APT36 Python Based ELF Malware Targeting Indian Government Entities

CYFIRMA uncovered an APT36 campaign delivering a Python-based RAT to BOSS Linux systems via weaponized .desktop shortcut files inside a malicious archive that staged downloads from lionsdenim[.]xyz and 185[.]235[.]137[.]90. The campaign establishes persistence (systemd user services), supports remote command execution, file exfiltration, screenshots, and cross-platform control for sustained espionage. #APT36 #BOSS

Keypoints

  • APT36 (Transparent Tribe) conducted a targeted spear-phishing campaign using Analysis_Proc_Report_Gem_2025.zip containing a malicious .desktop shortcut to compromise Linux BOSS environments.
  • The .desktop file decodes and runs an embedded script that downloads a decoy PDF and two payloads (swcbc ELF and swcbc.sh) from attacker-controlled infrastructure to /tmp, then executes them while showing a benign document to the user.
  • The primary ELF (swcbc) is a PyInstaller-packed, Python-based RAT providing system enumeration, unique host ID generation, remote command execution, bi-directional file transfer, screenshot capture, archiving for exfiltration, and a self-destruct (clean) routine.
  • Persistence is achieved via a user-level systemd service created by the malicious shell script, and the malware installs to hidden directories (e.g., ~/.swcbc) to blend with legitimate files.
  • Key IOCs include the domain lionsdenim[.]xyz, IP 185[.]235[.]137[.]90, and multiple file hashes; infrastructure characteristics indicate short-lived, attacker-controlled assets registered through low-cost TLDs.
  • The campaign represents an operational shift by APT36 from Windows-focused tooling to multi-platform capabilities, increasing risk to Indian government and strategic sector networks running hybrid Windows–Linux deployments.

MITRE Techniques

  • [T1566] Phishing – Used spear-phishing emails to deliver weaponized Linux shortcut files (‘The intrusion begins with spear-phishing emails designed to lure recipients into opening weaponized Linux shortcut files.’)
  • [T1059] Command and Scripting Interpreter – The .desktop Exec field runs shell commands that decode Base64 and execute the embedded script (‘Exec field secretly runs a shell command that echoes a Base64-encoded string, decodes it, and executes the resulting script.’)
  • [T1064] Scripting – Shell scripts downloaded and executed additional payloads and established persistence (‘the script downloads two additional payloads… and executes the files ./swcbc and ./swcbc.sh in the background.’)
  • [T1129] Shared Modules – Malware contains cross-platform functions and shared command handlers to enable identical C2-driven behavior on Linux and Windows (‘exposes cross-platform functions, shared command handlers, and identical C2-driven behavior for both operating systems.’)
  • [T1543] Create or Modify System Process – The bash script creates a user-level systemd service file to run the ELF and ensure automatic restarts and startup execution (‘leverages systemd’s user-level service functionality to establish persistence… creating a corresponding systemd service file within the user’s configuration directory.’)
  • [T1027] Obfuscated Files or Information – Malicious logic is hidden via Base64 encoding and PyInstaller packaging to reduce detection and analysis (‘hiding the malicious logic inside encoded data’ and ‘PyInstaller packaging… to obfuscate its contents’).
  • [T1036] Masquerading – The .desktop file is styled to appear as a normal document shortcut to deceive users (‘The .desktop entry is designed to appear as a normal document shortcut’).
  • [T1070] Indicator Removal on Host – The malware includes a clean/uninstall routine that removes installation artifacts and autostart entries (‘The clean function acts as a self-destruct mechanism, removing all traces of the malware from the infected system.’)
  • [T1222] File and Directory Permissions Modification – The installer applies execution permissions to downloaded files using chmod to enable execution (‘applies execution permissions to both files using the chmod +x command.’)
  • [T1564] Hide Artifacts – .desktop metadata and settings (Terminal=false, Icon) are used to conceal background execution (‘Terminal=false hides all command execution, Type=Application makes the system run the embedded commands, and Icon=x-office-document gives it a familiar document icon’).
  • [T1082] System Information Discovery – The implant collects OS platform and release information as part of initial profiling (‘Collects OS platform and release information’).
  • [T1083] File and Directory Discovery – The malware immediately performs file system enumeration to identify targets for exfiltration (‘Immediately performs file system enumeration’).
  • [T1046] Network Service Discovery – The malware establishes network communication and baseline state to support C2 interactions (‘Establishes baseline system state’).
  • [T1518] Software Discovery – The implant gathers platform and environment details to adapt execution and persistence mechanisms (‘Collects OS platform and release information’ and identifies BOSS targets).
  • [T1071] Application Layer Protocol – C2 communications use HTTP POST requests to send system data and receive commands (‘It uses HTTP POST requests to connect to its command and control (C2) center’).
  • [T1095] Non-Application Layer Protocol – The campaign uses alternate network channels for C2 alongside application-layer traffic (‘the malware sets up a two-way communication channel with the attacker’s server’).
  • [T1105] Ingress Tool Transfer – Secondary payloads are retrieved from attacker-controlled servers via HTTP GET and script-driven downloads (‘the script downloads two additional payloads from the attacker-controlled server 185[.]235[.]137[.]90[:]32587’).
  • [T1571] Non-Standard Port – Payload hosting and transfer used a non-standard port (32587) in the attacker-controlled URL (‘retrieved from http://185[.]235[.]137[.]90[:]32587/uploads/…’).
  • [T1573] Encrypted Channel – C2-driven behavior and channel management are emphasized for secure operator communications (‘exposes cross-platform functions, shared command handlers, and identical C2-driven behavior for both operating systems.’)
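The two host-side traits this summary keeps returning to, a document-lookalike .desktop launcher whose Exec field decodes an embedded blob into a shell (T1059, T1036, T1564) and a user-level systemd unit that keeps a binary in a hidden home directory alive (T1543), are both plain INI-style text and can be triaged with a small scorer. The Python below is an added defender-side example written for this page; it is not CYFIRMA's tooling or anything taken from the malware. The sample launcher and unit, the rule weights, the scan directories and the user name analyst are constructed assumptions that mimic the shapes the report describes.

```python
import configparser
import pathlib
import re

# Constructed sample inputs, not artifacts from the report. They mimic a launcher whose
# Exec line base64-decodes into a shell behind a document icon, and a user unit that
# restarts an ELF living in a hidden directory under $HOME ("analyst" is a made-up user).
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Analysis_Proc_Report_Gem
Terminal=false
Icon=x-office-document
Exec=sh -c "echo ZWNobyBoZWxsbw== | base64 -d | sh"
"""
SAMPLE_UNIT = """[Service]
ExecStart=/home/analyst/.swcbc/swcbc
Restart=always
"""

# Weighted patterns for the Exec= value of a launcher and the ExecStart= binary of a unit.
EXEC_RULES = [
    ("base64 decode in Exec", re.compile(r"base64\s+(-d|--decode)\b"), 3),
    ("output piped into a shell", re.compile(r"\|\s*(ba|z)?sh\b"), 2),
    ("inline shell command (sh -c)", re.compile(r"\b(ba)?sh\s+-c\b"), 1),
    ("downloader in Exec", re.compile(r"\b(curl|wget)\b"), 2),
    ("references /tmp", re.compile(r"/tmp/"), 1),
]
PATH_RULES = [
    ("runs from a world-writable temp dir", re.compile(r"^/(tmp|var/tmp|dev/shm)/"), 3),
    ("runs from a hidden directory in a home", re.compile(r"^(/home/[^/]+|~)/\.[^/]+/"), 2),
]

def _parse(text):
    """Both file types are INI-like; keep key case and disable % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _apply(rules, value):
    score, reasons = 0, []
    for label, pattern, weight in rules:
        if pattern.search(value):
            score += weight
            reasons.append(label)
    return score, reasons

def score_desktop(text):
    """Return (score, reasons) for a .desktop launcher; 0 means nothing flagged."""
    cp = _parse(text)
    if not cp.has_section("Desktop Entry"):
        return 0, []
    entry = cp["Desktop Entry"]
    score, reasons = _apply(EXEC_RULES, entry.get("Exec", ""))
    # Masquerading traits only count once the Exec line itself looks suspicious,
    # otherwise every ordinary document launcher would be flagged.
    if reasons and re.search(r"office-document|pdf|document", entry.get("Icon", ""), re.I):
        score, reasons = score + 2, reasons + ["document icon on a shell-executing launcher"]
    if reasons and entry.get("Terminal", "").lower() == "false":
        score, reasons = score + 1, reasons + ["Terminal=false hides execution from the user"]
    return score, reasons

def score_user_unit(text):
    """Return (score, reasons) for a systemd unit from a user's config directory."""
    cp = _parse(text)
    if not cp.has_section("Service"):
        return 0, []
    svc = cp["Service"]
    tokens = svc.get("ExecStart", "").split()
    # First token is the binary; strip systemd's optional "-", "@", "+", "!", ":" prefixes.
    binary = tokens[0].lstrip("-@+!:") if tokens else ""
    score, reasons = _apply(PATH_RULES, binary)
    if reasons and svc.get("Restart", "").lower() == "always":
        score, reasons = score + 1, reasons + ["Restart=always keeps the binary alive"]
    return score, reasons

def scan(roots):
    """Score every .desktop and .service file under the given directories, worst first."""
    findings = []
    for root in roots:
        base = pathlib.Path(root).expanduser()
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.suffix not in (".desktop", ".service") or not p.is_file():
                continue
            try:
                scorer = score_desktop if p.suffix == ".desktop" else score_user_unit
                score, reasons = scorer(p.read_text(errors="replace"))
            except (OSError, configparser.Error):
                continue  # unreadable or not INI-shaped; skip rather than abort the scan
            if score:
                findings.append((str(p), score, reasons))
    return sorted(findings, key=lambda f: -f[1])

if __name__ == "__main__":
    print("sample launcher:", score_desktop(SAMPLE_DESKTOP))
    print("sample user unit:", score_user_unit(SAMPLE_UNIT))
    # Typical drop and persistence locations on a desktop Linux host (assumed list).
    for hit in scan(["~/Desktop", "~/Downloads", "~/.config/autostart", "~/.config/systemd/user"]):
        print(hit)
```

The icon and Terminal=false checks are deliberately gated on a suspicious Exec line, since every legitimate document launcher carries a document icon and hides its terminal; the score is meant to rank candidates for analyst review, not to quarantine on its own. Pair it with a hash lookup against the IOC list below for confirmed hits.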

Indicators of Compromise

  • [File Names] primary delivery and payload names – Analysis_Proc_Report_Gem.desktop, Analysis_Proc_Report_Gem_2025.zip, swcbc, swcbc.sh
  • [Domains] malicious hosting and decoy PDF – lionsdenim[.]xyz (decoy PDF host and staging domain)
  • [IP Addresses] attacker infrastructure and hosting – 185[.]235[.]137[.]90 (payload hosting, Frankfurt), 67[.]223[.]118[.]206 (lionsdenim[.]xyz resolution, Los Angeles)
  • [MD5 Hashes] identified payload file hashes – ‘Analysis_Proc_Report_Gem_2025.zip’ MD5 e9ab3246d4ab6cef550f7ea1d9f938e1, ‘Analysis_Proc_Report_Gem.desktop’ MD5 17992c80e99d268ec7d759d3df3cbfad (and 2 more MD5 hashes)
  • [SHA-256 Hashes] YARA and IOC list of malware components – defa2e29e45168471ce451196e1617b9659b3553b125e5464b1db032d7eac90a, 5ff9777aac434cae5995bf26979b892197e3f0e521c73f127c2e2628e84ef509 (and 2 more SHA-256 hashes)


Read more: https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/