
A cyber-espionage campaign orchestrated by the threat actor APT36, also known as Transparent Tribe, targets Indian defense personnel and organizations that run BOSS Linux, a distribution widely used by Indian government agencies, via malicious archives attached to phishing emails.
The campaign marks a notable evolution in APT36’s tradecraft: the group is now deploying malware built specifically for Linux environments rather than relying on its usual Windows tooling.
According to CYFIRMA’s research, the attack begins with highly targeted phishing emails containing ZIP file attachments. Within these attachments lies a malicious .desktop file masquerading as a “Cyber-Security-Advisory.”
Upon execution, this file initiates a multi-stage process designed to evade detection and lower user suspicion.
The launcher opens a decoy PowerPoint presentation to hold the target’s attention while an ELF (Executable and Linkable Format) binary runs in the background.
Alongside the decoy, an HTML file whose filename suggests a legitimate PowerPoint presentation is displayed; it contains an <iframe> that loads an innocuous-looking blog page hosted on the same malicious domain, a domain already tied to cyber-espionage campaigns attributed to APT36.
The binary, named “BOSS.elf,” gives the operators unauthorized access to the compromised system and supports data exfiltration and ongoing surveillance.
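A defender receiving such an archive would want to triage the launcher before anyone double-clicks it. The script below is an added example, not CYFIRMA’s tooling and not the actual APT36 file: it parses every .desktop entry inside a ZIP and flags the pattern the report describes, a launcher that imitates a document while its Exec line runs an interpreter, touches a temporary path, makes a file executable and backgrounds a process. The sample launcher, the /tmp paths and the benign comparison entry are constructed for the demonstration; only the “Cyber-Security-Advisory” name and the BOSS.elf filename come from the report.

```python
"""Heuristic triage of .desktop launchers found inside a phishing archive.

Added example: the launcher text, paths and the benign entry are constructed
to mirror the behaviour described above; they are not the real sample.
"""
import configparser
import io
import re
import zipfile

# Constructed: a launcher that opens a decoy deck and then starts an ELF.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Icon=libreoffice-impress
Terminal=false
Exec=sh -c "xdg-open /tmp/advisory.pptx; chmod +x /tmp/BOSS.elf; nohup /tmp/BOSS.elf >/dev/null 2>&1 &"
"""

# Constructed: an ordinary application launcher for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=LibreOffice Impress
Icon=libreoffice-impress
Terminal=false
Exec=libreoffice --impress %U
"""

DOC_EXT = re.compile(r"\.(pptx?|docx?|xlsx?|pdf|odt|odp)\b", re.I)
SHELL_LAUNCH = re.compile(r"^(sh|bash|dash|zsh|python3?|perl)\b")
VIEWER = re.compile(r"\b(libreoffice|soffice|evince|okular|xdg-open)\b")
DROPPER_HINTS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content"),
    (re.compile(r"chmod\s+\+?x|chmod\s+[0-7]*7\b"), "marks a file executable"),
    (re.compile(r"(^|\s)(/tmp/|/dev/shm/|\$HOME/\.)"), "runs from a temp or hidden path"),
    (re.compile(r"\bnohup\b|\bsetsid\b|\bdisown\b|&\s*(\"|$)"), "backgrounds a process"),
    (re.compile(r"xdg-open\b[^;]*;"), "opens a decoy and then keeps executing"),
]


def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, or None if absent."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: Exec, Name, Icon
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return None
    return dict(cp["Desktop Entry"])


def triage(entry):
    """Return human-readable findings for one parsed launcher (empty = nothing odd)."""
    findings = []
    exec_line = entry.get("Exec", "")
    name, icon = entry.get("Name", ""), entry.get("Icon", "")
    if SHELL_LAUNCH.match(exec_line):
        findings.append("Exec invokes an interpreter directly")
    for pattern, why in DROPPER_HINTS:
        if pattern.search(exec_line):
            findings.append(f"Exec {why}")
    # A launcher dressed up as a document should do nothing but open a viewer.
    looks_like_doc = bool(DOC_EXT.search(name)) or "office" in icon.lower()
    if looks_like_doc and (SHELL_LAUNCH.match(exec_line) or not VIEWER.search(exec_line)):
        findings.append("name/icon imitate a document but Exec is not a plain viewer")
    return findings


def scan_zip(zip_bytes):
    """Map each .desktop member of an archive to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".desktop"):
                continue
            entry = parse_desktop(zf.read(info).decode("utf-8", errors="replace"))
            results[info.filename] = (
                triage(entry) if entry is not None else ["not a valid [Desktop Entry]"]
            )
    return results


def build_sample_zip():
    """Constructed archive standing in for the phishing attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cyber-Security-Advisory.desktop", SAMPLE_DESKTOP)
        zf.writestr("Impress.desktop", BENIGN_DESKTOP)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, "->", findings or "clean")
```

The heuristics are deliberately loose: a .desktop file that a mail gateway or EDR sees inside a ZIP has no legitimate reason to chain commands through `sh -c`, and a single hit from `triage` is enough to quarantine the archive for analyst review rather than let it reach a desktop.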
Further technical analysis reveals that the malware collects critical system information, conducts reconnaissance, and maintains persistent communication with a command-and-control (C2) server at 101.99.92.182.
The “sorlastore” domain has also been used in earlier Windows-targeted campaigns that delivered malicious macro-embedded PowerPoint Add-in (PPAM) files.
The campaign’s complexity demonstrates a significant escalation in Transparent Tribe’s capabilities and underscores the exposure of critical systems. APT36 has exploited the widespread adoption of BOSS Linux to compromise sensitive networks connected to national security.
Social engineering that impersonates official bodies is common in this space; a recent example is the Russia-affiliated Void Blizzard APT sending fake European Defense & Security Summit emails.