Cyber Espionage Campaign Targets Indian Government Officials Using Pahalgam Attack-Themed Decoys

In early May 2025, cybersecurity researchers identified a sophisticated cyber espionage campaign targeting Indian government personnel. The attackers are employing decoy documents referencing the recent Pahalgam attack to lure officials into compromising their systems.

The campaign begins with spear-phishing emails that appear to originate from legitimate government agencies. These emails contain attachments designed to exploit the recipients’ interest in security developments related to the Pahalgam incident. The attachments are Microsoft Word documents with embedded macros. When enabled, these macros deploy a multi-stage malware payload.

The malicious documents are crafted to resemble official briefings or intelligence reports on the Pahalgam situation. They prompt users to click "Enable Content" to view supposedly protected information, which triggers the execution of the hidden malicious code. The attackers have paid close attention to detail, including authentic-looking letterheads and formatting consistent with official government communications.

Seqrite researchers identified the campaign after detecting unusual network traffic patterns from government networks. Their investigation uncovered a previously undocumented Remote Access Trojan (RAT) that establishes persistence and communicates with command-and-control servers. These servers are reportedly linked to a nation-state threat actor with a history of targeting Indian government institutions.

The malware campaign appears specifically tailored to compromise sensitive government information, with a particular focus on defense, intelligence, and law enforcement agencies. Security experts assess the operation as highly targeted, suggesting a deliberate intelligence-gathering mission rather than opportunistic cybercrime. The timing of the campaign, coinciding with the aftermath of the Pahalgam incident, indicates the attackers’ strategic approach to exploiting current events.

Infection Mechanism

The infection chain begins when victims open the malicious document, typically named Pahalgam_Incident_Report_Confidential.docx. When macros are enabled, the document executes obfuscated VBA code that decodes and executes a PowerShell command.

This PowerShell command downloads and executes a second-stage payload disguised as a PNG image file. The malware establishes persistence through scheduled tasks and Registry modifications. It then collects system information and begins exfiltrating sensitive data while attempting to move laterally within government networks.
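The chain described above, as an added detection example that is not from the Seqrite report or the campaign itself: a small Python triage script run over constructed process-creation events and file headers, flagging Word spawning PowerShell, the hidden/encoded PowerShell flags typical of macro launches, a ".png" whose bytes are not a PNG, and PowerShell creating a scheduled task. Field names (ParentImage, Image, CommandLine) follow the Sysmon process-creation event as an assumption; all sample values are constructed.

```python
# Added triage example for the chain: Office macro -> PowerShell -> payload
# masquerading as .png -> scheduled-task persistence. Events and bytes below are
# constructed; the Sysmon-style field names are an assumption, not report data.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe", "reg.exe"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden",
                    "downloadstring", "downloadfile", "-nop")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_powershell(event):
    """True when an Office process launches PowerShell (the macro stage)."""
    return _basename(event["ParentImage"]) in OFFICE_APPS and _basename(event["Image"]) in POWERSHELL

def suspicious_powershell_flags(cmdline):
    """Return the hidden-window / encoded / download flags present in a command line."""
    low = cmdline.lower()
    return [f for f in SUSPICIOUS_FLAGS if f in low]

def masquerading_png(filename, header):
    """True when a file named .png does not start with the PNG signature (e.g. a PE)."""
    return filename.lower().endswith(".png") and not header.startswith(PNG_MAGIC)

def persistence_from_powershell(event):
    """True when PowerShell spawns schtasks.exe or reg.exe (scheduled-task/Registry persistence)."""
    return _basename(event["ParentImage"]) in POWERSHELL and _basename(event["Image"]) in PERSISTENCE_TOOLS

def triage(events, files):
    """Collect (finding, subject, details) tuples over process events and (name, header) pairs."""
    findings = []
    for e in events:
        if office_spawned_powershell(e):
            findings.append(("office_to_powershell", e["Image"], suspicious_powershell_flags(e["CommandLine"])))
        if persistence_from_powershell(e):
            findings.append(("persistence", e["Image"], [e["CommandLine"]]))
    for name, header in files:
        if masquerading_png(name, header):
            findings.append(("masquerading_png", name, [header[:4].hex()]))
    return findings

# Constructed sample telemetry (placeholder base64 after -enc; no real payload).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAAPLACEHOLDER"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\update.png"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]
SAMPLE_FILES = [("update.png", b"MZ\x90\x00" + b"\x00" * 12), ("logo.png", PNG_MAGIC + b"\x00" * 8)]
```

Running `triage(SAMPLE_EVENTS, SAMPLE_FILES)` yields three findings: the Word-to-PowerShell launch with its `-nop`, `-w hidden` and `-enc` flags, the scheduled-task creation from PowerShell, and the `.png` whose header is `MZ` rather than the PNG signature.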