Article Details

Scrape Timestamp (UTC): 2025-10-24 14:03:17.527

Source: https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html

Original Article Text


APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign

A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.

The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025.

The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF ("CDS_Directive_Armed_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload. Both artifacts are pulled from an external server ("modgovindia[.]com").

Like before, the campaign is designed to target BOSS (Bharat Operating System Solutions) Linux systems, with the remote access trojan capable of establishing command-and-control (C2) using WebSockets. The malware supports four different methods for persistence: creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory ($HOME/.config/autostart), and configuring .bashrc to launch the trojan by means of a shell script written to the "$HOME/.config/system-backup/" directory.

DeskRAT supports five different commands -

"DeskRAT's C2 servers are named as stealth servers," the French cybersecurity company said. "In this context, a stealth server refers to a name server that does not appear in any publicly visible NS records for the associated domain."

"While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers."

The findings follow a report from QiAnXin XLab, which detailed the campaign's targeting of Windows endpoints with a Golang backdoor it tracks as StealthServer through phishing emails containing booby-trapped Desktop file attachments, suggesting a cross-platform focus.

It's worth noting that StealthServer for Windows comes in three variants -

XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT with support for an extra command called "welcome." The second Linux version, on the other hand, uses HTTP for C2 communications instead of WebSocket. It features three commands -

It also recursively searches for files matching a set of extensions right from the root directory ("/") and then transmits them as it encounters them in an encrypted format via an HTTP POST request to "modgovindia[.]space:4000." This indicates the Linux variant could have been an earlier iteration of DeskRAT, since the latter features a dedicated "start_collection" command to exfiltrate files.

"The group's operations are frequent and characterized by a wide variety of tools, numerous variants, and a high delivery cadence," QiAnXin XLab said.

Attacks from Other South and East Asian Threat Clusters

The development comes amid the discovery of various campaigns orchestrated by South Asia-focused threat actors in recent weeks -

Notably, these intrusions have also focused on exfiltrating WhatsApp communications from compromised hosts using a number of modules – viz., Uplo Exfiltrator and Stom Exfiltrator – that are devoted to capturing various files exchanged through the popular messaging platform.

Another tool used by the threat actor is ChromeStealer Exfiltrator, which, as the name implies, is capable of harvesting cookies, tokens, and other sensitive information from Google Chrome, as well as siphoning files related to WhatsApp. The disclosure paints a picture of a hacking group that has evolved beyond relying on tools from other threat actors into a sophisticated threat operation, wielding its own arsenal of custom malware. The adversary is known to share tactical overlaps with Origami Elephant, Confucius, and SideWinder, all of which are assessed to be operating with Indian interests in mind.

"Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region," Kaspersky said. "The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware."
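A defender-side check for the four persistence traces the article attributes to DeskRAT (user systemd unit, cron entry, autostart .desktop entry, and the .bashrc hook into "$HOME/.config/system-backup/"). This is an added example, not code from Sekoia, XLab or the article; the file names, the generic ".sh launcher" pattern and the sample home directory are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Staging directory named in the article; the other paths are standard Linux user locations.
STAGING = ".config/system-backup"
# Match a reference to the staging directory, or a shell launching any .sh script (assumption).
SUSPECT = re.compile(r"system-backup|\b(?:ba)?sh\b\s+\S+\.sh")


def audit_persistence(home: Path, crontab_text: str = "") -> list[str]:
    """Return one finding per suspicious persistence trace under `home`. crontab_text is
    the user's crontab (e.g. from `crontab -l`); the spool file is not readable unprivileged."""
    findings = []
    if (home / STAGING).is_dir():                                           # .bashrc hook's dir
        findings.append(f"staging directory present: {STAGING}")
    bashrc = home / ".bashrc"
    if bashrc.is_file():                                                    # .bashrc hook
        for n, line in enumerate(bashrc.read_text(errors="replace").splitlines(), 1):
            if SUSPECT.search(line):
                findings.append(f".bashrc:{n}: {line.strip()}")
    for desk in sorted((home / ".config/autostart").glob("*.desktop")):     # autostart entry
        for line in desk.read_text(errors="replace").splitlines():
            if line.startswith("Exec=") and SUSPECT.search(line):
                findings.append(f"autostart/{desk.name}: {line}")
    for unit in sorted((home / ".config/systemd/user").glob("*.service")):  # user systemd unit
        for line in unit.read_text(errors="replace").splitlines():
            if line.startswith("ExecStart=") and SUSPECT.search(line):
                findings.append(f"systemd/{unit.name}: {line}")
    for line in crontab_text.splitlines():                                  # cron job
        if line.strip() and not line.lstrip().startswith("#") and SUSPECT.search(line):
            findings.append(f"crontab: {line.strip()}")
    return findings


def build_fixture() -> tuple[Path, str]:
    """Constructed home directory with benign placeholder files laid out like the traces."""
    home = Path(tempfile.mkdtemp())
    (home / STAGING).mkdir(parents=True)
    (home / STAGING / "update.sh").write_text("#!/bin/sh\necho placeholder\n")
    (home / ".bashrc").write_text("alias ll='ls -l'\nsh $HOME/.config/system-backup/update.sh &\n")
    (home / ".config/autostart").mkdir()
    (home / ".config/autostart/gnome-settings.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=sh /home/user/.config/system-backup/update.sh\n")
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/systemd/user/backup.service").write_text(
        "[Service]\nExecStart=/bin/sh /home/user/.config/system-backup/update.sh\n")
    cron = "# m h dom mon dow command\n@reboot sh $HOME/.config/system-backup/update.sh\n"
    return home, cron
```

Run `audit_persistence(Path.home(), subprocess.check_output(["crontab", "-l"], text=True))` on a real host; system-wide units, /etc/cron.d and root's crontab need a privileged pass that this user-scoped check does not cover.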

Daily Brief Summary

NATION STATE ACTIVITY // APT36 Deploys DeskRAT Malware Against Indian Government Entities

APT36, linked to Pakistan, has targeted Indian government entities with spear-phishing attacks, utilizing a Golang-based malware named DeskRAT.

The campaign, observed in August and September 2025, involves phishing emails with ZIP attachments or links to archives on platforms like Google Drive.

The malicious ZIP files contain a Desktop file that executes a decoy PDF while deploying the main malware payload from an external server.

DeskRAT targets BOSS Linux systems, establishing command-and-control via WebSockets and employing four persistence methods, including systemd services and cron jobs.

The malware's command-and-control infrastructure uses stealth servers, avoiding public visibility, with a cross-platform focus targeting both Linux and Windows systems.

Recent findings reveal the group's shift from cloud platforms to dedicated staging servers, enhancing their operational security.

The campaign is part of a broader trend of South Asia-focused threat actors targeting sensitive communications, including WhatsApp, using custom malware tools.

APT36's evolution into a sophisticated threat actor with a custom malware arsenal poses a significant risk to regional government and foreign affairs sectors.