Introduction

In mid-2025, security researchers uncovered a new wave of attacks linked to APT36 (Transparent Tribe), a Pakistan-based threat actor long known for targeting Indian government, defense, and military sectors. Unlike their previous Windows-focused campaigns, this operation marked a significant shift towards Linux environments, especially BOSS Linux, the distribution widely adopted across Indian government agencies.

This blog explores how the campaign unfolded, breaking down each major lure, the malware it delivered, and the tactics used to bypass security defenses.

Context

  • APT36 (Transparent Tribe): A Pakistan-based threat group active for over a decade, known for cyberespionage against India’s government, defense, and military sectors. Its operations almost always rely on phishing emails with official-looking attachments.
  • Past Activity: Historically, APT36 focused on Windows systems, delivering malware families like CrimsonRAT and ObliqueRAT through fake defense circulars, HR letters, or meeting notices.
  • Target OS – BOSS Linux: The group’s primary target became BOSS Linux (Bharat Operating System Solutions), an Indian government–backed Linux distribution developed by C-DAC. BOSS Linux is widely adopted in ministries and defense organizations as part of India’s digital sovereignty initiative.

Evolution of the .desktop Malware Campaign (June–August 2025)

This flowchart shows how APT36 uses fake .desktop files as the main weapon. These files look like normal PDFs or government documents, but when opened they secretly install malware while showing a harmless decoy form.

In simple terms, .desktop files acted like a Trojan horse: tricking victims with fake government forms while secretly delivering spying tools or data stealers in the background.

June 25, 2025 – First Known Lure: “Cancellation of Gem ID”

The earliest .desktop-based lure attributed to Transparent Tribe was packaged in a malicious archive named Saurabh CGDA.zip. Inside the ZIP, the attackers included a weaponized .desktop shortcut file named Cancellation of Gem ID.pdf.desktop.

When unsuspecting users executed the file, the launcher reached out to 209.38.203[.]53/eXVndW5kdQ==/tcl-8.7 to fetch the actual malicious payload. The payload was hosted in an obfuscated form (hex/base64), decoded locally, and executed on the victim machine.

The attackers simultaneously opened a decoy document hosted on Google Drive:

drive[.]google[.]com/file/d/1c-5EqS7ztM2QrhKTTgIdOsdfWgx1wj6N/view?usp=sharing

The decoy, titled “Undertaking for the Cancellation of GEM ID”, mimicked an official government form used for terminating a GeM (Government e-Marketplace) ID under the Controller General of Defence Accounts (CGDA). It contained placeholders for sensitive information such as Buyer Name, HOD Name/ID, Office Name, and ID Activation Medium.

Key Observations

  • Social Engineering: Double-extension (.pdf.desktop) trick plus a realistic-looking form.
  • Delivery Method: Likely distributed through spear-phishing emails with ZIP attachments.
  • TTP Pattern: Loader downloads from attacker infrastructure → executes binary → opens decoy → maintains stealth.

This loader-plus-decoy dual action would become the signature of later APT36 .desktop campaigns.

July 7, 2025 – Go-Based Linux Malware for BOSS Systems

The campaign introduced a more advanced .desktop-based lure, delivered inside a malicious archive named Cyber-Security-Advisory.zip. Inside, the attackers placed the weaponized file Cyber-Security-Advisory.desktop, designed to look like a routine advisory document.

When the .desktop file was opened, it dropped a Go-based ELF malware called BOSS.elf, saved on the system as client.elf. This malware connected to 101.99.92.182:12520 and ran quietly in the background using tricks like nohup and redirecting its output to /dev/null so the victim would not notice it running.

At the same time, the file launched a decoy presentation in LibreOffice Impress. It looked like a normal PowerPoint presentation but was actually an HTML file with an embedded iframe, meant only to distract the user while the malware did its work.

The malware collected system information such as hostname, CPU, and RAM, searched for files, and even took desktop screenshots using Go libraries.

Key Observations

  • Social Engineering: The file name “Cyber-Security-Advisory” looked like an official security notice, something government or defense staff would trust.
  • Delivery Method: Sent as a ZIP archive with a hidden .desktop file inside.
  • Tactics Used:
    – Malware was saved to and run from the /tmp folder.
    – It stayed hidden by using nohup and sending output to /dev/null.
    – A fake presentation opened as a decoy to keep the victim busy.

July 15, 2025 – Poseidon Stealer

On July 15, a new .desktop lure named GRANT OF INTERVIEWS MEETINGS ETC TO THE STAFF SIDE BY OFFICERS IN MOD HQ ORGANIZATIONS.desktop was spotted. This file was shared publicly on Twitter by a community researcher, making it one of the first sightings of this variant in the wild.

When opened, the .desktop file dropped the Poseidon Stealer, a well-known credential- and data-theft malware. The payload connected back to two command-and-control servers at 64.227.189.57 and 178.128.204.138 to send stolen information.

Unlike the earlier Go-based implant (BOSS.elf), Poseidon is commodity malware, not built by APT36 themselves but borrowed and reused.

Key Observations

  • Social Engineering: The file name was written to sound like an official Ministry of Defence meeting notice.
  • Delivery Method: .desktop file likely sent through phishing emails or shared ZIPs.
  • Tactics Used:
    – Payload was Poseidon Stealer (two variants confirmed by hashes).
    – Connected to multiple external C2 servers for redundancy.

July 30, 2025 – Hybrid Payloads (Poseidon + Mythic)

On July 30, a new .desktop lure appeared with the long filename Representation Regarding Non-Deduction of Income Tax Missing Part II Orders.desktop.

When executed, the lure delivered two different payloads: the Poseidon Stealer and a backdoor connected to the Mythic C2 framework. The malware communicated with command-and-control servers at 164.92.238.177 and 46.101.246.74.

This was an important development because it showed that APT36 was not only using a commodity stealer (Poseidon) but also mixing it with a modular red-team tool (Mythic). It was a clear sign of the group testing hybrid attack strategies.

Key Observations

  • Social Engineering: The file name looked like an official government notice about income tax orders, designed to appear routine to civil servants.
  • Delivery Method: .desktop file likely spread through phishing emails with ZIP attachments.
  • Tactics Used:
    – Delivered two payloads together: Poseidon (for stealing data) and Mythic (for persistent access).
    – Used two separate C2 servers for reliability.

August 1, 2025 – Meeting_Ltr_ID1543ops.pdf.desktop → Golang RAT ELF

On August 1, the campaign moved into a larger phishing wave. One of the main lures spotted was Meeting_Ltr_ID1543ops.pdf.desktop. When victims opened this file, it installed a new Golang-based RAT ELF.

The malware connected to several attacker-controlled domains, including:

  • modgovindia[.]space
  • kavach[.]space
  • modindia[.]serveminecraft[.]net

The RAT was capable of giving attackers remote access and control, making it more advanced than the earlier Poseidon and Mythic combinations. Security vendors such as CloudSEK and CYFIRMA flagged this as the point where the campaign scaled up, with many phishing emails being sent and payloads hosted on Google Drive.

At the same time, the .desktop lure still followed the familiar trick: it opened a decoy document in the background so the victim thought they were just viewing a file, while the malware was already active.

Key Observations

  • Social Engineering: File name used a meeting letter format, matching real Ministry of Defence communication styles.
  • Delivery Method: .desktop file attached in phishing ZIPs; payload hosted on Google Drive.
  • Tactics Used:
    – Installation of a custom Golang RAT ELF.
    – Use of government-themed domains for infrastructure.

August 5, 2025 – AresRAT Deployment

On August 5, a new .desktop lure was discovered with the filename Jt_Trg_Matrix_24_25.desktop.

When executed, the file dropped an AresRAT ELF payload, delivered as sysutil.elf and utilities.elf .

The malware connected to two command-and-control servers:

  • 149.102.152.50:11475
  • 84.247.176.126:33548

It also used an Indian-themed malicious domain, swachbharat[.]xyz, referencing the Swachh Bharat (Clean India) government campaign to appear more believable.

Key Observations

  • Social Engineering: Filename made to look like a “training matrix” document, something common in military or government circles.
  • Delivery Method: .desktop lure with ELF payloads dropped into the system.
  • Tactics Used:
    – Deployment of AresRAT ELF binaries.
    – Use of Indian government–themed malicious domains for infrastructure.
    – Multiple C2 servers on non-standard ports (11475, 33548).

August 6, 2025 – Persistence and Enterprise-Themed Infrastructure

On August 6, a lure named Def_Sec_Briefings_Schedule.pdf.desktop was spotted in circulation.

When executed, the .desktop file downloaded and ran a new ELF binary.

The malware connected to attacker-controlled infrastructure, including:

  • trmm[.]space
  • solarwindturbine[.]site:4000/commands
  • solarwindturbine[.]site:4000/health

To appear less suspicious, the lure also opened a decoy document in the background. The use of enterprise-themed infrastructure names like SolarWindTurbine gave the campaign a more professional cover, making it harder for casual users to question.

Key Observations

  • Social Engineering: Filename styled like a “Defence Security Briefings Schedule” to attract defense personnel.
  • Delivery Method: .desktop shortcut disguised as a PDF, fetching payload from themed attacker infrastructure.
  • Tactics Used:
    – Downloaded and executed an ELF binary from custom domains.
    – Continued to open decoy files to hide malicious activity.
    – Infrastructure masqueraded as enterprise-related services (e.g., SolarWindTurbine).

August 20, 2025 – WebSocket-Enabled RAT

On August 20, researchers identified a new .desktop lure named Meeting_Notice_dtd_20_Aug.desktop. When opened, the file installed a Go-based Linux RAT that maintained communication with its command server over WebSockets, a more modern and stealthy method than traditional raw TCP connections.

The RAT connected to:

  • Domain: seemysitelive[.]store
  • IP: 164.215.103[.]55

Meanwhile, the lure displayed a decoy document to make the victim believe they were simply viewing a meeting notice, hiding the background malware activity.

Key Observations

  • Social Engineering: Filename designed as a routine meeting notice, a common lure theme in Indian government targeting.
  • Delivery Method: .desktop shortcut masquerading as a PDF.
  • Tactics Used:
    – Dropped a Go-based RAT with new WebSocket-based communication.
    – Used fresh infrastructure with a generic business-style domain.
    – Decoy file opened to distract the victim.

MITRE ATT&CK Mapping for APT36 .desktop Campaign

Grouped by tactic, each entry gives the technique (ATT&CK ID) and how it appeared in this campaign.

Initial Access
  • Phishing: Spearphishing Attachment (T1566.001) – Malicious .desktop files delivered in ZIP archives via phishing emails.

Execution
  • User Execution: Malicious File (T1204.002) – Victims double-clicked .desktop files disguised as PDFs or advisories.
  • Command and Scripting Interpreter: Bash (T1059.004) – .desktop entries invoked Bash commands to fetch and execute payloads.

Persistence
  • Boot or Logon Autostart Execution: XDG Autostart Entry (T1547.013) – .desktop files placed with X-GNOME-Autostart-enabled=true to run at startup.
  • Scheduled Task/Job: Cron (T1053.003) – Some variants used cron jobs for persistence.

Defense Evasion
  • Obfuscated/Encrypted File or Information (T1027) – Payloads stored in hex/base64, decoded on the victim system.
  • Masquerading: Double File Extension (T1036.007) – Files named like *.pdf.desktop to look like documents.

Discovery
  • System Information Discovery (T1082) – ELF malware collected hostname, CPU, RAM.
  • File and Directory Discovery (T1083) – Malware scanned drives for files.
  • Screen Capture (T1113) – Used Go screenshot libraries to capture desktop images.

Credential Access
  • Credential Dumping: Application Data (T1555) – Poseidon stealer collected browser credentials and stored secrets.

Command and Control
  • Application Layer Protocol: Web Protocols (T1071.001) – Payloads retrieved over HTTPS from Google Drive.
  • Application Layer Protocol: WebSockets (T1071.004) – Late-stage RAT (Aug 20) communicated via WebSockets.
  • Non-Standard Port (T1571) – Some C2 servers used uncommon ports (e.g., 11475, 33548).

Exfiltration
  • Exfiltration Over C2 Channel (T1041) – Stolen data sent back to C2 over the same channels.

Impact
  • Data Staged (T1074) – Collected data prepared locally before exfiltration.

Final Word

APT36 has been very active in recent months, adapting its playbook and relentlessly going after Indian government and defense organizations. By moving from Windows malware to Linux .desktop files, the group has shown how quickly threat actors can evolve when their targets change environments.

These attacks are not random; they are deliberately designed to blend in with everyday government workflows, using fake meeting notices, advisories, and cancellation forms. What looks like a normal document on the surface is, in reality, a silent spy tool waiting underneath.

References

https://x.com/SinghSoodeep/status/1953011682382615008

https://x.com/SinghSoodeep/status/1953011946791293183

https://x.com/PrakkiSathwik/status/1951235970701111492

https://x.com/PrakkiSathwik/status/1950469991142445180

https://x.com/PrakkiSathwik/status/1945102076725371202

https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/

https://x.com/suyog41/status/1937751476916621432