Hybridization of the Terror Threat in India

India suffered two terrorist incidents in a span of a few days, one of which was successful and the other thwarted in time. On November 10, a car packed with explosives was detonated by a suicide bomber near the Red Fort in Delhi during the evening rush hour. The blast killed 15 and injured 28 people.

The attack was perpetrated by a cell of medical doctors dubbed the “white collar terror module,” allegedly linked to Pakistan-based terror group Jaish-e-Mohammed (JeM) and Ansar Ghazwat-ul-Hind, a group affiliated with al-Qaida. The suicide bomber was identified as Umar un-Nabi, a doctor working at Al-Falah University in Faridabad. Other co-conspirators include Nabi’s colleagues at the university, namely Muzammil Shakeel Ganai, Adeel Ahmed Rather, Muzaffar Ahmed Rather, and Dr. Shaheen Shahid, the alleged financier of the Delhi cell and senior member of JeM’s women’s wing.

A day before the Delhi blasts, Gujarat counterterrorism officials arrested another medical doctor identified as Dr. Ahmed Mohiyuddin Saiyed from Telangana and two other individuals who were allegedly plotting to carry out a bio-terror attack using ricin. The cell was uncovered during a routine stop of Saiyed’s car, in which police found a cache of firearms, ammunition, and castor bean cake, a precursor for the manufacture of ricin.

These two incidents highlight several key trends involving the use of advanced operational techniques and technologies, including drones, bioweapons, and virtual direction, signaling an increasing hybridization of terrorist techniques, tactics, and procedures (TTPs) in India.

Use of Drones

Apart from the vehicle-borne improvised explosives used in the attacks, the Delhi cell had planned to use drones to target security establishments and public places. The aim was to replicate recent drone warfare tactics seen in conflict zones, which would be adapted for domestic targets. The arrest of an individual named Jasir Bilal Wani in Srinagar unearthed the cell’s drone ambitions.

Wani was alleged to have provided “technical support for carrying out terror attacks by modifying drones and attempting to make rockets.” Some sources noted that the Delhi cell was set to receive from Pakistan long-range drones capable of carrying payloads of up to 10 kilograms. The consignment reportedly reached India through a local import company. The cell members planned to assemble the drones and mount improvised explosives on them.

This revelation comes at a time when drones are becoming cheaper, more accessible, and easier to use, with resources on improvised weaponization proliferating on the internet. An increasing number of terror plots involving small, independent cells have featured drones. In October 2025, Belgian authorities interdicted a jihadist-inspired plot to assassinate politicians, including the Belgian prime minister. The plot involved four teenagers who planned to build drones using a 3D printer and attach improvised explosives to them.

Drones were also involved in the Gujarat plot, though not as a primary weapon. The Gujarat cell had received a consignment of weapons consisting of two Glock pistols, one Beretta pistol, and 30 live cartridges that were transported across the border from Pakistan to Rajasthan using drones. The cell then collected the weapons with the help of two individuals linked to the Islamic State Khorasan Province (ISKP) group and was moving them by road when its members were caught.

Drones have been used to transport weapons across the border from Pakistan in the past. In the same week, Gujarat counterterrorism officials arrested Gurpreet Singh alias Gopi Billa, who was wanted for his involvement in an arms smuggling racket allegedly linked to Pakistan-based terrorist networks, signaling a crime-terror nexus. However, it is unclear if this network was directly linked to the Gujarat ricin cell.

Threat From Improvised Bio-agents

Ricin is a bio-toxin that is extracted from castor beans. Castor beans are not controlled and are available commercially. Ricin can cause multi-organ failure and death when inhaled or injected into the bloodstream. It is also lethal when ingested in a large dose.

The danger with ricin is the ease with which it can be manufactured. It requires minimal advanced knowledge and equipment. Its lethality, however, is largely dependent on environmental conditions and the efficacy of its delivery mechanism. Degradation in uncontrolled environments largely reduces its lethality.

The use of ricin in terror attacks is not new. Bulgarian intelligence agents assassinated dissident writer Georgi Markov by piercing him with a ricin-laced umbrella tip in 1978. Since then, there have been several terrorist and criminal plots involving ricin, including the ricin letters that were posted to the White House in 2003 and 2013, a right-wing extremist plot targeting federal agents and judges in Georgia in 2011, and an Islamic State (IS)-inspired ricin plot uncovered in Cologne, Germany, in 2018. Terrorist groups such as al-Qaida have planned to use the agent to poison food at restaurants in the U.S., in bombs targeting the London subway, and in perfume bottles to assassinate government officials.

Though there have not been any successful large-scale attacks involving ricin, the fact that it is still attractive to terrorist cells could be attributed to its ease of availability. Saiyed had procured the castor beans commercially through online websites and at local stores. In the 2018 Cologne plot, the main accused had procured castor beans through Amazon. Ricin currently does not have an antidote, and theoretically, the amounts possessed by the Gujarat cell were capable of causing significant casualties, assuming perfect dispersion and 100 percent lethality.

Virtual Direction

Virtual direction refers to one or more individuals guiding operatives located in a target country through virtual means, i.e., social media and encrypted messaging platforms. Virtual direction can be divided into two broad categories: direct plotting, and encouragement and facilitation. In most cases, the level of involvement of virtual planners can vary.

In the Delhi case, the perpetrators were virtually directed by three handlers in foreign countries, identified as “Hanzullah,” “Nisar,” and “Abu Ukasha.” Hanzullah, a Pakistan-based JeM operative, had sent 42 bomb-making videos via Telegram to Muzammil Ganai. The handlers also provided the operatives with instructions on setting up clandestine home laboratories and detailed operational guidance. Abu Ukasha is believed to be based in either Afghanistan or Turkiye.

Several other handlers by the names Hashim, Faisal Iqbal Bhat, and Mohammad Shahid Faisal have been identified. Faisal, an engineering student in Bengaluru, is believed to have been linked to several other terror networks in Tamil Nadu and Karnataka. The Delhi cell had used an encrypted online messaging platform known for its high privacy design and end-to-end encryption, and other applications like Signal, Session and Telegram.

Similarly, the Gujarat ricin plot pointed to the involvement of an Afghanistan-based handler called Abu Khadija. The latter, who is allegedly linked to ISKP, had sent operational instructions to Saiyed and his two other associates via Telegram. Abu Khadija had also provided Saiyed with funds to purchase the weapons and suggested that he target public places with ricin. Saiyed then used a combination of online searches and ChatGPT to research the process of making ricin.

The nature of virtual direction in these two cases goes beyond just providing encouragement and facilitation. It involved foreign handlers providing key operational instructions, plot formulation, funds, ideological indoctrination, and logistical assistance. This mirrors the IS modus operandi of using virtual direction to carry out external operations during the 2014-2017 period. A key IS virtual planner operating in India during this time was Shafi Armar (Yusuf al-Hindi), who was linked to at least two IS-linked attack plots in 2015 and 2016.

The nature of virtual direction, however, has shifted from the involvement of prolific planners with a visible social media presence to a more obscure group of individuals orchestrating attacks anonymously. This, combined with the widespread use of encrypted platforms, has made counterterrorism efforts more challenging.

Implications

The Delhi attack and the Gujarat ricin plot point to a hybridization of the terror threat in India, characterized by the incorporation of commercial technologies and dual-use agents into the modus operandi of terror networks. With the proliferation of commercial technologies, terrorist TTPs are only going to become more complex and multifaceted. Thus, counterterrorism agencies must focus on interdicting key supply chains and logistical networks, particularly with regard to the procurement of commercial technologies, and enhance their intelligence capabilities with regard to monitoring online communications.

Another key aspect of the recent cases is the involvement of educated white-collar professionals. Highly educated individuals with no prior criminal backgrounds may yield “more technical and ideological sophistication” and are less visible. Apart from tackling the technical and technological aspects of the threat, Indian authorities must also work on addressing the underlying grievances and factors that are contributing to the recruitment of this group of individuals into terrorist groups.
