An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India’s public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.
Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as Transparent Tribe.
The fraudulent website mimicking India Post is named “postindia[.]site.” Users who land on the site from Windows systems are prompted to download a PDF document, whereas those visiting from an Android device are served a malicious application package (“indiapost.apk”) file.
“When accessed from a desktop, the site delivers a malicious PDF file containing ‘ClickFix’ tactics,” CYFIRMA said. “The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it – potentially compromising the system.”
An analysis of the EXIF data associated with the dropped PDF shows that it was created on October 23, 2024, by an author named “PMYLS,” a likely reference to Pakistan’s Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later on November 20, 2024.
The PowerShell code is designed to download a next-stage payload from a remote server (“88.222.245[.]211”) that’s currently inactive.
On the other hand, when the same site is visited from an Android device, it urges users to install their mobile app for a “better experience.” The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.
“The Android app changes its icon to mimic a non-suspicious Google Accounts icon to conceal its activity, making it difficult for the user to locate and uninstall the app when they want to remove it,” the company said. “The app also has a feature to force users to accept permissions if they are denied in the first instance.”
The malicious app is also designed to run in the background continuously even after a device restart, while explicitly seeking permissions to ignore battery optimization.
“ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild,” CYFIRMA said. “This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such methods.”
