Prittle Prattle News


Operation Sindoor: Inside the Coordinated Cyber Offensive That Targeted India’s Digital Infrastructure

State-sponsored threat actors and hacktivists converged to launch one of the most synchronized cyber disruptions witnessed in Indian cyberspace

A joint threat report by Seqrite Labs and Quick Heal Technologies has confirmed that a cyber campaign dubbed Operation Sindoor disrupted critical Indian digital infrastructure through a wave of highly targeted, hybrid warfare tactics. The coordinated campaign unfolded from 5 to 11 May 2025 and involved advanced persistent threat actors, Telegram-coordinated hacktivist groups, and data manipulation operations aimed at undermining trust in India’s cybersecurity readiness.
Triggered initially by spear-phishing attacks masquerading as official defense documents, the campaign rapidly escalated into defacement of government websites, denial-of-service attacks on telecom and finance platforms, and the deployment of modular malware by Pakistan-linked threat groups.

Operation Timeline and Attack Vectors
The earliest signals appeared on April 17 when Indian cybersecurity systems flagged anomalous traffic targeting mail servers and defense networks. The payloads were disguised as documents tied to sensitive topics. Files titled “Final_List_of_OGWs.xlam” and “Pahalgam_Incident_Timeline.pptx.lnk” weaponized public narratives around recent terror incidents to lure users into executing macros that enabled command-and-control activity.
Between May 5 and May 11, Seqrite telemetry recorded over 650 confirmed incidents involving website defacements and distributed denial-of-service attacks. Key infrastructure systems across telecom, healthcare, education, and defense were disrupted during this window.

APT36: From Crimson to Ares
Advanced Persistent Threat 36 (APT36), a Pakistan-aligned actor previously known for deploying Crimson RAT, has evolved. The report reveals that APT36 shifted to a more evasive malware framework named Ares, which enabled full remote access to compromised systems, including keylogging, screen capture, credential theft, and file manipulation.
The group used spear-phishing attachments containing malicious macro-enabled file types such as .ppam, .xlam, .msi, and .lnk. These files triggered web requests to domains like fogomyart[.]com and callback communications to 167.86.97[.]58:17854. Payloads were delivered through spoofed Indian-sounding domains like nationaldefensecollege[.]com and zohidsindia[.]com.
APT36 employed techniques that included obfuscated PowerShell execution, scheduled tasks for persistence, and use of signed binaries (LOLBins) to avoid detection.

Hacktivist Coordination Through Telegram and Dark Web
While APT36 carried out espionage-grade intrusions, parallel disruptions were launched by a shadow network of hacktivists across Asia, Europe, and the Middle East. More than 35 groups participated, many of which used Telegram to synchronize attacks under banners like #OpIndia and #OperationSindoor.
These collectives executed simultaneous DDoS waves, defacements, and credential leaks. Groups like Mr. Hamza, Nation of Saviors, Keymous+, and the Islamic Hacker Army were involved, with coordinated actions across Indian defense, telecom, and media entities.
A timeline visual on page 5 of the report shows how these groups launched phase-wise attacks beginning at 1:52 AM IST on May 7, with escalating strikes every 60 to 90 minutes.

Infrastructure Deception and Digital Spoofing
Domains registered under names such as pahalgamattack[.]com and sindoor[.]website were used to serve payloads and redirect traffic. These domains mimicked military and disaster response infrastructure, exploiting trust and urgency among users.
As per the report, VPS infrastructure used for command-and-control originated from Russia, Germany, Indonesia, and Singapore, pointing to a globally distributed, anonymized attack platform.
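
As an added illustration (not part of the article or the Seqrite report), the Python below turns the defanged indicators and lure file types quoted in the APT36 and Infrastructure Deception sections into a small triage watchlist run over constructed proxy/DNS log lines and attachment names; the log lines and attachment list are constructed samples, not report telemetry.

```python
import re

# Indicators exactly as printed (defanged) in the article's APT36 and
# Infrastructure Deception sections.
DEFANGED_IOCS = [
    "fogomyart[.]com",
    "167.86.97[.]58:17854",
    "nationaldefensecollege[.]com",
    "zohidsindia[.]com",
    "pahalgamattack[.]com",
    "sindoor[.]website",
]
# Attachment types the report names as APT36 lure carriers.
LURE_EXTENSIONS = (".ppam", ".xlam", ".msi", ".lnk")

# Constructed sample telemetry (not from the report); timestamps mirror the
# 1:52 AM IST first wave the article mentions.
SAMPLE_LOG_LINES = [
    "2025-05-07T01:52:10+05:30 proxy CONNECT 167.86.97.58:17854 src=10.0.4.21",
    "2025-05-07T01:53:02+05:30 dns query nationaldefensecollege.com src=10.0.4.21",
    "2025-05-07T02:10:44+05:30 dns query updates.example.org src=10.0.4.8",
]
SAMPLE_ATTACHMENTS = [
    "Final_List_of_OGWs.xlam",
    "Pahalgam_Incident_Timeline.pptx.lnk",
    "quarterly_budget.xlsx",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable string."""
    return ioc.replace("[.]", ".")

def is_lure_attachment(filename: str) -> bool:
    """True for the loader extensions above, including double-extension lures
    such as 'x.pptx.lnk' where the operative extension is the last one."""
    return filename.lower().endswith(LURE_EXTENSIONS)

def match_iocs(line: str) -> list:
    """Return refanged IoCs present in one log line, matched on token
    boundaries so that 'notfogomyart.com' is not counted as a hit."""
    hits = []
    for ioc in map(refang, DEFANGED_IOCS):
        if re.search(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w-])", line):
            hits.append(ioc)
    return hits

def triage(log_lines, attachments) -> list:
    """Collect (kind, evidence, detail) findings worth escalating to an analyst."""
    findings = [("ioc", ln, hits) for ln in log_lines if (hits := match_iocs(ln))]
    findings += [("lure", name, None) for name in attachments if is_lure_attachment(name)]
    return findings
```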

Targeted Sectors and Confirmed Impact
The campaign focused its attacks on eight key verticals. According to a sectoral pie chart on page 6, the highest impact was reported in:

  • Defense and military institutions including MoD, Army, Navy, and DRDO
  • Government IT systems like NIC and GSTN
  • Telecom providers including Jio and BSNL
  • Healthcare facilities such as AIIMS and DRDO hospitals
  • Educational boards and state-run university websites

In several cases, attacker groups successfully defaced public portals and leaked internal credentials on public channels and forums.

Custom Malware and Detection Rules
The forensic breakdown identifies six custom detection signatures used by Ares and SideCopy loaders. Among them:

  • BAT.Sidecopy.49534.GC: loader script
  • LNK.Sidecopy.49535.GC: shortcut-based macro injector
  • MSI.Trojan.49537.GC: installation-based Trojan
  • HTML.Trojan.49539.GC: credential harvesting form

These were detected and neutralized by 26 detection rules deployed across Seqrite XDR and endpoint products, which were pushed via emergency advisories between May 7 and May 10.

Research Reflections and National Implications
The Seqrite team noted that this attack demonstrated how hybrid threat models now involve both technical intrusions and psychological warfare. Operation Sindoor represents one of the most digitally coordinated geopolitical offensives in South Asia’s recent cyber history.
The campaign blurred the line between espionage and hacktivism, with strategic use of fake domains, document impersonation, and timed strikes. The psychological objective appeared to be the erosion of public trust in digital systems, amplified through visible defacements and delays in public services.

Post-Campaign Analysis and National Response
In its conclusion, Seqrite Labs emphasized the need for deeper integration between government and private cybersecurity operations. Enhanced threat intelligence capabilities, rapid incident response playbooks, and hardening of public-facing infrastructure were recommended as immediate priorities.
Cybersecurity agencies have since deployed forensic audits across the most affected domains and are investigating potential data exfiltration channels. Reports suggest that sensitive internal documents and access credentials were extracted from several critical systems.
Seqrite is the enterprise cybersecurity arm of Quick Heal Technologies. It offers endpoint, network, and cloud protection to businesses and government institutions in over 80 countries. The company operates multiple threat intelligence centers and regularly issues public threat advisories through its blog and STIX/MISP integrations.
