// 01 Executive summary

APT36 (TransparentTribe) is actively targeting Indian government, defence, and aerospace sectors through spear-phishing campaigns mimicking NICeMail services. These campaigns aim to steal credentials or to deliver payloads via malicious ISO/ZIP archives and links. Organizations must immediately enhance email security, implement advanced threat detection for suspicious attachments and links, and conduct user awareness training against credential phishing. Monitor for fraudulent domains, C2 activity that leverages web services such as Google Drive and Telegram, and the presence of new Golang espionage tools or Python-based stealers, to prevent data exfiltration and unauthorized access.

// 02 Key metrics

  • ttps: 7 ATT&CK techniques
  • iocs: 33 indicators
  • actors: 1 threat group
  • kwords: 10 keywords

// 03 MITRE ATT&CK

// 04 Threat actors

// 05 Indicators of compromise

// ips (3)

  • 5.189.145.248
  • 81.180.93.5
  • 45.141.59.168

// domains (22)


// urls (8)


// sha256 (0)

none

// md5 (0)

none

// emails (0)

none

// cves (0)

none

// 06 Geographic coverage

// 07 YARA rule

// Failed to generate YARA rule

// 08 Keywords

  • file: 14.751
  • files: 10.3865
  • exe: 7.1869
  • malicious: 6.9487
  • com: 6.845
  • hxxps: 6.4084
  • data: 6.0066
  • sh: 5.9224
  • threat: 5.9184
  • windows: 5.5552

// 09 Attack chain

// 10 Technical mitigations
