Security researchers observed activity in August and September 2025 that has been attributed to Transparent Tribe, also tracked as APT36, which used spear‑phishing to deliver a Golang remote access trojan known as DeskRAT.
The attack chain typically begins with a phishing email that carries a ZIP attachment or a link to an archive hosted on legitimate cloud services. The ZIP files contain a malicious .desktop launcher file that opens a decoy PDF named “CDS_Directive_Armed_Forces.pdf” while executing the main payload, which is retrieved from an external server identified as “modgovindia[.]com”.
Researchers say the campaign is designed to target BOSS (Bharat Operating System Solutions) Linux systems and that the DeskRAT backdoor establishes command‑and‑control over WebSocket. The malware implements multiple persistence mechanisms – systemd service, cron job, autostart entries and a shell script launched from .bashrc – and supports commands for heartbeat and ping, browsing directories, collecting and exfiltrating matching files, and dropping and executing additional payloads.
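The four persistence mechanisms listed above are the places a defender would check on a BOSS or other Linux host. The script below is an added example, not code from the cited research: it walks the standard per-user location for each mechanism and reports lines matching a caller-supplied pattern, run here against a constructed sample tree (the `/tmp/.cache/` paths and the `.crontab_dump` file are placeholders and assumptions, not indicators from the report).

```python
import re
import tempfile
from pathlib import Path

# The four persistence mechanisms reported for DeskRAT, mapped to the standard
# per-user location where each would leave an artifact. "cron job" is read from
# $HOME/.crontab_dump; the assumption is that `crontab -l` output was saved there
# first, because the real spool under /var/spool/cron needs root to read.
LOCATIONS = {
    "systemd service": ".config/systemd/user",
    "autostart entry": ".config/autostart",
    "shell script via .bashrc": ".bashrc",
    "cron job": ".crontab_dump",
}

def audit_persistence(home, pattern: str) -> dict[str, list[tuple[str, str]]]:
    """Return {mechanism: [(relative file, matching line), ...]} for every line
    under a persistence location that matches `pattern`. Missing files and
    directories are skipped, so the function is safe on a clean host."""
    home = Path(home)
    rx = re.compile(pattern)
    hits: dict[str, list[tuple[str, str]]] = {}
    for mechanism, rel in LOCATIONS.items():
        target = home / rel
        files = sorted(target.iterdir()) if target.is_dir() else [target]
        for f in files:
            if not f.is_file():
                continue
            for line in f.read_text(errors="replace").splitlines():
                if rx.search(line):
                    hits.setdefault(mechanism, []).append(
                        (str(f.relative_to(home)), line.strip()))
    return hits

def build_sample_home(root: Path) -> Path:
    """Constructed sample tree imitating the four artifacts; values are not real IoCs."""
    home = root / "victim"
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/autostart").mkdir(parents=True)
    (home / ".config/systemd/user/update.service").write_text(
        "[Service]\nExecStart=/tmp/.cache/updater\n[Install]\nWantedBy=default.target\n")
    (home / ".config/autostart/updater.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/tmp/.cache/updater\n")
    (home / ".bashrc").write_text(
        "alias ll='ls -l'\nnohup /tmp/.cache/run.sh >/dev/null 2>&1 &\n")
    (home / ".crontab_dump").write_text("@reboot /tmp/.cache/updater\n")
    return home

def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Build the sample home in a temp dir and audit it for the placeholder path."""
    with tempfile.TemporaryDirectory() as d:
        return audit_persistence(build_sample_home(Path(d)), r"/tmp/\.cache/")

if __name__ == "__main__":
    for mechanism, entries in run_demo().items():
        print(mechanism, entries)
```

On a live host, point `audit_persistence` at a real home directory and a pattern built from the staging paths or hostnames in your own telemetry.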
Separate analysis by QiAnXin XLab has described related Golang backdoors it tracks as StealthServer, with Windows and Linux variants that share functionality with DeskRAT. The Windows variants use a mix of persistence and anti‑analysis techniques, while later variants adopted WebSocket communication similar to the Linux DeskRAT build.
The disclosure comes amid other recent South and East Asia‑focused campaigns. Technical writeups have described a phishing campaign by Bitter APT, and analysts have reported renewed SideWinder activity in a campaign overview and related writeups. Reporting also links activity by an OceanLotus‑aligned group and by a group tracked as Mysterious Elephant; all of these groups have targeted government and infrastructure sectors in the region.
Analysts also noted defensive implications: modules were observed exfiltrating WhatsApp data and browser artifacts, and the operators moved from staging on legitimate cloud storage to dedicated servers.