Cyber Espionage in India: Decoding APT-36’s New Linux Malware Campaign

Uptycs researchers uncovered Poseidon, a Linux backdoor tied to APT-36 (Transparent Tribe), delivered via a tainted Kavach 2FA tool to compromise Indian government-related systems. Poseidon functions as a versatile backdoor offering keystroke logging, screen captures, file transfers, and remote control, with infrastructure linked to prior APT-36 campaigns. #Poseidon #APT-36

Key points

  • Poseidon is a new Linux malware linked to APT-36/Transparent Tribe targeting Indian government organizations.
  • The attacker used a backdoored Kavach 2FA tool to deliver Poseidon, displaying the legitimate login page while the payload downloads in the background.

MITRE Techniques

  • [T1189] Drive-by Compromise – Poseidon is distributed through malicious Kavach-laden pages masquerading as Indian government sites. “Poseidon is distributed through malicious websites disguised as legitimate Indian government sites.”
  • [T1059.006] Python – The ELF sample is a compiled Python executable (Pyinstaller) used to run the payload. “It’s a compiled Python executable (Pyinstaller) of nearly 5 MB in size.”
  • [T1105] Ingress Tool Transfer – A malicious “bosshelp” file is downloaded to the victim’s system. “a malicious ‘bosshelp’ file is downloaded from hxxps://sharing1[.]filesharetalk.com/bosshelp to the user’s ~/.local/share directory.”
  • [T1113] Screen Capture – The second-stage payload supports screen capture functionality. “Screencapture_run – Take a screenshot of victim’s desktop.”
  • [T1056.001] Keylogging – The payload can log keystrokes. “Keylog_Run – Logging keystrokes.”
  • [T1055] Process Injection – The payload includes LibInject to inject a library. “LibInject – Inject a library.”

Indicators of Compromise

  • [MD5 Hash] – Kavach samples: c82bf2c50900b89b66e9f62d68c415ab and 382285738bae358060011ad847e845d2 (plus 5 more hashes)
  • [IP Address] – 70.34.214.252, 153.92.220.48
  • [Domain] – sharing1.filesharetalk.com, govscholarships.in, kavach-app.in
  • [URL] – sharing1.filesharetalk.com/bosshelp, ksboard.in
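A defender-side triage script covering the two observables this summary gives, the bosshelp drop in ~/.local/share (T1105) and the listed domains and IPs: it is an added example, not Uptycs' code, and it scans a directory standing in for ~/.local/share by filename and MD5, then matches proxy log lines against the indicators. The staged directory and the log lines are constructed here; only the two hashes printed on this page are checked, since the other five are not given.

```python
import hashlib
import pathlib
import re
import tempfile

# Indicators quoted in the summary above (MD5s, domains, IPs); the stage-2 file name is "bosshelp".
IOC_MD5 = {"c82bf2c50900b89b66e9f62d68c415ab", "382285738bae358060011ad847e845d2"}
IOC_DOMAINS = {"sharing1.filesharetalk.com", "govscholarships.in", "kavach-app.in", "ksboard.in"}
IOC_IPS = {"70.34.214.252", "153.92.220.48"}
HOST_RE = re.compile(r"https?://([^/\s:]+)")  # host part of a URL in a proxy log line

def scan_share_dir(share_dir):
    """Return (path, reason) for files under share_dir matching the stage-2 name or a hash IoC."""
    hits = []
    for path in pathlib.Path(share_dir).rglob("*"):
        if not path.is_file():
            continue
        if path.name == "bosshelp":
            hits.append((str(path), "filename matches the stage-2 payload name"))
        elif hashlib.md5(path.read_bytes()).hexdigest() in IOC_MD5:
            hits.append((str(path), "MD5 matches a published sample hash"))
    return hits

def scan_proxy_log(lines):
    """Return (line_no, indicator) for lines whose URL host or bare IP is a listed IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        host = m.group(1).lower() if m else ""
        bad_ips = set(line.replace(":", " ").split()) & IOC_IPS  # also catches "ip:port" tokens
        if host in IOC_DOMAINS:
            hits.append((n, host))
        elif bad_ips:
            hits.append((n, bad_ips.pop()))
    return hits

# Constructed proxy log, not captured traffic: line 2 is the bosshelp fetch, line 3 a listed IP.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 u1 GET https://www.example.gov.in/login 200",
    "2024-01-01T10:00:04 u1 GET https://sharing1.filesharetalk.com/bosshelp 200",
    "2024-01-01T10:00:09 u1 CONNECT 70.34.214.252:443 200",
]
def demo():
    """Stage a throwaway dir standing in for ~/.local/share, then run both scans."""
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "bosshelp").write_bytes(b"constructed placeholder, not the real payload\n")
        pathlib.Path(d, "notes.txt").write_bytes(b"benign file: hashed and not reported\n")
        file_hits = scan_share_dir(d)
    return file_hits, scan_proxy_log(SAMPLE_LOG)
```

Point scan_share_dir at the real ~/.local/share and feed scan_proxy_log your own proxy export to hunt on a host; the file scan reports on name or hash, the log scan on domain or IP.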

Read more: https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware