Recent Cyber Attacks in India 2025–2026

Author: Jay Thakker
Updated on: March 14, 2026
Reading Time: 21 Min
Published: May 24, 2025

This page is a comprehensive, regularly updated roundup of recent cyber attacks in India covering 2025 and 2026. It documents 15 confirmed and alleged incidents across ransomware, data extortion, cloud account compromise, DDoS attacks on critical infrastructure, hospital hacks, and new 2026 APT and ransomware campaigns. Each case includes what happened, when, which sector was targeted, CIA triad impact (Confidentiality, Integrity, Availability), and recommended prevention controls. All incidents are sourced from stock exchange filings, CERT-In advisories, court documents, CYFIRMA/Seqrite threat intelligence, and verified cybersecurity reporting.

India Cyber Attack Statistics 2026

Before reviewing individual incidents, the verified 2025–2026 statistics provide essential context. Over 265 million malware detections have been recorded, with SOC as a Service being crucial for mitigating such threats. Managed SOC services enable proactive defense and rapid response to cyber incidents.

Metric | Figure | Source
Weekly attacks — Education sector | 7,684 per org/week | Check Point 2026
Weekly attacks — Government sector | 4,912 per org/week | Check Point 2026
Weekly attacks — Business Services | 3,747 per org/week | Check Point 2026
Total malware detections (Oct 2024–Sep 2025) | 265.52 million | Seqrite India Report 2026
Malware detections per minute | 505 per minute | Seqrite 2026
Trojans & file infectors share | 70% of all malware | Seqrite 2026
SIM cards blocked for cyber fraud | 9.42 lakh | CERT-In / DoT
India cybersecurity budget (2025–26) | ₹782 crore | Union Budget
India’s share of global endpoint malware | 12.4% | Acronis 2025
Ransomware extortion victims increase | +53% globally in 2025 | Check Point 2026
Ransomware surge in Jan 2026 | +31.4% above prior avg | Cyble, Feb 2026
Cloud environments share of detections | 62% of all detections | DSCI telemetry
India WEF national cyber risk ranking 2026 | #1 national risk | WEF Global Risk Report 2026

Most Targeted Indian States (2026)

In 2026, Maharashtra, Gujarat, and Delhi have been the hardest hit, with targeted attacks on financial institutions, IT infrastructure, and government data. Many organizations in these regions are opting for MSSPs to gain 24/7 monitoring and incident response services.

Dominant Attack Vectors in India

  • Trojans and file infectors — 70% of all malware detections (Seqrite 2026)
  • AI-generated phishing and business email compromise — 22% of incidents; now voice-cloned and deepfake-enhanced
  • Cloud misconfigurations and IAM exploitation — 62% of detections in cloud environments (DSCI)
  • Ransomware-as-a-service (RaaS) — more fragmented, more groups, +53% victims globally in 2025
  • Supply chain and vendor portal attacks — preferred entry point for India’s BFSI sector
  • DDoS on critical infrastructure — state-linked and hacktivist groups targeting power, telecom, and government portals
  • APT campaigns — MSI installers, DLL sideloading, open-source RATs targeting defence and critical information infrastructure

Recent Cyber Attacks in India 2025–2026: 15 Verified Case Studies

The following incidents are listed chronologically. For each case, details are drawn from stock exchange filings, CERT-In advisories, court documents, and credible cybersecurity reporting. Where root cause, IOCs, or exfiltration scope remain unconfirmed, this is explicitly noted. For better defense against such threats, consider Eventus Managed SOC for 24/7 threat detection and response.

1. APT Campaign Using MSI Installers and RATs Against India’s Defence Sector (2026)

Seqrite’s India Cyber Threat Report 2026 (January 2026) documents a rapidly evolving APT campaign using MSI installers, sideloaded DLLs, and open-source Remote Access Trojans (RATs) to target India’s defence sector and critical infrastructure. The campaign exploits trust in legitimate software installation processes, using malicious MSI packages delivered via spear-phishing or compromised software distribution channels to establish persistent access. A related hybrid warfare campaign blending APT36, SideCopy, and hacktivist attacks is documented targeting India’s defence and government networks.

Date: Ongoing — documented in Seqrite India Cyber Threat Report 2026, January 2026
Sector: Defence, critical infrastructure, government-adjacent organisations
Location: India (national)
Attack Type: APT — MSI installers, DLL sideloading, open-source RATs; spear-phishing delivery
Related Campaign: Hybrid warfare: APT36 + SideCopy + hacktivists targeting India’s defence and government networks
Source: Seqrite India Cyber Threat Report 2026 (January 2026)
CIA Impact: Confidentiality: primary impact — persistent access enables ongoing data exfiltration. Integrity and Availability: secondary.

Prevention Controls

  • Enforce application allowlisting to prevent execution of unsigned or unexpected MSI packages.
  • Monitor for DLL sideloading attempts via EDR with behavioural rules specific to LOLBin techniques.
  • Conduct regular threat hunting for persistence mechanisms — APT campaigns are designed to evade detection for months.
  • Diversify threat intelligence sources beyond US-centric feeds to cover Asia-Pacific APT actors targeting Indian defence networks.
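
The second control above (EDR behavioural rules for DLL sideloading) can be expressed as a small detection routine. The following is an added example written for this page; it is not code from the report, from Seqrite, or from any EDR product. The Sysmon-style field names, the list of commonly impersonated DLL names, and every sample path are assumptions constructed for the example.

```python
"""Heuristic DLL-sideloading detection over image-load telemetry.

Added illustration for the EDR control above; it is not code from the report
or from Seqrite. The records mimic Sysmon Event ID 7 (ImageLoad) fields, but
the field names, the DLL list and every sample path are constructed
assumptions, not telemetry from any real incident.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Library names that sideloaded DLLs commonly impersonate (constructed
# starter list; a production rule set would be far longer).
IMPERSONATED_DLLS = {"version.dll", "dwmapi.dll", "wininet.dll",
                     "userenv.dll", "cryptbase.dll"}

# Only these directories may legitimately supply the libraries above.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Locations an unprivileged user (or an MSI running as that user) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\users\\public\\", "\\programdata\\")


@dataclass
class ImageLoad:
    host_image: str      # process that performed the load (Sysmon "Image")
    host_signed: bool    # Authenticode status of the host process
    loaded_image: str    # DLL path (Sysmon "ImageLoaded")
    loaded_signed: bool  # Authenticode status of the DLL


@dataclass
class Finding:
    rule: str
    host_image: str
    loaded_image: str


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def evaluate(ev: ImageLoad) -> Optional[Finding]:
    """Return a Finding for a suspicious load, or None for a benign one."""
    dll_name = PureWindowsPath(ev.loaded_image).name.lower()
    # Rule 1: a well-known Windows DLL name served from outside the system
    # directories is the classic sideloading pattern, signed or not.
    if dll_name in IMPERSONATED_DLLS and not in_system_dir(ev.loaded_image):
        return Finding("system-dll-name-outside-system-dir",
                       ev.host_image, ev.loaded_image)
    # Rule 2: a trusted (signed) host pulling an unsigned DLL from a
    # user-writable path is the generic form. An unsigned host is noisy
    # here and is better handled by application allowlisting.
    if ev.host_signed and not ev.loaded_signed and in_user_writable_dir(ev.loaded_image):
        return Finding("unsigned-dll-from-user-writable-path",
                       ev.host_image, ev.loaded_image)
    return None


def scan(events: List[ImageLoad]) -> List[Finding]:
    return [f for f in (evaluate(ev) for ev in events) if f is not None]


# Constructed sample telemetry (paths and file names are invented).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\asha\AppData\Local\Temp\MSI4F2A.tmp\setup.exe", True,
              r"C:\Users\asha\AppData\Local\Temp\MSI4F2A.tmp\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\ProgramData\Vendor\helper.dll", False),
    ImageLoad(r"C:\Users\asha\Downloads\unsigned.exe", False,
              r"C:\Users\asha\Downloads\plugin.dll", False),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.host_image} loaded {finding.loaded_image}")
```

Run against the constructed events, only the second and third records are flagged: the first is a signed system library loaded from System32, and the fourth is an unsigned host whose behaviour the allowlisting control in the first bullet is meant to cover. The two rules are deliberately narrow so that an analyst can tune the DLL list and directory markers to the estate without generating noise from ordinary software installs.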

 

2. Leora Infotech — Data Advertised on Dark Web (February 2026)

On February 6, 2026, the CYFIRMA research team identified an alleged cyber intrusion involving Leora Infotech Private Limited, an India-based IT services and consulting firm headquartered in Tamil Nadu. A threat actor using the alias “KaruHunters” advertised a database containing approximately 35,000 records for sale at $200 on a dark web forum. The listing was documented in CYFIRMA’s Weekly Intelligence Report dated February 13, 2026. The authenticity of the breach and scope of data involved remain unverified at the time of reporting.

Date: 6 February 2026 (reported 13 February 2026)
Sector: Information Technology — IT services and consulting
Location: Tamil Nadu, India
Attack Type: Data exfiltration — dark web forum listing
Threat Actor: “KaruHunters” (dark web alias)
Alleged Scope: ~35,000 records; database listed for $200
Source: CYFIRMA Weekly Intelligence Report, 13 February 2026
CIA Impact: Confidentiality: allegedly impacted — ~35,000 records potentially exposed. Availability and Integrity: not reported.
 

Prevention Controls

  • Small and mid-sized IT firms are increasingly targeted — attackers know these organisations hold client data with weaker defences than large enterprises.
  • Implement dark web monitoring as a standard security control, not an advanced one.
  • Maintain data classification so that in the event of a compromise, you know exactly what was exposed and can notify affected parties rapidly.

3. Sinobi Ransomware Group Targets Indian IT Services Company (January 2026)

In January 2026, the Sinobi ransomware group claimed an attack on an India-based IT services company, gaining access to Hyper-V servers, virtual machines, and customer backups. The group alleged theft of 150 GB or more of data including contracts, financial information, and customer data. Sinobi emerged in mid-2025 and became one of the most active ransomware groups globally, with approximately 50 claimed victims by January 2026. This represents the supply chain attack pattern that defined early 2026.

Date: January 2026
Sector: IT Services — managed services and IT solutions
Location: India
Attack Type: Ransomware — Sinobi group; Hyper-V server and VM compromise; customer backup access
Alleged Exfiltration: 150 GB+ including contracts, financials, and customer information
Threat Actor: Sinobi — emerged mid-2025; uses VPN compromise as initial access, DLL sideloading, staged extortion
CIA Impact: Confidentiality: 150 GB+ alleged exfiltration. Availability: VM and backup access compromised. Integrity: customer data potentially manipulated.
Source: Breached.company, January 2026
 

Prevention Controls

  • Hyper-V and virtualisation infrastructure require isolated management networks with MFA — hypervisor compromise gives attackers simultaneous access to all hosted VMs.
  • Protect customer backups with immutable storage and separate access credentials from production systems.
  • VPN access must require MFA and be scoped to minimum necessary network segments — VPN compromise is Sinobi’s confirmed initial access method.
  • Managed service providers must treat customer backup data as their highest-priority asset to protect.

4. Salarpuria Sattva Group — Ransomware Claim (2025)

Salarpuria Sattva Group, one of India’s largest real estate developers, appeared on a ransomware group’s dark web leak site in 2025. The claim was recorded in threat intelligence tracking systems. The company has not issued a comprehensive public disclosure, and the attack’s scope, impact, and authenticity remain unconfirmed in public reporting.

Date: 2025 (exact date undisclosed)
Sector: Real estate and commercial property
Location: Bengaluru, Karnataka, India
Attack Type: Ransomware — dark web leak site claim recorded in threat intelligence tracking
Status: No comprehensive public disclosure from the company
CIA Impact: Unconfirmed in public reporting

Prevention Controls

  • Real estate firms hold high-value data: transaction records, client identities, regulatory filings — treat this as equally sensitive to BFSI data.
  • Monitor dark web leak sites continuously for your organisation’s name.
  • Prepare a rapid-response communications plan for ransomware claims, whether or not they are verified.

5. ICICI Bank — Vendor Portal Malware Incident (2025)

A malware incident targeting a third-party vendor portal associated with ICICI Bank was reported in 2025. The Bashe ransomware group claimed responsibility, alleging credential harvesting through the compromised vendor access point. ICICI Bank did not confirm the breach scope or the attacker’s claim. This incident reflects a growing pattern of supply chain attacks targeting India’s banking sector through vendor access pathways rather than direct infrastructure.

Date: 2025 (exact date undisclosed)
Sector: Banking and financial services
Location: Mumbai, Maharashtra, India
Attack Type: Malware via third-party vendor portal; alleged credential harvesting
Threat Actor Claim: Bashe ransomware group (unverified by ICICI Bank)
CIA Impact: Confidentiality: alleged credential and data exposure via vendor portal. Availability and Integrity: not confirmed.
IOCs: Not publicly disclosed

Prevention Controls

  • Enforce MFA, access expiry, and behavioural monitoring on all vendor accounts — vendor portals are a critical attack surface.
  • Conduct annual third-party security assessments for vendors with access to sensitive banking systems.
  • Vendor access must be revocable within minutes — build and test a vendor access revocation playbook.

6. Delhi Hospitals Hacked — Sant Parmanand & NKS Super Speciality (June 2025)

On the night of June 10–11, 2025, Sant Parmanand Hospital (Civil Lines) and NKS Super Speciality Hospital (Gulabi Bagh) both reported server hacking that disrupted their IT systems. Patient records, financial data, and administrative files were reportedly accessed. NKS stated that OPD and IPD digital workflows were disrupted, forcing reversion to manual processes. Delhi Police filed an FIR and engaged cybersecurity experts. The access method, any ransomware deployment, and confirmed exfiltration scope remain unverified.

Date: Night of 10–11 June 2025
Sector: Healthcare — hospitals
Location: Delhi (Civil Lines and Gulabi Bagh)
Data Reportedly Accessed: Patient records, financial data, administrative files
Service Impact: OPD and IPD digital workflows disrupted; manual fallback initiated
CIA Impact: Confidentiality: potentially impacted. Availability: impacted — digital workflows disrupted. Integrity: not established.
IOCs: Not publicly released

Prevention Controls

  • Air-gap patient data systems from internet-facing applications and administrative networks.
  • Train and practice manual fallback procedures for OPD/IPD workflows — cyber incidents in healthcare are a patient safety issue.
  • Comply with DPDP Act obligations: breach notification timelines, data minimisation, and access controls.
  • Engage a cybersecurity incident response retainer before an incident — hospital IT teams are typically under-resourced for real-time forensic response.

7. Star Health Insurance — Cyber-Extortion Escalation (May 2025)

Star Health faced escalating extortion in May 2025, following an earlier customer data breach. An actor using the alias “xenZen” — the same alias linked to the Niva Bupa claim — claimed to have sent death threats and bullet cartridges to the company’s CEO and CFO. The same alias was connected to prior data exposure via chatbots, a dedicated leak site, and a reported $68,000 extortion demand. The breach method and verified scope of affected records remain unconfirmed.

Date: May 2025 (escalation from prior breach)
Sector: Health insurance
Location: Chennai, Tamil Nadu, India
Attack Type: Cyber extortion and physical intimidation following a prior data breach
Threat Actor: “xenZen” (self-asserted; not formally verified by Star Health)
CIA Impact: Confidentiality: impacted — customer personal and medical data exposed in prior breach. Availability and Integrity: not reported as impacted in 2025 escalation.
IOCs: Not publicly released

Prevention Controls

  • Activate a formal extortion response plan including law enforcement, legal counsel, and a dedicated crisis communications strategy.
  • Physical security protocols for senior leadership must be reviewed when credible threats are made by cyber-extortion actors.
  • Encrypt patient data at rest and in transit, enforce need-to-know access, and monitor access anomalies continuously.
  • Incomplete breach containment enables repeat extortion cycles from the same actor — full data mapping is essential.

8. Operation Sindoor — Coordinated Cyberattack Wave on India (May 2025)

During India’s Operation Sindoor (May 7–10, 2025), a coordinated wave of cyber activity struck Indian government sites and critical infrastructure simultaneously. Reported impacts included approximately 19 hours of DDoS targeting the President’s official website, approximately 200,000 probing and attack attempts against the power grid, website defacements across ministries and public-service portals, and attacks targeting NIC data centres and defence research organisations. Attribution was broadly described as Pakistan-aligned hacktivist and state-linked groups — no single verified operator was named.

Date: 7–10 May 2025
Sector: Government portals, critical national infrastructure, defence-adjacent organisations
Location: India (nationwide coordinated attack)
Attack Types: Coordinated DDoS, website defacement, IT/OT probing
Key Targets: President’s website (~19-hour DDoS); power grid (~200,000 attempts); ministries; NIC data centres; defence research orgs
Attribution: Pakistan-aligned hacktivist and state-linked groups (broadly; no single verified operator)
CIA Impact: Availability: primary impact. Integrity: potentially impacted where defacements occurred. Confidentiality: not established.
IOCs: Not published
 

Prevention Controls

  • Nation-state threats require 24/7 SOC coverage with geopolitical threat intelligence feeds — attack waves correlate with real-world conflict events.
  • Pre-position DDoS runbooks and ISP coordination contacts for activation during periods of elevated geopolitical tension.
  • Run continuous defacement monitoring on all public-sector web properties.
  • Treat IT/OT probing as a precursor to operational attacks — isolate OT environments with dedicated anomaly detection.

9. Power Grid Corporation of India — DDoS Attack (May 2025)

On May 2, 2025, Power Grid Corporation of India’s official website was disrupted by a DDoS attack for over 31 minutes. Online services including bill payments and fault reporting were affected. Grid operations themselves were confirmed unaffected. The specific DDoS technique and responsible actor were not disclosed.

Date: 2 May 2025
Sector: Energy — critical infrastructure
Location: Gurugram, Haryana, India
Attack Type: DDoS attack on official public website
CIA Impact: Availability: impacted — temporary disruption to online customer services (31+ minutes). Confidentiality and Integrity: not reported.
IOCs: Not published

Prevention Controls

  • Strictly separate the public-facing web portal from OT (SCADA/grid control) systems — portal disruption must never cascade to operational technology.
  • Implement always-on DDoS mitigation with automatic triggers, not manual escalation workflows.
  • Classify public portals as critical systems even when grid operations are unaffected — short outages attract regulatory and citizen scrutiny.

10. BSNL — Double DDoS Attack on National Telecom Portal (April 2025)

On April 25–26, 2025, BSNL’s main website experienced two consecutive DDoS attacks, each lasting over 30 minutes. The website remained inaccessible for several days, disrupting bill payments, service requests, and customer support nationwide. No public details confirmed data access or internal network penetration during this DDoS event.

Date: 25–26 April 2025
Sector: Telecommunications — public-sector national telecom
Location: India (national impact)
Attack Type: Two consecutive DDoS attacks, each exceeding 30 minutes
CIA Impact: Availability: significantly impacted — site inaccessible for multiple days. Confidentiality and Integrity: not reported.
IOCs: Not published

Prevention Controls

  • CDN and WAF deployment in front of public portals is non-negotiable for critical-sector organisations.
  • Pre-stage a DDoS response runbook with ISP and CDN provider — upstream filtering must activate within minutes.
  • Always check internal logs during DDoS flood events to detect parallel intrusion attempts masked by traffic volume.
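
The last control above, checking internal logs for intrusion attempts hidden behind flood traffic, is shown below as an added example for this page (not code from the report or from BSNL). It reads combined-format web server lines, separates flood sources by request volume, and then reports authentication failures and admin-path hits from the remaining low-volume sources, which is exactly the traffic that a team watching only the flood tends to miss. The threshold, the watched paths, and every sample log line are constructed assumptions.

```python
"""Separating flood traffic from masked intrusion attempts in web access logs.

Added example for the control above; it is not code from the report or from
BSNL. It parses Apache/Nginx combined-format lines, marks sources above a
request-volume threshold as flood participants, and reports authentication
failures and admin-path hits from the remaining low-volume sources.
Threshold, watched paths and every sample line are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

FLOOD_THRESHOLD = 50            # requests per source in the window (constructed)
WATCHED_PREFIXES = ("/login", "/admin", "/api/auth")
SUSPICIOUS_STATUSES = {401, 403}


class Request(NamedTuple):
    ip: str
    method: str
    path: str
    status: int


def parse(lines: List[str]) -> List[Request]:
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the triage
            out.append(Request(m["ip"], m["method"], m["path"], int(m["status"])))
    return out


def triage(lines: List[str], threshold: int = FLOOD_THRESHOLD
           ) -> Tuple[Set[str], Dict[str, List[Request]]]:
    """Return (flood_sources, masked) where masked maps a non-flood IP to the
    watched-path requests it made that ended in 401/403."""
    requests = parse(lines)
    volume = Counter(r.ip for r in requests)
    flood_sources = {ip for ip, n in volume.items() if n >= threshold}
    masked: Dict[str, List[Request]] = defaultdict(list)
    for r in requests:
        if r.ip in flood_sources:
            continue  # flood participants are handled by the upstream filter
        if r.path.startswith(WATCHED_PREFIXES) and r.status in SUSPICIOUS_STATUSES:
            masked[r.ip].append(r)
    return flood_sources, dict(masked)


def build_sample_log() -> List[str]:
    """Constructed lines: two flood sources, one probing source, one customer."""
    ts = "26/Apr/2025:10:15:02 +0530"

    def line(ip: str, method: str, path: str, status: int) -> str:
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("198.51.100.1", "GET", "/", 503) for _ in range(80)]
    lines += [line("198.51.100.2", "GET", "/", 503) for _ in range(70)]
    lines += [line("203.0.113.77", "POST", "/login", 401) for _ in range(5)]
    lines.append(line("203.0.113.77", "GET", "/admin/", 403))
    lines.append(line("203.0.113.5", "GET", "/billpay", 200))
    return lines


if __name__ == "__main__":
    floods, masked = triage(build_sample_log())
    print("flood sources:", sorted(floods))
    for ip, reqs in masked.items():
        print(ip, [(r.method, r.path, r.status) for r in reqs])
```

On the constructed sample the two 198.51.100.x addresses are classified as flood sources and set aside, the customer request to /billpay is ignored, and the single low-volume address that made five failed logins and an /admin/ probe is returned for analyst attention. In a real deployment the threshold would be derived from the portal's normal per-client rate, and the watched prefixes from the application's own authentication and administrative routes.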

 

11. Nippon India Mutual Fund — Cyberattack Causing 12-Day Portal Outage (April 2025)

On April 9, 2025, Nippon Life India Asset Management reported a cyberattack and shut affected systems for investigation. The company’s website, portal login, and mobile app were disrupted for 12 days, significantly limiting online transactions for investors. Services were fully restored by April 21. The intrusion method and whether any data was accessed were not publicly confirmed.

Date: 9 April 2025 (restored 21 April 2025)
Sector: Financial services — asset management and mutual funds
Location: Mumbai, Maharashtra, India
Outage Duration: 12 days — website, portal, and mobile app affected
CIA Impact: Availability: significantly impacted — digital channels down 12+ days. Confidentiality: not confirmed. Integrity: not disclosed.
IOCs: Not publicly disclosed

Prevention Controls

  • Multi-day portal outages carry SEBI and AMFI reporting obligations — factor these into incident response playbooks.
  • Invest in resilient architecture with failover capabilities so customer-facing systems can be restored independently of an ongoing investigation.
  • Define and test RTOs (Recovery Time Objectives) for each customer-facing service annually.

12. Angel One — AWS Cloud Resources Compromised (February 2025)

Angel One, one of India’s largest stockbroking platforms, disclosed a breach on February 28, 2025, following a dark-web monitoring alert indicating unauthorised access to AWS-hosted resources. The company immediately rotated AWS and application credentials and engaged external forensics. Client funds, securities, and login credentials were stated as unaffected. The initial intrusion vector and full data scope were not publicly confirmed.

Date: 28 February 2025 (alert received 27 February)
Sector: Financial services — stockbroking
Location: Mumbai, Maharashtra, India
Attack Type: Unauthorised access to AWS-hosted resources (initial vector undisclosed)
Detection: External dark-web monitoring alert triggered the response
CIA Impact: Confidentiality: potentially impacted — data leakage context; scope not fully confirmed. Availability and Integrity: not reported.
IOCs: Not publicly disclosed

Prevention Controls

  • Enable AWS CloudTrail, GuardDuty, and IAM Access Analyzer with real-time alerting — dark-web monitoring is a backup, not primary detection.
  • Apply IAM least privilege and audit roles quarterly. Rotate all cloud credentials immediately on confirmed compromise.
  • Tag all customer data assets in cloud environments for priority monitoring.
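
As an added example for the first two controls above (not code from the report, from Angel One, or from AWS), the routine below triages newline-delimited CloudTrail records for the patterns an IAM-compromise investigation looks for first: root or non-MFA console sign-ins, sensitive IAM changes (with an extra flag when AdministratorAccess is attached), and API calls from outside a corporate egress allowlist. The CloudTrail field names are the standard ones; the allowlist network, the account number, the ARNs and every sample record are constructed.

```python
"""Triage of CloudTrail records for the IAM-compromise patterns discussed above.

Added example, not code from the report, from Angel One or from AWS. It applies
three checks to newline-delimited CloudTrail JSON: console sign-ins by the root
user or without MFA, sensitive IAM changes (plus a flag when AdministratorAccess
is attached), and API calls from outside a corporate egress allowlist. The
field names are standard CloudTrail fields; the allowlist network, account
number, ARNs and sample records are constructed.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed allowlist: office/VPN egress range (TEST-NET-3, documentation only).
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

SENSITIVE_IAM_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def from_corporate_network(source_ip: str) -> bool:
    """AWS service principals appear as hostnames (e.g. 'cloudtrail.amazonaws.com')
    rather than IPs; those are not client connections and are not flagged."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in CORPORATE_EGRESS)


def triage(record: dict) -> List[str]:
    findings: List[str] = []
    event_name = record.get("eventName", "")
    identity = record.get("userIdentity") or {}
    extra = record.get("additionalEventData") or {}
    params = record.get("requestParameters") or {}
    if event_name == "ConsoleLogin":
        if identity.get("type") == "Root":
            findings.append("root-console-login")
        if extra.get("MFAUsed") == "No":
            findings.append("console-login-without-mfa")
    if event_name in SENSITIVE_IAM_EVENTS:
        findings.append(f"sensitive-iam-change:{event_name}")
        if str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
            findings.append("admin-policy-attached")
    if not from_corporate_network(record.get("sourceIPAddress", "")):
        findings.append("call-from-unknown-network")
    return findings


def scan(ndjson: str) -> Dict[str, List[str]]:
    """Map eventID -> findings, keeping only records that raised something."""
    results: Dict[str, List[str]] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hits = triage(record)
        if hits:
            results[record["eventID"]] = hits
    return results


# Constructed sample records (IDs, account number, ARNs and addresses are invented).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventID": "ev-001", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev-002", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "ev-003", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/asha"},
     "sourceIPAddress": "203.0.113.20"},
])

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOG).items():
        print(event_id, ", ".join(hits))
```

On the sample, the root sign-in without MFA from an unknown network raises three findings, the AdministratorAccess attachment raises two, and the read-only bucket listing from the corporate range raises none. The same checks can be run continuously by pointing the scanner at a CloudTrail-to-S3 or CloudWatch Logs export, which is the real-time path the first bullet calls for, with a dark-web alert as the fallback signal rather than the first one.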

 

13. Niva Bupa Health Insurance — Alleged Customer Data Extortion (February 2025)

On February 21, 2025, Niva Bupa reported receiving emails from an anonymous sender claiming possession of customer data. By early March, court-linked reporting described escalation: data allegedly covering the period through February 2025 was said to have been posted to “NivaBupaLeaks.com” with a payment demand. Takedown efforts were initiated. The breach method and confirmed scope of records affected remain unverified.

Date: 21 February 2025
Sector: Health insurance
Location: Gurugram, Haryana, India
Attack Type: Data extortion — anonymous email claim with dedicated leak site
Threat Actor Claim: “xenZen” referenced in court-linked reporting (unverified by insurer)
CIA Impact: Confidentiality: potentially impacted — data possession claimed, unverified. Availability and Integrity: not reported as impacted.
IOCs: Not publicly disclosed

Prevention Controls

  • External extortion claims should immediately trigger log forensics — treat as a confirmed breach until ruled out.
  • Monitor dark web and paste sites for your domain continuously, not reactively.
  • Pre-plan legal hold and takedown processes with counsel so they launch within hours.
  • Activate customer notification protocols within 72 hours per DPDP Act obligations.

14. Raymond Ltd — Cybersecurity Incident Disclosed to Stock Exchanges (February 2025)

On February 19, 2025, Raymond Ltd disclosed a cybersecurity incident affecting some IT assets, which were isolated for containment. Core systems and daily operations — including customer-facing store operations — were stated as unaffected. The attack type, root cause, and whether any data was accessed remain unconfirmed in public disclosures.

Date: 19 February 2025
Sector: Textiles and fashion retail
Location: Mumbai, Maharashtra, India
Attack Type: Unconfirmed; some IT assets isolated for containment
Malicious Intent: Not disclosed — motive unconfirmed
CIA Impact: Availability: limited — affected assets isolated, operations continued. Confidentiality: not confirmed. Integrity: not disclosed.
IOCs: Not publicly disclosed

Prevention Controls

  • Network segmentation between retail operations and internal IT prevents operational disruption from spreading.
  • Pre-approve stock exchange disclosure templates — SEBI mandates rapid, accurate communication.
  • Conduct post-isolation forensics before restoring systems to prevent reintroduction of the threat.

15. Tata Technologies — Ransomware Attack (January 2025)

Tata Technologies disclosed a ransomware incident on January 31, 2025, affecting a few internal IT assets. The company suspended some IT services temporarily, later restored them, and confirmed that client delivery services remained unaffected throughout. In early March 2025, the Hunters International ransomware group claimed responsibility and alleged theft of 1.4 TB of data — a claim Tata Technologies has not confirmed.

Date: 31 January 2025
Sector: Engineering & IT Services — product engineering, digital delivery for manufacturing
Location: Pune, Maharashtra, India
Attack Type: Ransomware (Hunters International claimed responsibility, March 2025)
Alleged Exfiltration: 1.4 TB claimed by Hunters International — not confirmed by Tata Technologies
Disclosure: Company statement and stock exchange filing (BSE/NSE)
CIA Impact: Availability: some services suspended. Confidentiality: alleged by attacker, unconfirmed. Integrity: not described.
IOCs: Not publicly disclosed

Prevention Controls

  • Enforce behavioural ransomware blocking via EDR across all internal assets.
  • Maintain immutable, air-gapped backups tested quarterly — restoration must not depend on attacker negotiation.
  • Treat exfiltration claims as credible until disproven; run DLP log review immediately.
  • Prepare stock exchange disclosure templates before an incident — SEBI/BSE timelines are tight.

Recent Cyber Attacks in India by Sector — Quick Reference

Use this table to identify incidents relevant to your sector and understand the dominant attack patterns affecting Indian organisations in 2025–2026.

Sector | Key Incidents (2025–2026) | Primary Attack Types | CIA Risk | Count
BFSI | Angel One (AWS breach), ICICI Bank (vendor malware), Nippon India MF (12-day outage) | Cloud compromise, supply chain malware, DDoS | C + A | 3
Healthcare | Niva Bupa (extortion), Star Health (ongoing extortion + threats), Delhi Hospitals (hack) | Data extortion, server hacking, ransomware-adjacent | C + A | 3
Govt / Critical Infra | Operation Sindoor wave (DDoS + defacement), Power Grid DDoS, BSNL double DDoS | DDoS, defacement, IT/OT probing, state-sponsored | A + I | 3
Defence / Strategic | APT campaign (MSI/RAT, 2026), APT36+SideCopy hybrid warfare | APT, DLL sideloading, spear-phishing, RAT | C | 2
IT & Engineering | Tata Technologies (ransomware), Leora Infotech (data listing), Sinobi attack | Ransomware, data exfiltration, dark web listing | C + A | 3
Real Estate | Salarpuria Sattva Group (ransomware claim) | Ransomware, dark web leak claim | C | 1
Retail / Manufacturing | Raymond Ltd (cybersecurity incident) | Unknown cyberattack, IT system isolation | A | 1

What’s New in 2026: Emerging Cyber Threats Targeting India

1. Ransomware Surge — +31.4% Attack Velocity in January 2026

Ransomware attacks surged more than 31% above the prior nine-month average in January 2026 (Cyble). India accounted for approximately 3% of global ransomware victims — representing hundreds of organisations. New groups like Sinobi specifically target IT service providers for the supply chain multiplication effect: breach one managed service provider, access hundreds of client environments. The ransomware ecosystem now has 100+ active groups, making threat intelligence and pre-tested incident response playbooks critical.

2. AI-Powered Attack Automation

Attackers are increasingly using generative AI to create polymorphic malware and highly targeted phishing campaigns. IBM X-Force documented the “Slopoly” AI-generated malware framework in early 2026.

With behavior-based malware detections in India rising 974.6% over three years, organizations are adopting advanced detection systems such as an AI Driven SOC to identify anomalies and respond to AI-powered threats faster.

3. Deepfake and Voice-Cloning Fraud Targeting Indian Enterprises

India in 2026 is experiencing a surge in deepfake-based Business Email Compromise (BEC) attacks. Fraudsters impersonate CEOs, CFOs, and government officials using AI-generated voice recordings and video calls to authorise financial transfers or extract credentials. Mid-sized Indian businesses are particularly vulnerable — the impersonation quality exceeds what traditional security awareness training prepares employees to recognise.

4. Cloud Misconfigurations as the Primary Enterprise Attack Surface

DSCI telemetry shows 62% of all detections occurred in cloud environments. Misconfigured APIs, publicly exposed storage buckets, excessive IAM permissions, and absent workload protection are the most exploited weaknesses. Multiple Indian financial institutions suffered data exposure in 2025 due to misconfigured cloud storage buckets exposing customer identity details and transaction logs. The Angel One breach demonstrates that dark-web monitoring should be a backup detection mechanism — not a substitute for proactive IAM controls.

5. State-Sponsored APT Activity Against India’s Defence and Critical Infrastructure

Seqrite India Cyber Threat Report 2026 documents a coordinated hybrid warfare campaign blending APT36, SideCopy, and hacktivist attacks targeting India’s defence and government networks. A separate APT campaign uses MSI installers and DLL sideloading to target critical infrastructure organisations. CYFIRMA’s February 2026 intelligence reports document ongoing campaigns against India-based organisations with data advertised for sale on dark web forums.

6. UPI and Digital Payment Fraud at Scale

India’s UPI infrastructure — processing over 15 billion transactions monthly — is a high-value target. MHA data shows 9.42 lakh SIM cards blocked for cybercrime links. The I4C projects ₹1.2 lakh crore in annual losses for 2025, driven predominantly by investment fraud, UPI scams, and fake stock trading platforms. Early reporting to the 1930 helpline significantly increases the chances of fund recovery.

Conclusion

The pattern behind recent cyber attacks in India highlights several critical realities security leaders must address. Attackers increasingly combine multiple techniques within a single campaign, making single-layer defenses ineffective. Third-party vendors and cloud environments have also become common entry points, meaning an organization’s security is only as strong as its weakest external connection.

In this environment, preparedness is essential. Organizations with strong incident response plans, resilient architectures, and continuous monitoring are far better positioned to contain attacks before they escalate. Many enterprises are strengthening their defenses by partnering with experienced SOC Service Providers that deliver 24/7 threat detection and rapid incident response.

FAQs

1. How many cyber attacks happen in India every week in 2026?

Indian organisations experience an average of 3,195 cyber attacks per week, according to the Check Point 2026 Cyber Security Report. This equals roughly 702 attacks every minute, based on estimates from the Seqrite India Cyber Threat Report 2026. Education institutions face the highest volume of attacks, followed by government organisations and business services.

2. Which sectors are most targeted by cyber attacks in India?

The education sector experiences the highest attack frequency, with around 7,684 attacks per organisation per week, followed by government organisations (4,912) and business services (3,747), according to Check Point 2026 data. Seqrite also reports that education, healthcare, and manufacturing together account for nearly 47% of malware detections in India.

3. Is cybersecurity India’s biggest national risk in 2026?

Yes. The World Economic Forum Global Risk Report 2026 ranks cybersecurity as India’s number one national risk, ahead of economic downturns, climate-related disasters, and armed conflict. Rapid digitisation and increasing cyber attack frequency have significantly expanded India’s national cyber risk exposure.

4. What are India’s mandatory cyber incident reporting requirements?

Under CERT-In’s cybersecurity incident reporting rules, organisations must report cyber incidents within 6 hours of detection. Critical Information Infrastructure operators must also notify NCIIPC, while personal data breaches must be reported under the Digital Personal Data Protection (DPDP) Act 2023. Listed companies must disclose major cyber incidents to BSE or NSE within 24 hours.

5. What is the cybercrime helpline number in India?

India’s official cybercrime helpline is 1930, designed to help victims quickly report financial cyber fraud. Complaints can also be filed on the National Cyber Crime Reporting Portal (cybercrime.gov.in). Early reporting improves the chances of recovering funds in cases involving UPI, banking, or online payment fraud.

Jay Thakker
Jay is a cybersecurity professional with over 10 years of experience in Application Security, specializing in the design and implementation of Breach and Attack Simulation (BAS) programs to proactively assess and strengthen organizational defenses against evolving cyber threats. He also has strong expertise in Threat Hunting, leveraging advanced analytical techniques to identify, investigate, and neutralize emerging and stealthy adversary activity before impact.
