaigns. The reputational damage and erosion of trust in digital services due to such large-scale hacktivist operations also resonate globally, potentially influencing European public sector cybersecurity postures. Moreover, European organizations involved in geopolitical intelligence, cybersecurity defense, or diplomatic relations with the affected regions should be vigilant for related threat actor activity and information operations.

Mitigation Recommendations

1. Implement advanced email security solutions with robust phishing detection and sandboxing capabilities to identify and block spear-phishing attempts similar to those used in this campaign.
2. Employ endpoint detection and response (EDR) tools capable of detecting suspicious process masquerading (e.g., smss.exe, svchost.exe variants) and anomalous persistence mechanisms (T1547).
3. Conduct regular threat hunting exercises focusing on the identified malware hashes and network indicators such as suspicious domains and IP addresses linked to the campaign.
4. Harden public-facing applications and services against exploitation (T1190) through timely patching, web application firewalls, and vulnerability scanning.
5. Enforce strict network segmentation and least privilege access controls to limit lateral movement and reduce the impact of potential breaches.
6. Maintain up-to-date threat intelligence feeds to monitor evolving hacktivist tactics and infrastructure, enabling proactive defense.
7. Conduct user awareness training emphasizing recognition of phishing and social engineering tactics employed by hacktivists.
8. Collaborate with national and international cybersecurity agencies to share intelligence and coordinate responses to multinational hacktivist threats.
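Recommendation 2 asks for detection of processes masquerading as Windows system binaries. The following is an added example (not from the advisory or from CYFIRMA/AlienVault) of the three checks an EDR or a hunting script applies: genuine on-disk location, expected parent process, and lookalike names. The process inventory is constructed for the demonstration, and the location/parent profile is a deliberately simplified model (assumption: svchost.exe is only ever started by services.exe).

```python
import difflib
from pathlib import PureWindowsPath

# Simplified profile of where the genuine binaries live and who normally starts them.
# Assumption for this example; real baselines should come from your own golden images.
EXPECTED = {
    "smss.exe":    {"dirs": {r"c:\windows\system32"}, "parents": {"system", "smss.exe"}},
    "svchost.exe": {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
                    "parents": {"services.exe"}},
    "lsass.exe":   {"dirs": {r"c:\windows\system32"}, "parents": {"wininit.exe"}},
}

# Constructed process inventory (not campaign data). In practice this would be an
# EDR export or the output of a process listing with image path and parent name.
SAMPLE_PROCESSES = [
    {"pid": 4,    "name": "System",      "path": "",                                 "parent": ""},
    {"pid": 372,  "name": "smss.exe",    "path": r"C:\Windows\System32\smss.exe",    "parent": "System"},
    {"pid": 904,  "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 5120, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",     "parent": "explorer.exe"},
    {"pid": 5188, "name": "smss.exe",    "path": r"C:\Windows\System32\smss.exe",    "parent": "winword.exe"},
    {"pid": 5212, "name": "svch0st.exe", "path": r"C:\ProgramData\svch0st.exe",      "parent": "cmd.exe"},
]


def find_masquerades(processes):
    """Return [(pid, name, reason)] for processes that break the expected profile."""
    findings = []
    for p in processes:
        name = p["name"].lower()
        rule = EXPECTED.get(name)
        if rule is None:
            # Lookalike spellings (svch0st.exe, scvhost.exe) are a masquerade on their own.
            near = difflib.get_close_matches(name, EXPECTED, n=1, cutoff=0.8)
            if near:
                findings.append((p["pid"], name, f"name resembles {near[0]}"))
            continue
        directory = str(PureWindowsPath(p["path"]).parent).lower()
        if directory not in rule["dirs"]:
            # Right name, wrong location: the classic drop-in masquerade.
            findings.append((p["pid"], name, f"unexpected path {p['path']}"))
        elif p["parent"].lower() not in rule["parents"]:
            # Right binary, wrong parent: worth a look for hollowing or a bogus launcher.
            findings.append((p["pid"], name, f"unexpected parent {p['parent']}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_masquerades(SAMPLE_PROCESSES):
        print(f"pid {pid:<6} {name:<14} {reason}")
```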


Technical Details

Author: AlienVault
TLP: white
References: https://www.cyfirma.com/research/digital-frontlines-india-under-multi-nation-hacktivist-attack
Adversary: null
Pulse Id: 68c85f705a536cbddb028faa
Threat Score: null

Indicators of Compromise


IP: 202.189.10.112


Threat ID: 68c866e12e2c3e5d6abeedd9

Added to database: 9/15/2025, 7:20:01 PM

Last enriched: 9/15/2025, 7:21:51 PM

Last updated: 9/17/2025, 1:55:56 AM
