
APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

Pakistan-linked APT36 (Transparent Tribe) launched a new cyber-espionage campaign targeting Indian government and defense entities. Active in August 2025, the group used phishing ZIP files containing malicious Linux “.desktop” shortcuts that downloaded payloads from Google Drive.

OPENCTI LABELS :

persistence,stealth,apt36,websocket,google drive,icon data,ctfuft,linux desktop,stealth server,unix timestamp,syscall


AI COMMENTARY :

1. Pakistan-linked APT36, also tracked as Transparent Tribe, has run a malware campaign that uses Linux desktop entry (.desktop) files as its initial execution vehicle. The report, titled "APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery", highlights the group's emphasis on persistence and stealth as it keeps refining its tradecraft against government and defense targets. The attack chain shows a working knowledge of Linux desktop environments, including how a desktop entry presents its Name and Icon to the user in place of the command it actually runs.

2. The campaign, active in August 2025, targeted Indian government and defense organizations for intelligence collection. The malicious shortcuts arrived inside phishing ZIP attachments and the payload was hosted on Google Drive, so both delivery hops travelled over channels the targets already trusted. Victims who extracted the archive saw ".desktop" entries that looked like ordinary files on a Linux workstation; opening one ran the entry's Exec line, which let the adversary slip code execution into routine administrative work.

3. The distribution mechanism rests on .desktop shortcuts that carry embedded Base64-encoded icon data. When launched, the shortcut starts a background process that contacts Google Drive to fetch the primary payload. Hosting the binary on a widely used cloud storage service lets the traffic pass as ordinary user activity, which raises delivery success and complicates detection, since downloads from Google Drive rarely trigger alerts on their own. Two points matter for defenders: a file manager renders a desktop entry by its Name= and Icon= values, so the Exec= line is invisible until the file is opened in a text editor; and on GNOME an entry that is not marked executable is treated as untrusted and prompts before Exec= runs, so the file permissions preserved inside the archive are part of the lure.

4. The technical analysis describes a custom loader, ctfuft, that orchestrates payload delivery and installation. On execution, ctfuft records the current Unix timestamp, which the report associates with timed re-infection, and establishes persistence through crontab entries. It is also described as using direct syscalls to evade or disable security sensors. Once persistence is in place, the loader opens a WebSocket channel to an adversary-controlled stealth server for real-time command and control, an encrypted session that blends in with ordinary web traffic.

5. The mitigations follow directly from the chain: quarantine mail attachments that contain .desktop entries, including ZIP archives that carry them, since the lure arrives compressed rather than as a bare shortcut; monitor outbound Google Drive traffic for unusual file requests from hosts that do not normally use the service; and inspect WebSocket sessions for anomalous patterns such as long-lived connections to unfamiliar servers. Watching filesystem changes, above all unexpected cron job creation, together with syscall activity can surface the intrusion early. Sharing intelligence on ctfuft, Linux desktop entry abuse and the associated stealth server infrastructure helps organizations keep pace with APT36's evolving tactics.
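The cron monitoring point above, worked as an added example that is not part of the report: an audit over a crontab dump that flags boot-time and every-minute schedules, executables in world-writable or hidden paths, and commands that fetch or decode code at run time. The crontab text is a constructed sample and the path and tool patterns are assumptions; silenced output is only reported as corroboration, never as the sole reason, because plenty of legitimate jobs redirect to /dev/null.

```python
import re

# Directories a legitimate job rarely executes from, and patterns for code that
# is fetched or decoded at run time (assumptions; tune per fleet).
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATH_WORD = re.compile(r"(?:~|/)[^\s\"';|&>]+")
FETCH_OR_DECODE = re.compile(
    r"\b(curl|wget)\b|base64\s+(-d|--decode)|drive\.google\.com|docs\.google\.com", re.I)
SILENCED = re.compile(r">\s*/dev/null")

def parse_cron_line(line: str):
    """Split a user-crontab line into (schedule, command).
    Returns None for blank lines, comments and VAR=value assignments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    fields = line.split(None, 5)
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None

def schedule_reasons(schedule: str) -> list[str]:
    """Schedules typical of a persistence hook rather than a maintenance job."""
    if schedule == "@reboot":
        return ["re-launches at every boot (@reboot)"]
    minute = schedule.split()[0]
    if minute == "*" or minute.startswith("*/"):
        return [f"runs every minute or every few minutes ({schedule})"]
    return []

def command_reasons(command: str) -> list[str]:
    """Path and tooling signals in the command part of a cron entry."""
    reasons = []
    for path in PATH_WORD.findall(command):
        if path.startswith(TMP_DIRS):
            reasons.append(f"runs from a world-writable directory: {path}")
        elif path.rsplit("/", 1)[-1].startswith("."):
            reasons.append(f"hidden executable or script: {path}")
    if FETCH_OR_DECODE.search(command):
        reasons.append("fetches or decodes code at run time")
    # Corroborating only: added when another reason already fired.
    if reasons and SILENCED.search(command):
        reasons.append("output discarded to /dev/null")
    return reasons

def audit_crontab(text: str) -> list[tuple[str, str, list[str]]]:
    """Flagged (schedule, command, reasons) triples for a crontab dump, in file order."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = schedule_reasons(schedule) + command_reasons(command)
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged

# Constructed crontab dump (not from the report); the last two lines mimic the
# hidden-path and boot-time persistence the loader is described as installing.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=ops@example.invalid
0 2 * * * /usr/local/bin/backup.sh --full >> /var/log/backup.log 2>&1
30 6 * * 1 /usr/bin/apt-get update
* * * * * /home/analyst/.config/.cache-x >/dev/null 2>&1
@reboot sleep 60 && /tmp/.x86_64
"""
```

Feeding the output of `crontab -l` for each user (and the files under /etc/cron.d, after dropping their extra user column) through `audit_crontab` yields only the two planted lines for the sample: the every-minute job running a hidden executable from a dot-directory with its output discarded, and the @reboot job launching from /tmp.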



