The Pakistani threat group APT36 has launched new cyber-espionage attacks targeting India’s government and defense sectors by abusing Linux .desktop files to deploy malware.
According to recent reports from CYFIRMA and CloudSEK, the campaign—first detected on August 1, 2025—is still active. Researchers highlight that this activity focuses on data theft, long-term surveillance, and persistent backdoor access. Notably, APT36 has a history of using .desktop files in espionage operations across South Asia.
Abuse of Linux Desktop Files
Victims receive phishing emails containing ZIP archives with a disguised .desktop file masquerading as a PDF. Once opened, the file triggers a hidden bash command that fetches a hex-encoded payload from an attacker-controlled server or Google Drive, writes it into /tmp/, makes it executable with chmod +x, and launches it in the background.
To avoid suspicion, the malware also opens Firefox to display a decoy PDF hosted online. Attackers manipulated fields like Terminal=false to hide terminal windows and X-GNOME-Autostart-enabled=true for persistence at every login.
While .desktop files are typically harmless text-based launchers defining icons and commands, APT36 weaponized them as malware droppers and persistence mechanisms—a method similar to how W
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: