The Sekoia Threat Detection & Research (TDR) Team has identified a new wave of cyber espionage activity conducted by the Pakistan-linked group TransparentTribe (APT36, also known as Operation C-Major), targeting Indian government and defense entities using Linux-based BOSS operating systems. The campaign, active between August and September 2025, delivers a Golang-based remote access trojan (RAT) dubbed DeskRAT, marking a significant evolution in the group’s Linux targeting capabilities.
“In August and September 2025, Sekoia.io YARA trackers matched new samples representing an updated infection chain ultimately delivering a Golang-based RAT which we dubbed DeskRAT,” the researchers wrote. “At that time, these results were only found on the PolySwarm platform and were not known by other editors we are dealing with.”
TransparentTribe, active since at least 2013, has long been known for espionage campaigns aligned with Pakistan’s military and strategic interests, primarily against Indian targets. According to Sekoia, the group’s latest activity reflects a shift in both tooling and delivery infrastructure, moving from the use of legitimate cloud storage services like Google Drive to dedicated staging servers.
“Our analysis reveals an evolution in the TransparentTribe infection chain, particularly in the delivery phase,” Sekoia stated. “While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers.”
The operation begins with phishing emails containing links to ZIP archives hosted on staging domains such as modgovindia[.]com. Inside the ZIP file, a malicious .desktop file masquerades as an official Ministry of Defence document (e.g., MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.desktop). When executed, it runs a Bash one-liner that downloads and executes the DeskRAT payload while opening a decoy PDF to distract the victim.
“Upon user execution, the file runs a Bash one-liner that downloads a TXT file containing a base64-encoded binary payload from a staging server, decodes, writes, and executes the final payload in /tmp, and opens a decoy PDF document hosted on the server,” the report noted.
This technique allows the malware to appear harmless to the user while stealthily deploying the RAT in the background. The .desktop entry even includes embedded PNG data and fake icons to enhance legitimacy.
Once executed, DeskRAT establishes WebSocket-based communication with its command-and-control (C2) servers. Sekoia identified three primary endpoints:
- ws://147.93.155[.]118:8080/ws
- ws://newforsomething[.]rest:8080/ws
- ws://seeconnectionalive[.]website:8080/ws
The RAT supports standard reconnaissance and remote control functions, including:
- File browsing and exfiltration of documents under 100MB.
- Upload and execution of arbitrary files.
- Persistence through systemd services, cron jobs, and GNOME autostart entries.
- WebSocket-based command communication and real-time operator dashboards.
“The final payload is a RAT developed in Golang,” Sekoia explained. It establishes command and control communications over WebSocket and leverages multiple Linux-specific persistence techniques, including cron jobs and GNOME autostart entries.
The TDR team also noted that the malware’s development was likely assisted by large language models (LLMs), given the uniform and descriptive naming of its internal functions.
“The malware development was probably assisted by LLM: the function names are very uniform and seem to be the implementation of instructions such as ‘List evasion technique for Linux, and then implement those in Golang,’” the researchers observed.
DeskRAT’s C2 infrastructure includes a sophisticated web-based dashboard, labeled “Advanced Client Monitoring & File Management System.” This interface allows operators to monitor infected hosts, collect files, and open interactive sessions for post-exploitation.

“The interface implements the primary command-and-control operator interface for managing compromised endpoints,” Sekoia wrote. “Its functionalities include real-time client management, file operations, and remote access sessions.”
This degree of capability — a blend of automation, file management, and interactive control — indicates that TransparentTribe’s infrastructure is custom-built, not based on reused open-source RAT frameworks.
One of Sekoia’s most significant findings is the use of AI-assisted development to accelerate malware creation and obfuscation. The team observed consistent code generation patterns, suggesting that attackers are leveraging LLMs to build modular evasion routines faster than analysts can manually detect or reverse-engineer them.
“As predicted by the security community, the widespread use of LLMs by attackers compresses malware development cycles,” Sekoia warned. “It’s a clear indication that the defender needs to adapt and leverage LLM for those tasks.”
Sekoia’s analysis underscores a new stage in TransparentTribe’s evolution — blending AI-assisted malware generation, Linux targeting, and geopolitical lures into a cohesive espionage campaign.
By focusing on BOSS Linux distributions used in Indian government environments, the group demonstrates a strategic pivot to under-defended platforms.
“Based on the infection chain, we assess with high confidence that the campaign is currently focused on Linux environments, specifically targeting Bharat Operating System Solutions (BOSS) distributions widely used by the government of India,” Sekoia concluded.