Threat Advisories:
WordPress Sites Under Siege by Old Critical Flaws Transparent Tribe’s DeskRAT Campaign Targets Indian Military Systems SessionReaper Flaw Enables Seamless Session Hijacking on Adobe Commerce CVE‑2025‑61932: Critical Lanscope Endpoint Manager Flaw Actively Exploited Lazarus Targets Europe’s UAV Innovation October 2025 Linux Patch Roundup MuddyWater Deploys Phoenix Backdoor in Targeted Espionage Campaign Critical Cloud Threat: Azure Blob Storage Under Active Attack Operation Silk Lure Scam: When Job Hunts Leads to Malware Storm-1175’s Masterstroke Exploits CVE-2025-10035 in GoAnywhere MFT F5 BIG-IP Breach: Nation-State Hackers Expose Source Code and Undisclosed Flaws Microsoft’s October 2025 Patch Tuesday TA585 Leverages ClickFix Technique and MonsterV2 Malware Astaroth Targets Brazil Using GitHub Infrastructure CVE-2025-11371: Unpatched Gladinet Flaw Actively Exploited in the Wild Stealit’s New Trick: Packing Malware Inside Node.js Single Executables Hidden in Plain Sight: The Abuse of Nezha and the Ghost RAT That Followed UTA0388: AI-Powered Targeted Operations Leveraging GOVERSHELL Zimbra Zero-Day Hidden in “Harmless” ICS File Targets Military Service Finder Plugin Flaw Opens Door to Full Site Compromise
Highlights of Our CISO Dinner
Upgrading struggling vulnerability management programs to Threat Exposure Management, with Host, CISO Al Lindseth formerly from Plains All American Pipeline and PWC - 6 minute podcast
0:00
0:00
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure Platform
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Transparent Tribe’s DeskRAT Campaign Targets Indian Military Systems

Red | Attack Report
Download PDF

Transparent Tribe (APT36) Targets Indian Defense Sector with DeskRAT

Summary

The Pakistan-linked threat actor Transparent Tribe (APT36), also known as Mythic Leopard, ProjectM, TEMP.Lapis, Earth Karkaddan, Copper Fieldstone, and Storm-0156, has launched a targeted cyber-espionage campaign against Indian military, defense, and government organizations. The campaign focuses on systems running BOSS Linux, India’s official government distribution, deploying a custom Golang-based Remote Access Trojan (RAT) named DeskRAT.

This advanced attack chain begins with spear-phishing emails disguised as defense-related communications referencing civil unrest and regional incidents. These lures deliver malicious ZIP archives that contain .desktop dropper files and decoy PDFs. Once executed, DeskRAT provides stealthy remote access, enabling file exfiltration, persistence, and long-term surveillance on compromised systems.

The campaign represents APT36’s strategic evolution—transitioning from Windows-based malware to Linux-focused espionage operations, aligning with the group’s continued targeting of Indian defense assets to support Pakistan’s intelligence objectives.

Attack Details

Infection Vector and Delivery

Transparent Tribe leverages spear-phishing emails that mimic legitimate Indian defense communications. These emails reference real-world events like Ladakh unrest or military directives, enhancing credibility.

  • The phishing emails deliver ZIP files hosted on dedicated staging domains such as modgovindia[.]space, containing:
    • A malicious .desktop dropper file.
    • A decoy PDF that opens in Firefox to distract the victim.

Execution and Payload

When the .desktop file is executed, it triggers a Bash one-liner that downloads, decodes, and launches the DeskRAT payload. The malware uses built-in Linux utilities to evade detection and initiate covert operations.

DeskRAT establishes a WebSocket-based Command and Control (C2) channel using fake metadata to blend in with legitimate network traffic. Once connected, it allows attackers to:

  • Browse local directories.
  • Exfiltrate files (up to 100MB).
  • Deploy secondary payloads.
  • Execute remote commands.

Persistence and Stealth

DeskRAT employs four persistence mechanisms tailored for Linux environments:

  1. systemd units
  2. cron jobs
  3. autostart desktop entries
  4. bash startup scripts (in .bashrc)

Its source code reveals LLM-assisted development patterns and placeholder functions to hinder reverse engineering.

Strategic Intent

The campaign’s timing and focus align with Pakistan’s regional intelligence goals, signaling an escalation in Linux-based espionage targeting India’s defense digital infrastructure.

Recommendations

Harden Linux System Defenses

  • Update all BOSS Linux systems with the latest security patches.
  • Remove unnecessary utilities (like xxd) and restrict execution permissions in user and temporary directories.
  • Enforce least-privilege policies to reduce potential exploitation vectors.

Monitor and Block Spear-Phishing Campaigns

  • Deploy advanced email security filters with sandboxing and URL reputation analysis.
  • Block attachments with .desktop files or ZIP archives containing executable content.
  • Conduct awareness training for personnel handling defense communications.

Detect Malicious Artifacts

  • Continuously monitor for:
    • Unauthorized .desktop files.
    • Modified .bashrc entries.
    • Abnormal systemd or cron jobs.
  • Use file integrity monitoring (FIM) and Endpoint Detection and Response (EDR) to detect DeskRAT persistence.

Inspect Network Traffic

  • Monitor for unexpected ws:// connections or WebSocket activity on port 8080.
  • Block traffic to known Transparent Tribe infrastructure and maintain updated threat intelligence feeds.

Indicators of Compromise (IoCs)

SHA256 Hashes:

  • 43715401531e0060827d3dcfd406add434829192051fe76d5ffdbb22602cc136
  • 567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33

MD5 Hashes:

  • 4c56fedd177108a8849cec423f020625
  • 3563518ef8389c7c7ac2a80984a2c4cd

File Names:

  • MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.zip
  • MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.desktop

File Paths:

  • /tmp/MoM_regarding_Defence_Sectors_by_Secy_Defence_25-Sep_2025-<timestamp>
  • $HOME/.config/autostart/system-backup.desktop
  • $HOME/.config/system-backup/startup.sh
  • $HOME/.config/system-backup/client.log

Domain:

  • modgovindia[.]com

URLs:

  • hxxps[:]//modgovindia[.]com/download[.]php?file=Gimpfile[.]txt
  • hxxps[:]//modgovindia[.]com/CDS_Directive_Armed_Forces[.]pdf

IPv4 Address:

  • 147[.]93[.]155[.]118

MITRE ATT&CK TTPs

TacticTechniqueTechnique ID
Initial AccessSpearphishing AttachmentT1566.001
ExecutionUnix Shell Command and Scripting InterpreterT1059.004
PersistenceBoot or Logon Autostart Execution, systemdT1543.003, T1547
Defense EvasionObfuscated Files or InformationT1027
DiscoverySystem Information DiscoveryT1082
CollectionData from Local SystemT1005
ExfiltrationExfiltration Over C2 ChannelT1041
Command and ControlWebSocket-based C2T1071
ImpactData Theft and EspionageT1499
DeobfuscationDecode Files or InformationT1140
Hide ArtifactsHidden Files and DirectoriesT1564.001

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox