Threat Emulation: APT36

Welcome to the July 2023 SCYTHE #ThreatThursday! This edition features an APT-36 plan based on Poseidon malware research from Uptycs.

Executive Summary

APT-36 is a Pakistan-based advanced persistent threat group that has been active since at least 2013, targeting primarily Indian government organizations, military personnel, and defense contractors. This threat actor is known for creating fake websites and documents that mimic legitimate government sites to obtain user credentials or deliver their payloads. Abuse of the Google Ads paid search feature allows for prioritization of the malicious sites as a way to direct unsuspecting users to download their backdoored variant of Indian government applications. Over the last year researchers have observed this group most notably moving towards deploying small, bespoke stagers or downloaders which they can easily modify. This in turn leads to more agile and flexible operations. Prior to Poseidon, the group primarily used Windows-based malware families to carry out their espionage activities against their targets.

Cyber Threat Intelligence


APT-36 utilized a backdoored version of the Kavach authentication tool to deliver their Poseidon malware payload, specifically targeting Linux users at Indian government agencies. Kavach is a two-factor authentication system provided by the Indian government for secure email access. When the user interacts with the malicious version of Kavach, Poseidon is downloaded in the background via a wget request and a crontab created to periodically log the victim’s machine login name. A C2 connection is created and the attacker can leverage the backdoor to perform a variety of capabilities (keylogging, download additional stagers, screen capture, etc).


  • Transparent Tribe
  • Mythic Leopard
  • ProjectM


  • Indian government organizations, military personnel, and defense contractors
    • Specifically Linux users in this case


  • Cyber espionage
  • Information theft


Poseidon is a second-stage payload that is a general purpose backdoor providing a range of functionalities:

  • Keylogging
  • Screen capture
  • File upload/download
  • Remote system administration

SCYTHE Customers can read the full write-up and download this month’s plan in the customer portal.

Happy Hunting! : )



Latest Posts

Threat Thursday: February
February 22,2024
Threat Thursday: January
January 18,2024