The Pakistani APT36 cyberspies are utilizing Linux .desktop information to load malware in new assaults towards authorities and protection entities in India.
The exercise, documented in reviews by CYFIRMA and CloudSEK, goals at knowledge exfiltration and chronic espionage entry. APT 36 has beforehand used .desktop information to load malware in focused espionage operations in South Asia.
The assaults have been first noticed on August 1, 2025, and primarily based on the newest proof, are nonetheless ongoing.
Desktop file abuse
Though the assaults described within the two reviews use completely different infrastructure and samples (primarily based on hashes), the strategies, ways and procedures (TTPs), assault chains, and obvious targets are the identical.
Victims obtain ZIP archives via phishing emails containing a malicious .desktop file disguised as a PDF doc, and named accordingly.
Linux .desktop information are text-based utility launchers that include configuration choices dictating how the desktop setting ought to show and run an utility.
Customers open the .desktop file pondering it is a PDF, which causes a bash command hidden within the ‘Exec=” discipline to create a short lived filename in “/tmp/’ the place it writes a hex-encoded payload fetched from the attacker’s server or Google Drive.
Then, it runs ‘chmod +x’ to make it executable and launches it within the background.
To decrease suspicion for the sufferer, the script additionally launches Firefox to show a benign decoy PDF file hosted on Google Drive.
Supply: CloudSEK
Along with the manipulation of the ‘Exec=” discipline to run a sequence of shell instructions, the attackers additionally added fields like “Terminal=false’ to cover the terminal window from the consumer, and ‘X-GNOME-Autostart-enabled=true’ to run the file at each login.
Supply: CloudSEK
Sometimes, .desktop information on Linux are plain-text shortcut information, defining an icon, identify, and command to execute when the consumer clicks it.
Nevertheless, in APT36 assaults, the attackers abuse this launcher mechanism to show it basically right into a malware dropper and persistence institution system, equally to how the ‘LNK’ shortcuts are abused on Home windows.
As a result of .desktop information on Linux are sometimes textual content, not binaries, and as their abuse is not extensively documented, safety instruments on the platform are unlikely to observe them as potential threats.
The payload dropped by the malformed .desktop file on this case is a Go-based ELF executable that performs espionage features.
Though packing and obfuscation made evaluation difficult, the researchers discovered that it may be set to remain hidden, or try and arrange its separate persistence utilizing cron jobs and systemd providers.
Communication with the C2 is made via a bi-directional WebSocket channel, permitting knowledge exfiltration and distant command execution.
Supply: CloudSEK
Each cybersecurity corporations discover this newest marketing campaign to be an indication of the evolution of APT36’s ways, that are turning extra evasive and complicated.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
