Full Report
A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT. The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior
Analysis Summary
# Threat Actor: APT36 (Transparent Tribe)
## Attribution & Identity
* **Identification/Attribution:** Pakistan-nexus state-sponsored hacking group.
* **Known Aliases:** Transparent Tribe, APT36.
* **Associated Groups:** N/A (Mentioned as an established group active since at least 2013).
## Activity Summary
APT36 has been observed conducting cyber espionage campaigns targeting Indian government entities during August and September 2025. This activity involved spear-phishing attacks designed to deliver the DeskRAT remote access trojan (RAT). Initial campaigns used legitimate cloud services like Google Drive for payload distribution, but have transitioned to using dedicated staging servers. The group has also targeted Windows endpoints with variants of the same malware tracked as StealthServer, indicating a cross-platform focus.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails containing ZIP file attachments or links to archives hosted on cloud services (e.g., Google Drive).
- **Execution:** Malicious `.desktop` file attachments used to execute commands.
- **Payload Delivery:** Dropping a decoy PDF ("CDS\_Directive\_Armed\_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload from an external server (`modgovindia[.]com`).
- **Persistence (Linux/BOSS OS):**
  - Creating a systemd service.
  - Setting up a cron job.
  - Adding the malware to the Linux autostart directory (`$HOME/.config/autostart`).
  - Configuring `.bashrc` to launch the trojan via a shell script in the `$HOME/.config/system-backup/` directory.
- **Persistence (Windows - StealthServer V1):** Scheduled tasks, PowerShell script added to the Windows Startup folder, and Windows Registry modifications.
- **Defense Evasion:** StealthServer Windows V1 and V2 incorporate anti-analysis and anti-debug checks (looking for OllyDbg, x64dbg and IDA). The C2 servers, referred to as "stealth servers", have no public NS records.
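The Linux persistence chain above (autostart entry, user service, cron job, `.bashrc` hook all pointing at the `$HOME/.config/system-backup/` directory) is simple to sweep for on a BOSS or other Linux host. The following is an added example written for this summary, not code from Sekoia or from the malware; it assumes a user-level systemd unit lives under `.config/systemd/user/`, and builds a constructed sample home directory rather than touching real artefacts:

```python
import tempfile
from pathlib import Path

# Paths named in the report's Linux persistence chain (relative to $HOME).
SYSTEM_BACKUP_DIR = ".config/system-backup"
AUTOSTART_DIR = ".config/autostart"
USER_SYSTEMD_DIR = ".config/systemd/user"   # assumed location of a user-level unit


def _lines(path, prefix=""):
    """Yield stripped lines of a text file that start with prefix (all lines if empty)."""
    for ln in Path(path).read_text(errors="ignore").splitlines():
        if ln.startswith(prefix):
            yield ln.strip()


def scan_home(home):
    """Return (technique, file, line) findings for one home directory."""
    home = Path(home)
    hits = []
    bashrc = home / ".bashrc"
    if bashrc.is_file():                                    # .bashrc launching the hidden dir
        hits += [("bashrc_hook", str(bashrc), ln) for ln in _lines(bashrc)
                 if SYSTEM_BACKUP_DIR in ln]
    for entry in (home / AUTOSTART_DIR).glob("*.desktop"):  # autostart .desktop entries
        hits += [("autostart_desktop", str(entry), ln) for ln in _lines(entry, "Exec=")
                 if SYSTEM_BACKUP_DIR in ln]
    for unit in (home / USER_SYSTEMD_DIR).glob("*.service"):  # user systemd services
        hits += [("systemd_user_unit", str(unit), ln) for ln in _lines(unit, "ExecStart=")
                 if SYSTEM_BACKUP_DIR in ln]
    return hits


def scan_crontab(text):
    """Return non-comment lines of `crontab -l` output that run from the hidden dir."""
    return [ln.strip() for ln in text.splitlines()
            if not ln.lstrip().startswith("#") and SYSTEM_BACKUP_DIR in ln]


def build_sample_home():
    """Constructed sample $HOME carrying three of the artefacts; no real malware involved."""
    home = Path(tempfile.mkdtemp())
    for d in (SYSTEM_BACKUP_DIR, AUTOSTART_DIR, USER_SYSTEMD_DIR):
        (home / d).mkdir(parents=True)
    (home / ".bashrc").write_text('alias ll="ls -l"\nbash "$HOME/.config/system-backup/run.sh" &\n')
    (home / AUTOSTART_DIR / "backup.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/bin/bash $HOME/.config/system-backup/run.sh\n")
    (home / USER_SYSTEMD_DIR / "backup.service").write_text(
        "[Service]\nExecStart=/bin/bash %h/.config/system-backup/run.sh\n")
    return home


if __name__ == "__main__":
    for hit in scan_home(build_sample_home()):
        print(*hit)
```

On a real host, run `scan_home` over each entry under `/home` and feed each user's `crontab -l` output to `scan_crontab`; a hit on the exact directory name is a strong signal, so do not widen the match without also reviewing the flagged file.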
## Targeting
* **Sectors:** Government entities, specifically Indian military organizations (implied by decoy document reference).
* **Geography:** India (primary target).
* **Victims:** Indian government entities; specifically mentioned focus on **BOSS (Bharat Operating System Solutions) Linux systems**. Windows endpoints have also been targeted.
## Tools & Infrastructure
* **Malware Families Used:**
  * **DeskRAT:** A Golang-based Remote Access Trojan (RAT) used against Linux systems.
    * Linux/DeskRAT commands: `ping`, `heartbeat`, `browse_files`, `start_collection`, `upload_execute`. C2 communication via WebSockets.
  * **StealthServer:** The Windows variant of the Golang backdoor, observed in three versions (V1, V2, V3).
    * StealthServer Linux variants: two observed. One mirrors DeskRAT's functionality; the other uses HTTP for C2 and supports the commands `browse`, `upload` and `execute`.
* **Decoy Artifact:** "CDS\_Directive\_Armed\_Forces.pdf".
* **Infrastructure (Defanged):**
  * Initial distribution: Legitimate cloud storage (Google Drive).
  * Staging/C2 Server: `modgovindia[.]com` (used to pull artifacts).
## Implications
APT36 remains an active and sophisticated threat focused on cyber espionage against high-value Indian government and/or military targets. The shift to Golang for cross-platform malware (Linux/Windows) increases operational flexibility, and the use of WebSockets for C2 (DeskRAT/StealthServer V3) demonstrates an attempt to utilize common, often less scrutinized, network protocols for better evasion. The specific targeting of BOSS Linux systems highlights a focus on specialized, local operating environments often used by government infrastructure.
## Mitigations
- Enhance detection capabilities for Golang-based executables across endpoints.
- Scrutinize emails carrying ZIP attachments or links to cloud storage, especially those that prompt the execution of associated `.desktop` files.
- Monitor for persistence mechanisms characteristic of this group on Linux systems (systemd/cron jobs, modifications to `.bashrc`).
- Deploy endpoint defense solutions capable of detecting anti-analysis/anti-debug techniques employed by the malware variants.
- Harden network defenses against known C2 communication patterns like WebSockets used in beaconing.