APT36, a group with ties to Pakistan, has launched a new cyber espionage campaign that uses the Golang-based remote access trojan (RAT) DeskRAT to target Indian government agencies. The malware, which mostly targets BOSS Linux computers but has recently been extended to Windows platforms, is distributed via phishing emails that contain malicious ZIP packages or cloud-hosted links. Once DeskRAT is run, it establishes WebSocket-based command-and-control channels that allow attackers to browse, collect, and exfiltrate confidential files while maintaining persistence through several startup mechanisms. The campaign highlights the critical need for improved email security, endpoint monitoring, and Linux hardening across government networks and shows how APT36’s techniques have evolved toward cross-platform, stealthier malware delivery.
The DeskRAT malware is a Golang-based remote access trojan that targets BOSS Linux and Windows systems via spear-phishing emails carrying malicious .desktop files inside ZIP archives or cloud-hosted links. When executed, the malware shows a decoy PDF to hide its activity while downloading and launching payloads from attacker-controlled sites like modgovindia[.]com. DeskRAT establishes persistence in several ways, including systemd services, cron tasks, autostart entries, and .bashrc changes. Communication with the command-and-control (C2) infrastructure takes place over WebSocket channels to “stealth servers” that are hidden from public DNS records. The malware accepts commands for file browsing, targeted data gathering, file upload and execution, and periodic heartbeat signals, giving the operator complete remote control and exfiltration capabilities. The technical details of the attack campaign are discussed below.
The primary method of delivery is phishing email. Messages include either a ZIP attachment or a link to an archive hosted on a reputable cloud service (such as Google Drive). The archive contains a malicious .desktop file that opens a decoy PDF in a browser while executing the actual payload. Early distribution used cloud-hosted archives for staging, but more recent activity uses attacker-controlled staging domains like modgovindia[.]com and modgovindia[.]space. The infection chain was identified as follows
DeskRAT is a capable Golang remote access trojan that provides a variety of data collection and remote-control functions and runs cross-platform, mostly on BOSS Linux, with Windows variants tracked as StealthServer. Prior to encrypted exfiltration, it carries out targeted file collection with size restrictions, runs commands to enumerate and traverse directories, and supports WebSocket (and in some older releases, HTTP) C2 channels to stealth name servers. The malware can transmit heartbeat/ping messages to keep the C2 session alive, drop and run secondary payloads (shell, Python, or other desktop files), and incorporate evasive features in Windows builds (anti-debugging checks). On Linux, persistence varies between systemd units, cron jobs, autostart entries, and .bashrc tweaks that execute helper scripts, making detection and removal challenging and enabling long-term footholds.
In order to ensure that the implant survives reboots and user logins, DeskRAT uses four different mechanisms to establish resilient persistence on Linux: creating a systemd service, setting up a cron job, adding a launcher to the user autostart folder ($HOME/.config/autostart), and appending a .bashrc entry that calls a helper shell script located in $HOME/.config/system-backup/. Once activated, the implant exposes a compact command set over its WebSocket C2 channel: ping (sends a JSON timestamp and expects a pong), heartbeat (returns a heartbeat_response with timestamp), browse_files (returns directory listings), start_collection (recursively searches for configured file extensions and exfiltrates matches under a ~100 MB per-file threshold), and upload_execute (drops and runs additional payloads like Python, shell, or .desktop files). This allows for remote reconnaissance, targeted collection, and dynamic deployment of follow-on
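As an added defensive example (not code from the report or from CYFIRMA), the following POSIX shell function audits one user's home directory for the four persistence locations described above. It assumes the user-level paths ($HOME/.config/autostart, $HOME/.config/systemd/user, $HOME/.bashrc and the $HOME/.config/system-backup/ helper directory named in the report) and takes an optional saved `crontab -l` dump; the grep patterns for what a suspicious Exec=/ExecStart= line looks like are assumptions.

```shell
# Constructed persistence audit for the DeskRAT-style Linux artifacts described
# above. Not the report's code; paths and patterns are assumptions.
# Usage: audit_home /home/user [crontab_dump_file]
# Prints one line per suspicious artifact and nothing when the home looks clean.
audit_home() {
  home="$1"
  cron="${2:-}"   # optional file holding the output of `crontab -l` for that user

  # 1. Shell rc files hooking the helper script directory (~/.config/system-backup/)
  for rc in "$home/.bashrc" "$home/.profile"; do
    [ -f "$rc" ] || continue
    grep -nE 'system-backup' "$rc" | sed "s|^|bashrc: $rc:|"
  done

  # 2. The helper script directory itself should not exist on a normal desktop
  if [ -d "$home/.config/system-backup" ]; then
    echo "helper-dir: $home/.config/system-backup"
  fi

  # 3. Autostart launchers whose Exec= line runs a script, Python, or a temp path
  for f in "$home"/.config/autostart/*.desktop; do
    [ -f "$f" ] || continue
    grep -lE '^Exec=.*(system-backup|\.sh|python|/tmp/|/dev/shm/)' "$f" | sed 's|^|autostart: |'
  done

  # 4. User-level systemd units whose ExecStart= points at the same places
  #    (system-wide units under /etc/systemd/system need a root audit, out of scope here)
  for u in "$home"/.config/systemd/user/*.service; do
    [ -f "$u" ] || continue
    grep -lE '^ExecStart=.*(system-backup|\.sh|/tmp/|/dev/shm/)' "$u" | sed 's|^|systemd-user: |'
  done

  # 5. Cron entries (from the saved dump) calling the helper directory or any @reboot job
  if [ -n "$cron" ] && [ -f "$cron" ]; then
    grep -nE '(system-backup|^@reboot)' "$cron" | sed "s|^|cron: $cron:|"
  fi
  return 0
}
```

Run it as the affected user, or as root against each directory under /home, and treat every printed line as a lead to inspect rather than a verdict.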
APT36 (Transparent Tribe), a Pakistan-based actor with a lengthy history of targeting Indian organizations, has been implicated in the activity; new reports link the same or closely related toolset families seen on both the Windows (StealthServer) and Linux (DeskRAT) platforms. Instead of using normal cloud services for staging, the organization now uses attacker-controlled staging servers and stealth name servers that are hidden from public DNS visibility. An investment in custom development and a strategic shift toward cross-platform, covert espionage operations are indicated by the evolution of tooling from basic implants and third-party utilities to customized Golang backdoors with modular capabilities, anti-analysis features on Windows variants, and expanded exfiltration commands.
While similar activity and related clusters have concurrently targeted the government, military, power, maritime, and diplomatic sectors throughout South and Southeast Asia, observed campaigns since mid-2025 have concentrated on Indian government targets, namely environments using BOSS Linux. The operational pattern, which frequently overlaps with or resembles strategies from regional threat clusters, consists of spear-phishing using customized lure documents, credential harvesting portals, and weaponized document delivery. With possible repercussions for diplomatic and defense communications throughout the region, the combination of regionally specialized targeting and localized lures points to a concentrated espionage effort against state and vital infrastructure institutions in India and its neighbors.
With the combination of several persistence methods, stealthy C2 communications, targeted spear-phishing, and strong data gathering and exfiltration capabilities, DeskRAT and its Windows counterpart StealthServer constitute an advanced, cross-platform espionage capability from APT36. The malware’s spread across Indian government systems and the larger South and Southeast Asian region shows a high-value strategic goal, while its modular design, anti-analysis capabilities, and use of decoy documents make identification difficult. In order to minimize the risk of sensitive data and credentials being compromised, immediate defensive measures should concentrate on email hardening, network segmentation, monitoring for the documented persistence and C2 indicators, and rapid DFIR response.
As the DeskRAT campaign allows attackers to sustain long-term access, exfiltrate critical government files, and deploy secondary payloads for additional infiltration, it poses serious operational and data-security risks. Targeting vital Indian government systems increases the possibility of strategic, political, and intelligence influence, while its cross-platform reach and covert persistence techniques raise the possibility of undetected penetration. The confidentiality, availability, and integrity of vital data are at risk for impacted organizations, and they are also more vulnerable to credential theft and network lateral movement.
https://www.cyfirma.com/research/apt36-a-phishing-campaign-targeting-indian-government-entities/