TransparentTribe BOSS Linux phishing espionage campaign
Campaign
Summary
A TransparentTribe / APT36 espionage campaign targeting Indian government Linux systems has been uncovered, showing an updated phishing operation built around dedicated staging servers and DeskRAT. The activity began in June 2025 and focused on BOSS Linux endpoints used by government entities. Phishing emails with malicious ZIP archives and defense-related lures were used to seed infections, increasing the chance of compromise during periods of regional tension. The campaign matters because it reflects a continued intelligence-collection effort against Indian government and military networks with more controlled infrastructure and purpose-built malware.
Related Happenings
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
How related: The final payload, DeskRAT, is a Golang-based remote access Trojan capable of:
About this happening: **Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
Contagious Interview campaign uses malicious VS Code projects to deliver backdoors
Campaign
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening: The **Contagious Interview** campaign has expanded from **malicious npm packages** into **VS Code**-based lures that trick victims into cloning a booby-trapped repository and open...
Latest development: 02.03.2026 10:44
North Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.
LongNosedGoblin cyber-espionage campaign targeting government entities in Southeast Asia and Japan
Campaign
First: 18.12.2025 19:34
Last: 18.12.2025 19:34
Sources 1
About this happening: A **LongNosedGoblin** campaign is targeting **governmental entities in Southeast Asia and Japan**, creating a sustained risk of **cyber espionage** and **file exfiltration** insid...
APT24 BadAudio multi-delivery espionage campaign
Campaign
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening: **APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
BO Team phishing campaign targeting Russian companies with password-protected RAR archives
Campaign
First: 26.09.2025 15:45
Last: 26.09.2025 15:45
Sources 1
About this happening: **BO Team** ran an **early September 2025** phishing campaign that targeted **Russian companies** and used **password-protected RAR archives** to deliver backdoor payloads. The op...
Timeline

23.10.2025 18:30 (2 articles)
TransparentTribe BOSS Linux espionage campaign disclosed
Initial Disclosure: Sekoia.io attributed a cyber-espionage campaign against Indian government entities running Linux systems, especially BOSS Linux, to TransparentTribe / APT36. The operation used phishing emails with malicious ZIP archives, dedicated staging servers, a Bash-based loader, and a new DeskRAT remote access tool with WebSocket command-and-control, remote file upload and execution, Linux persistence, and collection of sensitive files under 100MB. Researchers said the campaign began in June 2025, aligned with protests in Ladakh and New Delhi in August and September 2025, and appeared aimed at intelligence collection from Indian military and government networks.
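One defender-side check for the initial access vector described in this entry (phishing emails carrying ZIP archives that lead to a Bash-based loader), added here as an example that is not Sekoia.io's, the platform's, or the campaign's own code: it triages a ZIP attachment and reports members that could start a Linux infection chain when a user opens them. It assumes, since the page does not say what the archives contain, that a lure archive may carry a shell script, an ELF binary or a freedesktop `.desktop` launcher next to a decoy document; the sample archive and its member names are constructed for the demonstration.

```python
"""Triage a ZIP attachment for members that could start a Linux infection chain.

Added example; not code from the page, Sekoia.io or the platform.
Assumption (not stated on the page): lure archives may contain a script,
an ELF binary or a .desktop launcher. The sample archive is constructed.
"""
import io
import posixpath
import zipfile

# Extensions that a Linux desktop or shell will execute when "opened".
LAUNCHER_EXTENSIONS = (".sh", ".desktop", ".run", ".bin", ".elf")
ELF_MAGIC = b"\x7fELF"
MAX_SNIFF = 4096  # bytes of each member read for content sniffing


def _member_findings(info: zipfile.ZipInfo, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks dangerous (may be empty)."""
    name = info.filename
    findings = []
    # Names that escape the extraction directory ("../x" or absolute paths).
    parts = posixpath.normpath(name).split("/")
    if name.startswith(("/", "\\")) or parts[0] == "..":
        findings.append("path traversal in member name")
    lower = name.lower()
    if lower.endswith(LAUNCHER_EXTENSIONS):
        findings.append("launcher extension")
    if ".pdf." in lower or ".docx." in lower:  # e.g. Briefing.pdf.desktop
        findings.append("double extension")
    # ZIPs built on Unix (create_system == 3) store the POSIX mode in the
    # high 16 bits of external_attr; an exec bit survives extraction.
    mode = (info.external_attr >> 16) & 0o777
    if info.create_system == 3 and mode & 0o111:
        findings.append("unix executable bit set")
    # Content sniffing is independent of the file name.
    if head.startswith(ELF_MAGIC):
        findings.append("ELF binary")
    elif head.startswith(b"#!"):
        findings.append("script with shebang")
    elif head.lstrip().startswith(b"[Desktop Entry]"):
        findings.append("freedesktop launcher (Exec= runs a command on open)")
    return findings


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; clean members are omitted."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(MAX_SNIFF)
            findings = _member_findings(info, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF beside a launcher, a script and an ELF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Briefing.pdf", b"%PDF-1.4\n% benign placeholder\n")
        launcher = ("[Desktop Entry]\nType=Application\nName=Briefing\n"
                    "Exec=/bin/sh -c 'echo placeholder'\n")
        zf.writestr("Briefing.pdf.desktop", launcher)
        script = zipfile.ZipInfo("setup.sh")   # explicit Unix mode 0755
        script.create_system = 3
        script.external_attr = 0o100755 << 16
        zf.writestr(script, "#!/bin/bash\necho placeholder\n")
        zf.writestr("update.bin", ELF_MAGIC + b"\x00" * 60)  # ELF header stub only
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_archive()).items():
        print(f"{member}: {', '.join(findings)}")
```

The check deliberately combines name-based and content-based signals, because a lure can hide an executable behind a document-looking name (the double-extension case) or give a script an innocuous extension; a mail gateway would feed it each attachment's raw bytes rather than the constructed sample.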
Sources
- Pakistani-Linked Hacker Group Targets Indian Government — www.infosecurity-magazine.com — 23.10.2025 18:30