Transparent Tribe APT Deploys DeskRAT to Spy on Indian Government Linux Systems
The Pakistani hacking collective known as Transparent Tribe (APT36) has intensified cyber-espionage operations against Indian government institutions, deploying a new Go-based malware dubbed DeskRAT, researchers at Sekoia reported after observing activity in August and September of this year.
The campaign continues a pattern of attacks previously documented by CYFIRMA. DeskRAT is propagated via phishing emails that carry ZIP archives containing malicious files. Each archive conceals a shortcut which, when executed, simultaneously opens a decoy PDF and fetches the primary executable from the external domain “modgovindia[.]com”.
The campaign targets systems running BOSS Linux—the domestically developed Indian operating system. The trojan establishes command-and-control communications over WebSocket and employs one of four persistence techniques: creating a systemd service, scheduling a cron job, adding an entry to the autostart folder, or modifying the user’s .bashrc to launch a script from a system-backup directory.
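The four persistence locations listed above are also the places a defender can audit. The following triage helper is an added example, not code from Sekoia, XLab or the malware authors: it extracts the command each artifact would run from a systemd unit, a crontab, an XDG autostart entry and a .bashrc, and flags entries that launch from user-writable or "backup"-named paths or that reference the domain reported in the article. The heuristics, file names and sample contents are constructed for illustration.

```python
# Triage helper for the four Linux persistence locations named above (systemd
# unit, cron job, autostart folder, ~/.bashrc). Added example; heuristics are assumed.
import re

# Assumed heuristics, not vendor signatures: an entry launching from a user-writable
# or "backup"-named path, or referencing the reported domain, deserves analyst review.
SUSPICIOUS_PATH = re.compile(r"(/tmp/|/dev/shm/|/home/[^/\s]+/\.|~/\.|backup)", re.I)
KNOWN_DOMAIN = re.compile(r"modgovindia\.(com|space)", re.I)

def extract_commands(kind, text):
    """Return the commands a persistence artifact of the given kind would run."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if kind == "systemd" and line.startswith("ExecStart="):
            cmds.append(line.split("=", 1)[1])
        elif kind == "autostart" and line.startswith("Exec="):
            cmds.append(line.split("=", 1)[1])
        elif kind == "cron":
            n = 1 if line.startswith("@") else 5  # "@reboot <cmd>" or 5 schedule fields
            parts = line.split(None, n)
            if len(parts) == n + 1:
                cmds.append(parts[-1])
        elif kind == "bashrc":
            cmds.append(line)  # every non-comment line runs at each login shell
    return cmds

def find_persistence_indicators(sources):
    """sources: iterable of (kind, name, text); returns (kind, name, cmd, reason) tuples."""
    findings = []
    for kind, name, text in sources:
        for cmd in extract_commands(kind, text):
            if KNOWN_DOMAIN.search(cmd):
                findings.append((kind, name, cmd, "references reported domain"))
            elif SUSPICIOUS_PATH.search(cmd):
                findings.append((kind, name, cmd, "runs from user-writable or backup path"))
    return findings

# Constructed sample artifacts; paths are illustrative, not real indicators.
SAMPLE_SOURCES = [
    ("systemd", "sysbackup.service", "[Service]\nExecStart=/home/analyst/.system-backup/run.sh\n"),
    ("cron", "crontab -l", "@reboot /home/analyst/.system-backup/run.sh\n0 3 * * * /usr/bin/apt update\n"),
    ("autostart", "sysbackup.desktop", "[Desktop Entry]\nExec=/home/analyst/.system-backup/run.sh\n"),
    ("bashrc", ".bashrc", "export PATH=$PATH:/usr/local/bin\nbash ~/.system-backup/run.sh &\n"),
]
```

Calling `find_persistence_indicators(SAMPLE_SOURCES)` returns one finding per sample artifact while the benign `apt update` cron entry is left unflagged; on a live host, feed it the real contents of those four locations.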
The malware supports a suite of commands for data exchange, directory enumeration, and the searching and exfiltration of files with specified extensions (each under 100 MB). It can also download and execute additional payloads—both scripts and binaries. Moreover, DeskRAT can operate in concert with “stealth servers,” an infrastructure that omits public DNS records and thus complicates detection.
QiAnXin XLab reported that Transparent Tribe’s operations have not been limited to Linux: Windows systems have also been affected. The Windows backdoor, StealthServer, exists in multiple variants. The first, observed in July, is deployed via scheduled tasks, PowerShell scripts, and registry modifications, communicating with its controller over raw TCP. The second and third variants, which emerged in August, introduced anti-debugging protections and migrated to WebSocket communications; the latter’s functionality mirrors that of DeskRAT.
XLab also identified two distinct Linux variants of StealthServer. One uses HTTP rather than WebSocket and offers a reduced command set—directory listing, file upload, and execution of bash commands. It additionally scans the entire filesystem for target extensions and transmits the matching files in encrypted form to “modgovindia[.]space:4000”. This suggests the variant may have been a precursor to DeskRAT, with search-and-exfiltration capabilities later implemented in a more structured fashion.
The evolution of Transparent Tribe’s toolset illustrates how swiftly state-aligned hacking groups adapt: broadening their reach, refining delivery and persistence mechanisms, and honing evasion techniques—thereby amplifying the threat to critical infrastructure.