TransparentTribe BOSS Linux phishing espionage campaign
Campaign
Summary
Hide ▲
Show ▼
A TransparentTribe / APT36 espionage campaign targeting Indian government Linux systems has been uncovered, showing an updated phishing operation built around dedicated staging servers and DeskRAT. The activity began in June 2025 and focused on BOSS Linux endpoints used by government entities. Phishing emails with malicious ZIP archives and defense-related lures were used to seed infections, increasing the chance of compromise during periods of regional tension. The campaign matters because it reflects a continued intelligence-collection effort against Indian government and military networks with more controlled infrastructure and purpose-built malware.
Related Happenings
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
H score23
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
How related:
The final payload, DeskRAT, is a Golang-based remote access Trojan capable of:
About this happening:
**Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware ActivityHow related: The final payload, DeskRAT, is a Golang-based remote access Trojan capable of:
About this happening: **Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
H score37
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
**Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
Mustang Panda multi-country espionage campaign against government and telecom targets
CampaignAbout this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...
Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
Campaign
H score23
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening:
The **Contagious Interview** campaign now also includes a **Fake Font** sub-campaign that uses **hijacked npm packages** and **16 Go packages** to deliver a **Python infostealer**...
Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
CampaignAbout this happening: The **Contagious Interview** campaign now also includes a **Fake Font** sub-campaign that uses **hijacked npm packages** and **16 Go packages** to deliver a **Python infostealer**...
Latest development: 02.03.2026 10:44
North Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.
LongNosedGoblin cyber-espionage campaign targeting government entities in Southeast Asia and Japan
Campaign
H score33
First: 18.12.2025 19:34
Last: 18.12.2025 19:34
Sources 1
About this happening:
A **LongNosedGoblin** campaign is targeting **governmental entities in Southeast Asia and Japan**, creating a sustained risk of **cyber espionage** and **file exfiltration** insid...
LongNosedGoblin cyber-espionage campaign targeting government entities in Southeast Asia and Japan
CampaignAbout this happening: A **LongNosedGoblin** campaign is targeting **governmental entities in Southeast Asia and Japan**, creating a sustained risk of **cyber espionage** and **file exfiltration** insid...
Timeline
-
23.10.2025 18:30 2 articles · 8mo ago
TransparentTribe BOSS Linux espionage campaign disclosed
Initial DisclosureSekoia.io attributed a cyber-espionage campaign against Indian government entities running Linux systems, especially BOSS Linux, to TransparentTribe / APT36. The operation used phishing emails with malicious ZIP archives, dedicated staging servers, a Bash-based loader, and a new DeskRAT remote access tool with WebSocket command-and-control, remote file upload and execution, Linux persistence, and collection of sensitive files under 100MB. Researchers said the campaign began in June 2025, aligned with protests in Ladakh and New Delhi in August and September 2025, and appeared aimed at intelligence collection from Indian military and government networks.
Show sources
- Pakistani-Linked Hacker Group Targets Indian Government — www.infosecurity-magazine.com — 23.10.2025 18:30
- Pakistani-Linked Hacker Group Targets Indian Government — www.infosecurity-magazine.com — 23.10.2025 18:30