Apt36 Targets Indian Government With Golang-based Deskrat Malw...

A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.

The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025.

The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF ("CDS_Directive_Armed_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload.

Both artifacts are pulled from an external server, "modgovindia[.]com", and executed. As in the earlier campaign, the activity is designed to target BOSS (Bharat Operating System Solutions) Linux systems, with the remote access trojan capable of establishing command-and-control (C2) over WebSockets.

The malware supports four different methods for persistence, including creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory ("$HOME/.config/autostart"), and configuring .bashrc to launch the trojan by means of a shell script written to the "$HOME/.config/system-backup/" directory.
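The four persistence mechanisms listed above are all host-resident and auditable without network access. The script below is an added example written for this article, not code from Sekoia, CYFIRMA or The Hacker News: it checks one user's home directory for each mechanism. The only indicator taken from the text is the staging directory "$HOME/.config/system-backup/"; the layout of the constructed sample home tree, the benign autostart entry used as a negative control, and the convention of passing a saved `crontab -l` dump as a file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article or any vendor report): audit one user's
# home directory for the four DeskRAT persistence mechanisms the article lists.
# Indicator taken from the text: the staging directory $HOME/.config/system-backup/.
# Everything in make_sample_home is constructed for the demonstration.

IOC_RE='\.config/system-backup'

# audit_home HOME_DIR CRONTAB_DUMP
#   HOME_DIR     the user's home directory
#   CRONTAB_DUMP a file holding the output of `crontab -l` for that user
# Prints one tab-separated line per finding: <mechanism> <path> <evidence>
audit_home() {
    home="$1"; cron="$2"

    # The staging directory itself is the strongest single indicator.
    if [ -d "$home/.config/system-backup" ]; then
        printf 'staging-dir\t%s\t%s\n' "$home/.config/system-backup" \
            "$(ls -A "$home/.config/system-backup" | tr '\n' ' ')"
    fi

    # 1. systemd user units whose ExecStart runs something from the staging dir.
    #    (System-wide units under /etc/systemd need root; this example is
    #    limited to the per-user unit directory, an assumption not in the text.)
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        line=$(grep -E "^ExecStart=.*$IOC_RE" "$f" | head -n 1)
        [ -n "$line" ] && printf 'systemd\t%s\t%s\n' "$f" "$line"
    done

    # 2. cron entries (comments excluded) that reference the staging dir.
    if [ -f "$cron" ]; then
        grep -Ev '^[[:space:]]*#' "$cron" | grep -E "$IOC_RE" |
            while IFS= read -r line; do
                printf 'cron\t%s\t%s\n' "$cron" "$line"
            done
    fi

    # 3. XDG autostart entries whose Exec line points into the staging dir.
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        line=$(grep -E "^Exec=.*$IOC_RE" "$f" | head -n 1)
        [ -n "$line" ] && printf 'autostart\t%s\t%s\n' "$f" "$line"
    done

    # 4. .bashrc lines (comments excluded) that run or source the staging script.
    if [ -f "$home/.bashrc" ]; then
        grep -Ev '^[[:space:]]*#' "$home/.bashrc" | grep -E "$IOC_RE" |
            while IFS= read -r line; do
                printf 'bashrc\t%s\t%s\n' "$home/.bashrc" "$line"
            done
    fi
    return 0
}

# count_findings HOME_DIR CRONTAB_DUMP -> number of findings (for scripting).
count_findings() {
    audit_home "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_home -> prints the path of a constructed temporary home tree that
# carries all four mechanisms plus one benign autostart entry (clipboard.desktop)
# that must not be flagged. Nothing here is installed or executed.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/.config/system-backup" "$home/.config/systemd/user" \
             "$home/.config/autostart"
    printf '#!/bin/sh\n# constructed placeholder script\n' \
        > "$home/.config/system-backup/backup.sh"
    printf '[Unit]\nDescription=Backup\n[Service]\nExecStart=%s/.config/system-backup/backup.sh\n[Install]\nWantedBy=default.target\n' \
        "$home" > "$home/.config/systemd/user/backup.service"
    printf '[Desktop Entry]\nType=Application\nName=Backup\nExec=%s/.config/system-backup/backup.sh\n' \
        "$home" > "$home/.config/autostart/backup.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Clipboard\nExec=/usr/bin/xclip -daemon\n' \
        > "$home/.config/autostart/clipboard.desktop"
    printf '# constructed user bashrc\nexport PATH=$PATH:~/bin\n~/.config/system-backup/backup.sh &\n' \
        > "$home/.bashrc"
    printf '# m h dom mon dow command\n*/5 * * * * %s/.config/system-backup/backup.sh\n' \
        "$home" > "$home/crontab.txt"
    printf '%s\n' "$home"
}

# Demonstration on the constructed tree; set DESKRAT_AUDIT_NO_DEMO=1 to skip it.
if [ -z "${DESKRAT_AUDIT_NO_DEMO:-}" ]; then
    demo_home=$(make_sample_home)
    audit_home "$demo_home" "$demo_home/crontab.txt"
    rm -rf "$demo_home"
fi
```

Against a real account, save the crontab first and point the audit at it: `crontab -l > /tmp/cron.txt; audit_home "$HOME" /tmp/cron.txt`. The checks are deliberately narrow (they key on the one directory name the article gives), so an empty result means only that this campaign's named staging path is absent; a broader hunt would review every user unit, autostart entry and cron line that executes from a dot-directory.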

"DeskRAT's C2 servers are named as stealth servers," the French cybersecurity company said. "In this context, a stealth server refers to a name server that does not appear in any publicly visible NS records for the associated domain."

"While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers."

The findings follow a report from QiAnXin XLab, which detailed the campaign's targeting of Windows endpoints with a Golang backdoor it tracks as StealthServer, delivered through phishing emails carrying booby-trapped Desktop file attachments, suggesting a cross-platform focus.

It's worth noting that StealthServer for Windows comes in three variants -

XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT with support for an extra command called "welcome." The second Linux version, on the other hand, uses HTTP for C2 communications instead of WebSocket. It features th

Source: The Hacker News