
Between May 7 and 10, over 650 coordinated cyberattacks targeted Indian institutions, exploiting public anxiety after the April 22 Pahalgam terror attack, with Pakistan-based threat actors using phishing emails disguised as government advisories.
While India executed precision military strikes in Pakistan-controlled Kashmir under ‘Operation Sindoor’, a simultaneous wave of cyberattacks hit Indian institutions between May 7 and 10. Over 650 coordinated incidents were reported, according to a threat intelligence report by Seqrite Labs, the cybersecurity arm of Quick Heal Technologies.
The attacks were linked to Pakistan-based threat actors exploiting public anxiety following the April 22 Pahalgam terror attack. Hackers launched a phishing campaign using malicious files disguised as government advisories. Attachments like Final_List_of_OGWs.xlam and Preventive_Measures_Sindoor.
Seqrite’s investigation uncovered the deployment of Ares RAT, a sophisticated remote access trojan believed to be a variant of APT36’s Crimson RAT. The malware established covert connections to command-and-control servers and spoofed legitimate Indian domains such as nationaldefensecollege[.]com and zohidsindia[.]com to avoid detection.
Hackers target key Indian sectors
The cyberattacks targeted multiple sectors. Telecom providers like Jio and BSNL were hit by denial-of-service attacks, while leading healthcare institutions including AIIMS and Apollo faced phishing attempts and credential theft. Several government-run education portals were also defaced. These operations were amplified online by hacktivist collectives operating under banners like #OpIndia and #OperationSindoor, who claimed to leak sensitive municipal and defence-related data on Telegram and other platforms.
To mask their origin, the attackers used servers hosted in countries including Russia, Germany, and Indonesia. The malicious documents triggered PowerShell scripts capable of disabling antivirus software, stealing sensitive information, and deploying ransomware—particularly in healthcare systems.
Cyberwarfare emerges as strategic threat
Experts have warned that these attacks represent a new phase of hybrid warfare, where cyber operations are used to destabilize a nation’s digital infrastructure during military escalation. “Cyberattacks are no longer just technical threats—they are strategic weapons,” said Neehar Pathare, CEO of 63SATS Cybertech. “Each unsecured device can act as a gateway for large-scale breaches.”
Saloni Jain, Co-Founder of Plus91Labs, added that attackers are leveraging fear, trust, and urgency to manipulate users. “By disguising malware as official alerts or job offers, they exploit emotional responses. Cyber vigilance is no longer optional—it’s a necessity.”
Seqrite’s report concludes that the blending of state-backed espionage with hacktivist operations underscores a critical need for stronger cyber readiness across sectors, especially during periods of geopolitical tension.