Digital Sentry
Threat Actors · May 26, 2024 · 9 min read

APT36 (Transparent Tribe): Pakistan-Aligned Operations Against Indian Government, Military, and Education Targets

A field-level look at APT36, the Pakistan-aligned threat actor that has targeted Indian government, military, and education organizations for over a decade. Attribution, tradecraft, named operations, and concrete defender guidance.

Overview

APT36 is the industry-tracking name for a threat actor that has been publicly tied by Indian government advisories, the U.S. FBI, and numerous private-sector researchers to Pakistan-aligned cyber-espionage operations. The same organization is tracked as Transparent Tribe, ProjectM, Mythic Leopard, and SideCopy by different vendors, and there is meaningful operational overlap between the named clusters. APT36's mission profile is regional and persistent: long-running espionage against Indian government, military, diplomatic, and education targets, with the bulk of the activity focused on the Indian subcontinent and the Kashmir dispute in particular.

APT36 is operationally distinct from the more capable state-actor operations tracked by Western governments, but it is a real, persistent, named operation with public attribution and a documented history of compromise. The group's tradecraft is mid-tier by state-actor standards but consistent over a long period, and the targeting focus on government, defense, and education makes the operation an active concern for any organization in those sectors in the region. Public reporting on APT36 has accelerated since 2020, in part because of the increasing availability of malware analysis and infrastructure tracking from Indian CERT-In and from vendors operating in the region.

TTPs

APT36 tradecraft emphasizes spear-phishing with document-based loaders, particularly the abuse of .hwp (Hancom Hangul) and .docx files themed around Indian government, defense, and education topics. The group has been documented using Crimson RAT (a remote access tool publicly available and used by multiple actors), custom Python and .NET backdoors, and a range of commodity remote-access tools. Initial access comes almost entirely from spear-phishing; the group is not commonly associated with supply-chain compromise or zero-day exploitation, and the resulting detection surface is more accessible than at higher-tier state-actor operations.

Post-exploitation, APT36 has been documented using living-off-the-land techniques, scheduled tasks, and abuse of legitimate cloud services for command and control, particularly Google Drive and Dropbox. The group has been observed using Google Drive to host payloads and exfiltrate data, blending with normal corporate traffic in environments that have not specifically restricted cloud-storage use. The group's beaconing profile is typically low-and-slow, and the group's operational discipline is good enough that detection often depends on catching the initial phishing payload rather than the post-exploitation activity.

On the targeting side, APT36 has been observed operating against Indian Ministry of External Affairs personnel, defense attachés, military and paramilitary organizations, and Indian educational institutions, with a particular focus on individuals involved in Kashmir policy or in the India-Pakistan diplomatic relationship. The group has also been tied to credential-phishing operations against Indian journalists, academics, and activists. The targeting profile is consistent with a state-aligned regional espionage operation rather than a financially motivated or criminal actor, and the public reporting aligns with that profile across multiple years.

Known incidents

The 2020-2021 surge in APT36 activity against Indian power-sector and government targets is the most consequential recent incident set. Multiple Indian government and CERT-In advisories during this period described ongoing intrusions attributed to APT36, including credential-phishing and document-based loader campaigns against Indian Ministry of External Affairs personnel, defense attachés, and other high-value government targets. The activity was paired with long-running targeting of Indian education-sector email accounts, with the apparent goal of intelligence collection on Indian academic and policy research on the region.

Earlier APT36 operations include the long-running use of Crimson RAT against Indian government and education targets, with the tool family publicly tied to the group in vendor research going back to at least 2016. The group has been tied to a series of document-based loader campaigns themed around Indian defense, diplomatic, and education topics, with the .hwp and .docx lures particularly characteristic. These operations are not the high-profile compromise-and-publish cycles that mark Russian state actors, but the volume of activity and the consistency of targeting have made APT36 a persistent presence in the regional threat landscape.

Public attribution of APT36 to a Pakistan-aligned operation has come from Indian government advisories, the U.S. FBI, and a long list of private-sector researchers. The specific organizational attribution within the Pakistani government is less clear than for some state-actor groups, with the Inter-Services Intelligence (ISI) being the most commonly named patron. The group's operational pattern is consistent with a state-sponsored regional espionage operation, and the public reporting is consistent across multiple sources.

Detection

APT36 detection is more accessible than detection of the higher-tier state-actor operations because the group's tradecraft involves more visible artifacts: .hwp and .docx spear-phishing payloads, Crimson RAT network indicators, and the use of well-known cloud services for command and control. Useful detection signals include: incoming email with .hwp or .docx attachments from newly registered or spoofed senders, particularly with themes around Indian government, defense, or education; the presence of Crimson RAT network signatures, including beaconing to known command-and-control infrastructure; outbound traffic to Google Drive, Dropbox, and other cloud-storage services from accounts that do not normally use those services; and the use of scheduled tasks and registry-run keys consistent with Crimson RAT persistence.
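The four signals listed above can be expressed as triage rules over ordinary telemetry. The block below is an added example, not code from the article or from any vendor, and it runs over constructed sample events rather than real indicators. It assumes three things the article does not specify: that sender-domain registration dates are available from a lookup you already maintain (a dict here), that the cloud-storage baseline is the set of accounts that used each service in a trailing window, and that persistence telemetry carries the command line a scheduled task or Run key will launch. The user-writable-path heuristic for persistence is a generic one, not a description of Crimson RAT's specific persistence.

```python
"""Triage of constructed telemetry against the APT36 detection signals above.

Added example with placeholder data. Assumptions (not from the article):
DOMAIN_REGISTERED stands in for a WHOIS/registration lookup, CLOUD_BASELINE
stands in for a trailing-window usage baseline, and persistence events carry
the launched command line. No real indicators appear below.
"""
from datetime import date

SUSPECT_EXTENSIONS = {".hwp", ".docx"}
LURE_KEYWORDS = {"ministry", "defence", "defense", "kashmir", "university", "attache"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "www.dropbox.com", "content.dropboxapi.com"}
NEW_DOMAIN_DAYS = 30
# Path fragments a legitimate persistence entry rarely launches from (generic heuristic).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
TODAY = date(2024, 5, 26)  # fixed "now" so the sample is reproducible

# Constructed registration dates for sender domains (placeholder values).
DOMAIN_REGISTERED = {
    "gov-example.test": date(2015, 1, 10),
    "mea-circular-example.test": date(2024, 5, 20),
}
# Constructed baseline: accounts that normally use each cloud-storage service.
CLOUD_BASELINE = {"drive.google.com": {"design-team"}, "www.dropbox.com": set()}


def triage_email(event, today):
    """Reasons an inbound email matches the document-lure pattern; empty if none."""
    names = [a.lower() for a in event.get("attachments", [])]
    exts = {n[n.rfind("."):] for n in names if "." in n}
    if not exts & SUSPECT_EXTENSIONS:
        return []  # only .hwp/.docx attachments are in scope for this rule
    reasons = []
    sender_domain = event["sender"].rsplit("@", 1)[-1].lower()
    registered = DOMAIN_REGISTERED.get(sender_domain)
    if registered is None:
        reasons.append(f"{sender_domain}: no registration record")
    elif (today - registered).days <= NEW_DOMAIN_DAYS:
        reasons.append(f"{sender_domain}: registered {(today - registered).days} days ago")
    if event.get("spf") != "pass" or event.get("dmarc") != "pass":
        reasons.append("sender authentication failed (possible spoofed sender)")
    if set(event.get("subject", "").lower().split()) & LURE_KEYWORDS:
        reasons.append("government/defense/education-themed subject with document attachment")
    return reasons


def triage_network(event):
    """Flag cloud-storage traffic from an account with no baseline use of that service."""
    host = event["host"].lower()
    if host not in CLOUD_STORAGE_HOSTS or event["account"] in CLOUD_BASELINE.get(host, set()):
        return []
    return [f"{event['account']} -> {host}: no baseline use of this service"]


def triage_persistence(event):
    """Flag scheduled tasks or Run keys whose command launches from a user-writable path."""
    command = event["command"].lower()
    if any(marker in command for marker in USER_WRITABLE_MARKERS):
        return [f"{event['kind']} '{event['name']}' launches from a user-writable path"]
    return []


def run_triage(events, today):
    """Apply the rule for each event type; return (event, reasons) pairs for hits only."""
    handlers = {
        "email": lambda e: triage_email(e, today),
        "network": triage_network,
        "persistence": triage_persistence,
    }
    hits = []
    for event in events:
        reasons = handlers[event["type"]](event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry: one hit and one benign event per source.
SAMPLE_EVENTS = [
    {"type": "email", "sender": "circular@mea-circular-example.test",
     "subject": "Ministry of External Affairs circular on Kashmir",
     "attachments": ["circular.docx"], "spf": "fail", "dmarc": "fail"},
    {"type": "email", "sender": "hr@gov-example.test", "subject": "Leave policy update",
     "attachments": ["policy.pdf"], "spf": "pass", "dmarc": "pass"},
    {"type": "network", "account": "attache-desk", "host": "drive.google.com"},
    {"type": "network", "account": "design-team", "host": "drive.google.com"},
    {"type": "persistence", "kind": "schtask", "name": "Updater",
     "command": r"C:\Users\a\AppData\Roaming\svchost.exe"},
    {"type": "persistence", "kind": "runkey", "name": "OneDrive",
     "command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for event, reasons in run_triage(SAMPLE_EVENTS, TODAY):
        print(event["type"], "->", "; ".join(reasons))
```

The email rule only fires when a suspect document type is present, so a lure-themed subject alone does not alert; the point of stacking the registration age, sender authentication and theme checks is that a single weak signal is common in normal mail while the combination is not. The cloud-storage rule is deliberately blind to the service itself and keys on the account's own history, which is what lets it see the traffic the article describes as blending with normal corporate use.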

For Indian government, defense, and education organizations, the right defender posture treats APT36 as a baseline adversary: assume you are being targeted, enforce phishing-resistant multi-factor authentication, restrict which document types can be opened from email, and monitor cloud-storage traffic for unusual patterns. The group's tradecraft is consistent enough that good baseline detection catches a meaningful fraction of the activity, even without nation-state-grade telemetry.

Recommendations

Defenses against APT36 cluster into email, identity, and cloud-storage layers. At the email layer, restrict which document types can be opened from email (or sandbox them in a detonation environment), particularly .hwp and .docx files from senders not on an allowlist. At the identity layer, enforce phishing-resistant multi-factor authentication for any account with access to government, defense, or education systems, and treat any sign-in from a previously unseen geography as a primary alert. At the cloud-storage layer, monitor for unusual use of Google Drive, Dropbox, and similar services, particularly the download of payloads from accounts that do not normally use those services.
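The identity-layer recommendations above (phishing-resistant MFA on scoped accounts, and a primary alert on the first sign-in from a previously unseen geography) can be enforced by a small monitor over sign-in events. The block below is an added example, not code from the article or from any identity provider. It assumes each sign-in event carries the account, a geolocated country code, the authentication method, the result, and the sector group the account belongs to; it treats FIDO2/WebAuthn and certificate-based authentication as phishing-resistant and everything else as not. All events are constructed.

```python
"""Identity-layer checks for the recommendations above.

Added example with constructed data. Assumptions (not from the article):
sign-in events are dicts with account, country, method, result and group,
and "phishing-resistant" means FIDO2/WebAuthn or certificate authentication.
"""

PHISHING_RESISTANT_METHODS = {"fido2", "webauthn", "certificate"}
SCOPED_GROUPS = {"government", "defense", "education"}


class SignInMonitor:
    """Tracks the geographies each account has signed in from and raises a
    primary alert the first time an account appears from an unseen one."""

    def __init__(self, seed_baseline=None):
        # account -> set of country codes seen in successful sign-ins (copied, so the seed is not mutated)
        self.seen = {acct: set(countries) for acct, countries in (seed_baseline or {}).items()}

    def evaluate(self, event):
        """Return (severity, message) alerts for one sign-in event and update the baseline."""
        alerts = []
        account, country = event["account"], event["country"]
        known = self.seen.setdefault(account, set())
        # Cold start: an account with no history cannot be compared, so it only seeds the baseline.
        if known and country not in known:
            alerts.append(("primary",
                           f"{account}: sign-in from {country}, previously seen only from {sorted(known)}"))
        if event["result"] == "success":
            # Only successful sign-ins extend the baseline; failed attempts must not
            # teach the monitor a new geography.
            known.add(country)
            if event["group"] in SCOPED_GROUPS and event["method"] not in PHISHING_RESISTANT_METHODS:
                alerts.append(("policy",
                               f"{account}: successful sign-in with non-phishing-resistant factor "
                               f"'{event['method']}' on a {event['group']} account"))
        return alerts


def run_monitor(events, seed_baseline=None):
    """Evaluate events in order; return (event_index, alerts) for events that raised any."""
    monitor = SignInMonitor(seed_baseline)
    results = []
    for index, event in enumerate(events):
        alerts = monitor.evaluate(event)
        if alerts:
            results.append((index, alerts))
    return results


# Constructed sample: a defense account with a known home geography and an education
# account with no history at all.
SEED_BASELINE = {"attache-desk": {"IN"}}
SAMPLE_SIGNINS = [
    {"account": "attache-desk", "country": "IN", "method": "fido2", "result": "success", "group": "defense"},
    {"account": "attache-desk", "country": "AE", "method": "password_sms", "result": "success", "group": "defense"},
    {"account": "attache-desk", "country": "AE", "method": "fido2", "result": "success", "group": "defense"},
    {"account": "registrar", "country": "IN", "method": "totp", "result": "success", "group": "education"},
    {"account": "registrar", "country": "GB", "method": "totp", "result": "failure", "group": "education"},
]

if __name__ == "__main__":
    for index, alerts in run_monitor(SAMPLE_SIGNINS, SEED_BASELINE):
        for severity, message in alerts:
            print(f"[{severity}] event {index}: {message}")
```

Two design points matter here. The geography alert fires on failed sign-ins too, because an attempt from an unseen location is itself the early signal the article wants caught, but only successful sign-ins extend the baseline, so repeated failures cannot quietly normalize a new location. The MFA check is scoped to the sectors the article names rather than applied globally, which keeps the policy alert actionable for the accounts APT36 actually targets.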

For Indian organizations in particular, the regional nature of the targeting is itself a useful signal, and the consistency of APT36's tradecraft means that good baseline detection catches a meaningful fraction of the activity. The right operational model is to treat APT36 as a known adversary with a known playbook, and to invest the detection effort accordingly. The cost of a successful APT36 compromise is rarely a national-security event; it is more often a sustained intelligence loss that compounds over years. The right defender posture is one that catches the early compromise and contains it before the operational damage accumulates.
