Pakistan-backed APT36 hackers used the Pahalgam
Just days after the April 22 Pahalgam terror attack, hackers linked to Pakistan’s APT36 launched a phishing campaign targeting Indian government and defence officials. The attackers used fake websites and terror-themed documents to deliver the Crimson RAT malware and steal credentials, as revealed by Seqrite Labs.
Fake govt sites, real RATs, and a disturbing pattern
These sites didn’t just stop at stealing credentials. Some of the files were PowerPoint attachments carrying .ppam macros that quietly downloaded the Crimson RAT — a remote access trojan that can take screenshots, access files, execute commands, and maintain stealthy control of infected machines.
Seqrite’s team spotted the malware disguised as an image file called WEISTT.jpg, which actually launched an executable named jnmxrvt hcsm.exe. The report said all three versions of this RAT were compiled just one day before the actual terror strike.
The phishing emails came wrapped in official-looking files titled things like “Action Points & Response by Govt Regarding Pahalgam Terror Attack”. On clicking, victims were led to fake websites like jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, which closely mimicked real domains of the Jammu & Kashmir Police.
Spoofed defence domains to trick officials
The hackers didn’t stop at one fake site. A whole cluster of spoofed domains appeared within days of the terror attack, including:
iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
email[.]gov[.]in[.]departmentofdefence[.]de
indianarmy[.]nic[.]in[.]departmentofdefence[.]de
All were hosted on infrastructure tied to hosting providers with poor reputations, such as Alexhost Srl, IP Connect Inc, and Shinjiru Technology. Piggybacking on geopolitical incidents and national tragedies is a known tactic of APT36, a group also tracked under the name Transparent Tribe.
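The spoofed hostnames above share one trick: the real government domain (jkpolice.gov.in, iaf.nic.in, and so on) sits at the front of the name, while the part that actually controls DNS resolution is the attacker-registered suffix (kashmirattack.exposed, departmentofdefence.de). The following detection helper is an added example, not code from the article or from Seqrite Labs; the trusted-domain list and the sample inputs are constructed from the domains named on this page.

```python
"""Flag hostnames that embed a trusted domain as a leading subdomain prefix.

Users read a hostname left to right, but DNS authority runs right to left:
only the rightmost labels decide who answers for the name. A hostname such
as jkpolice.gov.in.kashmirattack.exposed is owned by whoever registered
kashmirattack.exposed, not by the Jammu & Kashmir Police.
"""
from urllib.parse import urlsplit

# Constructed watch-list built from the legitimate domains impersonated
# in this campaign. Labels are compared exactly, label by label.
TRUSTED_DOMAINS = (
    "jkpolice.gov.in",
    "iaf.nic.in",
    "email.gov.in",
    "indianarmy.nic.in",
)


def refang(text: str) -> str:
    """Turn defanged notation such as 'a[.]b' back into 'a.b' for analysis."""
    return text.replace("[.]", ".").lower().rstrip(".")


def hostname_of(url_or_host: str) -> str:
    """Accept a bare hostname or a full URL; return the lowercase hostname."""
    text = refang(url_or_host)
    if "://" not in text:
        text = "http://" + text  # let urlsplit parse a bare host consistently
    return (urlsplit(text).hostname or "").rstrip(".")


def classify(url_or_host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'legitimate', 'spoofed' or 'unrelated' for one host or URL.

    legitimate: the hostname is a trusted domain or a true subdomain of one,
                i.e. the trusted labels are the *last* labels of the name.
    spoofed:    the trusted labels appear contiguously inside the name but do
                not end it, so a different, attacker-chosen suffix has authority.
    """
    labels = hostname_of(url_or_host).split(".")
    # Check genuine ownership first so a real gov.in host that happens to
    # mention another trusted name in a subdomain is not misflagged.
    for domain in trusted:
        tl = domain.split(".")
        if labels[-len(tl):] == tl:
            return "legitimate"
    for domain in trusted:
        tl = domain.split(".")
        n = len(tl)
        # Only windows that stop before the final label can be spoofs.
        if any(labels[i:i + n] == tl for i in range(len(labels) - n)):
            return "spoofed"
    return "unrelated"
```

Feeding proxy or DNS logs through `classify` surfaces this pattern even when the attacker rotates the registered suffix, because the match is on the trusted prefix rather than on a blocklist of known bad domains.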
‘Espionage is the motive’
“This group has a pattern. They wait for a moment when everyone is distracted, hit with emotional bait, and sneak into systems that matter,” Seqrite Labs wrote in its detailed advisory. The goal is not quick cash but long-term access: surveillance, stolen passwords, and snooping on sensitive data.
And this isn’t new. APT36 has a history of using themes like the Kashmir conflict or military skirmishes to lure high-value Indian targets. But the speed of this campaign, within 48 hours of the Pahalgam attack, shows how fast cyber espionage adapts to physical-world events.