Operation Sindoor marked a watershed in India's experience of state-sponsored cyber warfare, revealing the evolving nature and scale of digital conflict in the subcontinent. This essay examines the coordinated cyber offensive that followed the Pahalgam terror attack and the subsequent Indian military response, focusing on the sophisticated, multi-vector campaigns launched by state-backed groups and hacktivist collectives from Pakistan, Bangladesh, Indonesia and other regions.

Drawing on primary data from leading cybersecurity firms, government advisories and think tank analyses, the essay documents over 1.5 million cyber-attack attempts, most of them aimed at government and critical services. It examines the tactics the attackers used to maximise disruption and erode public trust. Despite the scale of the assault, India's rapid detection, operational resilience and strategic communication contained the worst outcomes. The analysis applies theoretical insights to explain the cost-benefit logic driving such operations and offers a framework for understanding hybrid warfare in the region.

How the Border Conflict Triggered a Digital Conflict During Op Sindoor

The cyber siege associated with Op Sindoor began shortly after the Pahalgam terror attack. On April 17, 2025, Indian defence telemetry first detected a spike in suspicious activity targeting government mail servers and defence infrastructure. In this initial wave, the threat actors built convincing spear-phishing lures around headlines and urgent themes, exploiting public anxiety over a national tragedy. The lures were not generic: they used file types such as .xlam and .ppam (macro-enabled Office add-ins) and .pptx.lnk (a Windows shortcut disguised as a presentation by a double extension), carrying macros, shortcuts and scripts intended to open covert command-and-control (C2) channels and drop malware when opened.

Initial access relied on social engineering backed by technical sophistication. For instance, the Pakistan-aligned threat group APT36 used spear-phishing attachments in these malicious file types to establish a foothold. Once opened, the infected files launched a chain of scripts that communicated with attacker-controlled domains such as fogomyart[.]com, while payloads were delivered through spoofed Indian domains such as zohidsindia[.]com and nationaldefencecollege[.]com. The malware arsenal included Ares RAT, which provides keylogging, credential theft, screen capture and persistent access.
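The lure and infrastructure pattern described above can be turned into a simple mail-gateway triage rule: flag macro-enabled add-ins and double extensions, and match sender and link domains against the named indicators. The Python below is an added example, not code from the original essay or from any of the firms it cites. The pipe-delimited log format, the decoy-extension list, the executable-extension list and the urgency-word list are assumptions, and the sample records are constructed; only the three defanged domains come from the text.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment types the text names as lure carriers: macro-enabled Office
# add-ins and Windows shortcuts hidden behind a document-looking extension.
MACRO_ADDIN_EXTS = {"xlam", "ppam"}
SHORTCUT_EXTS = {"lnk"}
DECOY_EXTS = {"pptx", "docx", "xlsx", "pdf"}                   # assumption
EXEC_EXTS = SHORTCUT_EXTS | {"exe", "scr", "hta", "js", "vbs"}  # assumption

# Defanged indicators exactly as the text gives them; refanged before matching.
RAW_IOCS = ["fogomyart[.]com", "zohidsindia[.]com", "nationaldefencecollege[.]com"]
# Urgency/headline words an analyst might key on (assumption; tune per environment).
LURE_WORDS = re.compile(r"\b(urgent|advisory|pahalgam|attack|immediate)\b", re.I)


def refang(ioc: str) -> str:
    """Turn analyst-safe notation back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("(.)", ".").lower()


IOC_DOMAINS = {refang(d) for d in RAW_IOCS}


def domain_matches_ioc(domain):
    """Exact or subdomain match against the IOC list; returns the matched IOC."""
    if not domain:
        return None
    domain = domain.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if domain == ioc or domain.endswith("." + ioc):
            return ioc
    return None


def attachment_reasons(name: str) -> list:
    """Why an attachment name is suspicious. Splitting on every dot catches
    double extensions such as Advisory.pptx.lnk, which a mail client may show
    as a presentation while Windows executes it as a shortcut."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in MACRO_ADDIN_EXTS:
        reasons.append(f"macro-enabled add-in .{ext}")
    if ext in SHORTCUT_EXTS:
        reasons.append("windows shortcut .lnk")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in EXEC_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


@dataclass
class Finding:
    msg_id: str
    reasons: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Constructed gateway format: msg_id|key=value|key=value..."""
    msg_id, *kv = line.strip().split("|")
    rec = {"msg_id": msg_id}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def triage(lines) -> list:
    findings = []
    for line in lines:
        rec = parse_record(line)
        reasons = attachment_reasons(rec.get("attach", ""))
        sender_dom = rec.get("sender", "").partition("@")[2]
        if (hit := domain_matches_ioc(sender_dom)):
            reasons.append(f"sender domain matches IOC {hit}")
        url = rec.get("url", "")
        if url and (hit := domain_matches_ioc(urlparse(url).hostname)):
            reasons.append(f"link host matches IOC {hit}")
        # Lure wording alone is not a signal (every newsletter says "urgent");
        # it only raises priority once a technical indicator is present.
        if reasons and LURE_WORDS.search(rec.get("subject", "")):
            reasons.append("urgency/headline lure wording")
        if reasons:
            findings.append(Finding(rec["msg_id"], reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "m1|sender=alerts@nationaldefencecollege.com|subject=Urgent: Pahalgam attack advisory|attach=Advisory.pptx.lnk|url=https://zohidsindia.com/update",
    "m2|sender=hr@example.in|subject=Leave policy update|attach=Policy.pdf|url=",
    "m3|sender=ops@partner.example|subject=Q1 figures|attach=Budget.xlam|url=http://cdn.fogomyart.com/stage",
    "m4|sender=news@example.in|subject=Urgent weekly digest|attach=|url=https://example.in/news",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.msg_id, "->", "; ".join(f.reasons))
```

Run against the constructed records, m1 and m3 are flagged and m2 and m4 are not; the subject of m4 contains "Urgent" but carries no technical indicator, which is the reason lure wording is treated as a priority modifier rather than a detection on its own.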

The strategic intent was clear. The attackers sought not only to exfiltrate sensitive data but also to undermine trust in official digital communication, disrupt operations in critical sectors and amplify psychological pressure during a period of heightened geopolitical tension.

The Cyber Onslaught: Scale and Scope

The scale of the cyberattacks following Op Sindoor was unprecedented in India's digital history. The Maharashtra Cyber Cell reported over 1.5 million cyberattacks aimed at Indian systems in the period after the Pahalgam terror attack, of which 150 succeeded in breaching their targets. The attacks were attributed to at least seven APT groups said to have links to Pakistan, Bangladesh, Indonesia and West Asia.

India's CERT-In recorded a spike in daily attacks: around 30 to 40 cyberattacks were thwarted every day from April 22, 2025 onwards. Initially the attacks concentrated on the financial sector; they later expanded to power grids, government portals, defence networks, telecom and healthcare infrastructure. Live threat maps from Kaspersky and Radware consistently ranked India among the five most targeted nations during and after the Pahalgam attack.

Attack Methods and the Strategies Used

The cyber component of Op Sindoor blended advanced technical methods with psychological warfare. The attackers sent highly customised spear-phishing emails disguised as urgent government advisories about the Pahalgam attack. The emails carried malicious attachments embedded with macros and scripts which, when executed, established covert C2 channels and downloaded malware such as Ares RAT. To raise the compromise rate, payloads were distributed from domains that mimicked legitimate Indian institutions.

The most common attack vector was DDoS, designed to overwhelm online services and deny access to them. Since the Pahalgam attack, India has faced around 30 to 40 major DDoS attacks a day, aimed primarily at government, power-sector and financial websites; several government and institutional websites were also defaced. The DDoS attacks used amplification and reflection techniques such as NTP and CLDAP reflection to maximise disruption: a small query with a spoofed source address is sent to an open server, which answers with a much larger response directed at the victim. On compromised hosts, the adversaries employed living-off-the-land binaries (LOLBins), scheduled tasks, UAC bypasses and obfuscated PowerShell scripts to evade detection and maintain persistence.
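The reflection pattern named above leaves a recognisable fingerprint in flow telemetry: many distinct sources all answering from the same service port (123 for NTP, 389 for CLDAP) to one host that never queried them, with large average packet sizes. The Python below is an added example, not code from the original essay or from any vendor it cites. The flow-record format, the thresholds and the per-service request sizes used to estimate the amplification factor are assumptions, and the flows are constructed from documentation address ranges; the two services are the ones the text names.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reflection services the text names, keyed by the UDP port reflected traffic
# comes *from*. Request sizes are rough figures used only to estimate the
# amplification factor (assumption; exact values depend on query and server).
REFLECTORS = {
    123: ("NTP", 8),     # monlist query: a few bytes, answered by up to 100 x 440-byte packets
    389: ("CLDAP", 52),  # rootDSE searchRequest answered with a multi-kilobyte result
}


@dataclass
class Alert:
    victim: str
    service: str
    reflectors: int          # distinct source IPs that answered the victim unasked
    packets: int
    total_bytes: int
    avg_pkt_bytes: float
    est_amplification: float


def parse_flow(line: str) -> dict:
    """Constructed format: ts,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"""
    ts, src, sport, dst, dport, proto, pkts, nbytes = line.strip().split(",")
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(),
            "pkts": int(pkts), "bytes": int(nbytes)}


def detect_reflection(lines, window=60, min_reflectors=5, min_avg_pkt=200):
    flows = [parse_flow(l) for l in lines]
    # Pass 1: remember which (host, server, port) each host actually queried, so a
    # normal NTP sync or LDAP lookup is not mistaken for reflection.
    solicited = {(f["src"], f["dst"], f["dport"])
                 for f in flows if f["proto"] == "udp" and f["dport"] in REFLECTORS}
    # Pass 2: aggregate unsolicited traffic from reflector ports per victim and window.
    buckets = defaultdict(lambda: {"srcs": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTORS:
            continue
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue
        b = buckets[(f["dst"], f["sport"], f["ts"] // window)]
        b["srcs"].add(f["src"])
        b["pkts"] += f["pkts"]
        b["bytes"] += f["bytes"]
    alerts = []
    for (victim, sport, _), b in buckets.items():
        avg = b["bytes"] / max(b["pkts"], 1)
        # Many distinct sources plus large packets from one service port in a single
        # window is the reflection fingerprint; a lone large reply is not.
        if len(b["srcs"]) >= min_reflectors and avg >= min_avg_pkt:
            name, req_bytes = REFLECTORS[sport]
            alerts.append(Alert(victim, name, len(b["srcs"]), b["pkts"], b["bytes"],
                                avg, round(avg / req_bytes, 1)))
    return alerts


VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    # constructed: one legitimate NTP exchange (request, then the reply it earns)
    [f"100,{VICTIM},51234,192.0.2.1,123,udp,1,76",
     f"101,192.0.2.1,123,{VICTIM},51234,udp,1,76"]
    # constructed: eight NTP reflectors answering a query the victim never sent
    + [f"{120 + i},198.51.100.{i},123,{VICTIM},45000,udp,100,44000" for i in range(1, 9)]
    # constructed: six CLDAP reflectors in the same window
    + [f"125,198.51.100.{20 + i},389,{VICTIM},45000,udp,20,60000" for i in range(1, 7)]
    # constructed: unrelated TCP web traffic
    + [f"126,198.51.100.50,443,{VICTIM},52000,tcp,40,52000"]
)

if __name__ == "__main__":
    for a in detect_reflection(SAMPLE_FLOWS):
        print(f"{a.service}: {a.reflectors} reflectors -> {a.victim}, "
              f"avg {a.avg_pkt_bytes:.0f} B/pkt, ~{a.est_amplification}x amplification")
```

The solicited-set check is what keeps the legitimate NTP reply at ts=101 out of the alert: it arrives from port 123 like the attack traffic, but the victim sent the query one second earlier. In production the window and reflector-count thresholds need tuning against baseline traffic, and the outbound flows must actually be collected, otherwise every genuine time sync looks unsolicited.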

The Threat Actor Landscape and Alliances

Op Sindoor marked a significant escalation in the complexity and coordination of threat actors targeting India. The campaign was led by state-sponsored groups such as APT36 (also known as Transparent Tribe) and SideCopy, both known for their alignment with Pakistan's interests and their cyber-espionage tradecraft.

What set this campaign apart was the emergence of 'shadow battalions': loosely coordinated hacktivist collectives from countries including Pakistan, Bangladesh, Indonesia, Malaysia, Turkiye and Iran. Prominent among them were the Sylhet Gang, Red Wolf Cyber and Vulture, groups with a history of anti-Israel and anti-Western campaigns that now united under hashtags such as #OpIndia and #OperationSindoor and coordinated disruptive attacks through Telegram and other social media platforms. According to Radware's 2025 Global Threat Analysis Report, more than 75% of attacks following Op Sindoor targeted Indian government agencies, with the remainder concentrated on the financial (8.5%) and telecom (6.4%) sectors. The alliances were not merely regional; they extended to groups with diverse ideological motivations, amplifying both the scale and the sophistication of the offensive.

Information Warfare and Psychological Operations

Op Sindoor was not confined to technical attacks; it included a coordinated campaign of information warfare. Hacking groups and state actors ran misinformation campaigns across social media platforms to amplify the psychological impact of the conflict. After the Pahalgam attack, and again after Op Sindoor, these campaigns intensified, seeking to distort public perception, undermine confidence in government institutions and provoke instability.

Immediately after the terror attack, a surge of doctored videos, fake news and repurposed conflict footage flooded platforms such as X (formerly Twitter), Facebook, Instagram and YouTube. India's Ministry of Information and Broadcasting responded by blocking 16 YouTube channels and several Instagram accounts alleged to have spread provocative content, with combined views of more than 680 million.

A cyberattack today is no longer limited to exfiltrating data; it extends to creating narratives, a form of psychological warfare that sows doubt and fear among citizens. Pakistan's temporary restoration of access to X during the crisis facilitated coordinated narrative warfare. The Fact Check unit of India's Press Information Bureau (PIB) worked continuously to debunk viral falsehoods and maintain public trust. Indian intelligence agencies also reported several attempts by adversaries to recruit social media influencers for espionage, further blurring the line between cyber and psychological operations.

Defensive Measures and Response

India's response to the offensive cyber operations during Operation Sindoor was multi-layered, combining rapid detection, attribution and operational resilience. CERT-In worked with Seqrite Labs and SISA to identify indicators of compromise, including malware signatures, suspicious domains and C2 infrastructure. Attribution linked most attacks to APT36, SideCopy and a constellation of hacktivist groups.

Despite the scale of the attacks, robust digital infrastructure and real-time monitoring enabled the authorities to neutralise most threats before they could cause significant damage. India's income tax portal, for instance, suffered a brief slowdown that was swiftly resolved. The financial sector's digital payment ecosystem, including UPI and the stock exchanges, remained largely unaffected thanks to proactive defence mechanisms.

Operation Sindoor, coming after the Pahalgam attack, served as a wake-up call for India's cybersecurity posture. Dharshan Shanthamurthy, a cybersecurity specialist at SISA, stressed the need for self-reliance in cybersecurity products. Notably, less than 10% of the tools used by Indian enterprises are developed domestically. The campaign underlined the urgency of indigenous solutions and greater investment in cyber defence capabilities.

Operation Sindoor thus marked an unprecedented escalation in cyber hostilities against India. Over 1.5 million cyberattacks were aimed at India in the wake of the Pahalgam terror attack and the Indian military's response, orchestrated by state-sponsored groups and hacktivists originating from Pakistan, Bangladesh, Malaysia, Turkiye and parts of West Asia. The groups used sophisticated tools, coordinated their attacks and were supported by those nations. Critical infrastructure, including the government, defence, power, finance, telecom and transportation sectors, was systematically targeted; the power sector alone absorbed over 200,000 cyberattacks during the operation, all of which were thwarted.

The attack vectors included DDoS, phishing, malware delivery and large-scale attempts at data extraction and service disruption. Notably, only 0.01% of these attacks succeeded (150 of 1.5 million), underscoring the resilience of India's cybersecurity apparatus and the effectiveness of its rapid detection and response protocols. Yet the volume and sophistication of the attacks exposed persistent vulnerabilities, especially in Tier 2 cities and in sectors with less developed cyber defences. The emergence of new alliances among Southeast Asian and West Asian hacktivist groups, some ideologically motivated, amplified the threat landscape and demonstrated the growing role of non-state actors in cyber conflict.


This piece is a part of the inaugural issue of The India Way, 'Unquiet Neighbourhood: What is the future of South Asia?'

About the Author: Puloma Pal

Pal is a PhD scholar in Political Science at Amity University, Gurugram, focusing on drug trafficking and cybersecurity in India. Her research interests span cyber warfare, espionage, autonomous defence systems, and cross-border conflicts in Asia. She is currently a Research Intern at the Vivekananda International Foundation and has previously worked with MP-IDSA and the Indic Researchers Forum, where she was promoted to Associate Researcher. A published writer on information warfare and emerging digital threats, she combines national defence studies with insights on technological disruptions. Beyond academia, Puloma is a trained classical dancer with a senior diploma in Kathak and Bharatanatyam from Prayag Sangeet Samiti, Allahabad, and over eight years of experience in performance. 
