APT36 Exploits Linux .desktop Files for Malware Delivery
August 28th, 2025
Medium

Our Cyber Threat Intelligence Unit is monitoring an active malware campaign linked to APT36 (Transparent Tribe), a threat actor associated with Pakistan. APT36 has been observed distributing weaponized Linux .desktop files through phishing emails containing ZIP archives. These files are disguised as legitimate PDFs but exploit the Exec= field to run hidden bash commands. When launched, the .desktop file retrieves a hex-encoded payload hosted on Google Drive, decodes it, writes it to /tmp/, and runs it. To avoid detection, the script also opens a benign PDF in Firefox. Persistence is established through autostart entries and modifications to cron or systemd. The payload, a Go-based ELF binary, communicates with attacker infrastructure over bi-directional WebSocket connections. This campaign highlights APT36’s growing focus on Linux targets by exploiting overlooked vectors such as .desktop files, akin to malicious Windows LNK droppers but less scrutinized on Linux systems.
Technical Details
Attack Type: Espionage-focused Malware Delivery & Persistence.
Severity: Medium
Threat Actor: APT36 (Transparent Tribe).
Delivery Method: Phishing emails containing ZIP archives with disguised .desktop files.
Technique: Abuse of the .desktop Exec= field to run hidden bash commands.
Affected Products: Systems using Linux Desktop environments and Linux .desktop files.
Attack Chain/Method:
User opens malicious .desktop file (disguised as PDF).
Bash command fetches hex-encoded payload from Google Drive.
Payload is written to /tmp/, decoded, made executable, and executed.
Decoy PDF opens in Firefox to evade detection.
Payload establishes WebSocket C2 channel and deploys persistence via:
.desktop autostart (X-GNOME-Autostart-enabled=true).
Cron and systemd service modifications.

Impact
Data Exfiltration: Theft of sensitive information from Linux hosts.
Long-Term Access: Establishment of persistence for espionage operations.
Operational Risk: Potential compromise of government and defense systems leading to confidentiality, integrity, and availability impacts.
Reputational & Regulatory Harm: Breach of classified or sensitive data could trigger regulatory non-compliance and geopolitical consequences.
Detection Method
Inspect outbound WebSocket traffic, especially over port 8080.
Monitor for connections to Google Drive followed by suspicious command-line activity (xxd -r -p, chmod +x).
Detect unauthorized .desktop files with unusual Exec= values.
Hunt for Go ELF binary executions from /tmp/, especially in conjunction with Firefox processes.
Review cron/systemd logs for anomalous entries linked to persistence.
Look for simultaneous Firefox launches opening Google Drive-hosted PDFs alongside hidden processes.
Indicators of Compromise
Type | Indicator | Description |
IP Address | 209.38.203[.]53, 165.232.114[.]63, 165.22.251[.]224, 178.128.204[.]138, 64.227.189[.]57 | DIGITALOCEAN LLC (C2), Poseidon/Mythic (C2) |
File Hash SHA256 | 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 | Meeting_Ltr_ID1543ops.pdf.desktop launcher |
File Hash SHA256 | e689afee5f7bdbd1613bd9a3915ef2a185a05c72aaae4df3dee988fa7109cb0b | Meeting_Ltr_ID1543ops.pdf-.elf payload |
File Hash SHA256 | 34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d | Malicious ZIP archive |
File Hash SHA256 | 6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113 | Malicious .desktop file |
Domain | securestore[.]cv | Payload delivery server |
Domain | seemysitelive[.]store:8080/ws | WebSocket C2 server |

Recommendations
User Awareness: Train users not to open unexpected .zip attachments or PDFs.
Execution Controls: Disable execution of untrusted .desktop files or enforce stricter association policies.
Attachment Filtering: Block inbound ZIP attachments containing .desktop files.
Monitoring & Hunting:
Deploy EDR rules for .desktop abuse and ELF execution from /tmp/.
Monitor for suspicious WebSocket connections over port 8080.
Alert on new cron/systemd entries or unusual persistence artifacts.
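The EDR rules in the Monitoring & Hunting list (ELF execution from /tmp/, outbound connections on port 8080, the Firefox decoy running beside a hidden process) are stronger as one correlated rule than as three separate alerts. The script below is an added example, not code from the advisory or from any EDR product; it assumes host telemetry as JSON lines with the fields ts, type, pid, ppid, exe, cmdline, dst and dport, and the sample events are constructed (the destination address is a TEST-NET placeholder). It flags any process executed from /tmp/ and raises the score when a sibling process from the same parent ran xxd or Firefox within a short window and when the flagged process then connected outbound on port 8080.

```python
"""Correlation rule for the .desktop dropper chain: ELF from /tmp/ plus decoy
and C2 connection. Added example; the event schema is an assumption."""
import json
from collections import defaultdict

# Constructed telemetry for illustration only; not data from the campaign.
SAMPLE_EVENTS = """
{"ts": 100, "type": "exec", "pid": 4001, "ppid": 3000, "exe": "/usr/bin/bash", "cmdline": "bash -c ..."}
{"ts": 101, "type": "exec", "pid": 4002, "ppid": 4001, "exe": "/usr/bin/xxd", "cmdline": "xxd -r -p"}
{"ts": 102, "type": "exec", "pid": 4003, "ppid": 4001, "exe": "/tmp/update.elf", "cmdline": "/tmp/update.elf"}
{"ts": 102, "type": "exec", "pid": 4004, "ppid": 4001, "exe": "/usr/bin/firefox", "cmdline": "firefox decoy.pdf"}
{"ts": 105, "type": "conn", "pid": 4003, "dst": "203.0.113.10", "dport": 8080}
{"ts": 200, "type": "exec", "pid": 5001, "ppid": 1, "exe": "/usr/bin/gedit", "cmdline": "gedit"}
{"ts": 201, "type": "conn", "pid": 5001, "dst": "203.0.113.20", "dport": 443}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=60, c2_port=8080):
    """Return one alert per process executed from /tmp/, with the corroborating reasons."""
    execs = [e for e in events if e["type"] == "exec"]
    conns = [e for e in events if e["type"] == "conn"]
    by_parent = defaultdict(list)
    for e in execs:
        by_parent[e["ppid"]].append(e)

    alerts = []
    for e in execs:
        if not e["exe"].startswith("/tmp/"):
            continue
        reasons = ["binary executed from /tmp/"]
        siblings = [s for s in by_parent[e["ppid"]]
                    if s["pid"] != e["pid"] and abs(s["ts"] - e["ts"]) <= window]
        if any(s["exe"].endswith("/xxd") for s in siblings):
            reasons.append("hex decode (xxd) by a sibling process")
        if any(s["exe"].endswith("/firefox") for s in siblings):
            reasons.append("Firefox launched by the same parent (decoy document)")
        c2 = [c for c in conns
              if c["pid"] == e["pid"] and c["dport"] == c2_port and c["ts"] >= e["ts"]]
        if c2:
            reasons.append(f"outbound connection to {c2[0]['dst']}:{c2_port}")
        alerts.append({"pid": e["pid"], "exe": e["exe"],
                       "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"pid {alert['pid']} ({alert['exe']}) score={alert['score']}")
        for r in alert["reasons"]:
            print("  -", r)
```

A score of 1 (only the /tmp/ execution) is worth a low-severity ticket; a score of 3 or 4 reproduces the whole chain the advisory describes and should page an analyst. The process-tree check matters because the decoy Firefox window is what makes the activity look normal to the user, and seeing it beside the hidden ELF is what distinguishes this chain from a developer running a build artifact from /tmp/.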
Patching & Hardening: Ensure Linux hosts and desktop environments are fully patched and hardened.
Network Controls: Block access to known malicious domains and IOCs listed in the IOC section above.
Conclusion
The APT36 campaign demonstrates the group’s changing techniques and ongoing focus on government and defense systems, shifting from traditional Windows attack methods to Linux .desktop abuse. By exploiting a widely trusted file type, APT36 achieves discreet delivery, persistence, and data exfiltration.
We urge organizations to implement layered defenses, including blocking and filtering malicious attachments, monitoring for anomalous WebSocket traffic and persistence mechanisms, and improving visibility of Linux endpoints. Proactive hunting and prompt responses are essential to countering sophisticated adversaries, such as the Transparent Tribe.