A spear-phishing campaign targeting organizations in India used weaponized Linux .desktop files to deliver a MeshAgent payload through a multi-stage, heavily obfuscated Go-based dropper chain possibly linked to APT36 (Transparent Tribe). The campaign used decoy PDFs, ELF magic-byte restoration, AES/DES decryptors, anti-VM checks, and C2 infrastructure at indianbosssystems.ddns[.]net resolving to 54.144.107.42. #APT36 #MeshAgent
Keypoints
- The campaign used spear-phishing with a malicious .desktop file masquerading as a PDF to lure users into executing the payload.
- The .desktop file opens a decoy PDF while restoring ELF magic bytes and running an obfuscated background execution chain to avoid detection.
- A multi-stage chain of UPX-packed Go binaries performs AES/DES decryption, drops additional stages, and finally deploys a MeshAgent remote access tool.
- Dropper implements anti-VM and sandbox-evasion checks (DMI fields, MAC prefixes, processes, uptime, /etc/os-release checks) to evade analysis.
- Final MeshAgent payload connects to a wss C2 at wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx; domains resolve to 54.144.107.42 on AWS EC2.
- Multiple file hashes, filenames, and YARA rules are provided for detection; initial payload samples were not flagged on VirusTotal at time of writing.
- Attribution points to APT36 (aka Transparent Tribe, Mythic Leopard, G0134) based on technique overlap and past use of similar Linux-focused methods.
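The keypoints above describe a .desktop lure that opens a decoy PDF, restores the ELF magic bytes of a stripped binary with printf|dd, and runs the chain in the background. The following Python triage helper is an added example (not code from the report or from Nextron) that parses a .desktop file, flags the Exec-line behaviours described here, and checks whether a dropped file is a "headless" ELF whose magic bytes have been stripped. The sample .desktop texts, the regex names and the minimal ELF header are constructed for illustration; only the decoy path /tmp/Note_Warfare.pdf, the file name mayuw and the printf|dd command come from the report.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"

# Exec-line patterns mirroring the behaviours the report describes: decoy viewer followed
# by more commands, ELF magic restoration with printf|dd, chmod, background execution,
# staging under /tmp, and a shell wrapper. Names are ours, not the report's.
EXEC_PATTERNS = {
    "elf_magic_restore": re.compile(r"printf\s+['\"]?\\x7f\s*ELF.*\bdd\b.*conv=notrunc", re.I),
    "decoy_then_more":   re.compile(r"\bxdg-open\b[^;&|]*\.pdf\b.*[;&|]", re.I),
    "base64_decode":     re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "chmod_exec":        re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "background_exec":   re.compile(r"\bnohup\b|\bsetsid\b|\bdisown\b"),
    "tmp_staging":       re.compile(r"(^|[\s;&|\"'])/(tmp|dev/shm|var/tmp)/\S+"),
    "shell_wrapper":     re.compile(r"\b(ba)?sh\s+-c\b"),
}
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

# Constructed sample lure (not the real file from the campaign).
SAMPLE_MALICIOUS_NAME = "Note_Warfare_Ops_Sindoor.pdf.desktop"
SAMPLE_MALICIOUS = r'''[Desktop Entry]
Type=Application
Name=Note_Warfare_Ops_Sindoor.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/Note_Warfare.pdf & printf '\x7FELF' | dd of=/tmp/mayuw bs=1 count=4 conv=notrunc; chmod +x /tmp/mayuw; nohup /tmp/mayuw >/dev/null 2>&1 &"
'''

# Constructed benign launcher for comparison.
SAMPLE_BENIGN = '''[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
'''


def parse_desktop_entry(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] group of a .desktop file (key=value lines)."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def triage_desktop_file(filename: str, text: str) -> list:
    """Return the list of suspicious traits found in a .desktop file (empty list = nothing flagged)."""
    findings = []
    lower = filename.lower()
    # Double extension: a launcher pretending to be a document (e.g. .pdf.desktop).
    if any(lower.endswith(ext + ".desktop") for ext in DOC_EXTENSIONS):
        findings.append("double_extension")
    entry = parse_desktop_entry(text)
    # Display name ends in a document extension while the entry is an executable application.
    if entry.get("Type") == "Application" and entry.get("Name", "").lower().endswith(DOC_EXTENSIONS):
        findings.append("name_mimics_document")
    exec_line = entry.get("Exec", "")
    for label, pattern in EXEC_PATTERNS.items():
        if pattern.search(exec_line):
            findings.append(label)
    return findings


def build_elf64_header(magic: bytes = ELF_MAGIC) -> bytes:
    """Constructed sample: a minimal 64-byte ELF64 little-endian x86-64 ET_EXEC header whose
    first four bytes are whatever the caller supplies (the real magic, or zeros after stripping)."""
    assert len(magic) == 4
    e_ident = magic + bytes([2, 1, 1, 0]) + bytes(8)  # class=64-bit, data=LE, version=1, OSABI=SysV, pad
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)


def looks_like_headless_elf(data: bytes) -> bool:
    """True if the buffer lacks the ELF magic but the rest of the e_ident/header still parses
    like an ELF header, i.e. a binary whose first four bytes were stripped for later restoration."""
    if len(data) < 64 or data[:4] == ELF_MAGIC:
        return False
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        return False
    if any(data[9:16]):  # EI_PAD must be zero in a well-formed header
        return False
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", data[16:24])
    return 1 <= e_type <= 4 and e_machine != 0 and e_version == 1


if __name__ == "__main__":
    print(triage_desktop_file(SAMPLE_MALICIOUS_NAME, SAMPLE_MALICIOUS))
    print(triage_desktop_file("org.gnome.gedit.desktop", SAMPLE_BENIGN))
    print(looks_like_headless_elf(build_elf64_header(b"\x00\x00\x00\x00")))
```

Run it over ~/.local/share/applications, ~/Desktop and mail download folders on Linux endpoints; a hit on elf_magic_restore together with double_extension is a strong lead, while tmp_staging or shell_wrapper alone are common in legitimate launchers and only raise the score. The headless-ELF check is useful on files that AV skipped because they carry no recognisable magic.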
MITRE Techniques
- [T1566] Phishing – Use of spear-phishing .desktop attachments masquerading as PDFs to trick users into executing the malicious file: “The malicious .desktop file is crafted to appear harmless by masquerading as a legitimate document.”
- [T1204] User Execution – Relying on the user to open the .desktop, which launches the decoy PDF while executing the background payload: “Upon launch, the file opens a benign-looking decoy PDF … while a background process silently runs the obfuscated routines.”
- [T1574] Hijack Execution Flow – Restoring ELF magic bytes on the fly to make stripped binaries executable and evade platform scanning: “printf '\x7FELF' | dd of=mayuw bs=1 count=4 conv=notrunc”
- [T1027] Obfuscated Files or Information – Heavy obfuscation using Base64 and DES-CBC encryption of strings and payloads to evade static detection: “All strings are obfuscated using a combination of Base64 encoding and DES-CBC encryption.”
- [T1203] Exploitation for Client Execution (abuse of legitimate tools) – Using MeshAgent, a legitimate remote admin tool, repurposed for remote access and post-exploitation: “The final payload delivered … is a MeshAgent binary, a legitimate remote administration tool that has been repurposed for malicious use.”
- [T1490] Ingress Tool Transfer – Staged downloads from cloud hosting (Google Drive, Google Docs, Drive links) to deliver decoy and encrypted payload components: table of URLs showing multiple https://drive.google[.]com and docs.google[.]com links.
- [T1086] PowerShell (not applicable) – No PowerShell was observed; the techniques listed reflect Linux-specific methods and dropper behaviour.
Indicators of Compromise
- [File name / SHA-256] initial .desktop and decoy – Note_Warfare_Ops_Sindoor.pdf.desktop (9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59), /tmp/Note_Warfare.pdf (ba5b485552ab775ce3116d9d5fa17f88452c1ae60118902e7f669fd6390eae97)
- [File name / SHA-256] decryptors and downloaders – mayuw (9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b), shjdfhd (0f4ef1da435d5d64ccc21b4c2a6967b240c2928b297086878b3dcb3e9c87aa23)
- [File name / SHA-256] stage downloaders – inter_ddns (38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4), access (231957a5b5b834f88925a1922dba8b4238cf13b0e92c17851a83f40931f264c1)
- [File name / SHA-256] MeshAgent payload – server2 decrypted (05b468fc24c93885cad40ff9ecb50594faa6c2c590e75c88a5e5f54a8b696ac8) and encrypted server2 (b46889ed27b69b94fb741b4d03be7c91986ac08269f9d7c37d1c13ea711f6389)
- [Domain / IP] C2 infrastructure – wss://boss-servers.gov.in.indianbosssystems.ddns[.]net:443/agent.ashx; indianbosssystems.ddns[.]net subdomains resolve to 54.144.107.42 (AWS EC2)
- [YARA rules] detection signatures – Provided rules include SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25, SUSP_LNX_Sindoor_DesktopFile_Aug25, MAL_Sindoor_Decryptor_Aug25, MAL_Sindoor_Downloader_Aug25 (hashes embedded in meta fields)
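The C2 host above nests an official-looking label (gov.in) inside a dynamic-DNS name, and the agent connects to MeshCentral's /agent.ashx endpoint. The following Python snippet is an added example (not from the report or from Nextron) that runs over constructed proxy/HTTP log lines and flags the report's domain suffix and IP, the MeshAgent endpoint, and, more generally, any dynamic-DNS host that embeds an official-looking label. The log format (timestamp, source, destination, host, URI), the dynamic-DNS suffix list and the look-alike label list are assumptions for illustration; the domain, IP and path values are the report's IoCs (undefanged here so they can be matched).

```python
from dataclasses import dataclass

C2_DOMAIN_SUFFIX = "indianbosssystems.ddns.net"   # from the report (defanged there as ddns[.]net)
C2_IP = "54.144.107.42"                           # from the report
MESHAGENT_PATH = "/agent.ashx"                    # MeshCentral agent websocket endpoint, as in the report
# Assumption: a short illustrative list of dynamic-DNS suffixes; extend from your own data.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "duckdns.org", "hopto.org")
# Assumption: labels that mimic an official domain when nested inside a longer host name.
OFFICIAL_LOOKALIKES = ("gov.in", "nic.in")

# Constructed sample log lines: "ts src_ip dst_ip host uri" (not real traffic from the report).
SAMPLE_LOG = """
1724950000.1 10.0.0.5 54.144.107.42 boss-servers.gov.in.indianbosssystems.ddns.net /agent.ashx
1724950001.2 10.0.0.5 142.250.1.1 docs.google.com /document/d/example
1724950002.3 10.0.0.7 198.51.100.9 updates.example.org /agent.ashx
1724950003.4 10.0.0.8 203.0.113.4 portal.gov.in.example-ddns.duckdns.org /login
"""


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    host: str
    uri: str


def parse_line(line: str):
    """Split one whitespace-separated log line into an Event, or None if malformed."""
    parts = line.split()
    return Event(*parts) if len(parts) == 5 else None


def host_matches_suffix(host: str, suffix: str) -> bool:
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def host_uses_ddns(host: str) -> bool:
    return any(host_matches_suffix(host, s) for s in DYNAMIC_DNS_SUFFIXES)


def embedded_official_label(host: str) -> bool:
    """True when an official-looking label appears as inner labels rather than as the
    registrable tail, e.g. boss-servers.gov.in.<something>.ddns.net."""
    h = "." + host.lower() + "."
    for token in OFFICIAL_LOOKALIKES:
        needle = "." + token + "."
        if needle in h and not h.endswith(needle):
            return True
    return False


def classify(ev: Event) -> list:
    """Return the detection labels that apply to one event (empty list = nothing flagged)."""
    findings = []
    if host_matches_suffix(ev.host, C2_DOMAIN_SUFFIX):
        findings.append("known_c2_domain")
    if ev.dst == C2_IP:
        findings.append("known_c2_ip")
    if ev.uri.lower().endswith(MESHAGENT_PATH):
        findings.append("meshagent_endpoint")
    if host_uses_ddns(ev.host) and embedded_official_label(ev.host):
        findings.append("ddns_with_official_lookalike")
    return findings


def scan(log_text: str) -> dict:
    """Map each flagged host to its findings; unflagged hosts are omitted."""
    hits = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = classify(ev)
        if findings:
            hits[ev.host] = findings
    return hits


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, findings)
```

The known_c2_* labels are exact IoC matches and can page on their own. meshagent_endpoint fires on any MeshCentral agent check-in, including legitimate deployments, so treat it as a hunting lead and compare against your inventory of sanctioned MeshCentral servers; ddns_with_official_lookalike is the generalisation of this campaign's naming trick and catches hosts the IoC list does not contain.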
Read more: https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/