Chinese APTs Expand Targets, Update Backdoors — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH


Chinese APTs Expand Phishing Targets in India — Beware FireCrawl Backdoor Attacks in 2026

Cybercriminals linked to China’s advanced persistent threat (APT) groups are increasingly targeting Indian users with sophisticated phishing scams that harvest personal data and compromise devices.

What Is the "Chinese APTs Expand Targets, Update Backdoors" Scam?

In 2026, Indian internet users face increasing threats from Chinese APT groups such as Salt Typhoon and Twill Typhoon. These state-backed hacker outfits have broadened their focus beyond traditional geopolitical targets, now aggressively aiming at India’s energy, technology, and critical infrastructure sectors. Their main attack vector in India is phishing—sending deceptive messages designed to trick people into revealing sensitive information or downloading malware.

Recently, Indian cybersecurity bodies including CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have raised alerts about phishing campaigns linked to these APTs. The hackers deploy new malware "backdoors," such as the FireCrawl backdoor, updated to evade traditional antivirus detection. These backdoors give attackers persistent access to compromised systems, enabling data theft or espionage.

What makes this scam dangerous for everyday Indians is the localised approach. Attackers craft phishing emails and WhatsApp messages imitating trusted Indian entities — such as NPCI with fake UPI notifications, government departments, or utility companies — often using Hindi, Tamil, or other regional languages. Anyone using UPI or communicating over social platforms risks falling victim.

How This Scam Works — Step by Step

  1. Initial Contact via Phishing Message
    You receive a WhatsApp message or email claiming to be from a trusted source such as NPCI, RBI, or your electricity provider. It warns of a UPI security alert or a payment failure, or says that an Aadhaar-linked account update is needed.

  2. Urgent Call to Action
    The message contains a link or attachment labeled as a security update form, refund claim, or urgent notice, urging you not to ignore it.

  3. Fake Website or Malware Download
    Clicking the link takes you to a very convincing fake website mimicking the official portal. It asks you to enter personal details like Aadhaar number, UPI PIN, bank details, or OTPs. Alternatively, it installs the FireCrawl backdoor malware on your device silently.

  4. Backdoor Install – Hacker Access Gained
    The FireCrawl backdoor grants hackers ongoing control of your device, enabling them to monitor activities, steal stored credentials, and even intercept UPI transactions or SMS OTPs.

  5. Money and Data Theft
    With access to UPI apps or e-wallets, fraudsters initiate unauthorized transfers from your bank accounts. They may also sell your personal data, including Aadhaar and PAN details, on the dark web.

Real Warning Signs to Watch For

What Happens to Victims

Victims often suffer immediate financial loss through unauthorized UPI payments that are difficult to reverse, as RBI guidelines allow limited windows for UPI transaction disputes. Fraudsters may also exploit compromised Aadhaar data for identity theft—opening fraudulent loans or credit cards in your name. In many cases, SIM swapping scams follow, where fraudsters hijack your mobile number to intercept OTPs and bypass 2FA on bank apps.

Emotionally, victims experience trauma and helplessness, as recovering stolen funds can be extraordinarily slow or impossible. The threat of personal data misuse adds anxiety and distrust in digital payment systems that are crucial for everyday life in India.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) frequently warns users to avoid sharing sensitive data via WhatsApp or email and to verify links before clicking. Their official helpline and grievance portal assist victims of digital fraud. CERT-In, India’s national cybersecurity agency, issues advisories on evolving malware including FireCrawl and recommends immediate reporting and device clean-up upon suspicion of infection.

The Indian Cyber Crime Coordination Centre (I4C) also encourages users to report phishing scams promptly to enable quick action and awareness drives. They emphasize that institutions like NPCI or government agencies never ask for personal details through informal channels like WhatsApp.

How to Protect Yourself

  1. Never click links or attachments from unknown or suspicious messages, especially related to UPI or Aadhaar.
  2. Verify any official-sounding message by contacting the organization directly via their official website or helpline, not via the message reply.
  3. Use the official apps (like BHIM or bank apps) for UPI payments, and rely on in-app notifications, not WhatsApp messages.
  4. Regularly update your smartphone’s OS and antivirus software to detect malware like FireCrawl.
  5. Enable multi-factor authentication on all financial apps and change default PINs immediately if you suspect compromise.
  6. Do not share OTPs, UPI PIN, or passwords with anyone—even if they claim to be officials.
  7. If you receive suspicious UPI transactions, report immediately to your bank and NPCI for possible blocking and reversal.

What to Do If You’ve Been Targeted

Frequently Asked Questions

Q1: Can I get my stolen UPI money back after falling for this scam?
RBI guidelines allow reversal of fraudulent UPI transactions if reported within a limited timeframe, usually 3-7 days. Early reporting to your bank and NPCI increases the chances of recovery, but reversals are not guaranteed.

Q2: How do I know if my phone is infected with the FireCrawl backdoor?
Signs include sudden battery drain, slow performance, unexpected pop-ups, or unknown apps installed. If you notice unusual device behavior after clicking suspicious links, suspect malware infection and scan your device immediately.

Q3: Are government agencies like NPCI or UIDAI sending messages over WhatsApp?
No. Official agencies do not communicate sensitive information or ask for details like OTPs via WhatsApp. If you get such messages, they are phishing attempts.


Stay vigilant! If you ever doubt a message's authenticity, verify it before responding or clicking. Protect yourself and your loved ones by checking suspicious links and messages on BharatSecure.app to stay one step ahead of scammers.
