The advanced persistent threat (APT) group Transparent Tribe (APT36) has been observed targeting Indian government entities through a new campaign that leverages malicious desktop shortcut files on both Windows and BOSS Linux systems.
According to CYFIRMA, attackers are relying on spear-phishing emails to gain initial access. In the case of Linux BOSS systems, malicious .desktop shortcut files are used. Once executed, these files download and run harmful payloads.
How the Attack Works
- Initial Access
  - Phishing emails are sent with fake meeting notices.
  - Attached files such as "Meeting_Ltr_ID1543ops.pdf.desktop" appear to be PDF documents but are actually booby-trapped shortcut files.
- Payload Execution
  - When opened, the file launches a shell script.
  - This script downloads a hex-encoded ELF binary from securestore[.]cv.
  - At the same time, a decoy PDF hosted on Google Drive is displayed in Mozilla Firefox to mislead the victim.
- Communication and Persistence
  - The Go-based binary connects to a command-and-control (C2) server: modgovindia[.]space:4000.
  - It can fetch further payloads, execute commands, and exfiltrate sensitive data.
  - Persistence is achieved through cron jobs, ensuring the malware restarts after reboots or crashes.
Malware Capabilities
- Conducts system reconnaissance.
- Uses anti-debugging and anti-sandbox checks to bypass security analysis.
- Deploys Poseidon backdoor, enabling:
  - Long-term system access.
  - Data collection.
  - Credential theft.
  - Potential lateral movement across networks.
CloudSEK and Hunt.io independently confirmed this activity, linking it to Transparent Tribe’s expanding operations.
Broader Campaigns and Tactics
Transparent Tribe (APT36) and its subgroup SideCopy have a long history of targeting Indian institutions. Recent campaigns include:
- Targeting Kavach 2FA Security
  - Victims receive phishing emails leading to fake login portals.
  - After entering an email address, users are prompted for their password and Kavach authentication code.
  - This method has been in use since early 2022.
- Use of Typo-Squatted Domains
  - Fake domains hosted on Pakistan-based infrastructure.
  - Designed to look like legitimate government websites.
- Regional Expansion
  - Another South Asian APT, SideWinder, has targeted Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey.
  - They use spoofed Zimbra and Secure Portal pages hosted on Netlify and Pages.dev to steal credentials.
Conclusion
The new dual-platform approach highlights Transparent Tribe’s growing sophistication. By customizing attacks for both Windows and Linux environments, APT36 significantly increases its chances of success while maintaining long-term persistence in government networks.
This campaign underscores the urgent need for stronger email security, employee awareness training, and advanced detection mechanisms across government and defense infrastructure.
IOC Table for Transparent Tribe Campaign
| Category | Indicator / Value | Description / Notes |
|---|---|---|
| Malicious File | Meeting_Ltr_ID1543ops.pdf.desktop | Fake desktop shortcut masquerading as PDF |
| C2 Server | modgovindia[.]space:4000 | Command and Control (C2) server |
| Malware Host | securestore[.]cv | Hosting hex-encoded ELF binary |
| Decoy File | Google Drive (legitimate hosting abused) | Opens a fake PDF to trick victims |
| Backdoor | Poseidon | Transparent Tribe RAT used for persistence, data theft, and lateral movement |
| Phishing Infrastructure | Spoofed Kavach login portals | Fake pages to steal 2FA and credentials |
| Spoofed Services | Zimbra, Secure Portal pages (Netlify, Pages.dev) | Credential theft via lookalike portals |