Cyber Espionage Campaign Targeting Indian Government and Universities Uncovered.
On December 23, 2025, cybersecurity firm Cyfirma reported a cyber espionage campaign by APT36 (Transparent Tribe), a Pakistan-aligned group, targeting Indian government entities, the defense sector, universities, and other strategic institutions. The operation, first observed on December 15, begins with spear-phishing emails carrying ZIP archives. Each archive contains a malicious Windows shortcut (LNK) file named to look like a PDF, for example "Online JLPT Exam Dec 2025.pdf.lnk". Because Windows hides the .lnk extension of shortcut files by default, the recipient sees only what appears to be a PDF.

Opening the shortcut launches mshta.exe, which runs a fileless HTA loader. The loader decrypts two payloads, referred to as ReadOnly and WriteOnly, that together deliver a remote access trojan (RAT). The RAT gives the operators remote control of the host, captures screenshots, monitors the clipboard to steal credentials and cryptocurrency wallet data, exfiltrates data over AES-encrypted command-and-control (C2) traffic to 2.56.10.86:8621, and maintains persistence using techniques that adapt to the antivirus product installed.

APT36 has been active since 2013. This campaign underscores the need for Indian institutions to harden their defenses against cross-border intrusions aimed at stealing classified intelligence. Practical steps include blocking or closely monitoring mshta.exe, flagging archive attachments that contain shortcut files with doubled extensions, and alerting on connections to the reported C2 endpoint.
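As an added illustration, not taken from the Cyfirma report or from any APT36 tooling, the following Python script shows how the observable stages above can be checked on the defender's side: a double-extension .pdf.lnk inside a ZIP attachment, an mshta.exe launch from Explorer carrying script or HTA arguments, and a match on the reported C2 endpoint. The sample archive, the stub shortcut bytes, the Sysmon-style event field names and the command-line fragments are constructed assumptions for the example; only the C2 address and port come from the summary above.

```python
import io
import re
import zipfile

# C2 endpoint reported in the Cyfirma summary above (the only real indicator here).
C2_ENDPOINTS = {("2.56.10.86", 8621)}

# Shortcut files that carry a document-looking extension before ".lnk".
DOUBLE_EXT_LNK = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.lnk$", re.IGNORECASE
)

# Command-line fragments that make an mshta.exe launch worth a closer look
# (assumption: these are the common shapes, not a list from the report).
MSHTA_SCRIPT_ARGS = re.compile(r"(vbscript:|javascript:|https?://|\.hta\b)", re.IGNORECASE)


def build_sample_archive() -> bytes:
    """Constructed ZIP mimicking the lure: a .pdf.lnk next to a harmless decoy.

    The LNK content is a stub (assumption: only the name matters here), not a
    real shortcut, so this archive is inert.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Online JLPT Exam Dec 2025.pdf.lnk", b"L\x00\x00\x00stub")
        zf.writestr("Exam Schedule.pdf", b"%PDF-1.4\n%stub")
    return buf.getvalue()


def suspicious_archive_members(zip_bytes: bytes) -> list:
    """Return member names that use the document-extension-then-.lnk disguise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if DOUBLE_EXT_LNK.search(name)]


def score_process_event(event: dict) -> list:
    """Explain why a process-creation record looks like the LNK -> mshta.exe stage.

    `event` uses Sysmon Event ID 1 style field names (Image, ParentImage,
    CommandLine); the records fed in below are constructed, not captured.
    """
    reasons = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    if image.endswith("\\mshta.exe"):
        if parent.endswith("\\explorer.exe"):
            reasons.append("mshta.exe started by Explorer, consistent with a double-clicked shortcut")
        if MSHTA_SCRIPT_ARGS.search(cmdline):
            reasons.append("mshta.exe handed inline script or an HTA to run")
    return reasons


def is_reported_c2(dst_ip: str, dst_port: int) -> bool:
    """Match a network destination against the reported C2 endpoint."""
    return (dst_ip, int(dst_port)) in C2_ENDPOINTS


if __name__ == "__main__":
    print("archive:", suspicious_archive_members(build_sample_archive()))
    event = {
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "mshta.exe vbscript:Execute(\"...\")",
    }
    print("process:", score_process_event(event))
    print("c2:", is_reported_c2("2.56.10.86", 8621))
```

The archive check is cheap enough to run at the mail gateway; the process check belongs in endpoint telemetry, where an mshta.exe child of explorer.exe with inline script is rare on a normal workstation and is the moment the fileless loader is still visible as a command line.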
