Hacker hype vs. real risks: Inside the true scale of India-Pakistan cyber clash

India and Pakistan have stepped back from tensions not seen since the late 1990s, after a dramatic exchange of fire brought the two nuclear-armed nations closer to war than they have been in decades. But while missiles and drones dominated headlines, a new report suggests the wave of apparent cyberattacks that accompanied the clashes was largely fiction.

The report, from cybersecurity firm CloudSEK, suggests that the surge in cyberattacks claimed by Pakistan-linked hacktivist groups in the wake of the clashes in Kashmir was largely exaggerated, recycled from earlier incidents, or outright fabricated.

According to CloudSEK’s analysis, multiple hacktivist groups collectively claimed responsibility for more than 100 breaches against Indian government websites, educational institutions, and critical infrastructure during May 2025.

Prominent hacktivist groups such as Nation of Saviours, KAL EGY 319, and Vulture reportedly made bold announcements of defacements and data leaks as tensions began to flare.


However, an investigation by the cybersecurity firm revealed that many of these alleged cyberattacks were overstated.

Supposed breaches of sensitive entities, including the Prime Minister’s Office, Election Commission, and the National Informatics Centre, turned out to involve minimal or no actual disruption, often limited to brief outages lasting mere minutes.

In addition, many purported data leaks comprised publicly available information, outdated databases, or fabricated content.

While the purported hacktivist actions went on to make headlines, CloudSEK identified what it considers a more pressing threat: APT36, a sophisticated espionage group linked to Pakistan.

The group, also known as Transparent Tribe, has persistently targeted Indian government organisations. Zscaler has reported that it also uses Google Ads' paid search placements to push attacker-registered fake websites to the top of search results and trick unsuspecting users into visiting them.

According to CloudSEK, APT36’s primary weapon is Crimson RAT, a remote access trojan used to take remote control of infected systems and steal data.

The malware is delivered through emotionally charged lure documents, such as PDFs mimicking official communications. When opened, these files deploy the RAT, which can capture screenshots, access files, and execute remote commands on victims' systems.

A screenshot showing a malicious PDF | Credit: CloudSEK

CloudSEK suggested that in the aftermath of the cross-border exchange, APT36 capitalised by employing targeted phishing campaigns and Crimson RAT malware to infiltrate Indian defence and government networks.

Beyond the actual cyberattacks, the report highlighted a parallel information warfare strategy: social media accounts were identified that actively spread unverified claims of cyberattacks, creating a narrative of digital conflict.

These accounts, often identifying as Pakistani hackers or ethical hackers, are believed to have claimed breaches of Indian institutions ranging from government portals to CCTV systems, though many of these claims could not be substantiated.

The firm’s analysts cautioned that, unlike the theatrical yet superficial hacktivist activities, APT36's operations are methodically targeted and pose genuine risks.

The group uses emotionally charged narratives related to recent terror incidents, enticing victims into downloading malicious payloads.

Pagilla Manohar Reddy, a researcher at CloudSEK, said: “As hacktivist campaigns continue to generate noise, our report separates fact from fiction, empowering organisations to focus on genuine threats like APT36’s targeted espionage.

“By understanding the tactics behind these disruptions, businesses and government entities can prioritise proactive defences and maintain operational continuity.”

Beyond CloudSEK's findings, recent research from NSFOCUS suggested that the number of cyberattacks targeting India surged by more than 500% after April 26.

However, the same research shows that attacks going the other way, targeting Pakistan, also soared by more than 700%.

Data of the Global Threat Hunting System of NSFOCUS Fuying Laboratory | Credit: NSFOCUS

Although DDoS volumes began to ease after May 1, NSFOCUS tracked several high-profile incidents, including a 31-minute attack on the Power Grid Corporation of India’s website.

While no physical infrastructure was affected, the disruption to services like billing and outage reporting underscores the vulnerabilities facing critical digital services during geopolitical crises.

While the two nations have agreed to a ceasefire, tensions are still higher than they’ve been in years, fuelling a climate where real cyberattacks could yet escalate.
