Full Report
The Pakistani APT36 cyberspies are using Linux .desktop files to load malware in new attacks against government and defense entities in India. [...]
Analysis Summary
# Threat Actor: APT36
## Attribution & Identity
* **Threat Actor:** APT36, a Pakistan-based APT group.
* **Associations:** Previously documented using similar techniques; the current campaign shows those techniques evolving toward greater sophistication.
## Activity Summary
* **Recent Campaigns:** New attacks spotted first on August 1, 2025, and reported as ongoing.
* **Objective:** Data exfiltration and persistent espionage access.
* **Method:** Phishing emails delivering ZIP archives containing malicious Linux `.desktop` files disguised as PDF documents.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Abusing legitimate Linux `.desktop` application launcher files delivered via phishing.
* **Evasion/Obfuscation:** Using hex-encoded payloads written to files in `/tmp/`.
* **Persistence:** Establishing persistence via modification of the `.desktop` file fields (`X-GNOME-Autostart-enabled=true` to run at every login) and optionally setting up separate persistence using cron jobs and systemd services.
* **Execution Hiding:** Setting the `Terminal=false` field to hide the command-line interface window from the user.
* **Deception:** Launching Firefox to display a benign decoy PDF file hosted on Google Drive to distract the victim while malware executes in the background.
* **Communication:** Using a bi-directional WebSocket channel for C2 communication, enabling remote command execution and data exfiltration.
* **Payload Stage:** Dropping a Go-based ELF executable post-exploitation.
## Targeting
* **Sectors:** Government and Defense entities.
* **Geography:** India (mentioned as the primary target region).
* **Victims:** Government and defense organizations in India.
## Tools & Infrastructure
* **Malware Families:** A Go-based ELF executable payload.
* **Infrastructure (C2):** Attacker-controlled servers (used to host the hex-encoded payload) and Google Drive (used for payload delivery and decoy documents).
## Implications
APT36 is moving toward more evasive and sophisticated tactics by abusing a legitimate system component (Linux `.desktop` launcher files). Such files are generally far less monitored by security tools than the Windows equivalent (LNK shortcut abuse), so the shift indicates a deliberate effort to increase operational stealth on targeted Linux systems.
## Mitigations
* Implement robust monitoring for suspicious modifications or use of Linux `.desktop` files, especially regarding the `Exec=` field, terminal visibility settings, and autostart definitions.
* Scrutinize email attachments, particularly ZIP archives containing non-traditional executable/scripting files disguised as documents.
* Ensure endpoints block execution of unknown binaries retrieved from external sources or written to temporary directories like `/tmp/`.
* Monitor for the creation of persistence mechanisms like new entries in systemd services or cron jobs following initial access events.