#FactCheck-AI-Generated Image Falsely Shared as Chinese Soldiers Capturing Indian Troops in Arunachal Pradesh
Executive Summary
A photograph is being widely circulated on social media with the claim that it shows Chinese soldiers blindfolding and escorting three Indian soldiers after entering 60 kilometres inside Arunachal Pradesh. The image is being shared as evidence of an alleged Chinese military intrusion into Indian territory.
CyberPeace Research Wing’s research found the claim to be false. Our research revealed that the viral image is AI-generated and has no connection to any real incident in Arunachal Pradesh. The Government of India and the Indian Army have also rejected claims of Chinese forces entering Indian territory.
Claim
An Instagram user, 'star8atik', shared the viral image on July 6, 2026, with the caption:"China has occupied 60 km of land in Arunachal Pradesh."
https://www.instagram.com/reel/Dac60uVtH4j

Fact Check
To verify the claim, we first performed a reverse image search using Google Lens. However, we did not find any authentic source or credible report linking the viral image to an actual incident involving Chinese troops in Arunachal Pradesh. We also conducted keyword-based searches on Google using terms related to the alleged Chinese incursion. The search yielded no credible news reports confirming that Chinese soldiers had captured Indian troops or entered 60 kilometres inside Arunachal Pradesh. We then closely examined the image and noticed several visual inconsistencies commonly associated with AI-generated content. The facial features and body proportions of the soldiers in the background appeared distorted and unnatural. Additionally, one of the Indian soldiers was shown with what appeared to be a Chinese flag patch on his arm, but its design and placement were inconsistent and visually flawed. These anomalies raised strong suspicions that the image had been generated using artificial intelligence. To verify this, we analysed the image using the AI detection tool Hive Moderation, which indicated a 98% probability that the image was AI-generated.

For additional verification, we also scanned the image using Undetectable AI, which found a 97% probability that the image had been digitally generated or manipulated using AI.

Conclusion
Our research found that the viral image claiming to show Chinese soldiers capturing Indian troops after entering Arunachal Pradesh is fake. The image is AI-generated and is being falsely circulated to support misleading claims of a Chinese military incursion. Furthermore, Union Minister Kiren Rijiju and the Indian Army have publicly rejected claims that Chinese forces entered Indian territory, making the viral claim baseless.
Related Blogs

Introduction
A zero-click cyber attack solely relies on software and hardware flaws, bypassing any human factor to infect a device and take control over its data. It is almost impossible to discover the attack and know that the device is hacked unless someone on your side is closely monitoring your network traffic data.
At Kaspersky, security analysts used their SIEM solution KUMA to monitor their corporate WiFi network traffic and discovered this mysterious attack. They took necessary actions to investigate it and even went a step further to dive right into the action and uncover the entire attack chain.
A few months ago, Kaspersky shared their findings about this attack on iOS devices. They shared how these zero-click vulnerabilities were being exploited by the attackers and called this attack ‘Operation Triangulation’.
A zero-click exploit in the network
Kaspersky detected a zero-click attack on the iPhones of their colleagues while monitoring their corporate WiFi network traffic. They managed to get detailed information on all the stages of the attack by simply identifying a pattern in the domain names flowing through their network. Although the attackers were quite experienced, their mistakes helped Kaspersky detect critical vulnerabilities in all iOS devices.
The name-pattern
These previously unsuspected domains had a similar name-style which consisted of two names and ended with ‘.com’, such as ‘backuprabbit.com’ and ‘cloudsponcer.com’. They were used in pairs, one for an exportation process and the other served as a command and control server. These domains showed high outbound traffic, they were registered with NameCheap and protected with Cloudflare.
The network pattern
Each time a connection to these suspicious domains was made, it was preceded by an iMessage connection which indicated these domains are being accessed by iOS devices. It was observed that the devices connected to these domains, downloaded attachments, performed a few requests to a first level domain which was an exploitation framework server, then made regular connections with the second level domain which was a command and control server controlled by the attackers.
Getting more information
To get more information about the attack all the infected devices were collected and backed up after carefully informing the device owners. Although the attackers had managed to clean their artefacts, the backed up data was used to perform digital forensic procedures and find traces of the attacks. This helped Kaspersky to figure out how the infection might be taking place.
The attacker’s mistakes
The attackers deleted all the attachment files and exploits but did not delete the modified SMS attachment folder. That folder had no files left inside it. The attackers removed evidence from other databases as well, like the ‘SMS.db’ database, however another database called ‘datausage.sqlite’ was not sanitised.
The ‘datausage.sqlite’ database is the most important database when it comes to iOS forensics as its contents can be used to track applications and network usage. Upon examination of this database, a process logged as ‘BackupAgent’ was found to be making network connections at the same time the device was making connections to the suspicious domains.
The indicator of compromise
‘BackupAgent’ stood out in this scenario because although it is a legitimate binary, it has been deprecated since iOS4 and it should not have been making any network connections. This identified the ‘BackupAgent’ process as the first solid indicator of compromise in Operation Triangulation. The indicator is termed as- ‘Data usage by process BackupAgent’, and was used to determine if any specific device was infected.
Taking it a step ahead
The team at Kaspersky successfully identified the indicator of compromise and determined which devices were infected, but as the attackers were experienced enough to delete their payloads, they decided to set a trap and perform a man-in-the-middle attack. When they did, the attackers were unable to detect it.
The man-in the-middle attack
Kaspersky prepared a server with ‘WireGuard’ and ‘mitmproxy’. They installed root certificates on devices that could be used as targets for the attackers and routed all the network traffic to that server. They also developed a ‘Telegram’ bot to notify them about new infections as they decrypted the network traffic.
Setting up a bot proved to be an effective way of real time monitoring while modifying all the network packets on-the-fly with ‘mitmproxy’, this gave them unlimited power! Their trap was successful in capturing a payload sent by the attackers and it was analysed in detail.
The name was in the payload
The payload was an HTML page with obfuscator javascript which performed various code checks and canvas footprinting. It rendered a yellow triangle and calculated its hash value. This is why the operation was named Operation Triangulation.
The team at Kaspersky started cracking various layers of asymmetric cryptography with regular expressions. They patched the stages one-by-one on the fly to move the logic from each stage to ‘mitmproxy’ and finally implemented a 400 line ‘mitmproxy’ add-on. This add-on decrypted all the validators, exploits, spyware and additional modules.
The mystery
It is remarkable how Kaspersky detected the attack and identified multiple vulnerabilities, set up a trap to capture a payload and decrypted it completely. They shared all their findings with the device manufacturer and Apple responded by sending out a security patch update addressing four zero-day vulnerabilities.
A zero-click vulnerability
Traditionally any spyware relies on the user to to click on a compromised link or file to initiate the infection. However a zero-click vulnerability is a specific flaw in the device software or hardware that the attacker can use to infect the device without the need for a click or tap from the user.
The vulnerabilities identified
- Tricky Font Flaw (CVE-2023-41990): A clandestine method involving the manipulation of font rendering on iPhones, akin to a secret code deciphered by the attackers.Apple swiftly addressed this vulnerability in versions iOS 15.7.8 and iOS 16.3.
- Kernel Trick (CVE-2023-32434): Exploiting a hidden language understood only by the iPhone's core, the attackers successfully compromised the kernel's integrity.Apple responded with fixes implemented in iOS 15.7.7, iOS 15.8, and iOS 16.5.1.
- Web Sneakiness (CVE-2023-32435): Leveraging a clever ploy in the interpretation of web content by iPhones, the attackers manipulated the device's behaviour.Apple addressed this vulnerability in iOS 15.7.7 and iOS 16.5.1.
- Kernel Key (CVE-2023-38606): The pinnacle of the operation, the attackers discovered a covert method to tamper with the iPhone's core, the kernel.Apple responded with a fix introduced in iOS 16.6, thwarting the intrusion into the most secure facets of the iPhone
Still, how these attackers were able to find this critical vulnerability in a device which stands out for it’s security features is still unknown.
CyberPeace Advisory
Zero-click attacks are a real threat, but you can defend yourself. Being aware of the risks and taking proactive steps can significantly reduce vulnerability. Regularly installing the latest updates for your operating system, apps, and firmware helps patch vulnerabilities before attackers can exploit them.
- Keep your software updated as they contain crucial security patches that plug vulnerabilities before attackers can exploit them.
- Use security software to actively scan for suspicious activity and malicious code, acting as a first line of defence against zero-click intrusions.
- Be cautious with unsolicited messages if the offer seems too good to be true or the link appears suspicious as it can contain malware that can infect your device.
- Disable automatic previews as it can potentially trigger malicious code hidden within the content.
- Be mindful of what you install and avoid unverified apps and pirated software, as they can be Trojan horses laden with malware.
- Stay informed about the latest threats and updates by following reliable news sources and security blogs to stay ahead of the curve, recognize potential zero-click scams and adjust your behaviour accordingly.
Check out our (advisory report)[add report link] to get in depth information.
Conclusion
Operation Triangulation stands as a testament to the continuous cat-and-mouse game between cybercriminals and tech giants. While the covert spy mission showcased the vulnerabilities present in earlier iPhone versions, Apple's prompt response underscores the commitment to user security. As the digital landscape evolves, vigilance, timely updates, and collaborative efforts remain essential in safeguarding against unforeseen cyber threats.
References:
- Operation Triangulation: iOS devices targeted with previously unknown malware | Securelist, 1 June, 2023
- Operation Triangulation: The last (hardware) mystery | Securelist, 27 December, 2023.
- 37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers (youtube.com), 29 December,2023
.webp)
Introduction
The link between social media and misinformation is undeniable. Misinformation, particularly the kind that evokes emotion, spreads like wildfire on social media and has serious consequences, like undermining democratic processes, discrediting science, and promulgating hateful discourses which may incite physical violence. If left unchecked, misinformation propagated through social media has the potential to incite social disorder, as seen in countless ethnic clashes worldwide. This is why social media platforms have been under growing pressure to combat misinformation and have been developing models such as fact-checking services and community notes to check its spread. This article explores the pros and cons of the models and evaluates their broader implications for online information integrity.
How the Models Work
- Third-Party Fact-Checking Model (formerly used by Meta) Meta initiated this program in 2016 after claims of extraterritorial election tampering through dis/misinformation on its platforms. It entered partnerships with third-party organizations like AFP and specialist sites like Lead Stories and PolitiFact, which are certified by the International Fact-Checking Network (IFCN) for meeting neutrality, independence, and editorial quality standards. These fact-checkers identify misleading claims that go viral on platforms and publish verified articles on their websites, providing correct information. They also submit this to Meta through an interface, which may link the fact-checked article to the social media post that contains factually incorrect claims. The post then gets flagged for false or misleading content, and a link to the article appears under the post for users to refer to. This content will be demoted in the platform algorithm, though not removed entirely unless it violates Community Standards. However, in January 2025, Meta announced it was scrapping this program and beginning to test X’s Community Notes Model in the USA, before rolling it out in the rest of the world. It alleges that the independent fact-checking model is riddled with personal biases, lacks transparency in decision-making, and has evolved into a censoring tool.
- Community Notes Model ( Used by X and being tested by Meta): This model relies on crowdsourced contributors who can sign up for the program, write contextual notes on posts and rate the notes made by other users on X. The platform uses a bridging algorithm to display those notes publicly, which receive cross-ideological consensus from voters across the political spectrum. It does this by boosting those notes that receive support despite the political leaning of the voters, which it measures through their engagements with previous notes. The benefit of this system is that it is less likely for biases to creep into the flagging mechanism. Further, the process is relatively more transparent than an independent fact-checking mechanism since all Community Notes contributions are publicly available for inspection, and the ranking algorithm can be accessed by anyone, allowing for external evaluation of the system by anyone.
CyberPeace Insights
Meta’s uptake of a crowdsourced model signals social media’s shift toward decentralized content moderation, giving users more influence in what gets flagged and why. However, the model’s reliance on diverse agreements can be a time-consuming process. A study (by Wirtschafter & Majumder, 2023) shows that only about 12.5 per cent of all submitted notes are seen by the public, making most misleading content go unchecked. Further, many notes on divisive issues like politics and elections may not see the light of day since reaching a consensus on such topics is hard. This means that many misleading posts may not be publicly flagged at all, thereby hindering risk mitigation efforts. This casts aspersions on the model’s ability to check the virality of posts which can have adverse societal impacts, especially on vulnerable communities. On the other hand, the fact-checking model suffers from a lack of transparency, which has damaged user trust and led to allegations of bias.
Since both models have their advantages and disadvantages, the future of misinformation control will require a hybrid approach. Data accuracy and polarization through social media are issues bigger than an exclusive tool or model can effectively handle. Thus, platforms can combine expert validation with crowdsourced input to allow for accuracy, transparency, and scalability.
Conclusion
Meta’s shift to a crowdsourced model of fact-checking is likely to have bigger implications on public discourse since social media platforms hold immense power in terms of how their policies affect politics, the economy, and societal relations at large. This change comes against the background of sweeping cost-cutting in the tech industry, political changes in the USA and abroad, and increasing attempts to make Big Tech platforms more accountable in jurisdictions like the EU and Australia, which are known for their welfare-oriented policies. These co-occurring contestations are likely to inform the direction the development of misinformation-countering tactics will take. Until then, the crowdsourcing model is still in development, and its efficacy is yet to be seen, especially regarding polarizing topics.
References
- https://www.cyberpeace.org/resources/blogs/new-youtube-notes-feature-to-help-users-add-context-to-videos
- https://en-gb.facebook.com/business/help/315131736305613?id=673052479947730
- http://techxplore.com/news/2025-01-meta-fact.html
- https://about.fb.com/news/2025/01/meta-more-speech-fewer-mistakes/
- https://communitynotes.x.com/guide/en/about/introduction
- https://blogs.lse.ac.uk/impactofsocialsciences/2025/01/14/do-community-notes-work/?utm_source=chatgpt.com
- https://www.techpolicy.press/community-notes-and-its-narrow-understanding-of-disinformation/
- https://www.rstreet.org/commentary/metas-shift-to-community-notes-model-proves-that-we-can-fix-big-problems-without-big-government/
- https://tsjournal.org/index.php/jots/article/view/139/57

Executive Summary
A picture is rapidly going viral on social media, showing Indian cricketer Virat Kohli and actor Anushka Sharma having breakfast together. Users are sharing this photo, presenting it as a "candid" (real) moment.
Research by the CyberPeace Research Wing revealed that the photo of Virat Kohli and Anushka Sharma having breakfast is completely fake. This image does not depict a real moment, but has been created using Artificial Intelligence (AI).
Claim
A picture is rapidly going viral on social media, showing Indian cricketer Virat Kohli and actor Anushka Sharma having breakfast together. Users are sharing this photo, presenting it as a "candid" (real) moment.
https://www.facebook.com/reel/951138134598230

Fact Check
We extracted several keyframes from the viral video and searched them using the Google Lens tool. We found that this video was also quite viral on X (formerly Twitter). Responding to users, the official X handle of DCP Yamuna Nagar, Prayagraj, stated, “Upon a detailed research of the said matter/video, it has been found that it is not from the Naini Yamuna Bridge, but is a 2.5-year-old video from Delhi’s Signature Bridge. Please do not spread misleading information, otherwise legal action will be initiated against it.”

During our search, we found a post on the official X handle of the Delhi Police. Sharing the viral video, they wrote that taking cognizance of the auto-rickshaw stunt incident on the Signature Bridge, the Delhi Traffic Police seized the auto-rickshaw and issued a challan totaling ₹32,000 under various sections of the Motor Vehicles Act.
https://x.com/DelhiPolice/status/1735268792434057352?s=20

Conclusion
In our research, the viral post turned out to be fake. A video of an incident that took place on Delhi's Signature Bridge in 2023 is now being falsely circulated to spread misinformation as an incident from a bridge in Prayagraj. No such incident has taken place on the Naini Bridge in Prayagraj.