Covert Data Heist: APT36 Exploits ZIP Vulnerabilities in BOSS Linux Systems

Threat intelligence company CYFIRMA has discovered a sophisticated campaign targeting India’s defense industry that was planned by APT36, also known as Transparent Tribe, in a startling increase in cyber-espionage activities.

Previously known for focusing on Windows-based environments, the Pakistan-based hacking group has now pivoted aggressively towards Linux, with a particular focus on BOSS Linux systems.

BOSS is a distribution developed explicitly for Indian government agencies, raising the stakes of this intrusion to critical national infrastructure.

Multi-Stage Attack

The attack begins with crafted phishing emails, laced with ZIP attachments containing a malicious .desktop shortcut file. When executed by an unsuspecting user, this file triggers a dual-action mechanism.

On the surface, it downloads and opens what appears to be a legitimate PowerPoint (.pptx) presentation, providing a convincing cover and diverting the user’s attention.

Beneath this veneer, the script quietly downloads and executes a malicious ELF binary, named BOSS.elf, designed as the principal agent for system compromise and remote access.

The .desktop file is engineered for stealth and social engineering. Masked with icons matching legitimate software and set to run without a terminal window, it chains together bash commands to fetch files from attacker-controlled infrastructure in this case, the domain sorlastore.com.

The decoy PowerPoint, in reality, is an HTML file with an embedded iframe leading to an innocuous-looking blog page, further lulling users into a false sense of security.

Meanwhile, the ELF binary is dropped into a temporary directory, made executable, and launched silently in the background with output redirected to /dev/null to evade immediate detection.

Stealthy C2 Communications

Technical analysis indicates the malware, written in Go, executes with flexibility capable of running interactively or entirely headless.

It collects key reconnaissance data such as system hostname, CPU, RAM details, and enumerates local drives for possible exfiltration.

The malware also incorporates anti-detection techniques, logging its operations in custom-structured files and minimizing obvious behavioral indicators.

A unique aspect is the use of the github.com/kbinani/screenshot library, allowing the attacker to capture screen images, thereby gleaning sensitive on-screen information without user awareness.

For command and control (C2), the malware maintains persistent TCP connections to attacker infrastructure (notably the IP 101.99.92.182:12520), using custom keep-alive protocols to ensure resilience and ongoing access even in the face of network interruptions.

CYFIRMA emphasizes that this campaign signals a strategic evolution in APT36’s toolkit, merging phishing, social engineering, and Linux-specific malware delivery.

These developments highlight the urgent need for organizations especially those using BOSS Linux to upgrade their email filtering, user training, patch management, and endpoint monitoring processes.

Proactive threat intelligence integration, as well as continuous monitoring for known Indicators of Compromise (IOCs), is essential for early detection and mitigation.

By exploiting ZIP file delivery, .desktop execution, and staged payload approaches, APT36 has demonstrated a new level of sophistication and adaptability in executing covert data exfiltration operations, posing a substantial risk to India’s critical defense infrastructure.

Key Indicators of Compromise (IOC)

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant updates