A wave of hacktivist claims of attacks against Indian digital infrastructure has raised alarm in recent weeks, with over 100 purported breaches across government, education and critical sectors amid geopolitical tensions between India and Pakistan.
However, a new investigation by CloudSEK suggests that the real damage is minimal, with many assertions either exaggerated or entirely fabricated.
The most prominent hacktivist groups, including Nation Of Saviors, KAL EGY 319 and SYLHET GANG-SG, among others, claimed to have compromised high-profile targets, including the Election Commission of India and the Prime Minister’s Office.
Yet CloudSEK analysts found that these disruptions were largely symbolic. Defaced websites were typically restored within minutes, leaked data turned out to be public or recycled, and Distributed Denial of Service (DDoS) attacks caused negligible downtime.
What Hacktivists Claimed vs What Happened
Despite claims that 247 GB of sensitive government data had been exfiltrated from India’s National Informatics Centre, the leaked “proof” amounted to just 1.5 GB of public media files. Similarly, data allegedly stolen from the Andhra Pradesh High Court consisted mostly of case metadata already available online. Other claimed attacks, including breaches of the Indian Army and the Election Commission, were exposed as either outdated or outright fabricated.
According to CloudSEK, much of the hype around the supposed breaches has been fueled by Pakistan-linked accounts on X (formerly Twitter). These include P@kistanCyberForce and CyberLegendX, which amplify unverified claims and tie them to ongoing operations such as Operation Sindoor and Bunyan Al Marsous.
Despite their visibility, most claims remain unsupported by any credible evidence of system compromise or disruption.
APT36: The Real Threat Behind the Curtain
Meanwhile, a reportedly more serious cyber threat to India is gaining momentum behind the noise. The advanced persistent threat group APT36, known for its affiliation with Pakistan, has launched a sophisticated phishing campaign to infiltrate Indian government and defense networks.
Following the April 2025 Pahalgam terror attack in Indian-administered Kashmir, APT36 used emotionally charged lures to deliver Crimson RAT malware through phishing emails disguised as government briefings in PowerPoint or PDF format. These malicious documents directed users to spoofed domains resembling official Indian websites, tricking victims into handing over credentials or executing malware.
Crimson RAT is a remote access Trojan used to take remote control of infected systems and steal data.
In the recent APT36 campaign, once installed, Crimson RAT connected to a command-and-control server, allowing remote attackers to exfiltrate files, capture screenshots and execute over 20 different commands on infected systems. Its stealth, persistence and targeting of defense networks mark it as a high-risk espionage tool.
“Once the malware has collected sensitive data, such as screenshots, files or system information, it sends this data back to the C2 server for further analysis by the attackers,” CloudSEK said. “This process is designed to be discreet, minimizing the chances of detection by security software.”
As India continues to monitor hacktivist activity, the need for vigilance against more covert and capable actors like APT36 is clear.