A sophisticated phishing campaign orchestrated by Pakistan-linked threat actors has been discovered targeting Indian government entities by impersonating the National Informatics Centre’s email services.
The operation, attributed to APT36, also known as TransparentTribe, leverages social engineering tactics to compromise sensitive government infrastructure through deceptive email communications designed to appear as legitimate NIC eEmail Services correspondence.
The campaign employs carefully crafted phishing lures that mimic official government communication channels, exploiting the trust associated with NIC’s established email infrastructure.
By masquerading as authentic government correspondence, the threat actors aim to trick officials into divulging credentials or downloading malicious payloads.
This targeting strategy demonstrates the group’s deep understanding of Indian government communication protocols and their continued focus on intelligence gathering operations against Indian administrative and defense sectors.
Cyber Team analysts identified the malicious infrastructure supporting this campaign, uncovering a network of fraudulent domains and command-and-control servers designed to facilitate credential harvesting and data exfiltration.
Pakistan's #APT36 / #TransparentTribe Targeting Indian Govt. with theme "NIC eEmail Services"
Infra:
accounts.mgovcloud[.]in.departmentofdefence[.]live
departmentofdefence[.]live
81.180.93[.]5 — [Stealth Server C2 on port 8080]
45.141.59[.]168
@500mk500 #APT #Malware #ioc
— Cyber Team (@Cyberteam008), October 16, 2025
The operation represents a continuation of APT36’s long-standing espionage activities against Indian government targets, reflecting the group’s persistent interest in compromising sensitive governmental communications.
Infrastructure and Technical Indicators
The attack infrastructure reveals a multi-layered command-and-control framework centered around the fraudulent domain accounts.mgovcloud[.]in.departmentofdefence[.]live, which closely mimics legitimate government cloud services.
The primary malicious domain departmentofdefence[.]live serves as the foundation for the phishing operation, while IP address 81.180.93[.]5 operates as a stealth server with C2 functionality accessible on port 8080.
Additional infrastructure includes IP 45.141.59[.]168, providing redundancy and resilience to the adversary’s command-and-control network.
This sophisticated setup enables the threat actors to maintain persistent access while evading detection through a distributed infrastructure that complicates attribution and takedown efforts.
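As an added defensive example (not code from the article or from Cyber Team), the Python below matches constructed proxy-log lines against the indicators quoted above and also flags the general pattern behind accounts.mgovcloud[.]in.departmentofdefence[.]live: a trusted apex domain appearing as inner labels of a different registered domain. The trusted-domain watchlist, the log line format and the sample lines are assumptions.

```python
import re

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

# Indicators as published in the article, refanged for matching.
IOC_DOMAINS = {refang(d) for d in ("accounts.mgovcloud[.]in.departmentofdefence[.]live",
                                   "departmentofdefence[.]live")}
IOC_IPS = {refang(i) for i in ("81.180.93[.]5", "45.141.59[.]168")}
C2_PORT = 8080  # port reported for the stealth C2 on 81.180.93[.]5
# Assumption: mgovcloud.in is the legitimate service the lookalike imitates.
TRUSTED_APEX = {"mgovcloud.in"}

def registered_domain(host: str) -> str:
    # Naive apex = last two labels (fine for .in/.live); production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def classify_host(host: str):
    """Return a reason if the host is suspicious, else None."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "known-ioc-domain"
    # Trusted apex present as inner labels but not the real registered domain:
    # the accounts.mgovcloud.in.departmentofdefence.live trick, generalised.
    for trusted in TRUSTED_APEX:
        if f".{trusted}." in f".{host}." and registered_domain(host) != trusted:
            return "lookalike-subdomain"
    return None

# Constructed proxy-log format: "... dst=<ip>:<port> host=<fqdn>".
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+host=(?P<host>\S+)")

def scan_log(lines):
    """Return [(line_number, [reasons])] for lines that hit an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = [r for r in (classify_host(m["host"]),) if r]
        if m["ip"] in IOC_IPS:
            reasons.append("known-ioc-ip" + ("-c2-port" if int(m["port"]) == C2_PORT else ""))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log lines (not real traffic); RFC 5737 addresses for benign hosts.
SAMPLE_LOG = [
    "2025-10-16T09:12:01Z src=10.0.5.12 dst=203.0.113.10:443 host=accounts.mgovcloud.in",
    "2025-10-16T09:13:44Z src=10.0.5.12 dst=81.180.93.5:8080 host=accounts.mgovcloud.in.departmentofdefence.live",
    "2025-10-16T09:15:09Z src=10.0.7.3 dst=198.51.100.7:443 host=login.mgovcloud.in.example-portal.net",
    "2025-10-16T09:20:30Z src=10.0.7.3 dst=45.141.59.168:443 host=cdn.example.org",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4 only; the genuine accounts.mgovcloud.in request on line 1 is left alone because its registered domain matches the trusted apex.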
The post Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as ‘NIC eEmail Services’ appeared first on Cyber Security News.