{"id":7851,"date":"2025-10-22T10:00:29","date_gmt":"2025-10-22T10:00:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/22\/pakistani-threat-actors-targeting-indian-govt-with-email-mimic-as-nic-eemail-services\/"},"modified":"2025-10-22T10:00:29","modified_gmt":"2025-10-22T10:00:29","slug":"pakistani-threat-actors-targeting-indian-govt-with-email-mimic-as-nic-eemail-services","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/22\/pakistani-threat-actors-targeting-indian-govt-with-email-mimic-as-nic-eemail-services\/","title":{"rendered":"Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as \u2018NIC eEmail Services\u2019"},"content":{"rendered":"<div>\n<p>A sophisticated phishing campaign orchestrated by Pakistan-linked threat actors has been discovered targeting Indian government entities by impersonating the National Informatics Centre\u2019s email services.<\/p>\n<p>The operation, attributed to APT36, also known as TransparentTribe, leverages social engineering tactics to compromise sensitive government infrastructure through deceptive email communications designed to appear as legitimate NIC eEmail Services correspondence.<\/p>\n<p>The campaign employs carefully crafted <a href=\"https:\/\/cybersecuritynews.com\/threats-actors-deliver-rhadamanthys-stealer\/\">phishing lures<\/a> that mimic official government communication channels, exploiting the trust associated with NIC\u2019s established email infrastructure.<\/p>\n<p>By masquerading as authentic government correspondence, the threat actors aim to trick officials into divulging credentials or downloading malicious payloads.<\/p>\n<p>This targeting strategy demonstrates the group\u2019s deep understanding of Indian government 
communication protocols and their continued focus on intelligence gathering operations against Indian administrative and defense sectors.<\/p>\n<p>Cyber Team analysts <a href=\"https:\/\/x.com\/Cyberteam008\/status\/1978823152118407431\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> the malicious infrastructure supporting this campaign, uncovering a network of fraudulent domains and command-and-control servers designed to facilitate credential harvesting and data exfiltration.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Pakistan&#8217;s <a href=\"https:\/\/twitter.com\/hashtag\/APT36?src=hash&amp;ref_src=twsrc%5Etfw\">#APT36<\/a> \/ <a href=\"https:\/\/twitter.com\/hashtag\/TransparentTribe?src=hash&amp;ref_src=twsrc%5Etfw\">#TransparentTribe<\/a> Targeting Indian Govt. 
with theme &#8220;NIC eEmail Services&#8221;<\/p>\n<p>Infra:<br \/>accounts.mgovcloud[.]in.departmentofdefence[.]live<br \/>departmentofdefence[.]live<br \/>81.180.93[.]5 \u2014 [Stealth Server C2 on port 8080]<br \/>45.141.59[.]168<a href=\"https:\/\/twitter.com\/500mk500?ref_src=twsrc%5Etfw\">@500mk500<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/APT?src=hash&amp;ref_src=twsrc%5Etfw\">#APT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\">#Malware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ioc?src=hash&amp;ref_src=twsrc%5Etfw\">#ioc<\/a> <a href=\"https:\/\/t.co\/Hn1KmVJ67o\">pic.twitter.com\/Hn1KmVJ67o<\/a><\/p>\n<p>\u2014 Cyber Team (@Cyberteam008) <a href=\"https:\/\/twitter.com\/Cyberteam008\/status\/1978823152118407431?ref_src=twsrc%5Etfw\">October 16, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<p>The operation represents a continuation of APT36\u2019s long-standing <a href=\"https:\/\/cybersecuritynews.com\/redcurl-corporate-espionage-hackers-uses-advanced-tactics\/\" target=\"_blank\" rel=\"noreferrer noopener\">espionage activities<\/a> against Indian government targets, reflecting the group\u2019s persistent interest in compromising sensitive governmental communications.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-infrastructure-and-technical-indicators\"><strong>Infrastructure and Technical Indicators<\/strong><\/h2>\n<p>The attack infrastructure reveals a multi-layered command-and-control framework centered around the <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-registered-26k-domains-mimic-brands\/\" target=\"_blank\" rel=\"noreferrer noopener\">fraudulent domain<\/a> accounts.mgovcloud[.]in.departmentofdefence[.]live, which closely mimics legitimate government cloud services.<\/p>\n<p>The primary malicious domain departmentofdefence[.]live serves as the foundation for the 
phishing operation, while IP address 81.180.93[.]5 operates as a stealth server with C2 functionality accessible on port 8080.<\/p>\n<p>Additional infrastructure includes IP 45.141.59[.]168, providing redundancy and resilience to the adversary\u2019s command-and-control network.<\/p>\n<p>This sophisticated setup enables the threat actors to maintain persistent access while evading detection through a distributed infrastructure that complicates attribution and takedown efforts.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/pakistani-threat-actors-targeting-indian-govt\/\">Pakistani Threat Actors Targeting Indian Govt. 
With Email Mimic as \u2018NIC eEmail Services\u2019<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as \u2018NIC eEmail Services\u2019 A sophisticated phishing campaign orchestrated by Pakistan-linked threat actors has been discovered targeting Indian government entities by impersonating the National Informatics Centre\u2019s email services. The operation, attributed to APT36, also known as TransparentTribe, leverages social engineering tactics to compromise sensitive government infrastructure [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-7851","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7851"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7851"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7851\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/
index.php\/wp-json\/wp\/v2\/media?parent=7851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}