Targeted Threat Alert: Full IOC Details for CrimsonRAT & CurlBack RAT Campaigns
Date: May 2025
Source: Cybervahak Threat Intelligence Team
In light of ongoing tensions and targeted cyber activity against Indian organizations, Cybervahak is publishing a full breakdown of Indicators of Compromise (IOCs) associated with recent campaigns using CrimsonRAT and CurlBack RAT. These tools have been actively deployed by APT36 and SideCopy—Pakistan-linked threat groups engaged in cyber-espionage and disruption operations.
We are also seeing widespread abuse of typosquatted domains mimicking Indian government services, and increasing use of Pahalgam-related lures in phishing campaigns. This article aims to enhance both security team readiness and public awareness.

1. CrimsonRAT: Surveillance Malware by APT36
- Purpose: Credential theft, data exfiltration, espionage
- Tactics: Phishing with .ppam and .hta attachments and spoofed government domains
File Hashes:
Malicious Domains:
- postindia.site
- jkpolice.gov.in.kashmirattack.exposed
- email.gov.in.drdosurvey.info
- ministryofdefenceindia.org
- email.gov.in.ministryofdefenceindia.org
- iaf.nic.in.ministryofdefenceindia.org
Command-and-Control (C2) IPs:
- 93.127.133.58
- 104.129.27.14
2. CurlBack RAT: New Modular RAT by SideCopy
- Purpose: Espionage across critical infrastructure
- Tactics: Delivered via malicious .zip, .lnk, and .pdf files
File Hashes and Filenames (CurlBack RAT Samples):
- a5410b76d0cb36786e00d2968d3ab6e4 – 2024-National-Holidays-RH-PER_N-1.zip
- f404496abccfa93eed5dfda9d8a53dc6 – 2024-National-Holidays-RH PER_N-1.pdf.lnk
- 0e57890a3ba16b1ac0117a624f262e61 – Security-Guidelines.zip
Note: These samples are highly obfuscated and delivered through deceptive ZIP archives imitating HR policies or security advisories.
Domain Abuse: Spoofed Government Sites & Social Engineering
APT36 has systematically registered misspelled or lookalike domains designed to spoof Indian government portals. These are used to trick users into entering credentials or downloading malware.
Examples:
- jkpolice.gov.in.kashmirattack.exposed – fake J&K Police email portal
- ministryofdefenceindia.org – mimic of the Ministry of Defence
- postindia.site – impersonates India Post, serves Android spyware and malicious PDFs
These domains are typically hosted with TLS certificates and page layouts that mimic the legitimate sites. Their rapid deployment during real-world crises such as the Pahalgam terror attack increases their success rate by preying on public emotion.
For Security Teams:
We recommend ingesting the above IOCs into your SIEM and SOAR platforms to detect and respond to emerging threats. Monitor:
- Unusual outbound connections to listed IPs/domains
- File writes or executions matching the listed hashes
- Login attempts to lookalike or spoofed portals
- Phishing emails referencing "Pahalgam", "terror", "defense", or other emotionally charged keywords
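As an added example (not Cybervahak's own tooling), the following Python script applies the monitoring guidance above to DNS/proxy-style log lines: it matches the listed C2 IPs and spoofed domains, and separately flags any host that embeds gov.in or nic.in as inner labels under an unrelated registrable domain, the pattern behind jkpolice.gov.in.kashmirattack.exposed. The log format, source IPs and sample lines are assumptions constructed for this example.

```python
import re

# IOCs copied from the advisory above; the log format and sample lines below are constructed for this example.
SPOOFED_DOMAINS = {
    "postindia.site",
    "jkpolice.gov.in.kashmirattack.exposed",
    "email.gov.in.drdosurvey.info",
    "ministryofdefenceindia.org",
    "email.gov.in.ministryofdefenceindia.org",
    "iaf.nic.in.ministryofdefenceindia.org",
}
C2_IPS = {"93.127.133.58", "104.129.27.14"}
GOV_SUFFIXES = {"gov.in", "nic.in"}  # genuine suffixes the lookalikes embed as inner labels

def is_gov_lookalike(host: str) -> bool:
    """True when gov.in/nic.in appears as inner labels but the registrable domain is something else."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in GOV_SUFFIXES:
        return False  # genuinely under gov.in / nic.in; a plain substring match on "gov.in" would not distinguish this
    return any(".".join(labels[i:i + 2]) in GOV_SUFFIXES for i in range(len(labels) - 2))

# Constructed log shape: "<timestamp> <source-ip> dns|conn <destination host or IP>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+(?P<dst>\S+)$")

def classify(line: str):
    """Return a detection label for one log line, or None when it matches nothing."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    dst = m.group("dst").lower().rstrip(".")
    if dst in C2_IPS:
        return "c2-ip"
    if dst in SPOOFED_DOMAINS or any(dst.endswith("." + d) for d in SPOOFED_DOMAINS):
        return "ioc-domain"
    if is_gov_lookalike(dst):
        return "gov-lookalike"
    return None

# Constructed sample lines: real portal (benign), listed IOC domain, listed C2 IP, IOC subdomain, unlisted lookalike.
SAMPLE_LOGS = [
    "2025-05-10T09:14:02Z 10.0.4.21 dns email.gov.in",
    "2025-05-10T09:14:05Z 10.0.4.21 dns email.gov.in.drdosurvey.info",
    "2025-05-10T09:15:11Z 10.0.4.37 conn 93.127.133.58",
    "2025-05-10T09:16:40Z 10.0.4.37 dns mail.postindia.site",
    "2025-05-10T09:17:03Z 10.0.4.50 dns login.nic.in.example-lookalike.test",
]

def scan(lines):
    """Return (line, label) pairs for every line that triggers a rule."""
    return [(line, classify(line)) for line in lines if classify(line)]
```

The last sample line matches no listed IOC yet is still flagged, which is the value of the structural check over a static domain list.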