Accredian
Cyber Conflict in South Asia: Inside the India–Pakistan APT Campaigns

Introduction
Cyber warfare has quietly become an integral dimension of geopolitical rivalry between India and Pakistan. While traditional tensions between the two nuclear-armed neighbors have historically manifested through military confrontations and diplomatic disputes, the last decade has witnessed a steady escalation of state-linked cyber espionage and digital influence campaigns.
Recent threat intelligence reports indicate a growing number of Advanced Persistent Threat (APT) operations originating from both countries. These campaigns primarily target government institutions, defense organizations, critical infrastructure providers, and telecommunications companies across South Asia.

One of the most recent examples is an alleged India-linked espionage campaign targeting Pakistan and Bangladesh, discovered by researchers at Arctic Wolf and reported by security outlets. The campaign highlights how cyber operations are increasingly used to collect intelligence and monitor strategic sectors in rival states.
This article examines the evolving cyber conflict between India and Pakistan, focusing on the threat actors, malware campaigns, operational techniques, and geopolitical implications shaping this digital battleground.


The Growing Cyber Dimension of India–Pakistan Rivalry
India and Pakistan have historically engaged in a cycle of conflict and retaliation. In recent years, however, cyber operations have become an additional layer of strategic competition.
Cyber campaigns offer several advantages for states:
Plausible deniability
Low operational cost
Intelligence gathering without direct confrontation
Psychological and informational influence

Analysts have observed that cyber operations are increasingly integrated with other forms of hybrid warfare, including information campaigns, hacktivism, and digital propaganda.
For example, during a regional crisis in 2025, reports suggested that cyber actors linked to Pakistan attempted to disrupt Indian digital infrastructure, while pro-India hackers allegedly leaked data from Pakistani government systems. These incidents highlight how cyber operations are now embedded within broader geopolitical tensions.
Despite widespread claims of large-scale attacks, many cybersecurity researchers emphasize that the most impactful operations are often espionage campaigns rather than disruptive attacks.


India-Linked Espionage Campaign: The Sloppy Lemming Operation
One of the most significant recent developments in South Asian cyber activity involves a threat group known as Sloppy Lemming, which researchers believe operates with links to India.


Security researchers identified an espionage campaign conducted between January 2025 and early 2026, targeting organizations across Pakistan, Bangladesh, and Sri Lanka.

https://www.darkreading.com/threat-intelligence/india-apt-sloppy-lemming-defense-critical-infrastructure

Key Targets
The campaign primarily focused on strategic sectors, including:
Government agencies
Nuclear regulatory organizations
Defense logistics companies
Telecommunications infrastructure
Energy utilities
Financial institutions

These targets suggest that the attackers were attempting to collect intelligence related to national security, defense capabilities, and economic infrastructure.


Attack Techniques and Malware Used
The SloppyLemming campaign used spear-phishing emails to deliver malicious documents to victims.
Two main attack chains were identified.

1. BurrowShell Backdoor Deployment


One infection chain used malicious PDF documents that triggered a multi-stage malware deployment process.
The attack involved:
ClickOnce application manifests
DLL side-loading techniques
Execution of a custom shellcode implant

This process ultimately deployed BurrowShell, a sophisticated backdoor capable of:
File system manipulation
Remote command execution
Screenshot capture
Network tunneling via SOCKS proxy

The malware disguised its command-and-control traffic as Windows Update communication, allowing it to evade detection while maintaining persistent access.
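The masquerade described above is a detection problem rather than a prevention problem: a client can put any User-Agent or URL path on its requests, but it cannot change where the packets go. The script below is an added example written for this article (not code from the article, from Arctic Wolf or from any other researcher). It parses a small set of constructed proxy log lines and flags requests that carry Windows Update indicators (update-client user-agents, update-style paths) while being sent to a host outside an allowlist of update endpoints. The log format, the allowlist and the sample lines are assumptions made for the example.

```python
"""Flag HTTP(S) requests that look like Windows Update traffic but go to
hosts that are not Microsoft update endpoints.

Added example for this article; not code from the article or from the
researchers it cites. The log format, the allowlist and the sample lines
are constructed for illustration.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Illustrative allowlist of legitimate update hosts (assumption: a real
# deployment would build this from the vendor's published endpoint list).
UPDATE_HOST_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "delivery.mp.microsoft.com",
)

# User-Agent prefixes used by the Windows Update client and Delivery Optimization.
UPDATE_UA_PREFIXES = ("Windows-Update-Agent/", "Microsoft-Delivery-Optimization/")

# Path fragments that mimic update endpoints.
UPDATE_PATH_MARKERS = ("/windowsupdate/", "/clientwebservice/", "/filestreamingservice/")


def is_update_host(host: str) -> bool:
    """True when the host is, or is a subdomain of, an allowlisted update host."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in UPDATE_HOST_SUFFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Parse one tab-separated proxy record: ts, src, method, url, status, user_agent."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src, method, url, status, ua = parts
    u = urlsplit(url)
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status,
            "ua": ua, "host": u.hostname or "", "path": u.path.lower()}


def update_indicators(rec: dict) -> List[str]:
    """Which Windows Update lookalike features does this request carry?"""
    hits = []
    if rec["ua"].startswith(UPDATE_UA_PREFIXES):
        hits.append("update-client user-agent")
    if any(m in rec["path"] for m in UPDATE_PATH_MARKERS):
        hits.append("update-style URL path")
    return hits


def find_spoofed_update_traffic(lines) -> List[Tuple[str, str, str]]:
    """Return (src, host, reason) for requests that look like update traffic
    but leave for a host outside the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        inds = update_indicators(rec)
        if inds and not is_update_host(rec["host"]):
            findings.append((rec["src"], rec["host"], "; ".join(inds)))
    return findings


# Constructed sample log lines (hosts under .example / example.net are placeholders).
SAMPLE_LOG = [
    "2026-02-03T09:14:02Z\t10.1.4.22\tGET\thttp://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx\t200\tWindows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0",
    "2026-02-03T09:14:05Z\t10.1.4.22\tPOST\thttps://update-cdn-cache.example/windowsupdate/v6/reportingwebservice.asmx\t200\tWindows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0",
    "2026-02-03T09:14:09Z\t10.1.4.31\tGET\thttps://www.example.org/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2026-02-03T09:14:11Z\t10.1.4.22\tGET\thttp://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc\t200\tMicrosoft-Delivery-Optimization/10.0",
    "2026-02-03T09:15:40Z\t10.1.4.40\tGET\thttps://cdn.example.net/windowsupdate/download.cab\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for src, host, reason in find_spoofed_update_traffic(SAMPLE_LOG):
        print(f"{src} -> {host}: {reason}")
```

The host check is the load-bearing part: user-agent and path are free for an implant to copy, so the rule only fires when those lookalike features are combined with a destination that the real update client would never contact. On production logs the allowlist must be maintained from the vendor's endpoint documentation, otherwise legitimate CDN hosts produce false positives.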


2. Rust-Based Keylogger and Reconnaissance Tools

The second attack chain used malicious Excel files containing embedded malware written in the Rust programming language. Rust is increasingly being used by advanced threat actors because it provides:
High performance
Memory safety
Strong obfuscation capabilities

The malware collected:
Keystrokes
System reconnaissance data
Credentials and sensitive files

Researchers also observed attackers using DLL sideloading and exposed infrastructure directories, suggesting moderate operational sophistication combined with occasional operational security mistakes.
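DLL side-loading appears in both attack chains above, so it is worth showing what the technique looks like from the defender's side of the telemetry. The following is an added example written for this article (not code from the article or from the researchers it cites). It applies a few heuristics to records shaped like the fields of a Sysmon Event ID 7 (ImageLoaded) event: a signed host process mapping an unsigned DLL that lives in a user-writable location, sits in the executable's own directory, or carries the name of a DLL that normally resolves from System32. Every path, vendor name and signer in the sample records is an invented placeholder, and the list of abused DLL names is illustrative only.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example for this article; not code from the article or from the
researchers it cites. Records are constructed to resemble the fields of a
Sysmon Event ID 7 (ImageLoaded) event; every path and vendor name below is an
invented placeholder.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Locations a standard user can write to (assumed list for the example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# DLL names that normally resolve under System32. A same-named unsigned file
# next to a signed executable is the classic side-loading setup.
# Illustrative set, not a complete list.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "wtsapi32.dll", "dbghelp.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str           # process executable (Sysmon "Image")
    image_signed: bool   # signature status of the executable
    loaded: str          # module mapped into the process (Sysmon "ImageLoaded")
    loaded_signed: bool  # signature status of the module


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a: str, b: str) -> bool:
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def side_loading_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load looks like side-loading, or None if it looks benign."""
    # Only signed host processes matter here: the technique abuses the trust
    # that a signed, often well-known, binary carries.
    if not ev.image_signed or ev.loaded_signed:
        return None
    if not ev.loaded.lower().endswith(".dll"):
        return None
    name = PureWindowsPath(ev.loaded.lower()).name
    reasons = []
    if name in SYSTEM_DLL_NAMES:
        reasons.append("unsigned copy of a System32 DLL name")
    if same_directory(ev.image, ev.loaded):
        reasons.append("loaded from the executable's own directory")
    if is_user_writable(ev.loaded):
        reasons.append("module resides in a user-writable path")
    # Require more than the bare "unsigned DLL" fact to keep the noise down:
    # plenty of legitimate signed software ships unsigned helper modules.
    return "; ".join(reasons) if len(reasons) >= 2 else None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """(image, loaded module, reason) for every event that trips the heuristic."""
    return [(ev.image, ev.loaded, r) for ev in events if (r := side_loading_reason(ev))]


# Constructed sample events.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\ntdll.dll", True),
    # Signed viewer dropped into the user's temp directory next to an unsigned version.dll.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\report_viewer.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False),
    # Signed application pulling an unsigned, System32-named module from ProgramData.
    ImageLoad(r"C:\Program Files\ExampleVendor\app.exe", True,
              r"C:\ProgramData\ExampleVendor\cache\wtsapi32.dll", False),
    # Unsigned tool loading an unsigned DLL: a different detection, not side-loading of a trusted binary.
    ImageLoad(r"C:\Users\bob\tool.exe", False, r"C:\Users\bob\plugin.dll", False),
    # Signed application loading its own signed module from Program Files.
    ImageLoad(r"C:\Program Files\ExampleVendor\app.exe", True,
              r"C:\Program Files\ExampleVendor\vendor.dll", True),
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"{image}\n  loaded {loaded}\n  {reason}")
```

The two-reason threshold is a deliberate trade-off: a signed application loading an unsigned DLL from its own install directory under Program Files is ordinary, while the same thing in a temp folder, with a System32 DLL name, is not. Signature status in real telemetry comes from the sensor's own verification, which the example takes as given.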


Expanding Infrastructure and Cloud-Based Command Servers
Another notable aspect of the campaign was the use of Cloudflare Workers as part of the attacker infrastructure.
Threat intelligence analysts observed that the group had dramatically expanded its infrastructure footprint:
The number of command-and-control domains increased from 13 to over 100
Serverless cloud infrastructure was used to hide malicious traffic
Cloud services helped attackers blend into legitimate internet activity

This approach makes detection significantly more difficult, as malicious communications appear similar to normal cloud traffic.


Pakistan-Linked Cyber Espionage: The APT36 Threat
While India-linked actors have targeted Pakistan and neighboring countries, Pakistan is also associated with several long-running cyber espionage groups.
The most well-known is APT36, also known as Transparent Tribe.
APT36 has been active since at least 2013 and has primarily focused on targeting:
Indian government agencies
Defense personnel
Military contractors
Academic and research institutions

Security researchers consider APT36 to be one of the most persistent cyber espionage groups operating in South Asia.


Evolution of APT36 Campaigns
APT36 has continuously evolved its tactics over the years.
Earlier operations relied heavily on:
Spear-phishing emails
Malicious Office documents
Remote access trojans such as Crimson RAT

More recent campaigns show a shift toward more complex delivery mechanisms and infrastructure.


The "Gopher Strike" and "Sheet Attack" Campaigns
In 2025, researchers identified two campaigns linked to Pakistan-based threat actors.
Gopher Strike
This campaign used PDF files disguised as official documents that tricked victims into downloading malware.
The infection chain included:
Golang-based downloader called GOGITTER
Visual Basic scripts fetching commands from remote servers
Additional backdoor implants deployed through GitHub repositories

Reference: GOGITTER, GITSHELLPAD, and GOSHELL Analysis (Part 1) | ThreatLabz, www.zscaler.com


Sheet Attack
Another campaign used cloud-based platforms such as:
Google Sheets
Firebase

These services were used as command-and-control channels to retrieve malicious instructions.
Researchers also noted indications that generative AI tools may have been used during malware development, signaling an emerging trend in cyber operations.
Reference: SHEETCREEP, FIREPOWER, and MAILCREEP Analysis (Part 2) | ThreatLabz, www.zscaler.com


Mobile Espionage and Android Malware
APT36 has also expanded its operations into mobile espionage.
Security researchers uncovered a campaign involving trojanized Android messaging applications distributed through fake websites.
The malicious apps were presented as secure communication platforms and were used to install a spyware implant known as CapraRAT.
Capabilities of CapraRAT include:
Recording phone calls
Capturing screenshots
Accessing device storage
Monitoring microphone activity

Attackers reportedly used honey-trap tactics, persuading targets through social engineering to install these apps.
http://darkreading.com/endpoint-security/caprarat-impersonates-youtube-hijack-android-devices


Exploiting Real-World Events
Both Indian and Pakistani cyber actors frequently exploit real-world geopolitical events to craft convincing phishing lures.
For example, after a terrorist attack in Pahalgam in 2025, researchers discovered phishing campaigns targeting Indian government personnel using documents themed around the incident.
These documents were designed to appear as official government communications, encouraging recipients to open malicious attachments that deployed Crimson RAT malware.
This tactic illustrates how threat actors leverage current events and public sentiment to increase the effectiveness of phishing operations.


The Role of Hacktivists and Disinformation
Alongside state-linked APT groups, hacktivist collectives also participate in the cyber conflict between India and Pakistan.
However, many hacktivist claims are exaggerated or misleading.
Investigations into several high-profile cyberattack claims found that:
Alleged data leaks often contained publicly available information
Website defacements were temporary
Reported DDoS attacks caused minimal disruption

In one case, authorities reported over 1.5 million attempted cyberattacks on Indian infrastructure, but only around 150 incidents were confirmed to have succeeded.
This demonstrates how cyber conflict often involves information warfare and propaganda alongside actual technical attacks.


Why South Asia Is Becoming a Cyber Espionage Hotspot
Several factors explain the increasing cyber activity in the region:
Strategic Rivalry
India and Pakistan maintain a long-standing geopolitical rivalry, making intelligence gathering a high priority.
Nuclear Capabilities
Both countries possess nuclear weapons, increasing the importance of monitoring military developments.
Digital Expansion
Rapid digitization of government services and infrastructure has expanded the attack surface.
Low-Cost Intelligence Gathering
Cyber espionage provides a relatively inexpensive method to collect strategic information without risking military escalation.


Conclusion
The cyber rivalry between India and Pakistan illustrates how geopolitical tensions are increasingly spilling into the digital domain. Both sides appear to support or tolerate cyber espionage campaigns designed to monitor strategic sectors and gather intelligence.
Recent campaigns such as the SloppyLemming espionage operation and the evolving activities of APT36 (Transparent Tribe) demonstrate the growing sophistication of South Asian cyber threat actors.
At the same time, the region's cyber conflict is characterized by a mixture of state-linked espionage, hacktivist activity, and information warfare, making attribution and impact assessment challenging.
As governments and critical infrastructure continue to digitize, South Asia is likely to remain a significant cyber espionage hotspot, with cyber operations playing an increasingly central role in regional security dynamics.
