Bharat Threat Feed
Global threats, decoded for Indian defenders
Government & Defence Sector Edition · June 2026

For CISOs, SOC leads and security leadership across Indian central/state government, defence and public-sector bodies. The picture is continuity, not novelty: Pakistan-aligned espionage (APT36/Transparent Tribe + SideCopy) remains the dominant — and now multi-platform — threat, while an Exim mail-gateway RCE, a Chrome zero-day and a Linux root flaw raise the floor for everyone on @gov.in.

Sector snapshot

The targeting pattern is stable and well-documented: defence/MoD-themed spear-phishing delivering RATs for long-term espionage and credential theft. The 2025–26 shift is platform breadth — the same actors now reliably reach BOSS Linux and the official Android fleet, not just Windows. For scale, CERT-In handled ~29.44 lakh incidents in 2025 (1,530 alerts, 390 vulnerability notes, 65 advisories; PIB, 23 Jan 2026). Treat every government endpoint class as in-scope.

Threats targeting government & defence

1. APT36 / Transparent Tribe (+ SideCopy) — multi-platform espionage (the dominant threat)

Transparent Tribe continues defence-themed document-lure phishing delivering RATs across Windows (Crimson/ElizaRAT), Android (CapraRAT) and BOSS Linux (DeskRAT — a Golang implant delivered via a malicious .desktop file behind a decoy PDF, persisting via cron/systemd/shell-profile with WebSocket C2). The SideCopy sub-cluster's June operation (Xeno RAT 1.8.7 via ZIP→LNK→mshta→HTA) hit an Afghan ministry — not India directly — but uses the same toolset previously turned on Indian defence, so treat it as a live tradecraft warning.

Exposure: government Windows, official Android and BOSS Linux desktops; DRDO-adjacent contractors.
Action: block LNK-in-ZIP and CHM at the gateway; alert on mshta.exe from temp/download paths and on .desktop→shell execution; deploy Linux EDR/auditd; enforce MDM + no-sideload on Android.
Source: Xcitium Threat Labs (28 Oct 2025); The Hacker News (2 Jan 2026; 2 Jun 2026).
2. Exim "Dead.Letter" — unauthenticated RCE in @gov.in mail relays (CVE-2026-45185, CVSS 9.8)
Severity: Critical · CVSS 9.8

A use-after-free in Exim's BDAT/GnuTLS path lets an unauthenticated attacker execute code as the Exim process on builds advertising STARTTLS + CHUNKING (Exim 4.97–4.99.2, GnuTLS). Self-hosted departmental SMTP relays — common across government — are the priority. OpenSSL builds are unaffected.

Exposure: self-hosted/legacy Exim mail gateways on Debian/Ubuntu-derived systems.
Action: upgrade Exim to 4.99.3+; confirm GnuTLS build status; review mail logs for anomalous STARTTLS/BDAT/CHUNKING sequences.
Source: The Hacker News, BleepingComputer (21–22 May 2026); fixed in Exim 4.99.3.
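The "confirm GnuTLS build status" step is the one most often skipped, so here is an added triage helper (not code from the brief or from the Exim project) that turns the three preconditions stated above into a yes/no answer: version in the 4.97–4.99.2 range, a GnuTLS build, and a listener that advertises both STARTTLS and CHUNKING. It assumes the operator has captured the text of `exim -bV` and an EHLO response; the sample strings below are constructed, and the exact spelling of the TLS-library token in `-bV` output varies between Exim releases, which is why the check is a case-insensitive substring match.

```python
import re

# Affected range, fix version and TLS-library condition as stated in the brief
# (Exim 4.97 to 4.99.2, GnuTLS builds only; fixed in 4.99.3).
VULN_MIN = (4, 97, 0)
VULN_MAX = (4, 99, 2)
FIXED_IN = (4, 99, 3)
REQUIRED_EXTS = {"STARTTLS", "CHUNKING"}   # both must be advertised for the BDAT path


def parse_version(bv_output: str):
    """Extract (major, minor, patch) from an 'Exim version X.Y[.Z] ...' line."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def tls_library(bv_output: str):
    """Identify the TLS library the binary was built against.
    Assumption: 'exim -bV' names it somewhere in its output (e.g. 'GnuTLS' or
    'TLS_GNUTLS' in the 'Support for:' line); a substring match covers both spellings."""
    text = bv_output.lower()
    if "gnutls" in text:
        return "gnutls"
    if "openssl" in text:
        return "openssl"
    return None


def ehlo_extensions(ehlo_response: str):
    """Collect the extension keywords from a multi-line 250 EHLO response."""
    exts = set()
    for line in ehlo_response.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m:
            exts.add(m.group(1).upper())
    return exts


def assess(bv_output: str, ehlo_response=None) -> dict:
    """Combine build facts with (optionally) what the listener actually advertises."""
    version = parse_version(bv_output)
    lib = tls_library(bv_output)
    in_range = version is not None and VULN_MIN <= version <= VULN_MAX
    result = {
        "version": version,
        "tls": lib,
        "vulnerable_build": in_range and lib == "gnutls",   # OpenSSL builds are unaffected
        "needs_upgrade_to": FIXED_IN if in_range else None,  # upgrade advice applies regardless
    }
    if ehlo_response is not None:
        result["advertises_bdat_path"] = REQUIRED_EXTS <= ehlo_extensions(ehlo_response)
        result["exposed"] = result["vulnerable_build"] and result["advertises_bdat_path"]
    return result


# Constructed samples in the shape of 'exim -bV' output and an EHLO banner
# (hostnames, build dates and addresses are made up for this example).
BV_GNUTLS = """Exim version 4.98.1 #2 built 12-Mar-2025 09:41:07
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS move_frozen_messages DKIM
"""
BV_OPENSSL = """Exim version 4.98.1 #2 built 12-Mar-2025 09:41:07
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL move_frozen_messages DKIM
"""
BV_FIXED = "Exim version 4.99.3 #1 built 30-May-2026 18:00:00\nSupport for: GnuTLS\n"
EHLO_CHUNKING = """250-mail.dept.example Hello relay.example [203.0.113.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
"""

if __name__ == "__main__":
    for label, bv in (("gnutls", BV_GNUTLS), ("openssl", BV_OPENSSL), ("fixed", BV_FIXED)):
        print(label, assess(bv, EHLO_CHUNKING))
```

Run it against the real `-bV` text and a captured EHLO from each departmental relay; a host that reports `exposed: True` goes to the front of the emergency patch window, while an OpenSSL build in range still gets the 4.99.3 upgrade on the normal cycle.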
3. Actively-exploited Chrome V8 zero-day (CVE-2026-11645)

A Chromium V8 flaw enabling sandbox code execution was added to CISA's KEV on 9 June; the same update cycle fixed credential- and session-relevant bugs — directly material to every @gov.in user.

Exposure: all Chrome/Chromium browsers on government workstations; saved credentials and sessions.
Action: force-update the Chrome/Chromium fleet now; verify via management console; reset high-value sessions post-patch.
Source: CISA KEV (9 Jun 2026); Google Chrome Releases.
4. Linux "Copy Fail" — local root on BOSS/Linux (CVE-2026-31431, CVSS 7.8, KEV)
Severity: High · CVSS 7.8

An algif_aead/AF_ALG logic flaw lets an unprivileged local user gain root with high reliability; added to CISA KEV on 1 May. Not remote on its own, but it converts any phishing foothold (e.g., DeskRAT) into full root.

Exposure: BOSS/Linux desktops, lab systems, CI runners, container hosts.
Action: patch kernels (fixed in 6.18.22 / 6.19.12 / 7.0); contain AF_ALG where advised; revisit container-escape assumptions.
Source: Microsoft Security Blog; The Hacker News; CISA KEV (1 May 2026).

Sector tech & exposures

- BOSS Linux is now a primary espionage and privilege-escalation target (DeskRAT + Copy Fail) — Linux EDR, .desktop execution controls and cron/systemd monitoring are mandatory.
- Official Android fleet: CapraRAT plus the June Android Framework flaw (CVE-2025-48595) — enforce the June security patch level via MDM; isolate non-compliant devices from mail/VPN.
- @gov.in mail & NIC infra: patch Exim; enforce SPF/DKIM/DMARC, attachment sandboxing and LNK/HTA/CHM filtering.
- Edge/VPN: CERT-In flagged large-scale FortiGate credential exposure (FortiBleed) on 18 June — rotate Fortinet VPN/admin credentials; do not ingest leaked dumps.
- Software supply chain: CERT-In's "Mini Shai-Hulud" advisory (21 May) warns of npm/PyPI compromise and CI/CD token theft — pin dependencies, rotate build tokens, audit GitHub Actions.

Regulatory & compliance watch

- CERT-In AI-exploitation blueprint (25 May) — prompt patching of OS/browsers/apps against AI-accelerated exploitation; map to patch-SLA governance.
- CERT-In June advisories — Oracle, SAP, Microsoft, Adobe; plus the 21 May Mini Shai-Hulud supply-chain advisory.
- CERT-In + SIA-India space-sector cyber guidelines (DefSat 2026, Feb) — relevant to defence-adjacent and space/satcom bodies.
- NCIIPC — Exim advisory referenced for critical mail relays.

Actor in focus — APT36 / Transparent Tribe (incl. SideCopy)

Attribution: High (Pakistan-aligned). Targeting of Indian government/defence: High. Active since ~2013; the defining 2025–26 evolution is cross-platform reach — Crimson/ElizaRAT on Windows, CapraRAT on Android, DeskRAT on BOSS Linux; SideCopy adds Xeno/Spark/CurlBack RAT. Methodical tradecraft — defence decoys, ZIP/LNK/HTA chains, in-memory execution, AV-adaptive persistence, WebSocket C2 — for espionage and credential theft, not disruption. PRC-aligned Mustang Panda (LOTUSLITE, India banking from March 2026) is a credible cross-sector watch. Attribution-direction note: India-nexus actors (SideWinder, Bitter, Patchwork, DoNot, Confucius) are not threats to India and are out of scope here.

IOC & detection pack

Public, attributed, defanged — validate before blocking; pull hash-level indicators from the cited advisories. Do not ingest or redistribute FortiBleed credential dumps.

- Domains: modgovindia[.]com, dns.wmiprovider[.]com, aeroclubofindia.co[.]in (APT36; Xcitium/THN).
- Lures: CDS_Directive_Armed_Forces.pdf, NCERT-Whatsapp-Advisory.pdf.lnk, Request for Support.chm.
- Behavioural (higher fidelity): mshta.exe from user/temp paths; reversed-string C2 URI patterns; .desktop→shell; new cron/systemd/shell-profile edits on Linux; DLL-sideloading from signed binaries; anomalous Exim STARTTLS/BDAT sequences.
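To show how the domain indicators and the behavioural detections above translate into SOC logic, here is an added example (not code from the brief or from any cited vendor) that refangs the defanged domains and applies four of the listed rules to normalised endpoint telemetry: mshta.exe from a temp/download path, a shell spawned from a .desktop launcher, writes to cron/systemd/shell-profile/autostart locations by anything other than a package manager, and DNS lookups of the APT36 domains or their subdomains. The event schema (`type`, `image`, `parent_image`, `parent_cmdline`, `cmdline`, `path`, `query`) is an assumption standing in for whatever the EDR exports, and every event in `SAMPLE_EVENTS` is constructed. The reversed-string URI and DLL-sideloading rules are left out because the brief gives no pattern specific enough to encode.

```python
import re
from fnmatch import fnmatchcase

# Defanged domains quoted in the brief (APT36; Xcitium/THN); refang() makes them matchable.
DEFANGED_DOMAINS = ["modgovindia[.]com", "dns.wmiprovider[.]com", "aeroclubofindia.co[.]in"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Linux persistence locations named in the brief (cron, systemd, shell profiles) plus
# .desktop autostart; the glob list is an assumption about where such edits land.
PERSISTENCE_GLOBS = [
    "/etc/crontab", "/etc/cron*/*", "/var/spool/cron/*", "/var/spool/cron/crontabs/*",
    "/etc/systemd/system/*", "/home/*/.config/systemd/user/*",
    "/home/*/.bashrc", "/home/*/.profile", "/home/*/.bash_profile",
    "/home/*/.config/autostart/*.desktop",
]
PACKAGE_MANAGERS = {"dpkg", "apt", "apt-get", "rpm", "dnf"}   # expected legitimate writers
USER_WRITABLE_WIN = (r"\appdata\local\temp", r"\downloads", r"\users\public")
SHELLS = {"sh", "bash", "dash", "zsh"}


def _basename(path: str) -> str:
    """Last path component for both / and \\ separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: dict):
    """Return a detection name for one telemetry event, or None if it is unremarkable."""
    kind = ev.get("type")
    if kind == "process":
        image = _basename(ev.get("image", ""))
        probe = (ev.get("parent_image", "") + " " + ev.get("cmdline", "")).lower()
        # Windows: mshta.exe launched from, or pointed at, a temp/download/user-writable path
        if image == "mshta.exe" and any(p in probe for p in USER_WRITABLE_WIN):
            return "mshta_from_user_path"
        # Linux: a shell whose parent is a .desktop launcher rather than a terminal/session
        if image in SHELLS and ".desktop" in ev.get("parent_cmdline", "").lower():
            return "desktop_file_to_shell"
    elif kind == "file_write":
        path, writer = ev.get("path", ""), _basename(ev.get("image", ""))
        if writer not in PACKAGE_MANAGERS and any(fnmatchcase(path, g) for g in PERSISTENCE_GLOBS):
            return "persistence_location_modified"
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
            return "apt36_domain_ioc"
    return None


def triage(events):
    """(host, detection) pairs for every event that fires a rule, in input order."""
    return [(ev["host"], name) for ev in events if (name := classify(ev))]


# Constructed telemetry: four events that should fire, two benign look-alikes that should not.
SAMPLE_EVENTS = [
    {"host": "win-ws-01", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\analyst\AppData\Local\Temp\Temp1_brief.zip\Request.hta"},
    {"host": "boss-ws-07", "type": "process", "image": "/bin/bash",
     "parent_image": "/usr/bin/gio", "parent_cmdline": "gio launch /home/user/Desktop/CDS_Directive.desktop",
     "cmdline": "bash -c /home/user/.cache/.u/run.sh"},
    {"host": "boss-ws-07", "type": "file_write", "image": "/bin/bash",
     "path": "/home/user/.config/systemd/user/display-update.service"},
    {"host": "boss-ws-07", "type": "dns", "query": "dns.wmiprovider.com"},
    {"host": "boss-ws-02", "type": "file_write", "image": "/usr/bin/dpkg",
     "path": "/etc/cron.daily/apt-compat"},                      # package manager: benign
    {"host": "win-ws-03", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\Console.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\ui.hta"},    # installed app path: benign
]

if __name__ == "__main__":
    for host, name in triage(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

The three boss-ws-07 hits arriving together (launcher-spawned shell, new user systemd unit, lookup of an attributed domain) are exactly the DeskRAT chain the brief describes, so correlating `triage()` output per host within a short window is worth more than any single rule.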

Recommended actions

Board: fund a fleet-wide browser-patch SLA and Linux/Android endpoint coverage as named risks; approve emergency patch windows for mail (Exim), VPN, Android and Linux; endorse CERT-In's AI guidance as policy.

CISO: enforce DMARC + attachment sandboxing + LNK/HTA/CHM blocking on @gov.in mail; patch Exim, Chrome and Linux kernels; extend EDR to BOSS Linux and MDM to Android; bring DRDO-adjacent contractors into phishing controls; tabletop an APT36 document-lure intrusion.

SOC: hunt the behavioural detections above; patch CVE-2026-11645, CVE-2026-31431 and Exim; rotate FortiGate credentials; alert on .desktop auto-execution, cron/systemd changes and mshta.exe abuse.

Source index

The Hacker News (2 Jan 2026; 2 Jun 2026) · Xcitium Threat Labs (28 Oct 2025) · CISA KEV — CVE-2026-11645 (9 Jun) and CVE-2026-31431 (1 May 2026) · The Hacker News / BleepingComputer — Exim CVE-2026-45185 (21–22 May 2026) · Microsoft Security Blog (Copy Fail) · CERT-In — AI blueprint (25 May), Mini Shai-Hulud (21 May), June Oracle/SAP/MS advisories, 18 June FortiGate exposure · Acronis TRU / The Hacker News — Mustang Panda LOTUSLITE (Apr 2026) · CERT-In + SIA-India space guidelines (Feb 2026) · PIB/CERT-In (23 Jan 2026).

Nirad Bharat Threat Feed — Government & Defence Edition | Bharat-first threat intelligence