Red Fort blast: Malware attack on investigators, IP linked to Pakistan
Several members of the investigative team probing Monday evening’s bomb blast near the Red Fort — which killed 13 persons and injured more than 20 — have reported receiving suspicious calls followed by a WhatsApp message containing a ZIP file laced with malware.
The message came from a fake account impersonating a girl named “Drishti”. The ZIP file reportedly contained a Trojan virus, a type of malicious software that disguises itself as a legitimate file to trick users into installing it. Once activated, a Trojan can steal data, corrupt files, or grant remote access to the device.
Investigators said the IP address behind the fake WhatsApp account has been traced to Pakistan. As a preventive measure, police have advised personnel not to open unknown links or download unsolicited attachments. So far, officials confirmed that no device has been compromised.
Messages reviewed by The Tribune show the sender claiming: “Sir, I am Drishti here, I have some evidence regarding the blast,” followed by the infected ZIP file.
A Trojan is a type of malware that typically hides as an attachment in an email or a free‑to‑download file and is then transferred onto the user’s device. Once downloaded, the malicious code executes the task the attacker designed it for, such as gaining backdoor access to corporate systems, spying on users’ online activity, or stealing sensitive data.
It had earlier emerged that the accused communicated with each other via an application that uses end‑to‑end encryption by default. Sources said Dr Umer un‑Nabi, Dr Muzammil Ahmad Ganaie and Dr Shaheen Shahid — all linked to Al‑Falah University — were in constant touch through the encrypted platform Threema.