APT36 Uses DeskRAT to Target Indian Government Linux Systems
Category: Threat Alerts / Threat Intelligence
Sekoia.io researchers attribute a campaign targeting Indian government Linux systems to TransparentTribe (APT36). The operation delivered a Golang-based RAT named DeskRAT via crafted ZIP archives and Bash installation chains that executed decoy PDFs before dropping the payload. DeskRAT communicates with C2 over WebSocket, supports file exfiltration and persistence, and is notable for targeting BOSS Linux distributions used in government environments. Researchers observed signs that LLMs may have been used during development. The campaign exploited geopolitical events as lures and demonstrated a trend toward purpose-built Linux tooling by nation-aligned actors.
CORTEX Protocol Intelligence Assessment
Business Impact: Medium-High. Government systems and critical services running specialized Linux distributions are at risk of espionage.
Technical Context: Golang RATs and WebSocket C2 channels provide cross-platform resilience and simple deployment.
Strategic Intelligence Guidance
- Harden Linux images used in government contexts and restrict execution of untrusted scripts.
- Monitor for WebSocket-based C2 patterns and anomalous file collections.
- Conduct targeted phishing awareness for teams handling regional security issues.
- Share IOCs with national CERTs to expedite detection across agencies.
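As an added defender-side example (not code from Sekoia.io's report or from any tool it names), the detection logic behind the WebSocket guidance above, run over constructed proxy log lines. The JSON field names, the allowlist and the host names are assumptions; the check for Go's default User-Agent is a weak heuristic for a Go binary rather than a browser, not a DeskRAT signature.

```python
import json
from collections import defaultdict

# Assumed allowlist of hosts that legitimately serve WebSocket traffic.
APPROVED_WS_HOSTS = {"chat.example.gov"}

# Constructed sample proxy log (JSON lines); the field names are an
# assumption, not any particular product's schema.
SAMPLE_LOG = """\
{"src": "10.1.5.20", "host": "chat.example.gov", "upgrade": "websocket", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
{"src": "10.1.5.33", "host": "cdn-sync.example.net", "upgrade": "websocket", "ua": "Go-http-client/1.1"}
{"src": "10.1.5.41", "host": "www.example.org", "upgrade": "", "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
{"src": "10.1.5.33", "host": "cdn-sync.example.net", "upgrade": "websocket", "ua": "Go-http-client/1.1"}
{"src": "10.1.5.33", "host": "cdn-sync.example.net", "upgrade": "websocket", "ua": "Go-http-client/1.1"}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_suspicious_websockets(records, approved=APPROVED_WS_HOSTS, min_count=2):
    """Group WebSocket upgrade handshakes by (src, host) and report pairs that
    reach a host outside the allowlist at least `min_count` times.

    Each finding notes whether the client sent Go's default User-Agent
    ("Go-http-client/1.1"): a hint that a Go binary, not a browser, opened
    the channel. It is a scoring input, not proof of a specific RAT.
    """
    seen = defaultdict(lambda: {"count": 0, "go_client": False})
    for rec in records:
        if str(rec.get("upgrade", "")).lower() != "websocket":
            continue
        host = rec.get("host", "")
        if host in approved:
            continue
        entry = seen[(rec.get("src", "?"), host)]
        entry["count"] += 1
        if str(rec.get("ua", "")).startswith("Go-http-client/"):
            entry["go_client"] = True
    return {k: v for k, v in seen.items() if v["count"] >= min_count}


if __name__ == "__main__":
    for (src, host), info in find_suspicious_websockets(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {info['count']} handshakes, go_client={info['go_client']}")
```

Raising `min_count` trades missed low-volume beacons for fewer alerts on one-off browser sessions; tune it against a baseline of approved WebSocket hosts before enabling it on government Linux segments.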
Intelligence Source: Pakistani-Linked Hacker Group Targets Indian Government - Infosecurity Magazine | Oct 24, 2025