Hacktivist Attacks on India Overstated Amid APT36 Espionage Threat


A wave of hacktivist claims of attacks against Indian digital infrastructure has sparked alarm in recent weeks, with over 100 purported breaches across government, educational and critical sectors amid geopolitical tensions between India and Pakistan. 

However, a new investigation by CloudSEK suggests that the real damage is minimal, with many assertions either exaggerated or entirely fabricated.

The most notable hacktivist groups, including Nation Of Saviors, KAL EGY 319 and SYLHET GANG-SG, among others, claimed to have compromised prominent targets, including the Election Commission of India and the Prime Minister’s Office.

Yet CloudSEK analysts found that these disruptions were largely symbolic. Defaced websites were often restored within minutes, leaked data turned out to be public or recycled, and Distributed Denial of Service (DDoS) attacks caused negligible downtime.

What Hacktivists Claimed vs What Happened

Despite claims of 247 GB of sensitive government data being exfiltrated from India’s National Informatics Centre, the leaked “proof” amounted to just 1.5 GB of public media files. Similarly, data allegedly stolen from the Andhra Pradesh High Court consisted mostly of case metadata already available online. Other claimed attacks, including breaches of the Indian Army and Election Commission, were exposed as either outdated or outright fabricated.


According to CloudSEK, much of the hype around the supposed breaches has been fueled by Pakistan-linked accounts on X (formerly Twitter). These include P@kistanCyberForce and CyberLegendX, which amplify unverified claims and link them to ongoing operations like Operation Sindoor and Bunyan Al Marsous.

Despite their visibility, most claims remain unsupported by any credible evidence of system compromise or disruption.

APT36: The Real Threat Behind the Curtain

Meanwhile, a reportedly more serious cyber threat to India is gaining momentum behind the noise. The advanced persistent threat group APT36, known for its affiliation with Pakistan, has launched a sophisticated phishing campaign to infiltrate Indian government and defense networks.

Following the April 2025 Pahalgam terror attack in Indian-administered Kashmir, APT36 leveraged emotionally charged lures to deliver Crimson RAT malware through phishing emails disguised as government briefings in PowerPoint or PDF formats. These malicious documents directed users to spoofed domains resembling official Indian websites, tricking victims into handing over credentials or executing malware.

Crimson RAT is a remote access Trojan used to take remote control of infected systems and steal data.

In the recent APT36 campaign, once installed, Crimson RAT connected to a command server, allowing remote attackers to exfiltrate files, capture screenshots and execute over 20 different commands on infected systems. Its stealth, persistence and targeting of defense networks mark it as a high-risk espionage tool.

“Once the malware has collected sensitive data, such as screenshots, files or system information, it sends this data back to the C2 server for further analysis by the attackers,” CloudSEK said. “This process is designed to be discreet, minimizing the chances of detection by security software.”

As India continues to monitor hacktivist activity, the need for vigilance against more covert and capable actors like APT36 is clear.
