India has officially entered a new era of digital governance with the enactment of the Digital Personal Data Protection (DPDP) Act, 2023. For businesses, the clock is ticking.
The Act mandates how organizations handle personal data and introduces significant penalties for non-compliance. It’s not just an IT issue anymore; it’s a boardroom concern that cuts across legal, HR, marketing, and product teams.
This blog provides an essential compliance checklist to help Indian businesses understand and align with the DPDP Act before enforcement begins.
Understand What Qualifies as Digital Personal Data
Under the DPDP Act, personal data refers to any data about an identifiable individual. The law applies to data:
Collected digitally, or
Digitized from non-digital sources and then processed.
Whether you’re storing customer details, employee information, or vendor records, it’s covered if it’s personal and digital.
Appoint a Data Protection Officer (DPO)
You’ll need a Data Protection Officer (DPO) if your organization processes large volumes of personal data. This person must:
Act as the point of contact for the Data Protection Board of India.
Ensure compliance across departments.
Handle grievance redressal from data principals (users).
Map and Classify Your Data
Before securing or managing personal data, you must know what you have. Conduct a complete data discovery and classification exercise:
Identify where personal data resides (servers, cloud apps, local drives).
Categorize it by sensitivity and usage.
Tag data to individuals (data principals) and note the purpose of collection.
This is foundational to compliance, enabling you to correctly apply retention, consent, and deletion rules.
Implement Robust Consent Mechanisms
The DPDP Act emphasizes informed, specific, and granular consent. Ensure your systems can:
Capture affirmative user consent before data collection.
Clearly state the purpose for which the data is collected.
Allow easy withdrawal of consent at any time.
Dark patterns, pre-checked boxes, or vague terms won’t cut it anymore.
Enable Data Principal Rights
The Act grants every individual (data principal) the right to:
Know what personal data is being collected.
Access and correct their data.
Request deletion of their data.
Nominate someone to exercise rights posthumously.
You must build systems that can fulfill such requests within a reasonable timeframe. A sluggish or manual process here could result in reputational damage and fines.
Revamp Your Privacy Policy
Your privacy policy must reflect your compliance posture. It should be:
Written in clear, simple language (avoid legalese).
Updated to include new consent practices and rights.
Accessible on all platforms where data is collected.
Transparency builds trust and aligns with the DPDP mandate for fair processing.
Review and Redefine Data Sharing Agreements
If your company works with third parties (vendors, cloud providers, agencies), it’s time to revisit all data processing agreements:
Ensure contracts specify responsibilities and liabilities under the DPDP Act.
Avoid sharing data with parties that cannot ensure compliance.
Include clauses about breach notification and data retention.
Establish a Breach Response Protocol
The law mandates reporting data breaches to the Data Protection Board and affected users. Prepare by:
Setting up a dedicated incident response team.
Creating SOPs for breach detection, containment, and reporting.
Running breach simulation drills for preparedness.
Time is critical; delays in breach reporting can attract harsh penalties.
Train Your Teams
Compliance isn’t just about tools; it’s about people. Conduct mandatory training sessions for all employees, especially those in:
IT and data management
Sales and marketing (who handle customer data)
HR (who manage employee records)
Awareness is your first line of defense against accidental data misuse.
Invest in Technology for Automation and Governance
Manual compliance is error-prone and unsustainable. Consider deploying:
Data Discovery & Classification tools to auto-tag and manage personal data.
Consent Management Platforms (CMPs) to handle user permissions.
Access Control & Encryption solutions to protect data at rest and in transit.
Platforms like Seqrite Data Privacy offer end-to-end visibility and control, ensuring you stay audit-ready and compliant.
The Bottom Line
The DPDP Act is not a one-time checkbox—it demands continuous, demonstrable accountability. Indian businesses must view it as a catalyst for digital transformation, not just a regulatory hurdle.
By acting now, you avoid penalties and earn consumer trust in an era where privacy is a competitive differentiator.
Is your business ready for the DPDP Act? Talk to Seqrite today to explore how our data privacy solutions can streamline your compliance journey.
Seqrite Labs APT team has discovered “Pahalgam Terror Attack” themed documents being used by the Pakistan-linked APT group Transparent Tribe (APT36) to target Indian Government and Defense personnel. The campaign involves both credential phishing and deployment of malicious payloads, with fake domains impersonating Jammu & Kashmir Police and the Indian Air Force (IAF) created shortly after the April 22, 2025 attack. This advisory describes the phishing PDFs and the domains used, so that similar activity can be uncovered, along with the macro-laced document used to deploy the group’s well-known Crimson RAT.
Analysis
The PDF in question was created on April 24, 2025, with the author listed as “Kalu Badshah”. The file names of this phishing document refer to the Indian Government’s response measures to the attack:
“Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf”
“Report Update Regarding Pahalgam Terror Attack.pdf”
The content of the document is masked and the link embedded within the document is the primary vector for the attack. If clicked, it leads to a fake login page which is part of a social engineering effort to lure individuals. The embedded URL triggered is:
The domain mimics the legitimate Jammu & Kashmir Police website (jkpolice[.]gov[.]in), an official Indian police site, but the fake one appends kashmirattack[.]exposed, so the familiar-looking name is merely a subdomain of the attacker-controlled domain.
The addition of “kashmirattack” indicates a thematic connection to the sensitive geopolitical issue, in this case, related to the recent attack in the Kashmir region. Once the government credentials are entered for @gov.in or @nic.in, they are sent directly back to the host. Pivoting on the author’s name, we observed multiple such phishing documents.
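The lookalike pattern described above (a legitimate hostname used as the leading labels of an attacker-registered domain) can be caught in proxy or DNS logs without any signature for the specific domain. The following is an added example, not Seqrite’s code; it assumes gov.in and nic.in as extra allow-list entries alongside jkpolice.gov.in from the page, and the proxy log lines are constructed.

```python
from urllib.parse import urlsplit

# Hostnames the campaign imitates. jkpolice.gov.in is on the page; gov.in and
# nic.in are assumed entries standing in for an organisation's own allow-list.
TRUSTED_HOSTS = ("jkpolice.gov.in", "gov.in", "nic.in")

def refang(value: str) -> str:
    """Turn defanged indicators (jkpolice[.]gov[.]in, hxxps://) back into real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def host_of(url_or_host: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare hostname."""
    s = refang(url_or_host.strip())
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare hostname as the netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()

def classify(url_or_host: str) -> str:
    """'trusted' (the name itself or a genuine subdomain of it), 'impersonation'
    (trusted labels appear up front but the host ends in another domain, as in
    jkpolice.gov.in.kashmirattack.exposed), or 'unrelated'."""
    host = host_of(url_or_host)
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_HOSTS:
        hyphenated = trusted.replace(".", "-")  # e.g. jkpolice-gov-in.example
        if host.startswith((trusted + ".", hyphenated + ".")) or ("." + trusted + ".") in host:
            return "impersonation"
    return "unrelated"

# Constructed proxy log lines (not from the advisory): timestamp, user, URL.
SAMPLE_PROXY_LOG = """\
2025-04-25T09:12:03Z user1 https://jkpolice.gov.in/notices
2025-04-25T09:15:41Z user2 https://jkpolice.gov.in.kashmirattack.exposed/login
2025-04-25T09:16:10Z user3 https://mail.nic.in/
2025-04-25T09:20:55Z user4 https://example.org/report.pdf
"""

def find_impersonations(log_text: str) -> list:
    """Return (user, host) pairs for lines whose URL impersonates a trusted host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and classify(parts[2]) == "impersonation":
            hits.append((parts[1], host_of(parts[2])))
    return hits

if __name__ == "__main__":
    for user, host in find_impersonations(SAMPLE_PROXY_LOG):
        print(f"ALERT {user} -> {host}")
```

The check deliberately flags the hyphen-joined variant (jkpolice-gov-in.example) as well, which goes slightly beyond the single pattern seen in this campaign.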
Multiple names have been observed for the phishing documents, each referring to various government and defence meetings to lure the targets, which shows how quickly the group crafts lures around ongoing events in the country:
Report & Update Regarding Pahalgam Terror Attack.pdf
Report Update Regarding Pahalgam Terror Attack.pdf
Action Points & Response by Govt Regarding Pahalgam Terror Attack .pdf
J&K Police Letter Dated 17 April 2025.pdf
ROD on Review Meeting held on 10 April 2025 by Secy DRDO.pdf
RECORD OF DISCUSSION TECHNICAL REVIEW MEETING NOTICE, 07 April 2025 (1).pdf
MEETING NOTICE – 13th JWG meeting between India and Nepal.pdf
Agenda Points for Joint Venture Meeting at IHQ MoD on 04 March 2025.pdf
DO Letter Integrated HQ of MoD dated 3 March.pdf
Collegiate Meeting Notice & Action Points MoD 24 March.pdf
Letter to the Raksha Mantri Office Dated 26 Feb 2025.pdf
pdf
Alleged Case of Sexual Harassment by Senior Army Officer.pdf
Agenda Points of Meeting of Dept of Defence held at 11March 25.html
Action Points of Meeting of Dept of Defence held at 10March 25.html
Agenda Points of Meeting of External Affairs Dept 10 March 25.pdf.html
PowerPoint PPAM Dropper
A PowerPoint add-on file with the same name as the phishing document, “Report & Update Regarding Pahalgam Terror Attack.ppam”, has been identified which contains malicious macros. It extracts both embedded files into a hidden directory with a dynamic name under the user’s profile, selects the payload based on the Windows version, and eventually opens the decoy file (which carries the same phishing URL) while executing the Crimson RAT payload.
The final Crimson RAT has the internal name “jnmxrvt hcsm.exe” and is dropped as “WEISTT.jpg”, following a similar PDB convention:
All three RAT payloads have a compilation timestamp of 2025-04-21, just before the Pahalgam terror attack. As usual, the hardcoded default IP is present as a decoy; the actual C2 after decoding is 93.127.133[.]58. Apart from retrieving system and user information, the RAT supports the following 22 commands for command and control:
Command          Functionality
procl / getavs   Get a list of all processes
endpo            Kill process based on PID
scrsz            Set screen size to capture
cscreen          Get screenshot
dirs             Get all disk drives
stops            Stop screen capture
filsz            Get file information (Name, Creation Time, Size)
dowf             Download the file from C2
cnls             Stop uploading, downloading and screen capture
scren            Get screenshots continuously
thumb            Get a thumbnail of the image as GIF with size 200×150
putsrt           Set persistence via Run registry key
udlt             Download & execute file from C2 with ‘vdhairtn’ name
delt             Delete file
file             Exfiltrate the file to C2
info             Get machine info (Computer name, username, IP, OS name, etc.)
runf             Execute command
afile            Exfiltrate file to C2 with additional information
listf            Search files based on extension
dowr             Download file from C2 (No execution)
fles             Get the list of files in a directory
fldr             Get the list of folders in a directory
Infrastructure and Attribution
The phishing domains identified through hunting were created just one or two days after the documents.
Domain                                          Creation     IP               ASN
jkpolice[.]gov[.]in[.]kashmirattack[.]exposed   2025-04-24   37.221.64.134    AS 200019 (Alexhost Srl)
                                                             78.40.143.189    AS 45839 (Shinjiru Technology)
This kind of attack is typical in hacktivism, where the goal is to create chaos or spread a political message by exploiting sensitive or emotionally charged issues. In this case, the threat actor is exploiting existing tensions surrounding Kashmir to maximize the impact of their campaign and extract intelligence around these issues.
The suspicious domains are part of a phishing and disinformation infrastructure consistent with tactics previously used by APT36 (Transparent Tribe), a group with a long history of targeting:
Indian military personnel
Government agencies
Defense and research organizations
Activists and journalists focused on Kashmir
PPAM files have been used for initial access for many years to embed malicious executables as OLE objects. Domain impersonation, creating deceptive URLs that mimic Indian government or military infrastructure, has been seen consistently since last year. The group often exploits sensitive topics such as the Kashmir conflict, border skirmishes, and military movements to create lures for spear-phishing campaigns. Hence these campaigns, which delivered Crimson RAT hidden behind fake documents or malicious links on spoofed domains, are attributed to APT36 with high confidence.
Potential Impact: Geopolitical and Cybersecurity Implications
The combination of a geopolitical theme and cybersecurity tactics suggests that this document is part of a broader disinformation campaign. The reference to Kashmir, a region with longstanding political and territorial disputes, indicates the attacker’s intention to exploit sensitive topics to stir unrest or create division.
Additionally, using PDF files as a delivery mechanism for malicious links is a proven technique for influencing public perception, spreading propaganda, or causing disruption. The impact could manifest as follows:
Disruption of Sensitive Operations: If an official or government worker were to interact with this document, it could compromise their personal or organizational security.
Information Operations: The document could lead to the exposure of sensitive documents or the dissemination of false information, thereby creating confusion and distrust among the public.
Espionage and Data Breaches: The phishing attempt could ultimately lead to the theft of sensitive data or the deployment of malware within the target’s network, paving the way for further exploitation.
Recommendations
Email & Document Screening: Implement advanced threat protection to scan PDFs and attachments for embedded malicious links or payloads.
Restrict Macro Execution: Disable macros by default, especially from untrusted sources, across all endpoints.
Network Segmentation & Access Controls: Limit access to sensitive systems and data; apply the principle of least privilege.
User Awareness & Training: Conduct regular training on recognizing phishing, disinformation, and geopolitical manipulation tactics.
Incident Response Preparedness: Ensure a tested response plan is in place for phishing, disinformation, or suspected nation-state activity.
Threat Intelligence Integration: Leverage geopolitical threat intel to identify targeted campaigns and proactively block indicators of compromise (IOCs).
Monitor for Anomalous Behaviour: Use behavioural analytics to detect unusual access patterns or data exfiltration attempts.