India-Pak Cyber warfare continues, Kavach 2FA phishing attack targets Indian Government Officials

Cyber Warfare Asia
3 min readMar 16, 2023

As long as one may recall the history, post cyber world, one will find a long list of attacks done by Pakistan and India to gather intelligence that can be used against each other.

Recently, the mandatory made two factor authentication solution (2FA) called Kavach falls a victim of malicious phishing campaign, STEPPY#KAVACH that aims at stealing credentials of Indian government employees.

As per cybersecurity group, Securonix, the threat actor has a lot of similarity with the pattern of SideCopy APT, based out of Pakistan.

The threat actor has been executing discreet attacks to steal credential by cloning Indian government’s official websites making them land on the login page where they would use the mandatory process and input their data.

As per the technical report published by Securonix, “LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)”.


This is not entirely a new practice. Kavach based entice apps have been co-opted by another threat actor, Transparent Tribe in its attacks targeting India since the start of the year. Transparent Tribe is also known as APT36,Operation C-Major, and Mythic Leopard, a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.

It’s also known to impersonate attack chains leveraged by Indian APT groups SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based military entities, to deploy its own toolset. SideWinder which has become infamous for targeting the governments and enterprises in South Asia and East Asia since 2012.

Alike Pakistan, Indian threat actors including Phronesis, BellTrox, CyberRoot risk advisory, White Int, Secfence Technologies, Innefu labs etc have also been in news for launching various attacks against Indian rival nations.

One of the pioneers that have held its ground in this warfare is cyber intelligence firm Phronesis. The company was founded by Indian security experts Retd. Brigadier Bryan Miranda and Ram Chhillar. Monsoon APT is one of their most talked about campaigns against Pakistan and Chinese nationals which are of great interest to Indian govt intelligence services.

Among new actors is Delhi-based BellTrox run by Sumit Gupta which was behind spying on US environmental activists, lawyers and its involvement in Dark Basin APT.

Another Indian company that positioned itself in this space is CyberRootRisk Advisory, founded by Vibhor Sharma. It provides cyber forensics investigation, penetration testing, physical access control and security testing, wireless security, network security and mobile application audit.After its exposure in Farhad Azima case Indian RAW team paid a visit to CyberRoot, a company that provides hacking services, to ask it to ease up on its informational campaigns relating to this case.

Aditya Jain cofounder of WhiteInt situated in Gurugram, India which get famous after its name appear on Farhad Azima case for illegal hacking his mails. Jain had also worked for Western and particularly British intelligence companies involved in major commercial disputes.

India’s Innefu Lab founded by Tarun Wig and Abhishek Sharma in 2010.It has developed a niche in the indigenous Artificial Intelligence Products and provides services for law enforcement.APT-C-35 is its most popular campaign.

MiroxIndia founded by Rajesh Babu situated in Kerala. It is one the leading and fastest growing CERT-In Empanelled Security Auditor, Cyber Security Service & Solution Company providing Vulnerability Assessment & Penetration Testing, Security Testing, Assessment & Consultancy, Security Audit, Research and Development.

Secfence Technologies, headed by Atul Agarwal, explained that the vision of the company was to stand out from the big suppliers of vulnerabilities and develop advanced cyber-offensive operations for their clients that are harder to detect. It has been executing various state backed cyber surveillance operations in India and Middle East.

This indicates that Asian cyber actors have setting new standards with every passing day in the dynamic changing geo-political sphere. They are now also eyeing foreign markets by signing agreements and contracts.



Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia