APT36 Hacker Group Attacking Linux Systems with New Tools to Disturb Services

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

For more than a decade, Indian government and defense organizations have operated under a constant digital shadow.

A tightly connected espionage ecosystem, primarily involving the Transparent Tribe (APT36) group and the aligned SideCopy cluster, has continued to probe and adapt.

These actors rely on proven tactics like spear-phishing and weaponized documents to quietly embed themselves in target environments.

Their goal remains unchanged: long-term intelligence collection through stealthy, resilient access.

Recent observations reveal multiple active campaigns targeting these sectors across both Windows and Linux environments.

One campaign targeted Windows systems using phishing emails that delivered malicious files, ultimately deploying Geta RAT.

The infection chain abuses legitimate Windows components—including mshta.exe and XAML deserialization—to evade traditional file-based detection mechanisms.

Aditya K Sood, VP of Security Engineering and AI Strategy at Aryaka, noted that critical infrastructure is under threat from highly organized, state-sponsored “espionage ecosystems” deploying tools aimed at disrupting essential services and gathering intelligence.

The attackers have steadily evolved their tooling to include cross-platform payloads and memory-resident execution.

This design prioritizes patience over speed, allowing them to maintain a durable foothold.

The operations are not isolated incidents but coordinated efforts within a mature threat landscape, reinforcing the need for sustained defense efforts against these “espionage ecosystems.”

Linux Campaign and System Persistence

In a significant shift, a separate campaign focused on Linux environments, an area where Transparent Tribe has shown growing maturity.

This operation utilized a Go-based downloader to install Ares RAT, a Python-based remote access tool historically associated with the group. Once deployed, the malware performed automated system profiling and structured data exfiltration.

To achieve persistence, the attackers used systemd user services. This technique allows the malware to survive reboots while blending into normal system operations.

This reliable access mechanism ensures they can continue their reconnaissance missions uninterrupted.

This campaign signals a clear intent to maintain parity across platforms rather than treating Linux as an afterthought.

Additionally, an emerging tool named Desk RAT, distributed via malicious PowerPoint Add-Ins, highlights the group’s ongoing innovation in surveillance.

Detecting these actors requires visibility across platforms and attention to subtle behavioral signals. Defenders must understand that persistence is the attacker’s greatest weapon.

Security teams must monitor for unusual service creations and network anomalies. Taking these steps empowers organizations to disrupt the espionage lifecycle before sensitive data is lost.
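To make that monitoring advice concrete, here is an added example (not code from the article or from the reporting it summarizes) that audits the per-user systemd unit directories for the persistence pattern described above: a user service whose ExecStart launches a script interpreter or a binary from a user-writable path. The directory list and the flagging heuristics are assumptions for illustration, not indicators taken from the campaign.

```shell
#!/bin/sh
# Added example: audit systemd *user* service units for persistence cues.
# Only reads unit files from disk, so it works on an offline image as well.

# scan_user_units DIR... : prints "<unit path>|<reason>" for each unit whose
# first ExecStart= line matches one of the (assumed) suspicious patterns.
scan_user_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            # Take the first ExecStart= line; units may declare several.
            exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
            [ -n "$exec_line" ] || continue
            reason=""
            # Heuristic 1: a service that is really an interpreter running a script
            case "$exec_line" in
                *python*|*perl*|*"sh -c"*) reason="interpreter launch" ;;
            esac
            # Heuristic 2: the program lives somewhere an unprivileged user can write
            case "$exec_line" in
                */tmp/*|*/var/tmp/*|*/dev/shm/*|*/home/*|*'$HOME'*|*'~/'*)
                    reason="${reason:+$reason, }runs from user-writable path" ;;
            esac
            [ -n "$reason" ] && printf '%s|%s\n' "$unit" "$reason"
        done
    done
    return 0
}

# With no arguments, scan the standard per-user unit locations (assumed paths:
# the user's own config dir and the distro-wide user unit dirs).
if [ "$#" -eq 0 ]; then
    set -- "$HOME/.config/systemd/user" "$HOME/.local/share/systemd/user" /etc/systemd/user
fi
scan_user_units "$@"
```

Pair the file scan with `systemctl --user list-units --type=service` on a live host so that units already loaded from a transient or runtime directory are not missed.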
