Proofpoint's threat research team, in collaboration with Threatray, has analyzed several of the campaigns observed between October 2024 and April 2025 and attributed to TA397, one of the most powerful cyberespionage groups collecting information on foreign policy and matters of current interest for India's intelligence services.
The group uses a wide variety of email accounts in its operations, including compromised accounts belonging to the governments of Pakistan, Bangladesh and Madagascar. It has also impersonated entities of the Chinese government, the Ministry of Foreign Affairs of the Republic of Korea and the Foreign Affairs Office in Beijing, to name a few.
TA397 has a long history of attacks against entities in South Asia, particularly governments, diplomatic entities and defense organizations. Like other espionage-focused groups, TA397 usually operates in the fields of politics, diplomacy, trade, investment and defense. One campaign, for example, took advantage of the South Korean president's declaration of martial law in December 2024, using topical content that the recipient would plausibly expect to see in their inbox.
How TA397 operates
Most of TA397's activity consisted of simple plain-text emails in which the group posed as a legitimate government organization, carrying a malicious attachment or a malicious link, which shows a general lack of phishing maturity compared with many other state-backed groups.
Even so, spearphishing emails remain TA397's preferred technique for initial access (as with other groups that rely on identity theft), and the group shows a certain degree of flexibility in how it evolves. As a sign of this, in late 2024, shortly after its use of alternate data streams on NTFS file systems, Proofpoint observed TA397 using Microsoft Search Connector (MSC) files, which let users connect to data stored in web services or remote storage locations. This was a new tactic for the group, used to drop and execute LNK files on the infected machine and to create scheduled tasks.
Proofpoint's investigation indicates that TA397 operators responded to these running scheduled tasks with manual commands, issuing one that enumerated the target machine and sent a POST request with information about the infected host. TA397 also refrains from deploying next-stage payloads based on the system information reported from the infected machine. The threat researchers believe that the computer name and the data sent to the staging domain by the scheduled tasks are likely subjected to some form of prior filtering.
“TA397 may lack advanced capabilities, but the group is very active and executes frequent and consistent campaigns. Although it has a proven methodology, it can experiment with new infection chains to avoid detection or exploit vulnerabilities,” indicate Proofpoint's threat researchers. “Even so, TA397's initial access vector is spearphishing by email, the breadth of malware payloads observed in the group is significant, and its targeting criteria reveal the highly specific nature of its cyberespionage.”
The scheduled tasks created by TA397, the PHP URL patterns, the inclusion of the computer name and the victim's username in the beacon, and the Let's Encrypt certificates on the attackers' servers together provide a high-confidence fingerprint for detecting the group's activity. Its operators take advantage of their good knowledge of the legitimate affairs and usual practices of the governments of the targeted countries.
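The fingerprint described above (a beacon to a PHP endpoint that carries the victim's own computer name and username, plus a scheduled task whose action launches a LNK file) can be turned into a simple detection over proxy and task-registration logs. The script below is an added illustration, not code from Proofpoint, Threatray or the report; all log records in it are constructed, and the exact placement of the hostname and username in the URL (query string or path) is an assumption, since the article does not give the URL pattern.

```python
"""Detection sketch for the TA397 fingerprint described in the article:
a PHP endpoint beacon carrying the client's computer name and username,
and a scheduled task whose action launches a .lnk file.
Every record below is constructed for illustration; none is from the report."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy records: (computer name, username, requested URL)
PROXY_RECORDS = [
    ("DESKTOP-A1B2C3", "jdoe", "https://example-cdn.invalid/assets/site.css"),
    ("DESKTOP-A1B2C3", "jdoe", "https://staging.invalid/c/up.php?h=DESKTOP-A1B2C3&u=jdoe"),
    ("WS-FINANCE-07", "msmith", "https://api.invalid/v1/report.php?id=4412"),
    ("WS-FINANCE-07", "msmith", "https://staging.invalid/WS-FINANCE-07/msmith/index.php"),
]


def is_suspicious_beacon(computer, user, url):
    """True when the request targets a .php endpoint and the URL contains the
    requesting host's own computer name and username (case-insensitive), in
    either the path or a query-string value.
    Assumption: the beacon embeds these values literally in the URL."""
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(".php"):
        return False
    haystack = parsed.path.lower()
    for values in parse_qs(parsed.query).values():
        haystack += " " + " ".join(v.lower() for v in values)
    return computer.lower() in haystack and user.lower() in haystack


# Constructed scheduled-task registrations: (task name, command, arguments)
TASK_EVENTS = [
    ("EdgeUpdateTask", r"C:\Program Files\Edge\update.exe", "/silent"),
    ("DefenderUpd", r"C:\Users\jdoe\AppData\Local\Temp\update.lnk", ""),
    ("OneDriveSync", "cmd.exe", r'/c start "" "%TEMP%\sync.lnk"'),
]

LNK_RE = re.compile(r"\.lnk\b", re.IGNORECASE)


def is_suspicious_task(name, command, arguments):
    """True when the task action launches a .lnk file, either directly as the
    command or indirectly through an interpreter's arguments."""
    return bool(LNK_RE.search(command) or LNK_RE.search(arguments))


def find_hits():
    """Return (flagged beacon URLs, flagged task names) for the sample data."""
    beacons = [url for c, u, url in PROXY_RECORDS if is_suspicious_beacon(c, u, url)]
    tasks = [n for n, cmd, args in TASK_EVENTS if is_suspicious_task(n, cmd, args)]
    return beacons, tasks


if __name__ == "__main__":
    hits_beacons, hits_tasks = find_hits()
    for url in hits_beacons:
        print("suspicious beacon:", url)
    for name in hits_tasks:
        print("suspicious scheduled task:", name)
```

The beacon check deliberately requires both values, because a hostname alone shows up in plenty of legitimate telemetry; very short usernames will still produce false positives and should be paired with the other indicators the article lists (the scheduled-task pattern and Let's Encrypt certificates on the contacted server).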
There is also a tooling overlap with other known malicious groups, Mysterious Elephant/APT-K-47 and Confucius, which suggests that TA397 is part of an ecosystem in which India-backed threat actors exchange tools. However, more research is needed to determine whether these groups operate with development resources internal or external to the organizations to which they belong.