A sophisticated threat group with ties to Pakistan, known as an advanced persistent threat (APT) group, has been linked to the development of a counterfeit website impersonating India’s public sector postal system. This campaign is designed to compromise both Windows and Android users in the country.
CYFIRMA, a cybersecurity company, has attributed this campaign to a threat actor known as APT36, also referred to as Transparent Tribe, with medium confidence.
The fake website, named “postindia[.]site,” serves different purposes depending on the device used to access it. When visited from a Windows system, users are prompted to download a PDF document. In contrast, those accessing the site from an Android device are presented with a malicious application package (“indiapost.apk”) file.
According to CYFIRMA, when accessed from a desktop, the site delivers a malicious PDF file that employs ‘ClickFix‘ tactics. The document instructs users to press the Win + R keys, paste a provided PowerShell command into the Run dialog, and execute it, which could potentially compromise the system.
An examination of the EXIF data associated with the dropped PDF reveals that it was created on October 23, 2024, by an author named “PMYLS,” likely referring to Pakistan’s Prime Minister Youth Laptop Scheme. The domain impersonating India Post was registered about a month later, on November 20, 2024.
The PowerShell code is designed to download a next-stage payload from a remote server (“88.222.245[.]211”) that is currently inactive.
On the other hand, when the same site is visited from an Android device, it prompts users to install their mobile app for a “better experience.” The app, once installed, requests extensive permissions that allow it to harvest and exfiltrate sensitive data, including contact lists, current location, and files from external storage.
“The Android app disguises itself by changing its icon to mimic a non-suspicious Google Accounts icon, making it difficult for the user to locate and uninstall the app when they want to remove it,” the company noted. “Furthermore, the app has a feature to force users to accept permissions if they are denied initially.”
The malicious app is also designed to run continuously in the background, even after a device restart, and explicitly seeks permissions to ignore battery optimization.
According to CYFIRMA, “ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild. This emerging tactic poses a significant threat as it can target both unsuspecting and tech-savvy users who may not be familiar with such methods.”
