Insikt Group exposes pro-India and pro-Pakistan influence networks active during the 2025 conflict, revealing their tactics, narratives, and strategic objectives.
Analysis Summary
# Threat Actor: Hidden Charkha and Khyber Defender (Two State-Aligned Influence Networks)
## Attribution & Identity
* **Hidden Charkha:** Pro-India influence operation network, almost certainly aligned with the Indian government. Active since at least 2021 and operating in the Indian Standard Time (IST) time zone.
* **Khyber Defender:** Pro-Pakistan influence operation network, almost certainly aligned with the Pakistani government. Active since at least 2020.
* **Motivation:** Patriotism and alignment with respective domestic and foreign policy objectives of India and Pakistan.
## Activity Summary
Both networks engaged in coordinated inauthentic behavior (CIB) during the India-Pakistan conflict of April and May 2025, spanning from the April 22, 2025, Pahalgam terror attack until the May 10, 2025, ceasefire announcement.
1. **Initial Phase:** Both networks attempted to portray the Pahalgam attack as state-sponsored terrorism by the opposing nation.
2. **Escalation Phase:** They suppressed dissent domestically, amplified nationalist sentiment, undermined senior political figures in the opposing country, and closely supported or criticized kinetic military operations (Operation Sindoor for India, Operation Bunyan-Al-Marsous for Pakistan).
3. **Narrative Focus:** Both consistently framed their respective countries as possessing superior technological and military capabilities, implying that they exercised tactical restraint and held the moral high ground. They also amplified forged military documents and exaggerated the impact of claimed cyberattacks to undermine adversary claims of preparedness.
4. **Post-Ceasefire:** Hidden Charkha accused Pakistan of violating the ceasefire, and Khyber Defender accused India, in an attempt to shape international perceptions of the conflict outcome.
## Tactics, Techniques & Procedures
* Coordinated Inauthentic Behavior (CIB).
* Amplifying pro-government messaging to domestic audiences in local languages.
* Suppressing dissenting opinions on social media.
* Amplifying forged military documents.
* Exaggerating the impact of claimed cyberattacks.
* Utilizing generative AI to produce visual and textual content (a new procedure likely aimed at crossing language barriers and creating consistent content).
* Amplifying narratives/content from national media outlets and government PR entities.
## Targeting
* **Sectors:** Organizations operating in conflict zones (based on the recommendation to track brand mentions).
* **Geography:** India and Pakistan (domestic audiences are the primary focus, but also shaping foreign perceptions).
* **Victims:** Opposing political figures and general public opinion in India and Pakistan, as well as international perception.
## Tools & Infrastructure
* **Malware families used:** Not specified, as the activity is focused on influence operations rather than traditional cyber intrusions.
* **Infrastructure (C2, domains, IPs):** Not specified in terms of digital infrastructure, but the activity is heavily reliant on social media platforms.
## Implications
These networks demonstrate a blueprint for how state-aligned influence operations function symmetrically during crises involving nuclear-armed rivals, attempting to manage escalation and garner domestic/diplomatic support for kinetic actions. The adoption of generative AI suggests an evolution in their content creation capabilities. Their activity aims to inflate operational success, strengthen national cohesion, reinforce perceptions of technological superiority, and complicate adversary battle damage assessments and attribution claims.
## Mitigations
* Organizations operating in conflict zones should proactively track mentions of their brand or key personnel within influence narratives to mitigate reputational damage.
* Defenders should analyze narratives produced by these networks to gain insights into TTPs used during conflict escalation.
* Be aware that content, including forged documents and exaggerated cyber claims, may be seeded by associated social media accounts or hacktivist groups.
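
One way to act on the brand-tracking mitigation, as an added example that is not part of the original report: flag identical (after normalization) posts that mention a watchlisted brand or person and come from several distinct accounts within a short window, a basic signal of coordinated amplification. The watchlist, account handles, post text, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: brand, person, handles and post text are placeholders.
WATCHLIST = ["examplecorp", "jane doe"]
POSTS = [  # (account, ISO timestamp, text)
    ("acct_a", "2025-05-08T10:00:00", "ExampleCorp secretly supplied drones to the enemy!! #boycott"),
    ("acct_b", "2025-05-08T10:03:00", "examplecorp secretly supplied drones to the enemy #Boycott"),
    ("acct_c", "2025-05-08T10:07:00", "ExampleCorp SECRETLY supplied drones to the enemy... #boycott"),
    ("acct_a", "2025-05-08T10:09:00", "ExampleCorp secretly supplied drones to the enemy #boycott"),
    ("acct_d", "2025-05-08T18:30:00", "ExampleCorp opened a new office today."),
    ("acct_e", "2025-05-08T10:05:00", "Ceasefire talks continue this week."),
]

def normalize(text):
    """Lowercase, drop URLs and punctuation so trivially varied copies share one key."""
    text = re.sub(r"https?://\S+", " ", text.lower())
    return " ".join(re.findall(r"\w+", text))  # \w is Unicode-aware in Python 3

def find_coordinated_mentions(posts, watchlist, min_accounts=3,
                              window=timedelta(minutes=15)):
    """Return clusters of identical normalized text that mention a watchlist
    term and come from >= min_accounts distinct accounts inside `window`."""
    clusters = defaultdict(list)
    for account, ts, text in posts:
        key = normalize(text)
        if any(term in key for term in watchlist):  # substring match on normalized text
            clusters[key].append((datetime.fromisoformat(ts), account))
    alerts = []
    for key, hits in clusters.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct accounts posting this text within `window` of hits[i].
            accounts = {a for t, a in hits[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"text": key, "accounts": sorted(accounts),
                               "first_seen": start.isoformat()})
                break  # one alert per cluster
    return alerts

if __name__ == "__main__":
    for alert in find_coordinated_mentions(POSTS, WATCHLIST):
        print(alert)
```

Exact-match clustering only catches copy-paste amplification; paraphrased or AI-generated variants need fuzzy or semantic similarity on top of this.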