#FactCheck - "Deep fake Falsely Claimed as a photo of Arvind Kejriwal welcoming Elon Musk when he visited India to discuss Delhi’s administrative policies.”

INTRODUCTION:

The Ministry of Defence has recently designated the Additional Directorate General of Strategic Communication in the Indian Army as the nodal officer now authorised to send removal requests and notices to social media intermediaries regarding posts consisting of illegal content with respect to the Army. Earlier, this process was followed through the Ministry of Electronics and Information Technology (MeitY). The recent designation gives the Army the autonomy of circumnavigating the old process and enables them to send direct notices (as deemed appropriate by the government and its agency). Let us look at the legal framework that allows them to do so and its policy implications. 

BACKGROUND AND LEGAL FRAMEWORK:

Section 69 of the IT Act 2000 gives the government the power to issue directions for interception, monitoring or decryption of any data/information through any computer resource. This is done so under six reasons related to:

• Upholding the sovereignty or integrity of India
• Security of the state
• Defence of India
• Friendly relations with foreign states
• Public order or for preventing incitement of any cognisable offence
• Investigations of offences related to the aforementioned reasons 

Section 79(3)(b) of the Information Technology Act 2000 is another aspect of the law related to the removal of data on notification. It allows for all intermediaries (including internet service providers and social media platforms) to have safety harbours from the liability of the content put out by third parties/users on their platforms. This, however, is only applicable when the intermediary has either received a notification or actual knowledge by the appropriate government or its agency of the data on their platform being used for unlawful acts and complies promptly by removing the data from their platform without tampering with evidence.

PLAUSIBLE REASONS FOR POLICY DECISION:

Cases related to the Indian Army are sensitive for a number of reasons, rooted in the fact that they directly pertain to the nation's security, integrity and sovereignty. The impact of the spread of misinformation and disinformation is almost instantaneous and the stakes are high in any circumstance, but exceptionally so when it comes to the Armed Forces and the nation’s security status. A mechanism to tackle cases of such a security level should allow for quick action from the authorities. Owing to the change in the ability to notify directly rather than through another ministry, the army can now promptly deal with these concerns as and when they arise. One immediate benefit of this change is that the forces can now quickly respond to instances where foreign states and actors with malicious intent put out information that can cause harm to the nation’s interests, image and integrity. 

This step helps the forces deal with countering misinformation, ensuring national security and even addressing issues of online propaganda. An example of sensitive content about the army leading to legal intervention is the case of Delhi-based magazine The Caravan. The Defence Ministry, along with the Intelligence Bureau and the Jammu and Kashmir police ordered the Delhi-based publication to remove an article claiming the murder and torture of civilians by the Indian army in Jammu and Kashmir citing the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The instruction was challenged by the magazine in the courts.

CONCLUSION:

This move brings with it potential benefits along with risks and the focus should always be on maintaining a balanced approach. Transparency and accountability are imperative and checks on related guidelines so as to prevent misuse while simultaneously protecting national security should be at the centre of the objective of the policy approach. Misinformation in and about the armed forces must be dealt with immediately.

REFERENCES:

• https://www.hindustantimes.com/india-news/army-can-now-directly-issue-notices-to-remove-online-posts-101730313177838.html
• https://www.hindustantimes.com/india-news/inside-79-3-b-the-content-blocking-provision-with-many-legal-grey-areas-101706987924882.html
• https://www.thehindu.com/news/national/govt-orders-magazine-to-take-down-article-on-army-torture-and-murder-in-jammu/article67840790.ece
• https://myind.net/Home/viewArticle/army-gains-authority-to-directly-issue-notice-to-take-down-online-posts

‍

Executive Summary:

‍

A viral video (archived link) circulating on social media claims that Vice Admiral AN Pramod stated India would seek assistance from the United States and President Trump if Pakistan launched an attack, portraying India as dependent rather than self-reliant. Research traced the extended footage to the Press Information Bureau’s official YouTube channel, published on 11 May 2025. In the authentic video, the Vice Admiral makes no such remark and instead concludes his statement with, “That’s all.” Further analysis using the AI Detection tool confirmed that the viral clip was digitally manipulated with AI-generated audio, misrepresenting his actual words.

‍

Claim:

‍

In the viral video an X user posted with the caption

‍

‍”India sells itself as a regional superpower, but its Navy Chief’s own words betray that image. If Pakistan attacks, their plan is to involve Trump, not fight back. This isn’t strategic partnership; it’s dependency in uniform”. 

‍

In the video the Vice Admiral was heard saying  

‍

“We have worked out among three services, this time if Pakistan dares take any action, and Pakistan knows it, what we are going to do. We will complain against Pakistan to the United States of America and President Trump, like we did earlier in Operation Sindoor.”  

‍

‍

‍

Fact Check:

‍

Upon conducting a reverse image search on key frames from the video, we located the full version of the video on the official YouTube channel of the Press Information Bureau (PIB), published on 11 May 2025. In this video, at the 59:57-minute mark, the Vice Admiral can be heard saying:

‍

“This time if Pakistan dares take any action, and Pakistan knows it, what we are going to do. That’s all.”

‍

‍

‍

‍

Further analysis was conducted using the Hive Moderation tool to examine the authenticity of the circulating clip. The results indicated that the video had been artificially generated, with clear signs of AI manipulation. This suggests that the content was not genuine but rather created with the intent to mislead viewers and spread misinformation.

‍

‍

‍

Conclusion:

‍

The viral video attributing remarks to Vice Admiral AN Pramod about India seeking U.S. and President Trump’s intervention against Pakistan is misleading. The extended speech, available on the Press Information Bureau’s official YouTube channel, contained no such statement. Instead of the alleged claim, the Vice Admiral concluded his comments by saying, “That’s all.” AI analysis using Hive Moderation further indicated that the viral clip had been artificially manipulated, with fabricated audio inserted to misrepresent his words. These findings confirm that the video is altered and does not reflect the Vice Admiral’s actual remarks.

‍

Claim: Fake Viral Video Claiming Vice Admiral AN Pramod saying that next time if Pakistan Attack we will complain to US and Prez Trump.

Claimed On: Social Media

Fact Check: False and Misleading

‍

Executive Summary

This report analyses a recently launched social engineering attack that took advantage of Microsoft Teams and AnyDesk to deliver DarkGate malware, a MaaS tool. This way, through Microsoft Teams and by tricking users into installing AnyDesk, attackers received unauthorized remote access to deploy DarkGate that offers such features as credential theft, keylogging, and fileless persistence. The attack was executed using obfuscated AutoIt scripts for the delivery of malware which shows how threat actors are changing their modus operandi. The case brings into focus the need to put into practice preventive security measures for instance endpoint protection, staff awareness, limited utilization of off-ice-connection tools, and compartmentalization to safely work with the new and increased risks that contemporary cyber threats present.

Introduction

Hackers find new technologies and application that are reputable for spreading campaigns. The latest use of Microsoft Teams and AnyDesk platforms for launching the DarkGate malware is a perfect example of how hackers continue to use social engineering and technical vulnerabilities to penetrate the defenses of organizations. This paper focuses on the details of the technical aspect of the attack, the consequences of the attack together with preventive measures to counter the threat.

Technical Findings

1. Attack Initiation: Exploiting Microsoft Teams

The attackers leveraged Microsoft Teams as a trusted communication platform to deceive victims, exploiting its legitimacy and widespread adoption. Key technical details include:

• Spoofed Caller Identity: The attackers used impersonation techniques to masquerade as representatives of trusted external suppliers.
• Session Hijacking Risks: Exploiting Microsoft Teams session vulnerabilities, attackers aimed to escalate their privileges and deploy malicious payloads.
• Bypassing Email Filters: The initial email bombardment was designed to overwhelm spam filters and ensure that malicious communication reached the victim’s inbox.

2. Remote Access Exploitation: AnyDesk

After convincing victims to install AnyDesk, the attackers exploited the software’s functionality to achieve unauthorized remote access. Technical observations include:

• Command and Control (C2) Integration: Once installed, AnyDesk was configured to establish persistent communication with the attacker’s C2 servers, enabling remote control.
• Privilege Escalation: Attackers exploited misconfigurations in AnyDesk to gain administrative privileges, allowing them to disable antivirus software and deploy payloads.
• Data Exfiltration Potential: With full remote access, attackers could silently exfiltrate data or install additional malware without detection.

3. Malware Deployment: DarkGate Delivery via AutoIt Script

The deployment of DarkGate malware utilized AutoIt scripting, a programming language commonly used for automating Windows-based tasks. Technical details include:

• Payload Obfuscation: The AutoIt script was heavily obfuscated to evade signature-based antivirus detection.
• Process Injection: The script employed process injection techniques to embed DarkGate into legitimate processes, such as explorer.exe or svchost.exe, to avoid detection.
• Dynamic Command Loading: The malware dynamically fetched additional commands from its C2 server, allowing real-time adaptation to the victim’s environment.

4. DarkGate Malware Capabilities

DarkGate, now available as a Malware-as-a-Service (MaaS) offering, provides attackers with advanced features. Technical insights include:

• Credential Dumping: DarkGate used the Mimikatz module to extract credentials from memory and secure storage locations.
• Keylogging Mechanism: Keystrokes were logged and transmitted in real-time to the attacker’s server, enabling credential theft and activity monitoring.
• Fileless Persistence: Utilizing Windows Management Instrumentation (WMI) and registry modifications, the malware ensured persistence without leaving traditional file traces.
• Network Surveillance: The malware monitored network activity to identify high-value targets for lateral movement within the compromised environment.

5. Attack Indicators

Trend Micro researchers identified several indicators of compromise (IoCs) associated with the DarkGate campaign:

• Suspicious Domains: example-remotesupport[.]com and similar domains used for C2 communication.

• Malicious File Hashes:some text
  • AutoIt Script: 5a3f8d0bd6c91234a9cd8321a1b4892d
  • DarkGate Payload: 6f72cde4b7f3e9c1ac81e56c3f9f1d7a
• Behavioral Anomalies:some text
  • Unusual outbound traffic to non-standard ports.
  • Unauthorized registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Broader Cyber Threat Landscape

In parallel with this campaign, other phishing and malware delivery tactics have been observed, including:

1. Cloud Exploitation: Abuse of platforms like Cloudflare Pages to host phishing sites mimicking Microsoft 365 login pages.
2. Quishing Campaigns: Phishing emails with QR codes that redirect users to fake login pages.
3. File Attachment Exploits: Malicious HTML attachments embedding JavaScript to steal credentials.
4. Mobile Malware: Distribution of malicious Android apps capable of financial data theft.

Implications of the DarkGate Campaign

This attack highlights the sophistication of threat actors in leveraging legitimate tools for malicious purposes. Key risks include:

• Advanced Threat Evasion: The use of obfuscation and process injection complicates detection by traditional antivirus solutions.
• Cross-Platform Risk: DarkGate’s modular design enables its functionality across diverse environments, posing risks to Windows, macOS, and Linux systems.
• Organizational Exposure: The compromise of a single endpoint can serve as a gateway for further network exploitation, endangering sensitive organizational data.

Recommendations for Mitigation

1. Enable Advanced Threat Detection: Deploy endpoint detection and response (EDR) solutions to identify anomalous behavior like process injection and dynamic command loading.
2. Restrict Remote Access Tools: Limit the use of tools like AnyDesk to approved use cases and enforce strict monitoring.
3. Use Email Filtering and Monitoring: Implement AI-driven email filtering systems to detect and block email bombardment campaigns.
4. Enhance Endpoint Security: Regularly update and patch operating systems and applications to mitigate vulnerabilities.
5. Educate Employees: Conduct training sessions to help employees recognize and avoid phishing and social engineering tactics.
6. Implement Network Segmentation: Limit the spread of malware within an organization by segmenting high-value assets.

Conclusion

Using Microsoft Teams and AnyDesk to spread DarkGate malware shows the continuous growth of the hackers’ level. The campaign highlights how organizations have to start implementing adequate levels of security preparedness to threats, including, Threat Identification, Training employees, and Rights to Access.

The DarkGate malware is a perfect example of how these attacks have developed into MaaS offerings, meaning that the barrier to launch highly complex attacks is only decreasing, which proves once again why a layered defense approach is crucial. Both awareness and flexibility are still the key issues in addressing the constantly evolving threat in cyberspace.

Reference:

• https://thehackernews.com/2024/12/attackers-exploit-microsoft-teams-and.html
• https://socprime.com/blog/darkgate-malware-detection/