APT36-Linked ClickFix Campaign Spoofs Indian Ministry of Defence, Targets Windows & Linux Users
ID: 0b1b7569-9e76-5ebb-b146-e52b0676c79d
STIX ID: report--0b1b7569-9e76-5ebb-b146-e52b0676c79d
Feed Name: Hunt.io Blog
This report details a ClickFix-style campaign that spoofs India's Ministry of Defence to distribute cross-platform malware via clipboard-based commands. Linux flows download a shell script (mapeal.sh), while Windows flows use mshta/HTA to launch an obfuscated .NET loader that contacts 185.117.90.212. Infrastructure includes domains such as email.gov.in.drdosurvey.info and trade4wealth.in; the observed IOCs and staging patterns are consistent with prior APT36 activity (assessed with medium confidence).
