A zero-day attack is defined as a cyber attack that happens when the vendor is unaware of any flaw or security vulnerability in the software, hardware, or firmware. The unknown or unaddressed vulnerability used in a zero-day attack is called a zero-day vulnerability.
What makes a zero-day attack lethal for organizations is:
– They are often targeted attacks launched before the vendor can release a fix for the security vulnerability.
– The malicious actor uses a zero-day exploit to plant malware, steal data, or exploit users, organizations, or systems as part of cyber espionage or warfare.
– They take days to contain, as the fix is yet to be released by the vendor.
Examples of Zero-Day Attacks in 2025
As per the India Cyber Threat Report 2025, these are the top zero-day attacks identified in 2024, detailing their nature, potential impacts, and associated CVE identifiers.
A severe remote command execution vulnerability that allows attackers to execute unauthorized shell commands due to improper input validation. While authentication is typically required, an associated authentication flaw enables attackers to bypass this requirement, facilitating full system compromise.
Microsoft Windows Shortcut Handler (CVE-2024-21412)
A critical security bypass vulnerability in Windows’ shortcut file processing. It enables remote code execution through specially crafted shortcut (.lnk) files, circumventing established security controls when users interact with these malicious shortcuts.
This Server-Side request forgery vulnerability in the SAML component allows attackers to initiate unauthorized requests through the application. Successful exploitation grants access to internal network resources and enables the forwarding of malicious requests, leading to broader network compromise.
Mozilla Firefox Animation Timeline Use-After-Free (CVE-2024-9680)
A use-after-free vulnerability in Firefox’s animation timeline component permits remote code execution when users visit specially crafted websites. This vulnerability can lead to full system compromise, posing significant security risks to users.
How Does a Zero-day Attack Work?
Step 1: Software code introduces a vulnerability without the developer realizing it.
Step 2: A malicious actor discovers this vulnerability and launches a targeted attack to exploit the code.
Step 3: The developer realizes there is a security vulnerability in the software yet does not have a patch ready to fix it.
Step 4: The developers release a security patch to close the security vulnerability.
Step 5: The developers deploy the security patch.
The gap between the zero-day attack and the developers deploying a security patch is enough for a successful attack and may lead to a ransomware demand, system infiltration, and sensitive data leak. So how do we protect against
Seqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign involves both credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and Indian Air Force (IAF) created shortly after the April 22, 2025 attack. This advisory describes the phishing PDF and the domains involved, which can be used to uncover similar activity, along with the macro-laced document used to deploy the group’s well-known Crimson RAT.
Analysis
The PDF in question was created on April 24, 2025, with the author listed as “Kalu Badshah”. The names used for this phishing document relate to the Indian Government’s response measures to the attack:
“Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf”
“Report Update Regarding Pahalgam Terror Attack.pdf”
The content of the document is masked, and the link embedded within the document is the primary vector for the attack. If clicked, it leads to a fake login page that is part of a social engineering effort to lure individuals. The embedded URL triggered is:
The domain mimics the legitimate Jammu & Kashmir Police website (jkpolice[.]gov[.]in), an official Indian police domain, but in the fake one that name is only a subdomain prefix of the attacker-controlled domain kashmirattack[.]exposed.
The addition of “kashmirattack” indicates a thematic connection to the sensitive geopolitical issue, in this case the recent attack in the Kashmir region. Once government credentials for @gov.in or @nic.in accounts are entered, they are sent directly back to the host. Pivoting on the author’s name, we observed multiple such phishing documents.
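A defender-side check for the subdomain trick described above, added here as an example and not part of the Seqrite advisory: it extracts the registrable (owner-controlled) domain of every host seen in a proxy log and flags hosts that carry a protected government domain as a leading label sequence while actually belonging to a different registrant. The miniature suffix list, the protected-domain list and the log lines are assumptions constructed for the example; a real deployment would load the full Public Suffix List.

```python
"""Flag look-alike hosts that embed a trusted domain as a subdomain prefix.

Added example, not part of the original advisory. Suffix list, protected
domains and the proxy log below are constructed stand-ins.
"""
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the sample.
PUBLIC_SUFFIXES = {"in", "gov.in", "nic.in", "com", "exposed"}

# Assumption: the organisation's own list of domains it wants to protect.
PROTECTED_DOMAINS = {"gov.in", "nic.in", "jkpolice.gov.in"}

URL_RE = re.compile(r"https?://[^\s/]+")

# Constructed proxy log lines; the first host is the one named in the advisory.
SAMPLE_PROXY_LOG = """\
2025-04-25T09:12:01Z user1 GET https://jkpolice[.]gov[.]in[.]kashmirattack[.]exposed/login
2025-04-25T09:15:44Z user2 GET https://mail.jkpolice.gov.in/owa/
2025-04-25T09:16:10Z user3 GET https://www.example.com/news
"""


def refang(text: str) -> str:
    """Turn the defanged 'a[.]b' notation back into 'a.b' and normalise case."""
    return text.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Longest known public suffix plus exactly one label in front of it."""
    labels = refang(host).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain).

    'trusted'       : the host really sits under a protected domain
    'impersonation' : a protected domain appears inside the name but the
                      host ends elsewhere, so someone else controls it
    'unrelated'     : no protected domain involved
    """
    h = refang(host)
    reg = registrable_domain(h)
    if any(h == p or h.endswith("." + p) for p in PROTECTED_DOMAINS):
        return "trusted", reg
    padded = "." + h + "."          # match whole labels only
    if any("." + p + "." in padded for p in PROTECTED_DOMAINS):
        return "impersonation", reg
    return "unrelated", reg


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (host, verdict, registrable_domain) for each URL in the log."""
    findings = []
    for line in text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(refang(m.group(0))).hostname or ""
        verdict, reg = classify_host(host)
        findings.append((host, verdict, reg))
    return findings


if __name__ == "__main__":
    for host, verdict, reg in scan_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:14} {host:45} registrant={reg}")
```

The whole-label check (`"." + p + "."`) is what separates `mail.jkpolice.gov.in` from `jkpolice.gov.in.kashmirattack.exposed`: the first ends with the protected name, the second merely contains it, so its registrable domain comes out as `kashmirattack.exposed`.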
Multiple names have been observed for each phishing document, referencing various government and defence meetings to lure the targets and showcasing how quickly the group crafts lures around ongoing events in the country:
Report & Update Regarding Pahalgam Terror Attack.pdf
Report Update Regarding Pahalgam Terror Attack.pdf
Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf
J&K Police Letter Dated 17 April 2025.pdf
ROD on Review Meeting held on 10 April 2025 by Secy DRDO.pdf
RECORD OF DISCUSSION TECHNICAL REVIEW MEETING NOTICE, 07 April 2025 (1).pdf
MEETING NOTICE – 13th JWG meeting between India and Nepal.pdf
Agenda Points for Joint Venture Meeting at IHQ MoD on 04 March 2025.pdf
DO Letter Integrated HQ of MoD dated 3 March.pdf
Collegiate Meeting Notice & Action Points MoD 24 March.pdf
Letter to the Raksha Mantri Office Dated 26 Feb 2025.pdf
pdf
Alleged Case of Sexual Harassment by Senior Army Officer.pdf
Agenda Points of Meeting of Dept of Defence held at 11March 25.html
Action Points of Meeting of Dept of Defence held at 10March 25.html
Agenda Points of Meeting of External Affairs Dept 10 March 25.pdf.html
PowerPoint PPAM Dropper
A PowerPoint add-in file with the same name as the phishing document, “Report & Update Regarding Pahalgam Terror Attack.ppam”, has been identified; it contains malicious macros. The macro extracts both embedded files into a hidden directory with a dynamically generated name under the user’s profile, selects the payload based on the Windows version, and finally opens the decoy file, which carries the same phishing URL, while executing the Crimson RAT payload.
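A triage routine for the dropper traits just described, added here as an example and not the advisory’s or Seqrite’s own tooling. A .ppam is an OOXML zip container, so the check lists its parts, notes whether a VBA project is present and inspects any embedded OLE objects for the DOS-stub string that nearly every PE file carries. The .ppam it inspects is a constructed stand-in built in memory with the usual part names; the real sample is not reproduced here.

```python
"""Triage a .ppam for VBA macros plus embedded OLE objects wrapping a PE.

Added example, not part of the original advisory. The add-in built by
build_sample_ppam() is constructed for the demonstration.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # compound-file header
DOS_STUB = b"This program cannot be run in DOS mode"   # found in most PE files


def build_sample_ppam() -> bytes:
    """Constructed .ppam: a VBA project and two embedded objects, one of
    which wraps a PE-looking blob (assumption: mirrors the dropper layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/presentation.xml", "<presentation/>")
        z.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
        z.writestr("ppt/embeddings/oleObject1.bin",
                   OLE_MAGIC + b"\x00" * 64 + b"MZ\x90\x00" + DOS_STUB)
        z.writestr("ppt/embeddings/oleObject2.bin",
                   OLE_MAGIC + b"\x00" * 64 + b"%PDF-1.7 decoy document")
    return buf.getvalue()


def triage_ppam(data: bytes) -> dict:
    """Walk the zip container and report macro / embedded-object indicators."""
    result = {"has_vba": False, "embedded": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                result["has_vba"] = True
            elif "/embeddings/" in lower:
                blob = z.read(name)
                result["embedded"].append({
                    "name": name,
                    "is_ole": blob.startswith(OLE_MAGIC),
                    "looks_like_pe": DOS_STUB in blob,
                })
    pe_objects = [e for e in result["embedded"] if e["looks_like_pe"]]
    if result["has_vba"] and pe_objects:
        result["verdict"] = "suspicious: macros plus embedded executable"
    elif result["has_vba"] or result["embedded"]:
        result["verdict"] = "review: macros or embedded objects present"
    return result


if __name__ == "__main__":
    report = triage_ppam(build_sample_ppam())
    print(report["verdict"])
    for entry in report["embedded"]:
        print(entry)
```

The check stops at presence: it does not decompress the VBA project, so pair it with a macro extractor such as oletools’ olevba when a file is flagged. Embedded objects that are themselves compressed or encoded will not show the DOS stub, which is why the weaker “review” verdict still fires on any embedded object beside a macro project.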
The final Crimson RAT payload has the internal name “jnmxrvt hcsm.exe” and is dropped as “WEISTT.jpg”, with a similar PDB convention:
All three RAT payloads have a compilation timestamp of 2025-04-21, just before the Pahalgam terror attack. As usual, the hardcoded default IP is present as a decoy, and the actual C2 after decoding is 93.127.133[.]58. Apart from retrieving system and user information, the RAT supports the following 22 commands for command and control.
Command           Functionality
procl / getavs    Get a list of all processes
endpo             Kill process based on PID
scrsz             Set screen size to capture
cscreen           Get screenshot
dirs              Get all disk drives
stops             Stop screen capture
filsz             Get file information (name, creation time, size)
dowf              Download the file from C2
cnls              Stop uploading, downloading and screen capture
scren             Get screenshots continuously
thumb             Get a thumbnail of the image as a GIF of size 200×150
putsrt            Set persistence via Run registry key
udlt              Download & execute file from C2 with ‘vdhairtn’ name
delt              Delete file
file              Exfiltrate the file to C2
info              Get machine info (computer name, username, IP, OS name, etc.)
runf              Execute command
afile             Exfiltrate file to C2 with additional information
listf             Search files based on extension
dowr              Download file from C2 (no execution)
fles              Get the list of files in a directory
fldr              Get the list of folders in a directory
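The command names above are the kind of artefact a defender turns into a string-based hunting rule. The example below, added here and not taken from the advisory, searches a sample for those tokens in both ASCII and UTF-16LE (the encoding .NET binaries use for string literals) and scores only the unusual spellings, since tokens such as “file”, “info”, “dirs”, “thumb” and “stops” occur in almost any program. The blobs it scans are constructed stand-ins for a string table; the threshold of five distinctive hits is an assumption to tune against your own sample set.

```python
"""Score a sample by how many distinctive Crimson RAT command tokens it holds.

Added example, not part of the original advisory. The blobs built by
build_sample_blob() are constructed; real use scans files from disk.
"""

# Command names from the table above (procl / getavs is one row, two names).
CRIMSON_RAT_COMMANDS = [
    "procl", "getavs", "endpo", "scrsz", "cscreen", "dirs", "stops", "filsz",
    "dowf", "cnls", "scren", "thumb", "putsrt", "udlt", "delt", "file", "info",
    "runf", "afile", "listf", "dowr", "fles", "fldr",
]

# Ordinary words that would fire on benign binaries; they are matched but not scored.
COMMON_WORDS = {"dirs", "stops", "thumb", "file", "info"}
DISTINCTIVE = set(CRIMSON_RAT_COMMANDS) - COMMON_WORDS

# Assumption: five distinctive tokens co-occurring is a reasonable hunting threshold.
SCORE_THRESHOLD = 5


def find_rat_commands(blob: bytes) -> set[str]:
    """Return every command name present as ASCII or UTF-16LE bytes."""
    hits = set()
    for cmd in CRIMSON_RAT_COMMANDS:
        for encoding in ("ascii", "utf-16-le"):
            if cmd.encode(encoding) in blob:
                hits.add(cmd)
                break
    return hits


def assess(blob: bytes) -> tuple[int, bool]:
    """(number of distinctive tokens found, whether the threshold was reached)."""
    score = len(find_rat_commands(blob) & DISTINCTIVE)
    return score, score >= SCORE_THRESHOLD


def build_sample_blob(tokens: list[str], encoding: str = "utf-16-le") -> bytes:
    """Constructed stand-in for a binary's string table."""
    filler = b"\x00" * 8
    return filler.join(t.encode(encoding) for t in tokens) + filler


if __name__ == "__main__":
    rat_like = build_sample_blob(
        ["procl", "endpo", "scrsz", "cscreen", "putsrt", "udlt", "runf", "file", "info"])
    benign = build_sample_blob(["file", "info", "dirs", "thumb"], "ascii")
    print("rat-like:", assess(rat_like))
    print("benign:  ", assess(benign))
```

Substring matching on five-letter tokens is deliberately loose; the scoring is what keeps the false-positive rate workable, and a hit should be followed by the usual confirmation (the decoded C2 address and the hidden profile directory described above are stronger indicators than any single string).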
Infrastructure and Attribution
The phishing domains identified through hunting were created just one or two days after the documents were created.
Domain: jkpolice[.]gov[.]in[.]kashmirattack[.]exposed
Creation: 2025-04-24
IP: 37.221.64.134, 78.40.143.189
ASN: AS 200019 (Alexhost Srl), AS 45839 (Shinjiru Technology)
This kind of attack is typical in hacktivism, where the goal is to create chaos or spread a political message by exploiting sensitive or emotionally charged issues. In this case, the threat actor is exploiting existing tensions surrounding Kashmir to maximize the impact of their campaign and extract intelligence around these issues.
The suspicious domains are part of a phishing and disinformation infrastructure consistent with tactics previously used by APT36 (Transparent Tribe) that has a long history of targeting:
Indian military personnel
Government agencies
Defense and research organizations
Activists and journalists focused on Kashmir
PPAM files have been used for initial access for many years to embed malicious executables as OLE objects. Domain impersonation, creating deceptive URLs that mimic Indian government or military infrastructure, has been seen consistently since last year. The group often exploits sensitive topics such as the Kashmir conflict, border skirmishes, and military movements to craft lures for spear-phishing campaigns. Hence these campaigns, which delivered Crimson RAT hidden behind fake documents or malicious links on spoofed domains, are attributed to APT36 with high confidence.
Potential Impact: Geopolitical and Cybersecurity Implications
The combination of a geopolitical theme and cybersecurity tactics suggests that this document is part of a broader disinformation campaign. The reference to Kashmir, a region with longstanding political and territorial disputes, indicates the attacker’s intention to exploit sensitive topics to stir unrest or create division.
Additionally, using PDF files as a delivery mechanism for malicious links is a proven technique aiming to influence public perception, spread propaganda, or cause disruptions. Here’s how the impact could manifest:
Disruption of Sensitive Operations: If an official or government worker were to interact with this document, it could compromise their personal or organizational security.
Information Operations: The document could lead to the exposure of sensitive documents or the dissemination of false information, thereby creating confusion and distrust among the public.
Espionage and Data Breaches: The phishing attempt could ultimately lead to the theft of sensitive data or the deployment of malware within the target’s network, paving the way for further exploitation.
Recommendations
Email & Document Screening: Implement advanced threat protection to scan PDFs and attachments for embedded malicious links or payloads.
Restrict Macro Execution: Disable macros by default, especially from untrusted sources, across all endpoints.
Network Segmentation & Access Controls: Limit access to sensitive systems and data; apply the principle of least privilege.
User Awareness & Training: Conduct regular training on recognizing phishing, disinformation, and geopolitical manipulation tactics.
Incident Response Preparedness: Ensure a tested response plan is in place for phishing, disinformation, or suspected nation-state activity.
Threat Intelligence Integration: Leverage geopolitical threat intel to identify targeted campaigns and proactively block indicators of compromise (IOCs).
Monitor for Anomalous Behaviour: Use behavioural analytics to detect unusual access patterns or data exfiltration attempts.