# Pakistan-linked APT36 Abuses Linux .desktop Files to Drop Custom Malware in New Campaign
A recent campaign by the Pakistan-linked threat actor Transparent Tribe (APT36) has been uncovered, leveraging Linux .desktop files to deliver custom malware to Indian government entities. This latest attack marks a notable shift in tactics for the group, as they expand their operations beyond traditional Windows-based attacks.
## Targeting Indian Government Entities with Spear-Phishing Emails
Transparent Tribe has been targeting Indian government entities via spear-phishing emails, deploying custom malware designed for persistent espionage. The campaign uses a malicious archive disguised as a PDF file, which contains a hidden .desktop file that was flagged on VirusTotal. This launcher masquerades as a PDF but runs hidden commands via Bash, allowing the malware to run undetected.
## How the Malware Works
The malicious .desktop file is designed to mimic a PDF and hides its commands in the Exec= line. It downloads a hex-encoded payload from securestore[.]cv, decodes it and executes it silently, while opening a benign PDF in Firefox as a decoy. The file is given a PDF icon, set to run as an application, and enabled for autostart, ensuring both persistence and stealth.
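The traits described above (a document disguise, an Exec= line that hands control to a shell, and autostart enablement) are all visible in the plain-text .desktop file itself, so they can be checked before the launcher is ever clicked. The scanner below is an added example written for this article, not code from the campaign, from Security Affairs, or from any vendor tool; the two .desktop entries it is fed are constructed samples, and the stager in the suspicious one is replaced by a placeholder string.

```python
"""Heuristic scanner for disguised Linux .desktop launchers (added example).

It flags a launcher when it (1) presents itself as a PDF by name or icon while its
Exec= line invokes a shell interpreter, (2) references download/decode tools, or
(3) is autostart-enabled while showing either of the first two traits.
"""
import re
from pathlib import Path

# Interpreters that rarely belong in the Exec= line of a document launcher.
SHELL_RE = re.compile(r"(^|[\s/\"'])(bash|sh|dash|zsh|python3?|perl)(\s|$)")
# Tools typically used to fetch and unpack a second stage.
STAGER_RE = re.compile(r"\b(curl|wget|xxd|base64|nohup)\b")
AUTOSTART_DIRS = ("autostart",)  # ~/.config/autostart and /etc/xdg/autostart


def parse_desktop(text: str) -> dict:
    """Return the key/value pairs of the [Desktop Entry] group of a .desktop file."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def assess(entry: dict, path: str = "") -> list:
    """Return human-readable findings for one parsed entry; empty means nothing suspicious."""
    findings = []
    label = (entry.get("Name", "") + " " + entry.get("Icon", "")).lower()
    exec_line = entry.get("Exec", "")
    looks_like_doc = "pdf" in label
    runs_shell = bool(SHELL_RE.search(exec_line))
    if looks_like_doc and runs_shell:
        findings.append("PDF name/icon disguise but Exec= runs a shell interpreter")
    tools = sorted(set(STAGER_RE.findall(exec_line)))
    if tools:
        findings.append("Exec= references download/decode tools: " + ", ".join(tools))
    autostart = (entry.get("X-GNOME-Autostart-enabled", "").lower() == "true"
                 or any(d in Path(path).parts for d in AUTOSTART_DIRS))
    if autostart and findings:
        findings.append("autostart-enabled launcher with the indicators above (persistence)")
    return findings


def scan_dir(root: Path) -> dict:
    """Assess every *.desktop file under root; returns {path: findings} for flagged files."""
    report = {}
    for p in root.rglob("*.desktop"):
        try:
            findings = assess(parse_desktop(p.read_text(errors="replace")), str(p))
        except OSError:
            continue
        if findings:
            report[str(p)] = findings
    return report


# Constructed samples (not files from the campaign); the stager is a placeholder.
BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
"""

SUSPICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Exec=bash -c "STAGER_REDACTED; firefox /tmp/decoy.pdf"
Terminal=false
Hidden=false
X-GNOME-Autostart-enabled=true
"""

if __name__ == "__main__":
    for sample in (BENIGN_SAMPLE, SUSPICIOUS_SAMPLE):
        print(assess(parse_desktop(sample)))
    for d in (Path.home() / ".config" / "autostart", Path("/etc/xdg/autostart")):
        if d.is_dir():
            for path, findings in scan_dir(d).items():
                print(path, findings)
```

The heuristics are deliberately narrow: a shell in Exec= is normal for many legitimate launchers, so the scanner only reports it when paired with a document disguise, a stager tool, or autostart placement. Anything it flags still needs a human to read the Exec= line.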
## Persistence and Stealth
The campaign abuses cron jobs and systemd services to maintain persistence and keep the C2 connection alive. On execution, the malware connects to the C2 using DNS queries and UDP sockets, enabling data exfiltration and attacker control. It is designed to operate unnoticed, which makes it difficult for traditional security measures to detect.
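Cron entries and systemd units are also plain text, and the two persistence mechanisms named above leave the same shape behind: a command launched through an inline shell, or from a temporary or hidden directory. The triage helper below is an added example, not code from the article or from any vendor; the crontab and unit text it parses are constructed samples with the stage command replaced by a placeholder, and its path heuristic is intentionally noisy (it will list entries under ~/.config and similar) because its purpose is to produce a short review list, not a verdict.

```python
"""Triage of user-level Linux persistence: crontab entries and systemd units (added example)."""
import re

# Inline shells and nohup wrappers, and commands living in temp or hidden directories,
# are the usual shape of a dropped persistence stage.
INLINE_SHELL_RE = re.compile(r"\b(bash|sh|dash|python3?|perl)\b\s+-c\b|\bnohup\b")
SUSPECT_PATH_RE = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/\.[^/\s]+/)")


def _reasons(command: str) -> list:
    reasons = []
    if INLINE_SHELL_RE.search(command):
        reasons.append("inline shell or nohup")
    if SUSPECT_PATH_RE.search(command):
        reasons.append("temp or hidden directory")
    return reasons


def flag_crontab(text: str) -> list:
    """Return (entry, reasons) for crontab lines whose command trips a heuristic."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:
            continue  # VAR=value lines such as PATH= or MAILTO=
        # @reboot/@hourly entries carry one schedule field, ordinary ones carry five
        command = " ".join(fields[1:] if fields[0].startswith("@") else fields[5:])
        reasons = _reasons(command)
        if reasons:
            hits.append((line, reasons))
    return hits


def flag_unit(text: str) -> list:
    """Return the reasons a systemd unit looks like a persistence wrapper."""
    reasons = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key in ("ExecStart", "ExecStartPre", "ExecStartPost"):
            reasons += _reasons(value)
        if key == "Restart" and value.strip() == "always":
            reasons.append("Restart=always keeps the process alive")
    return reasons


# Constructed samples (not artifacts from the campaign); STAGER_REDACTED is a placeholder.
SAMPLE_CRONTAB = """# constructed sample crontab
PATH=/usr/local/bin:/usr/bin
0 3 * * 0 /usr/bin/certbot renew --quiet
@reboot nohup /home/user/.cache/.sys/update.sh >/dev/null 2>&1
*/10 * * * * bash -c "STAGER_REDACTED"
"""

SAMPLE_UNIT = """[Unit]
Description=Update Helper
[Service]
ExecStart=/bin/bash -c "STAGER_REDACTED"
Restart=always
[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for entry, reasons in flag_crontab(SAMPLE_CRONTAB):
        print(entry, "->", reasons)
    print(flag_unit(SAMPLE_UNIT))
```

In a live review the inputs come from `crontab -l` for each user, /etc/cron.d, and the unit files under ~/.config/systemd/user and /etc/systemd/system; the functions above take the file contents as text so they can be run against collected copies rather than on the suspect host.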
## Operation Transparent Tribe: A History of Cyber Espionage
Operation Transparent Tribe was first spotted in February 2016 by Proofpoint researchers. At that time, the researchers traced the source IPs to Pakistan and identified a series of cyber espionage operations against Indian diplomats and military personnel at embassies in Saudi Arabia and Kazakhstan.
## Expansion of Operations and Victimology
Transparent Tribe has been active since at least 2013, targeting entities across 27 countries, most of them in Afghanistan, Germany, India, Iran, and Pakistan. The group's recent campaign marks a notable shift towards exploiting indigenous technologies, using Linux .desktop files to deliver custom malware.
## Conclusion
The adoption of .desktop payloads targeting Linux BOSS (Bharat Operating System Solutions) reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group's intent to diversify access vectors and maintain persistence even in hardened environments. Indian government entities remain the primary focus, but the expanded operations introduce risk to partners, suppliers, and diplomatic missions abroad.