Assessment of Hacktivist Threats to India in Context of APT36 Espionage Activities


A recent surge in reported hacktivist attacks against India’s digital infrastructure has raised concerns, with claims of over 100 breaches across various sectors, including government and education. These incidents coincide with heightened geopolitical tensions between India and Pakistan. However, an investigation by CloudSEK indicates that the extent of the actual damage is greatly overstated, with many claims either significantly exaggerated or entirely fabricated.

Prominent hacktivist groups such as Nation Of Saviors, KAL EGY 319, and SYLHET GANG-SG have alleged that they successfully targeted high-profile organizations including the Election Commission of India and the Prime Minister’s Office. Yet, analysts from CloudSEK found that most reported disruptions were largely symbolic in nature. Many defaced websites were restored within minutes, claims of leaked data frequently involved public information or recycled content, and Distributed Denial of Service (DDoS) attacks resulted in minimal downtime.

Claims vs. Reality

One major assertion included the exfiltration of 247 GB of sensitive data from India’s National Informatics Centre. However, the actual leaked content turned out to be just 1.5 GB of public media files. Allegations of data theft from the Andhra Pradesh High Court mainly involved case metadata that was already publicly accessible online. Other claimed breaches, such as those involving the Indian Army and the Election Commission, were discredited as either outdated or entirely untrue.

CloudSEK notes that much of the sensationalism surrounding these breaches has been amplified by accounts linked to Pakistan on X (formerly Twitter), including handles like P@kistanCyberForce and CyberLegendX. These accounts propagate unverified claims and associate them with ongoing operations like Operation Sindoor and Bunyan Al Marsous. Despite their prominent visibility, many of these claims lack credible evidence indicating actual system compromises or disruptions.

APT36: The Genuine Threat

In contrast to the exaggerated hacktivist reports, a more substantial cyber threat is surfacing. The advanced persistent threat group APT36, known for its connections to Pakistan, has initiated a sophisticated phishing campaign aimed at infiltrating Indian government and defense networks.

Following the Pahalgam terror attack in Indian-administered Kashmir in April 2025, APT36 has been utilizing emotionally charged lures to disseminate Crimson RAT malware through phishing emails disguised as official government briefings in PowerPoint or PDF formats. These malicious documents direct users to spoofed domains that closely resemble legitimate Indian government websites, enticing victims into divulging credentials or executing malware.
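The spoofed-domain step above is where a mail gateway or SOC analyst gets a cheap early check: compare every hostname extracted from a suspicious document against an allowlist of the real domains the lure imitates. The script below is an added illustration written for this page, not CloudSEK's tooling or anything recovered from the APT36 campaign. The allowlist, the public-suffix table and every sample URL are assumptions constructed for the example; none of the look-alike names shown are claimed to be real attacker infrastructure.

```python
"""Look-alike domain triage for URLs found in suspected phishing lures.

Added example for this article (not CloudSEK's code). Classifies a URL's
registrable domain as legitimate, a look-alike of an allowlisted domain,
or unknown, using three heuristics: homoglyph normalisation, an
allowlisted domain embedded as a subdomain of another name, and small
edit distance (typosquatting).
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist of legitimate domains that official briefings would link to.
LEGIT_DOMAINS = {"nic.in", "eci.gov.in", "mod.gov.in"}

# Multi-label public suffixes under which the registrable name is three labels long.
PUBLIC_SUFFIXES = {"gov.in", "co.in", "ac.in"}

# Digit/letter substitutions commonly seen in look-alike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(host: str) -> str:
    """Return the registrable part of a hostname (e.g. www.eci.gov.in -> eci.gov.in)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])


def normalize(domain: str) -> str:
    """Strip accents and fold common homoglyphs so m0d.gov.in compares as mod.gov.in."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Label a URL by how its host relates to the allowlisted domains."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    norm = normalize(reg)
    if norm in {normalize(d) for d in LEGIT_DOMAINS}:
        return "lookalike:homoglyph"          # only a glyph swap away from a real name
    if any(d in host for d in LEGIT_DOMAINS):
        return "lookalike:embedded"           # real name used as a subdomain of another
    if min(levenshtein(norm, normalize(d)) for d in LEGIT_DOMAINS) <= 2:
        return "lookalike:typosquat"          # within two edits of a real name
    return "unknown"


def triage(urls):
    """Classify a batch of URLs, e.g. all links extracted from one attachment."""
    return {u: classify(u) for u in urls}


# Constructed sample links (not real indicators) as they might be pulled from a lure.
SAMPLE_URLS = [
    "https://www.nic.in/",
    "http://ecl.gov.in/login",
    "https://m0d.gov.in/briefing.pptx",
    "https://eci.gov.in.secure-briefing.example/doc.pdf",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:22} {url}")
```

Two caveats for anyone adapting this: the homoglyph table will also "correct" legitimate names that genuinely contain digits, so keep the allowlist comparison on the raw string first as done here; and an edit-distance threshold of 2 is generous for very short domains, so tune it per allowlist entry rather than globally in production.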

Crimson RAT is a remote access Trojan that gives attackers control of infected systems and a channel for stealing sensitive data. In the latest APT36 campaign, once installed it connects to a command-and-control server, allowing remote operators to extract files, capture screenshots, and execute over 20 different commands on the compromised systems. Its stealth and persistence, combined with the focus on defense networks, make it a high-risk espionage tool.

CloudSEK emphasizes that once the malware gathers sensitive information, including screenshots and system files, it transmits this data back to the command server for further analysis by the attackers. This meticulous process is engineered to operate discreetly, significantly reducing the likelihood of detection by security software.

As India continues to monitor the evolving landscape of hacktivist activity, the urgency for enhanced vigilance against more insidious and capable threat actors like APT36 becomes increasingly apparent.