When Indian forces launched Operation Sindoor, a series of targeted strikes against terrorist infrastructure across the border, in May this year, Indian cyber networks began to flicker with unusual activity. Government servers, defence communications and even civilian systems were hit by a wave of phishing emails and malware attacks.

A recent research paper from the Indian Institute of Technology, Bombay, titled ‘Cyber warfare during Operation Sindoor: Malware campaign analysis and detection framework’, provides the first detailed reconstruction of those cyber attacks. Authored by Prakhar Paliwal, Atul Kabra and Manjesh Kumar Hanawal, the study documents how Pakistan-based ‘advanced persistent threat’ (APT) groups launched targeted cyber intrusions in parallel with the physical conflict, marking one of the most sophisticated instances of hybrid warfare in South Asia.

The masterminds

The attacks were traced to APT36, also known as Transparent Tribe, a Pakistan-based cyber espionage group that has been active since 2013. Believed to operate in alignment with Pakistani State interests, APT36 has a long history of targeting Indian military, diplomatic and government networks.

It typically relies on spear-phishing, using malicious Office documents and fake domains to lure victims into opening infected attachments.

During Operation Sindoor, the group’s tactics were similar, but marked by unprecedented precision and timing.

According to the IIT-Bombay study, the digital offensive began even before the first military strike. Spear-phishing emails disguised as official communication were sent to Indian officials, carrying attachments that appeared to be legitimate reports on the Pahalgam terrorist attack.

One file, titled “Action Points & Response by Govt Regarding Pahalgam Terror Attack.pdf”, looked routine but, when opened, unleashed a ‘remote access Trojan’ (RAT), a malicious program known as Crimson RAT.

Once activated, the malware gave the attackers full remote control of the system. It could record keystrokes, capture screens, copy files, steal credentials and send them to command servers located in Russia, Germany and Indonesia. The payload was hidden in a fake directory named 0ffice360-48, mimicking Microsoft Office file structures to avoid suspicion.

The researchers found that the malware was compiled on April 21, a day before the Pahalgam attack, suggesting advance coordination between the terror operation and the cyber campaign. This, they write, “strengthens claims that the Pahalgam attacks were planned and controlled from Pakistani soil”.

Tracking the malware

To understand how the cyber attack unfolded, the IIT-Bombay team recreated it in a controlled, isolated environment. Using Osquery, an open-source endpoint telemetry system, they monitored every process, file and network event triggered by the malware.

Osquery treats a computer’s operating system like a database, allowing analysts to query system events in real time: for example, which process created a file, which program opened a network port or which command sequence was executed.

By correlating data across three event types (process, file and socket), the researchers reconstructed the full infection chain:

1. The malicious PowerPoint add-in (.ppam) was opened.

2. It created a hidden image file (WEISTE.jpg), which was quietly renamed and executed as jnmxrvt hcsm.exe, the Crimson RAT.

3. Within 90 seconds, the system began connecting to known command-and-control (C2) servers.

This timeline, the study notes, illustrates the “precision and speed of APT36’s operations”, which leveraged trusted Microsoft binaries to hide malicious actions, a tactic known as “living off the land”.

Defence rulebook

Beyond reconstructing the attack, the researchers developed a detection framework that organisations can deploy for early warning. Using Osquery’s SQL-like interface, they wrote a query rule that flags Crimson RAT behaviour, including suspicious file renames, process chains and outbound connections to known malicious IPs.

The rule, the authors note, can be integrated into existing endpoint detection and response (EDR) or extended detection and response (XDR) systems. This ready-to-use cybersecurity tool could prove particularly valuable for Indian enterprises seeking open, adaptable defence technologies.

The study also underscores the strategic dimension of cyber warfare. During Operation Sindoor, more than 35 hacktivist groups claimed attacks under banners such as #OpIndia and #OperationSindoor, targeting Indian government and public sector websites. The episode highlights the need to treat cyber defence as critical infrastructure. Tools like Osquery could form the basis of indigenous AI-driven detection frameworks. Equally, there is a need for forensic visibility, the ability to see what is happening inside every process, file and port in real time.

As the authors conclude, modern conflict now spans “code, command and cognition”. For policymakers and business leaders alike, the lesson is clear: cyber readiness is not an adjunct to defence; it is defence.

Published on November 3, 2025
