Quick Heal Technologies Limited a global cybersecurity solutions provider, through its Seqrite Labs, India’s largest malware analysis facility, has revealed some critical details about coordinated cyberattacks exploiting geopolitical tensions during ‘Operation Sindoor’, India’s military counterterrorism response to the April 22, 2025 Pahalgam terror attack. While the Indian Armed Forces conducted precision strikes on terrorist infrastructure in Pakistan-administered Kashmir from May 7-10, 2025, the threat intelligence team at Seqrite Labs, identified parallel cyber campaigns by Pakistan-aligned threat actors targeting defense, healthcare, telecom, and government sectors across India.
The cyber offensive began on April 17, 2025, with spear-phishing emails distributing weaponized files such as Final_List_of_OGWs.xlam and Preventive_Measures_Sindoor.ppam. These attachments exploited public concern about national security by masquerading as official Indian government advisories. Forensic analysis confirmed the use of Ares RAT, an evolved variant of APT36’s Crimson RAT malware, which established covert communication channels with command-and-control (C2) servers at IP 167.86.97[.]58:17854. Attackers spoofed legitimate Indian domains like nationaldefensecollege[.]com and zohidsindia[.]com to bypass security protocols.
Between May 7-10, Seqrite’s telemetry recorded 650+ cyber incidents, including DDoS attacks on telecom providers (Jio, BSNL), defacements of state education portals, and credential harvesting campaigns against healthcare institutions like AIIMS and Apollo Hospitals. Hacktivist collectives such as #OpIndia and #OperationrSindoor coordinated via Telegram, claiming responsibility for leaking sensitive data from defense contractors and municipal databases.
The attackers’ infrastructure leveraged virtual private servers (VPS) in Russia, Germany, and Indonesia to mask origins. Malicious .ppam and .Ink files triggered PowerShell scripts that disabled security tools, exfiltrated military communication logs, and deployed ransomware on healthcare systems. Seqrite’s countermeasures included 26 custom detection signatures deployed across Seqrite XDR, integration of YARA rules into national threat intelligence platforms, real-time alerts for spoofed domains, and threat advisory dissemination to Indian entities.
The targeted cyberattacks on Indian institutions in wake of rising geopolitical tensions between India and Pakistan paint a clear picture of how nation-state actors now collaborate with non-state hacktivists, merging technical intrusion with psychological operations. The evolution of APT36 and the simultaneous hacktivist attacks signal a deliberate convergence of cyber espionage and ideological warfare. Instead of isolated malware campaigns, we now face digitally coordinated war games run with a common objective: that of destabilizing, disinforming, and disrupting.
In light of these alarming findings, Seqrite urges organizations to exercise utmost caution with respect to their digital security. It is advised to adopt a zero-trust approach, deploy advanced, multi-layer security systems, create regular backups, and conduct awareness drives to impart essential cybersecurity training which can help reduce human error. Seqrite’s cutting-edge suite of cybersecurity solutions, including EPS, ZTNA, EDR, and XDR, along with Seqrite Malware Analysis Platform and Seqrite Threat Intel Platform, can help organizations of all sizes strengthen their cybersecurity stance.
