APT36 used a malicious Linux .desktop file inside a ZIP attachment to download and execute a Go-based dropper from Google Drive, then open a decoy PDF in Firefox to mask the compromise. The dropper performs anti-analysis checks, establishes persistence, and attempts WebSocket C2 connections to ws://seemysitelive.store:8080/ws. #APT36 #seemysitelive.store
Keypoints
- APT36 deployed a ZIP attachment (PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.zip) containing a malicious .desktop file that impersonates a PDF shortcut.
- The .desktop file embeds large Base64 icon data and conceals bash commands in the Exec field to fetch a hex-encoded payload from Google Drive and write it to /tmp with a timestamped filename.
- The downloaded payload is an ELF Go binary that includes anti-debugging/anti-sandbox routines, persistence mechanisms, and WebSocket-based C2 beaconing behavior.
- The attack launches the payload silently (Terminal=false) and concurrently opens a decoy PDF in Firefox to reduce user suspicion and maintain stealth.
- Command-and-control infrastructure included the domain seemysitelive[.]store and IP 164.215.103.55, with a WebSocket URL ws://seemysitelive[.]store:8080/ws returning âWelcome to Stealth Server.â
- IOCs include hashes for the ZIP, .desktop, and Go payload, the Google Drive delivery URLs, and file-drop patterns in /tmp; detection and mitigation recommendations include blocking the C2, hunting for suspicious .desktop files, and scanning for the listed hashes.
- The campaign represents an evolution in APT36 targeting Linux environments and procurement-themed spearphishing to access government and defense-related systems.
MITRE Techniques
- [T1566 ] Phishing â Delivery via phishing ZIP attachments containing malicious .desktop files. Quote: âDelivery via phishing ZIP attachments containing malicious .desktop filesâ
- [T1204.002 ] User Execution: Malicious File â Execution of disguised .desktop files by users. Quote: âExecution of disguised .desktop files by usersâ
- [T1064 ] Scripting â Use of bash script commands in the .desktop Exec field to download payload. Quote: âUse of bash script commands in the .desktop Exec field to download payloadâ
- [T1543.003 ] Create or Modify System Process: Systemd Service â Persistence via autostart .desktop files and likely cron/systemd services. Quote: âPersistence via autostart .desktop files and likely cron/systemd servicesâ
- [T1564.001 ] Hide Artifacts: Hidden Files and Directories â Dropping payload in hidden /tmp with obfuscation. Quote: âDropping payload in hidden /tmp with obfuscationâ
- [T1036 ] Masquerading â Disguising malware as legitimate PDF shortcuts with icon spoofing. Quote: âDisguising malware as legitimate PDF shortcuts with icon spoofingâ
- [T1027.001 ] Obfuscated Files or Information: Binary Padding â Large base64 icon data to hide malicious commands. Quote: âLarge base64 icon data to hide malicious commandsâ
- [T1110 ] Brute Force / Credential Dumping â Credential harvesting focus in broader APT36 operations (campaign context). Quote: âCredential harvesting focus in broader APT36 operationsâ
- [T1518 ] Software Discovery â Reconnaissance on victim environment (host info gathering). Quote: âReconnaissance on victim environment (host info gathering)â
- [T1071 ] Application Layer Protocol â Using WebSocket protocol for C2 communications. Quote: âUsing WebSocket protocol for C2 communicationsâ
- [T1095 ] Non-Application Layer Protocol â WebSocket is a non-standard C2 communication. Quote: âWebSocket is a non-standard C2 communicationâ
- [T1105 ] Ingress Tool Transfer â Downloading payload from Google Drive. Quote: âDownloading payload from Google Driveâ
- [T1571 ] Non-Standard Port â C2 over uncommon port 8080 using WebSocket. Quote: âC2 over uncommon port 8080 using WebSocketâ
Indicators of Compromise
- [File Hashes ] Malicious ZIP archive â PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.zip MD5: 6ac0fe0fa5d9af8193610d710a7da63c, SHA256: 34ad45374d5f5059cad65e7057ec0f3e468f00234be7c34de033093efc4dd83d
- [File Hashes ] Malicious .desktop file â PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop MD5: a484f85d132609a4a6b5ed65ece7d331, SHA256: 6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113
- [File Hashes ] Go binary payload â dropped ELF executable MD5: 566ddd4eb4ca8d4dd67b72ee7f944055, SHA256: 7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b
- [Domain/IP ] C2 infrastructure â seemysitelive[.]store, IP 164.215.103.55 (ASN: AS213373); WebSocket URL ws://seemysitelive[.]store:8080/ws returning âWelcome to Stealth Serverâ
- [URLs ] Payload delivery / decoy â Google Drive download pattern: https://drive.google.com/uc?export=download&id=1VQQiTt78N3KpYJzVbE-95uILnO84Wz_- , decoy view URL https://drive.google.com/file/d/1kn0L_6WYbfUUx0dmzwfALDnzkVHJAPTu/view?usp=drive_link
- [File Paths ] Payload drop locations â /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-[TIMESTAMP] (example: /tmp/PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf-1692547200) with executable permissions