Operation Sindoor: Inside the Largest Digital Siege on India’s Critical Systems

The420.in

An alarming new cyber campaign targeting India’s critical infrastructure has exposed how nation-state groups and hacktivists are merging forces in an era of hybrid warfare. Over 650 coordinated cyberattacks were carried out by Pakistan-aligned actors using spoofed advisories, malicious documents, and psychological tactics — all before India’s counterterror strikes in May.

From Espionage to Defacement: A Coordinated Cyber Onslaught Unfolds

Between April and early May, India witnessed one of its most expansive cyber offensives yet—over 650 cyber incidents were recorded, targeting critical sectors ranging from defense and telecom to municipal corporations and hospitals. The coordinated campaign, dubbed Operation Sindoor, was orchestrated by Pakistan-aligned state and non-state actors, including the advanced persistent threat group APT36 and over 35 hacktivist outfits.

The campaign was anything but amateurish. Spear-phishing attacks were camouflaged as legitimate government advisories, carrying malware-laden files titled Final_List_of_OGWs.xlam and Preventive_Measures_Sindoor.ppam. The spoofed documents, disguised as internal communications, delivered malicious payloads to Indian systems. According to cybersecurity firm Seqrite Labs, the attack was not merely espionage but a full-blown digital siege designed to paralyze essential services and seed psychological unrest.


“This wasn’t just a phishing campaign. It was a digitally coordinated war game,” Seqrite wrote in its Friday report. The incidents began weeks before India’s counterterror operations conducted from May 7–10, suggesting foreknowledge and premeditated cyber-weaponization in the lead-up to physical escalation.

APT36 and the Rise of Hybrid Threat Actors

At the center of the campaign was APT36, also known as Transparent Tribe—a Pakistan-linked group with a long record of targeting Indian defense establishments. The group’s tactics have evolved, blending malware deployment with spoofed Indian domains such as nationaldefensecollege[.]com and zohidsindia[.]com. These domains were used for phishing operations and to establish communications with command-and-control servers hosted across Russia, Germany, Indonesia, and Singapore.
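For defenders, the lure file types and spoofed domains named above translate into a simple mail-triage check. The following is an added example, not code from Seqrite or from the original article: it flags Office add-in attachments (.xlam, .ppam) and links to the two domains the article lists. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from pathlib import PurePosixPath

# Indicators taken from the article text (domains re-fanged for matching).
ADDIN_EXTENSIONS = {".xlam", ".ppam"}  # Excel / PowerPoint macro-enabled add-ins
SPOOFED_DOMAINS = {"nationaldefensecollege.com", "zohidsindia.com"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def refang(text):
    """Undo analyst defanging so forwarded samples still match."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def triage(raw_message):
    """Return (reason, value) findings for one RFC 5322 message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name and PurePosixPath(name.lower()).suffix in ADDIN_EXTENSIONS:
            findings.append(("addin_attachment", name))
        if part.get_content_type() == "text/plain" and not name:
            body = refang(part.get_payload(decode=True).decode("utf-8", "replace"))
            for host in HOST_RE.findall(body):
                host = host.lower().rstrip(".")
                # Exact match or subdomain of a listed domain; no substring matches.
                if any(host == d or host.endswith("." + d) for d in SPOOFED_DOMAINS):
                    findings.append(("spoofed_domain", host))
    return findings

# Constructed sample message (addresses and body text are made up; link is defanged).
SAMPLE = """\
From: advisory@example.invalid
To: user@example.invalid
Subject: Preventive measures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Please review the advisory at hxxp://zohidsindia[.]com/ today.
--BOUND
Content-Type: application/vnd.ms-powerpoint.addin.macroEnabled.12
Content-Disposition: attachment; filename="Preventive_Measures_Sindoor.ppam"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""
```

A filename or domain match is a triage signal for quarantine and review, not proof of compromise, and renamed lures or fresh domains will not match these literals.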

Supporting this state-backed infrastructure was an array of new-age hacktivist collectives. Among the 35 identified were seven newly emerged groups, including Death Slash Cyber Security, Red Wolf Cyber, Ghosts of Gaza, and Tengkorak Cyber Crew. These groups launched website defacements, posted stolen data, and claimed responsibility using hashtags like #OpIndia and #OperationSindoor.

“These aren’t just ideological hackers. They’re information warriors operating with nation-state cover,” said a senior cybersecurity analyst. The blending of tactics—APT malware supported by hacktivist amplification—creates an overwhelming assault on digital, psychological, and political fronts.


India’s Digital Battlefield: The Next Frontline of Conflict

While no large-scale operational paralysis was reported, the attacks targeted sensitive data repositories, including municipal records, telecom backend systems, and defense contractor networks. The damage was contained thanks to rapid incident response by public and private cybersecurity teams, but the episode has triggered deep concern among national security experts.

“This is a stark reminder that modern conflicts no longer start with missiles—they begin with malware,” warned Seqrite in its advisory.

India’s cybersecurity readiness is under renewed scrutiny. Though agencies like CERT-In and private defense firms managed to deflect the brunt of the attack, the scale and coordination of Operation Sindoor mark a dangerous evolution in cross-border conflict. Cyberattacks are no longer an afterthought—they are the opening move.

As India bolsters its critical infrastructure and threat intelligence systems, the challenge is clear: prepare for conflicts where the first casualty may be trust, not troops.

 
