APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign
Briefly

"The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive. Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF ("CDS_Directive_Armed_Forces.pdf") using Mozilla Firefox while simultaneously executing the main payload. Both artifacts are pulled from an external server "modgovindia[.]com" and executed."
"The malware supports four different methods for persistence, including creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory ($HOME/.config/autostart), and configuring .bashrc to launch the trojan by means of a shell script written to the "$HOME/.config/system-backup/" directory. DeskRAT supports five different commands: ping, to send a JSON message with the current timestamp, along with "pong", to the C2 server; heartbeat, to send a JSON message containing heartbeat_response and a timestamp."
Transparent Tribe (aka APT36) conducted spear-phishing attacks against Indian government entities in August and September 2025. Phishing messages delivered ZIP attachments or links to archives hosted on legitimate cloud services such as Google Drive. ZIP archives contained a malicious Desktop file that displayed a decoy PDF (CDS_Directive_Armed_Forces.pdf) via Mozilla Firefox while executing a Golang remote access trojan, DeskRAT, retrieved from modgovindia[.]com. DeskRAT targets BOSS (Bharat Operating System Solutions) Linux systems, establishes WebSocket-based C2, implements four persistence methods, and supports commands for ping, heartbeat, file browsing, collection, and upload_execute.
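The four persistence locations listed above are exactly what a host-based audit of a BOSS or other Debian-derived Linux system should check after this campaign. The following Python script is an added example for this brief, not code from The Hacker News or from the researchers who analysed DeskRAT: it searches .bashrc, the XDG autostart directory, cron and systemd unit directories for references to the `$HOME/.config/system-backup/` path the article names, and additionally flags autostart entries whose `Exec=` line invokes a shell. The Debian cron spool and systemd unit paths are standard-layout assumptions, and the sample file tree it scans is constructed for the demonstration.

```python
"""Audit the four Linux persistence locations described for DeskRAT.

Added example for this brief; not code from The Hacker News or from the
researchers. Paths below are the standard Debian/XDG locations; BOSS Linux
is Debian-based, but treat the exact cron and systemd paths as assumptions.
"""
import re
import tempfile
from pathlib import Path

# The article names $HOME/.config/system-backup/ as the drop directory for the
# shell script that .bashrc is configured to launch.
SUSPECT_DIR = ".config/system-backup"
SUSPECT_RE = re.compile(re.escape(SUSPECT_DIR))
# Autostart entries whose Exec= line invokes a shell deserve a manual look
# even without the known path (the article describes a shell-script launcher).
SHELL_EXEC_RE = re.compile(r"^Exec=.*\b(?:ba)?sh\b")


def scan_file(path: Path, pattern: re.Pattern) -> list[tuple[str, int, str]]:
    """Return (path, line_no, line) for every line of `path` matching `pattern`."""
    hits = []
    try:
        with path.open(errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                if pattern.search(line):
                    hits.append((str(path), n, line.rstrip()))
    except OSError:  # unreadable or missing file: nothing to report
        pass
    return hits


def audit_persistence(root: Path, user: str) -> dict[str, list]:
    """Check .bashrc, XDG autostart, cron and systemd under `root` for `user`.

    `root` is normally Path("/"); a constructed tree is used in the demo below.
    """
    home = root / "home" / user
    findings = {"bashrc": [], "autostart": [], "cron": [], "systemd": []}

    # 1. Shell init: any line referencing the drop directory.
    findings["bashrc"] += scan_file(home / ".bashrc", SUSPECT_RE)

    # 2. XDG autostart: known path, or any Exec= that launches a shell.
    for entry in (home / ".config" / "autostart").glob("*.desktop"):
        hits = scan_file(entry, SUSPECT_RE) or scan_file(entry, SHELL_EXEC_RE)
        findings["autostart"] += hits

    # 3. Cron: per-user crontab (Debian spool layout), /etc/crontab, /etc/cron.d.
    cron_files = [root / "var/spool/cron/crontabs" / user, root / "etc/crontab"]
    cron_files += list((root / "etc/cron.d").glob("*"))
    for cf in cron_files:
        findings["cron"] += scan_file(cf, SUSPECT_RE)

    # 4. systemd: user units and system units.
    for unit_dir in (home / ".config/systemd/user", root / "etc/systemd/system"):
        for unit in unit_dir.glob("*.service"):
            findings["systemd"] += scan_file(unit, SUSPECT_RE)
    return findings


def build_sample_root() -> Path:
    """Constructed file tree: one planted entry per mechanism plus benign noise."""
    root = Path(tempfile.mkdtemp(prefix="deskrat-audit-"))
    home = root / "home/user"
    files = {
        home / ".bashrc":
            "alias ll='ls -l'\n~/.config/system-backup/backup.sh &\n",
        home / ".config/autostart/backup.desktop":
            "[Desktop Entry]\nType=Application\n"
            "Exec=/bin/sh -c ~/.config/system-backup/backup.sh\n",
        home / ".config/autostart/nm-applet.desktop":
            "[Desktop Entry]\nType=Application\nExec=nm-applet\n",
        root / "var/spool/cron/crontabs/user":
            "@reboot /home/user/.config/system-backup/backup.sh\n",
        root / "etc/cron.d/logrotate":
            "0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        home / ".config/systemd/user/system-backup.service":
            "[Service]\nExecStart=/home/user/.config/system-backup/backup.sh\n",
    }
    for path, text in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


if __name__ == "__main__":
    for mech, hits in audit_persistence(build_sample_root(), "user").items():
        for path, n, line in hits:
            print(f"[{mech}] {path}:{n}: {line}")
```

On a live host, call `audit_persistence(Path("/"), "<username>")` as a privileged user so the cron spool and system unit directories are readable; every hit is a line to review, not a verdict, since a legitimate backup job could use a similar path.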
Read at The Hacker News