
A Cyber Offensive Rooted in Geopolitical Flashpoints
Operation Sindoor, India’s military counterterrorism response to the April 22 Pahalgam attack, sparked an intense cyber onslaught. Between April 17 and May 10, 2025, Seqrite Labs — the threat intelligence wing of Quick Heal — uncovered over 650 coordinated cyber incidents. The digital campaign paralleled India’s precision military strikes in Pakistan-administered Kashmir, suggesting that cyber warfare is now a strategic arm of geopolitical conflict.
APT36’s Return with a More Dangerous Payload
The offensive was spearheaded by APT36, a Pakistan-aligned group known for cyber-espionage against Indian defense and government entities. Their tools of choice included an evolved malware, Ares RAT, a successor to Crimson RAT. It allowed complete remote access — enabling credential theft, file manipulation, and command execution.
Spear-phishing campaigns using files like Final_List_of_OGWs.xlam and Preventive_Measures_Sindoor.ppam were among the earliest signs. These decoy documents mimicked government advisories, preying on national anxiety post-Pahalgam. Triggered macros in these files connected infected systems to a known C2 server — IP 167.86.97[.]58:17854 — without detection.
Deception at Scale: Fake Domains and Weaponized Files
APT36 used spoofed domains like nationaldefensecollege[.]com and zohidsindia[.]com, closely resembling legitimate Indian entities. These were instrumental in bypassing email security systems. Malware spread through formats like .ppam, .xlam, .lnk, .msi, and .xlsb, which, when activated, launched obfuscated PowerShell scripts and web queries linked to domains such as fogomyart[.]com.
VPS infrastructure in Russia, Germany, Indonesia, and Singapore further masked the attackers’ origins, complicating attribution efforts.
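A defender-side check for the indicators quoted above, added here as an example and not part of Seqrite's report or its tooling: it refangs the published IoCs and runs them over a few constructed log lines (mail gateway, DNS and firewall entries in a simplified one-line format assumed for the example), flagging connections to the C2 address, lookups of the spoofed domains or their subdomains, and attachments in the abused add-in formats.

```python
import re
from collections import namedtuple
# Indicators quoted in the report, kept defanged ("[.]") exactly as published;
# refang() turns them back into matchable strings at scan time.
C2_ENDPOINT = "167.86.97[.]58:17854"
SPOOFED_DOMAINS = ["nationaldefensecollege[.]com", "zohidsindia[.]com", "fogomyart[.]com"]
# Office add-in, shortcut and installer formats the report names as carriers.
RISKY_EXTENSIONS = (".ppam", ".xlam", ".lnk", ".msi", ".xlsb")
Finding = namedtuple("Finding", "line_no rule detail")

def refang(indicator):
    # '167.86.97[.]58' -> '167.86.97.58', so the published IoC can be matched.
    return indicator.replace("[.]", ".")

def domain_pattern(domain):
    # Matches the domain or any subdomain of it, but not e.g. 'notzohidsindia.com'.
    return re.compile(r"(?<![a-z0-9.-])([a-z0-9-]+\.)*" + re.escape(domain) + r"(?![a-z0-9-])")

def scan_logs(lines):
    """Return one Finding per (line, indicator) match, in log order."""
    c2_host, c2_port = refang(C2_ENDPOINT).split(":")
    c2_pattern = re.compile(r"(?<![\d.])" + re.escape(c2_host) + r":(\d+)")
    domain_patterns = [(refang(d), domain_pattern(refang(d))) for d in SPOOFED_DOMAINS]
    findings = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        # Rule 1: any connection to the C2 address; note whether it used the report's port.
        m = c2_pattern.search(line)
        if m:
            note = "report port" if m.group(1) == c2_port else "other port"
            findings.append(Finding(no, "c2_connection", f"{c2_host}:{m.group(1)} ({note})"))
        # Rule 2: DNS query, URL or sender address involving a spoofed domain.
        for name, pat in domain_patterns:
            if pat.search(low):
                findings.append(Finding(no, "spoofed_domain", name))
        # Rule 3: mail gateway saw an attachment in one of the abused formats.
        if "attachment=" in low:
            attachment = (low.split("attachment=", 1)[1].split() or [""])[0]
            if attachment.endswith(RISKY_EXTENSIONS):
                findings.append(Finding(no, "risky_attachment", attachment))
    return findings

# Constructed sample log lines (not real telemetry), in a simplified one-line format.
SAMPLE_LOGS = [
    "2025-05-08T10:01:02Z mailgw from=advisory@nationaldefensecollege.com attachment=Final_List_of_OGWs.xlam",
    "2025-05-08T10:01:40Z dns query=cdn.fogomyart.com type=A",
    "2025-05-08T10:02:11Z fw allow tcp 10.0.4.21:51234 -> 167.86.97.58:17854",
    "2025-05-08T10:02:15Z fw allow tcp 10.0.4.21:51235 -> 167.86.97.58:443",
    "2025-05-08T10:03:00Z mailgw from=hr@example.org attachment=timesheet.xlsx",
]
```

Connections to the C2 host on a port other than the published one are still reported, since an infrastructure match matters more than the port; the benign last line produces no finding.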
Hacktivist Coordination via Telegram
APT36 didn’t act alone. Parallel to its operations, hacktivist collectives—operating under hashtags like #OpIndia and #OperationSindoor—launched defacements, DDoS attacks, and data leaks. They targeted critical Indian sectors including healthcare, telecom, education, and government portals. High-profile breaches included AIIMS, Apollo Hospitals, Jio, BSNL, and state education websites.
Telegram channels served as coordination hubs. Over 35 hacktivist groups took part, including seven newly emerged ones, showcasing how ideological agendas are aligning with advanced persistent threats.
A Glimpse into Modern Hybrid Warfare
Seqrite’s telemetry during the May 7–10 window logged a staggering 650+ cyber incidents. Notably, these weren’t isolated malware drops. This was a digitally orchestrated hybrid war. The attackers blended psychological operations with technical intrusion—damaging both trust and infrastructure.
Seqrite responded by deploying 26 detection signatures, integrating YARA rules into threat intel platforms, and sending out real-time alerts for spoofed domains. The lab’s XDR solutions helped Indian institutions identify SideCopy and Ares malware variants early.
National Implications and the Urgent Call for Cyber Resilience
Operation Sindoor exposed glaring vulnerabilities in India’s cyber defenses. It compromised healthcare databases, disrupted telecom services, and leaked sensitive data from defense contractors. Perhaps most critically, it eroded public confidence in digital communication.
The coordinated offensive reveals a shift: cyberwar is no longer an accessory — it’s a parallel battlefield. Attackers now combine malware and misinformation to destabilize nations.
Seqrite has urged organizations to adopt a zero-trust architecture, perform regular cybersecurity drills, and deploy advanced endpoint detection systems. With tools like Seqrite XDR, EPS, and its Malware Analysis and Threat Intelligence Platforms, businesses can better anticipate and block evolving threats.
Conclusion
The findings from Operation Sindoor confirm an escalating cyberwar between India and Pakistan. What once were state-sponsored probes have now transformed into multi-pronged digital sieges. The fusion of APT tactics with hacktivist disruption underlines a new age of hybrid warfare—where every political flashpoint becomes a potential cyber frontline.